From: Sasha Levin Date: Fri, 19 Sep 2025 15:36:33 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.1.154~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f1919c4d6d7816168da04031c6457a62e468560;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-5.10/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..4fe9a218cb --- /dev/null +++ b/queue-5.10/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From 9368ba0587ad09478b494791a4f579e52b382fdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 0764a477052a2..5e1254f106bf8 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -73,7 +73,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-5.10/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-5.10/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..419319bf6c --- /dev/null +++ b/queue-5.10/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 0599b73a17f857476da6ba4b645562a7245dbda9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 37d7a99be8f01..d709375d7509d 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -114,8 +114,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5165,7 +5188,7 @@ static void css_release_work_fn(struct work_struct *work) + mutex_unlock(&cgroup_mutex); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5174,7 +5197,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5305,7 +5328,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5545,7 +5568,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -5922,8 +5945,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-5.10/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-5.10/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..302f10d49b --- /dev/null +++ b/queue-5.10/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 168da6af34e43b78d94e70081b4f826da9c9c9d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index f7f10cfb3476e..582ca97532868 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4223,8 +4223,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-5.10/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-5.10/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..a418f9a0e6 --- /dev/null +++ b/queue-5.10/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From 2ffd5c7cfe16b41a7c8210f15dd8aa621d383d87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 57667ccc28f54..0678705cb1b4a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -795,9 +795,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-5.10/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-5.10/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..1f3e777ffd --- /dev/null +++ b/queue-5.10/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From cb4598d2883884ccb61afdc7f0f137ceb722b07b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 8e59c2825533a..2a066f193bca1 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -135,7 +135,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-5.10/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-5.10/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..d7dae1b051 --- /dev/null +++ b/queue-5.10/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From 61b27525b8b46d9b264b2746e58de4f9295cdde9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 72794d1588711..09dbc975fcee9 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-5.10/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-5.10/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..52b5089857 --- /dev/null +++ b/queue-5.10/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From ceb2bb97a8f6497ba834fb49bfb977293133793a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index d3ef5534991e6..a98841db02d5d 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -327,7 +327,13 @@ static int __exit omap_cf_remove(struct platform_device *pdev) + return 0; + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-5.10/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-5.10/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..b760c699c4 --- /dev/null +++ b/queue-5.10/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From 5f98044dea61740b299a6353f324a81004e9324c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 4b4077cf2d266..b4e108d3ec945 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4374,10 +4374,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-5.10/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-5.10/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..c3c4a934b2 --- /dev/null +++ b/queue-5.10/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From 4cf0dc0a6e33bde933fa0268d9766424a360ce1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index cc93c503984a1..cef60bc2589cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -141,8 +141,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (port_state == VPORT_STATE_UP) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 3b4bcc41c9..3866119b39 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -43,3 +43,15 @@ phy-ti-pipe3-fix-device-leak-at-unbind.patch soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch mm-memory-failure-fix-vm_bug_on_page-pagepoisoned-page-when-unpoison-memory.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch diff --git a/queue-5.10/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-5.10/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..c947c966a4 --- /dev/null +++ b/queue-5.10/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From afb1ed8853b34fd26fba541d20dfb88cce22f654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 2d870d5e31cfb..afc31f1def760 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2770,6 +2770,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + /* Deny disconnect if other threads are blocked in sk_wait_event() +@@ -2890,6 +2891,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet->defer_connect = 0; + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-5.10/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-5.10/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..3d4f88eff4 --- /dev/null +++ b/queue-5.10/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From 5c6277b6493217eac1f5e3331ac6d360eee37d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index d5d768188b3ba..0178d33e59469 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1129,10 +1129,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, vu_dev); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-5.10/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-5.10/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..224683c7c1 --- /dev/null +++ b/queue-5.10/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 0852a59c7d14ef6ebba648ed6ba31d43bb9ed96c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index a172f69c71123..d860c905fa733 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1236,7 +1236,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + if (local->ops->get_ftm_responder_stats) + ret = local->ops->get_ftm_responder_stats(&local->hw, +-- +2.51.0 + diff --git a/queue-5.15/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-5.15/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..b9d2a15114 --- /dev/null +++ b/queue-5.15/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From 2142dd1a0373bd180addffb84164c91c8fa57188 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index b5ced5d27758b..364fecf8d2867 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -73,7 +73,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-5.15/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-5.15/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..11cdfaee11 --- /dev/null +++ b/queue-5.15/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From bbecf6e15fb8ebb0216867d5092df2f450a5b447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 1a3b2e1436db0..e5fe4ffff7cd1 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -122,8 +122,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5263,7 +5286,7 @@ static void css_release_work_fn(struct work_struct *work) + mutex_unlock(&cgroup_mutex); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5272,7 +5295,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5394,7 +5417,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5631,7 +5654,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6008,8 +6031,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-5.15/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-5.15/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..126c82168c --- /dev/null +++ b/queue-5.15/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 82e77876bbbd99a5e6ca944cfcdb5f7051603fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index f7f10cfb3476e..582ca97532868 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4223,8 +4223,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-5.15/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch b/queue-5.15/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch new file mode 100644 index 0000000000..b38b3add7d --- /dev/null +++ b/queue-5.15/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch @@ -0,0 +1,69 @@ +From 12d9181b3b4ceecb9e1e7dd5a2b9dd7c2f40753f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:48:25 +0300 +Subject: dpaa2-switch: fix buffer pool seeding for control traffic + +From: Ioana Ciornei + +[ Upstream commit 2690cb089502b80b905f2abdafd1bf2d54e1abef ] + +Starting with commit c50e7475961c ("dpaa2-switch: Fix error checking in +dpaa2_switch_seed_bp()"), the probing of a second DPSW object errors out +like below. + +fsl_dpaa2_switch dpsw.1: fsl_mc_driver_probe failed: -12 +fsl_dpaa2_switch dpsw.1: probe with driver fsl_dpaa2_switch failed with error -12 + +The aforementioned commit brought to the surface the fact that seeding +buffers into the buffer pool destined for control traffic is not +successful and an access violation recoverable error can be seen in the +MC firmware log: + +[E, qbman_rec_isr:391, QBMAN] QBMAN recoverable event 0x1000000 + +This happens because the driver incorrectly used the ID of the DPBP +object instead of the hardware buffer pool ID when trying to release +buffers into it. + +This is because any DPSW object uses two buffer pools, one managed by +the Linux driver and destined for control traffic packet buffers and the +other one managed by the MC firmware and destined only for offloaded +traffic. And since the buffer pool managed by the MC firmware does not +have an external facing DPBP equivalent, any subsequent DPBP objects +created after the first DPSW will have a DPBP id different to the +underlying hardware buffer ID. + +The issue was not caught earlier because these two numbers can be +identical when all DPBP objects are created before the DPSW objects are. +This is the case when the DPL file is used to describe the entire DPAA2 +object layout and objects are created at boot time and it's also true +for the first DPSW being created dynamically using ls-addsw. + +Fix this by using the buffer pool ID instead of the DPBP id when +releasing buffers into the pool. + +Fixes: 2877e4f7e189 ("staging: dpaa2-switch: setup buffer pool and RX path rings") +Signed-off-by: Ioana Ciornei +Link: https://patch.msgid.link/20250910144825.2416019-1-ioana.ciornei@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 6448e06dcf826..1e6b29c047710 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2682,7 +2682,7 @@ static int dpaa2_switch_setup_dpbp(struct ethsw_core *ethsw) + dev_err(dev, "dpsw_ctrl_if_set_pools() failed\n"); + goto err_get_attr; + } +- ethsw->bpid = dpbp_attrs.id; ++ ethsw->bpid = dpbp_attrs.bpid; + + return 0; + +-- +2.51.0 + diff --git a/queue-5.15/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-5.15/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..af345c4ff4 --- /dev/null +++ b/queue-5.15/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From e77b4236991903ded15887c1929a184aea273f79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index e2737875e3795..b94d67729283c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -949,9 +949,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-5.15/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-5.15/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..32ff6b2a53 --- /dev/null +++ b/queue-5.15/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From 53b69dca4c3ac8293763b0e9fd7cd6e5c4309861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 8e59c2825533a..2a066f193bca1 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -135,7 +135,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-5.15/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-5.15/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..cd01a9e4be --- /dev/null +++ b/queue-5.15/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From 516bb16c57a764750f95a646c1d56e7824fa1e69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 72794d1588711..09dbc975fcee9 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-5.15/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-5.15/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..e2d23d6690 --- /dev/null +++ b/queue-5.15/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From cd26382f70c229d03d12ea58f3b51e42ced4282f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index f0b2c2d034695..ca88c75f04277 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -331,7 +331,13 @@ static int __exit omap_cf_remove(struct platform_device *pdev) + return 0; + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-5.15/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-5.15/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..df85e79862 --- /dev/null +++ b/queue-5.15/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From 75fa28627689c3e97808b477a99b953010bbfe34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 4b4077cf2d266..b4e108d3ec945 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4374,10 +4374,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-5.15/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-5.15/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..05108be17f --- /dev/null +++ b/queue-5.15/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From 95f6cf476446621fcdd96898cb8786efb1814791 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index cfbc569edfb5f..bb7e3c80ad74e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -104,8 +104,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (up) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index c41ed87fe9..3b64ca3c60 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -62,3 +62,16 @@ drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch mm-memory-failure-fix-vm_bug_on_page-pagepoisoned-page-when-unpoison-memory.patch net-hsr-hsr_slave-fix-the-promiscuous-mode-in-offload-mode.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch diff --git a/queue-5.15/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-5.15/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..b85a94e53c --- /dev/null +++ b/queue-5.15/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From f4ade75127f1a36ad3273be46375b9c223822287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index c1e624ca6a250..9508e2c90b840 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2981,6 +2981,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + /* Deny disconnect if other threads are blocked in sk_wait_event() +@@ -3101,6 +3102,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet->defer_connect = 0; + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-5.15/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-5.15/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..b608034607 --- /dev/null +++ b/queue-5.15/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From a132f13367ee9eb394b0cbf9f3443e00d019e483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index 204e9dfbff1a0..8edc218ce21fd 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1225,10 +1225,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + device_set_wakeup_capable(&vu_dev->vdev.dev, true); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-5.15/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-5.15/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..d83ede4b98 --- /dev/null +++ b/queue-5.15/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 0d0635494ee1ed5bf5e7aaf0dbed13b7f5145f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index c336267f4599c..d415a031bfa02 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1254,7 +1254,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + if (local->ops->get_ftm_responder_stats) + ret = local->ops->get_ftm_responder_stats(&local->hw, +-- +2.51.0 + diff --git a/queue-5.4/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-5.4/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..29e8990844 --- /dev/null +++ b/queue-5.4/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From bddc886e1e9e2f108f49c59919df3aedf749a144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 0764a477052a2..5e1254f106bf8 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -73,7 +73,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-5.4/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-5.4/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..28c3deb6f2 --- /dev/null +++ b/queue-5.4/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 5140d7b34dbb5c71c6d2da7082909732dbe46aed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 801022a8899b5..b761d70eccbf4 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -114,8 +114,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5233,7 +5256,7 @@ static void css_release_work_fn(struct work_struct *work) + mutex_unlock(&cgroup_mutex); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5242,7 +5265,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5373,7 +5396,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5626,7 +5649,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6002,8 +6025,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-5.4/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-5.4/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..e39429f4e8 --- /dev/null +++ b/queue-5.4/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 7272710c39a402db4a4e9263d45b737585fd45dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index 155599dcee76d..3283f66e02b6e 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4224,8 +4224,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-5.4/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-5.4/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..7a4d1ccf92 --- /dev/null +++ b/queue-5.4/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From a54a4736a9eb39f755d4ad369fd7fa0dba5dc651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 6067c88668341..ff213cbe84ca8 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -794,9 +794,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-5.4/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-5.4/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..ab47ffca8b --- /dev/null +++ b/queue-5.4/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From b13e60395dcf8483410bdf798af9defe386d50b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 6dd65f9b347cb..b606cb1906644 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -139,7 +139,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-5.4/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-5.4/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..41beaa84f1 --- /dev/null +++ b/queue-5.4/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From 2bf9f57894216dec121fd9d76349d6aa716a0d54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 6af9a7eee1149..ded37141683a9 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -818,7 +818,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -879,8 +879,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -899,15 +901,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-5.4/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-5.4/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..3720c61ef2 --- /dev/null +++ b/queue-5.4/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From aebb5fd8081d493cc48dd91404b8dc23b3f0c4b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index 0a04eb04f3a28..2e7559b7f103e 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -327,7 +327,13 @@ static int __exit omap_cf_remove(struct platform_device *pdev) + return 0; + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = (char *) driver_name, + }, +-- +2.51.0 + diff --git a/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..ebfe860c62 --- /dev/null +++ b/queue-5.4/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From 7963320fb8567ee8195f1004b00e61f3c4834b5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index b8d0b68befcb9..41bd16cc9d0f6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -141,8 +141,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (port_state == VPORT_STATE_UP) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index bb770c32d5..14ac92425e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -28,3 +28,13 @@ dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch phy-ti-pipe3-fix-device-leak-at-unbind.patch soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch mm-memory-failure-fix-vm_bug_on_page-pagepoisoned-page-when-unpoison-memory.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch diff --git a/queue-5.4/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..1ffd8cd354 --- /dev/null +++ b/queue-5.4/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From bd6a686db8b43253cb6dbbbd789a615d3dbbd2fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 55754bf176d99..cc0efcb4a553c 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2593,6 +2593,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + /* Deny disconnect if other threads are blocked in sk_wait_event() +@@ -2711,6 +2712,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet->defer_connect = 0; + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-5.4/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-5.4/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..5a9daf759a --- /dev/null +++ b/queue-5.4/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 8b897af7c2bcc52ad5e52339ccaacc19e09091e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index f4c7e0af896b1..ce902f8a08942 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1237,7 +1237,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + if (local->ops->get_ftm_responder_stats) + ret = local->ops->get_ftm_responder_stats(&local->hw, +-- +2.51.0 + diff --git a/queue-6.1/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-6.1/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..f05a95cd59 --- /dev/null +++ b/queue-6.1/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From 6befdff83f7d192163999d85f99a1aea2655399f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 88d1f4b56e4be..a220ac0c8eb83 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -111,7 +111,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-6.1/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch b/queue-6.1/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch new file mode 100644 index 0000000000..85fe51558c --- /dev/null +++ b/queue-6.1/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch @@ -0,0 +1,49 @@ +From 6b270dbf3195cb7527296fd89195042a747d2b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 08:01:26 +0000 +Subject: bonding: don't set oif to bond dev when getting NS target destination + +From: Hangbin Liu + +[ Upstream commit a8ba87f04ca9cdec06776ce92dce1395026dc3bb ] + +Unlike IPv4, IPv6 routing strictly requires the source address to be valid +on the outgoing interface. If the NS target is set to a remote VLAN interface, +and the source address is also configured on a VLAN over a bond interface, +setting the oif to the bond device will fail to retrieve the correct +destination route. + +Fix this by not setting the oif to the bond device when retrieving the NS +target destination. This allows the correct destination device (the VLAN +interface) to be determined, so that bond_verify_device_path can return the +proper VLAN tags for sending NS messages. + +Reported-by: David Wilder +Closes: https://lore.kernel.org/netdev/aGOKggdfjv0cApTO@fedora/ +Suggested-by: Jay Vosburgh +Tested-by: David Wilder +Acked-by: Jay Vosburgh +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250916080127.430626-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 11c58b88f9ce7..69ea7db784fd7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3206,7 +3206,6 @@ static void bond_ns_send_all(struct bonding *bond, struct slave *slave) + /* Find out through which dev should the packet go */ + memset(&fl6, 0, sizeof(struct flowi6)); + fl6.daddr = targets[i]; +- fl6.flowi6_oif = bond->dev->ifindex; + + dst = ip6_route_output(dev_net(bond->dev), NULL, &fl6); + if (dst->error) { +-- +2.51.0 + diff --git a/queue-6.1/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch b/queue-6.1/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch new file mode 100644 index 0000000000..7b4ebfd3b8 --- /dev/null +++ b/queue-6.1/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch @@ -0,0 +1,41 @@ +From 750a12260c583e527c9b3bcda64dbc48b17296db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 16:53:21 +0100 +Subject: btrfs: fix invalid extref key setup when replaying dentry + +From: Filipe Manana + +[ Upstream commit b62fd63ade7cb573b114972ef8f9fa505be8d74a ] + +The offset for an extref item's key is not the object ID of the parent +dir, otherwise we would not need the extref item and would use plain ref +items. Instead the offset is the result of a hash computation that uses +the object ID of the parent dir and the name associated to the entry. +So fix this by setting the key offset at replay_one_name() to be the +result of calling btrfs_extref_hash(). + +Fixes: 725af92a6251 ("btrfs: Open-code name_in_log_ref in replay_one_name") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 6e8e90bce0467..e4cc287eee993 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1934,7 +1934,7 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans, + + search_key.objectid = log_key.objectid; + search_key.type = BTRFS_INODE_EXTREF_KEY; +- search_key.offset = key->objectid; ++ search_key.offset = btrfs_extref_hash(key->objectid, name.name, name.len); + ret = backref_in_log(root->log_root, &search_key, key->objectid, &name); + if (ret < 0) { + goto out; +-- +2.51.0 + diff --git a/queue-6.1/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-6.1/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..b857937251 --- /dev/null +++ b/queue-6.1/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 252b77d3d717045947a5871d8fdd49d94ee875c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 7997c8021b62f..9742574ec62fd 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -123,8 +123,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5444,7 +5467,7 @@ static void css_release_work_fn(struct work_struct *work) + cgroup_unlock(); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5453,7 +5476,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5575,7 +5598,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5811,7 +5834,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6183,8 +6206,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-6.1/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-6.1/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..9520547826 --- /dev/null +++ b/queue-6.1/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 7c44f8a760b7d0a19369ea03399d1413b78de6c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index 2198e35d9e181..1e3eff91877d0 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4222,8 +4222,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-6.1/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch b/queue-6.1/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch new file mode 100644 index 0000000000..747b532f81 --- /dev/null +++ b/queue-6.1/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch @@ -0,0 +1,69 @@ +From c822fe89cb255a7678aaa609201729f5c515488c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:48:25 +0300 +Subject: dpaa2-switch: fix buffer pool seeding for control traffic + +From: Ioana Ciornei + +[ Upstream commit 2690cb089502b80b905f2abdafd1bf2d54e1abef ] + +Starting with commit c50e7475961c ("dpaa2-switch: Fix error checking in +dpaa2_switch_seed_bp()"), the probing of a second DPSW object errors out +like below. + +fsl_dpaa2_switch dpsw.1: fsl_mc_driver_probe failed: -12 +fsl_dpaa2_switch dpsw.1: probe with driver fsl_dpaa2_switch failed with error -12 + +The aforementioned commit brought to the surface the fact that seeding +buffers into the buffer pool destined for control traffic is not +successful and an access violation recoverable error can be seen in the +MC firmware log: + +[E, qbman_rec_isr:391, QBMAN] QBMAN recoverable event 0x1000000 + +This happens because the driver incorrectly used the ID of the DPBP +object instead of the hardware buffer pool ID when trying to release +buffers into it. + +This is because any DPSW object uses two buffer pools, one managed by +the Linux driver and destined for control traffic packet buffers and the +other one managed by the MC firmware and destined only for offloaded +traffic. And since the buffer pool managed by the MC firmware does not +have an external facing DPBP equivalent, any subsequent DPBP objects +created after the first DPSW will have a DPBP id different to the +underlying hardware buffer ID. + +The issue was not caught earlier because these two numbers can be +identical when all DPBP objects are created before the DPSW objects are. +This is the case when the DPL file is used to describe the entire DPAA2 +object layout and objects are created at boot time and it's also true +for the first DPSW being created dynamically using ls-addsw. + +Fix this by using the buffer pool ID instead of the DPBP id when +releasing buffers into the pool. + +Fixes: 2877e4f7e189 ("staging: dpaa2-switch: setup buffer pool and RX path rings") +Signed-off-by: Ioana Ciornei +Link: https://patch.msgid.link/20250910144825.2416019-1-ioana.ciornei@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 732fd2e389c41..e928fea16e841 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2680,7 +2680,7 @@ static int dpaa2_switch_setup_dpbp(struct ethsw_core *ethsw) + dev_err(dev, "dpsw_ctrl_if_set_pools() failed\n"); + goto err_get_attr; + } +- ethsw->bpid = dpbp_attrs.id; ++ ethsw->bpid = dpbp_attrs.bpid; + + return 0; + +-- +2.51.0 + diff --git a/queue-6.1/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-6.1/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..a2fbd09f8e --- /dev/null +++ b/queue-6.1/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From 11a0b36a7379aac1087b6611906e7c0916b6d3eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 3d83fccf742b1..2ede35ba3919b 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -949,9 +949,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-6.1/mptcp-set-remote_deny_join_id0-on-syn-recv.patch b/queue-6.1/mptcp-set-remote_deny_join_id0-on-syn-recv.patch new file mode 100644 index 0000000000..8c97d21d20 --- /dev/null +++ b/queue-6.1/mptcp-set-remote_deny_join_id0-on-syn-recv.patch @@ -0,0 +1,45 @@ +From ff468dea284e368b3e945cf34635f156a7ab7f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:20 +0200 +Subject: mptcp: set remote_deny_join_id0 on SYN recv + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 96939cec994070aa5df852c10fad5fc303a97ea3 ] + +When a SYN containing the 'C' flag (deny join id0) was received, this +piece of information was not propagated to the path-manager. + +Even if this flag is mainly set on the server side, a client can also +tell the server it cannot try to establish new subflows to the client's +initial IP address and port. The server's PM should then record such +info when received, and before sending events about the new connection. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index cff2328106928..2ff72b7940fe9 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -773,6 +773,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + goto fallback; + + owner = mptcp_sk(ctx->conn); ++ ++ if (mp_opt.deny_join_id0) ++ WRITE_ONCE(owner->pm.remote_deny_join_id0, true); ++ + mptcp_pm_new_connection(owner, child, 1); + + /* with OoO packets we can reach here without ingress +-- +2.51.0 + diff --git a/queue-6.1/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-6.1/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..bfad0ea424 --- /dev/null +++ b/queue-6.1/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From a5a64d5c8364e0b1051e3a390d8de8b3ed3deaae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index 8e59c2825533a..2a066f193bca1 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -135,7 +135,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-6.1/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-6.1/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..2d9c516169 --- /dev/null +++ b/queue-6.1/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From 8a339436b517bfca0eebe2591be07fcaa9f92753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 998586872599b..c692d2e878b2e 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch b/queue-6.1/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch new file mode 100644 index 0000000000..4266e93e48 --- /dev/null +++ b/queue-6.1/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch @@ -0,0 +1,126 @@ +From ab657b1d978396600bafd7466482d756e710bd53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 14:38:53 +0800 +Subject: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() + +From: Duoming Zhou + +[ Upstream commit f8b4687151021db61841af983f1cb7be6915d4ef ] + +The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), +which does not ensure that the delayed work item synctstamp_work has fully +completed if it was already running. This leads to use-after-free scenarios +where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work +remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp(). +Furthermore, the synctstamp_work is cyclic, the likelihood of triggering +the bug is nonnegligible. + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +otx2_remove() | + otx2_ptp_destroy() | otx2_sync_tstamp() + cancel_delayed_work() | + kfree(ptp) | + | ptp = container_of(...); //UAF + | ptp-> //UAF + +This is confirmed by a KASAN report: + +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff88800aa09a18 by task bash/136 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? __pfx_read_tsc+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + run_timer_softirq+0xd1/0x190 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... +Allocated by task 1: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + otx2_ptp_init+0xb1/0x860 + otx2_probe+0x4eb/0xc30 + local_pci_probe+0xdc/0x190 + pci_device_probe+0x2fe/0x470 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __driver_attach+0xd2/0x310 + bus_for_each_dev+0xed/0x170 + bus_add_driver+0x208/0x500 + driver_register+0x132/0x460 + do_one_initcall+0x89/0x300 + kernel_init_freeable+0x40d/0x720 + kernel_init+0x1a/0x150 + ret_from_fork+0x10c/0x1a0 + ret_from_fork_asm+0x1a/0x30 + +Freed by task 136: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + otx2_ptp_destroy+0x38/0x80 + otx2_remove+0x10d/0x4c0 + pci_device_remove+0xa6/0x1d0 + device_release_driver_internal+0xf8/0x210 + pci_stop_bus_device+0x105/0x150 + pci_stop_and_remove_bus_device_locked+0x15/0x30 + remove_store+0xcc/0xe0 + kernfs_fop_write_iter+0x2c3/0x440 + vfs_write+0x871/0xd70 + ksys_write+0xee/0x1c0 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the delayed work item is properly canceled before the otx2_ptp is +deallocated. + +This bug was initially identified through static analysis. To reproduce +and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced +artificial delays within the otx2_sync_tstamp() function to increase the +likelihood of triggering the bug. + +Fixes: 2958d17a8984 ("octeontx2-pf: Add support for ptp 1-step mode on CN10K silicon") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +index 896b2f9bac344..d2584b450f272 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +@@ -365,7 +365,7 @@ void otx2_ptp_destroy(struct otx2_nic *pfvf) + if (!ptp) + return; + +- cancel_delayed_work(&pfvf->ptp->synctstamp_work); ++ cancel_delayed_work_sync(&pfvf->ptp->synctstamp_work); + + ptp_clock_unregister(ptp->ptp_clock); + kfree(ptp); +-- +2.51.0 + diff --git a/queue-6.1/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-6.1/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..1f3dde12b0 --- /dev/null +++ b/queue-6.1/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From 12c628d2a715caac0641be1688747e6857a9c5e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index e22a752052f2f..b8260dd12b1a8 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -305,7 +305,13 @@ static int __exit omap_cf_remove(struct platform_device *pdev) + return 0; + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-6.1/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-6.1/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..4d3ae0674c --- /dev/null +++ b/queue-6.1/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From d7ab85d902abebd97893a3c1492623e63cc4afcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index cdcead614e9fa..ae421c2707785 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4461,10 +4461,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-6.1/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-6.1/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..75737a8a89 --- /dev/null +++ b/queue-6.1/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From acbd4eb6dfb1ebc59475896342eb998f80c5842c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index ae3a7b96f7978..7612070b66160 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -107,8 +107,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (up) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..36524c8957 --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1,19 @@ +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-increase-scan_ies_len-for-s1g.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +mptcp-set-remote_deny_join_id0-on-syn-recv.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch +octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch diff --git a/queue-6.1/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-6.1/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..9598123ff3 --- /dev/null +++ b/queue-6.1/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From 4717254dde96f0701be4da5c815b9c1a8f73fe79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index b64d53590f25c..d94daa296d59d 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3130,6 +3130,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + if (old_state != TCP_CLOSE) +@@ -3239,6 +3240,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet->defer_connect = 0; + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-6.1/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch b/queue-6.1/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch new file mode 100644 index 0000000000..e0595984d1 --- /dev/null +++ b/queue-6.1/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch @@ -0,0 +1,112 @@ +From 699c158e3ad7482de4c3eb461b039cbd5aa8f190 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 17:28:13 -0700 +Subject: tls: make sure to abort the stream if headers are bogus + +From: Jakub Kicinski + +[ Upstream commit 0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d ] + +Normally we wait for the socket to buffer up the whole record +before we service it. If the socket has a tiny buffer, however, +we read out the data sooner, to prevent connection stalls. +Make sure that we abort the connection when we find out late +that the record is actually invalid. Retrying the parsing is +fine in itself but since we copy some more data each time +before we parse we can overflow the allocated skb space. + +Constructing a scenario in which we're under pressure without +enough data in the socket to parse the length upfront is quite +hard. syzbot figured out a way to do this by serving us the header +in small OOB sends, and then filling in the recvbuf with a large +normal send. + +Make sure that tls_rx_msg_size() aborts strp, if we reach +an invalid record there's really no way to recover. + +Reported-by: Lee Jones +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Reviewed-by: Sabrina Dubroca +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20250917002814.1743558-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls.h | 1 + + net/tls/tls_strp.c | 14 +++++++++----- + net/tls/tls_sw.c | 3 +-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/net/tls/tls.h b/net/tls/tls.h +index 4922668fefaa8..f25699517bdf8 100644 +--- a/net/tls/tls.h ++++ b/net/tls/tls.h +@@ -91,6 +91,7 @@ int tls_sk_query(struct sock *sk, int optname, char __user *optval, + int tls_sk_attach(struct sock *sk, int optname, char __user *optval, + unsigned int optlen); + void tls_err_abort(struct sock *sk, int err); ++void tls_strp_abort_strp(struct tls_strparser *strp, int err); + + int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); + void tls_update_rx_zc_capable(struct tls_context *tls_ctx); +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index b7ed76c0e576e..532230bed13b0 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -12,7 +12,7 @@ + + static struct workqueue_struct *tls_strp_wq; + +-static void tls_strp_abort_strp(struct tls_strparser *strp, int err) ++void tls_strp_abort_strp(struct tls_strparser *strp, int err) + { + if (strp->stopped) + return; +@@ -210,11 +210,17 @@ static int tls_strp_copyin_frag(struct tls_strparser *strp, struct sk_buff *skb, + struct sk_buff *in_skb, unsigned int offset, + size_t in_len) + { ++ unsigned int nfrag = skb->len / PAGE_SIZE; + size_t len, chunk; + skb_frag_t *frag; + int sz; + +- frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE]; ++ if (unlikely(nfrag >= skb_shinfo(skb)->nr_frags)) { ++ DEBUG_NET_WARN_ON_ONCE(1); ++ return -EMSGSIZE; ++ } ++ ++ frag = &skb_shinfo(skb)->frags[nfrag]; + + len = in_len; + /* First make sure we got the header */ +@@ -515,10 +521,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { + sz = tls_rx_msg_size(strp, strp->anchor); +- if (sz < 0) { +- tls_strp_abort_strp(strp, sz); ++ if (sz < 0) + return sz; +- } + + strp->stm.full_len = sz; + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 96e62e8f1dad2..fe6514e964ba3 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2435,8 +2435,7 @@ int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb) + return data_len + TLS_HEADER_SIZE; + + read_failure: +- tls_err_abort(strp->sk, ret); +- ++ tls_strp_abort_strp(strp, ret); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.1/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-6.1/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..ed72bb6669 --- /dev/null +++ b/queue-6.1/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From 1e7ae85e9e3baf538105726ccce5e3bd24290a59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index ddd080f6dd82e..d288dbed5f5bc 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1229,10 +1229,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + device_set_wakeup_capable(&vu_dev->vdev.dev, true); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-6.1/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..e70b277f72 --- /dev/null +++ b/queue-6.1/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 0578ca708c1079cd69886cb8b2377cc7685b6c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index e685c12757f4b..1f961944ecc98 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1216,7 +1216,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + if (local->ops->get_ftm_responder_stats) + ret = local->ops->get_ftm_responder_stats(&local->hw, +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-increase-scan_ies_len-for-s1g.patch b/queue-6.1/wifi-mac80211-increase-scan_ies_len-for-s1g.patch new file mode 100644 index 0000000000..df5d77dc25 --- /dev/null +++ b/queue-6.1/wifi-mac80211-increase-scan_ies_len-for-s1g.patch @@ -0,0 +1,65 @@ +From 2a25390356fc836a2343ca90632ee35b71329287 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Aug 2025 18:54:37 +1000 +Subject: wifi: mac80211: increase scan_ies_len for S1G + +From: Lachlan Hodges + +[ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ] + +Currently the S1G capability element is not taken into account +for the scan_ies_len, which leads to a buffer length validation +failure in ieee80211_prep_hw_scan() and subsequent WARN in +__ieee80211_start_scan(). This prevents hw scanning from functioning. +To fix ensure we accommodate for the S1G capability length. + +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 683301d9f5084..7831e412c7b9d 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -945,7 +945,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + int result, i; + enum nl80211_band band; + int channels, max_bitrates; +- bool supp_ht, supp_vht, supp_he, supp_eht; ++ bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; + struct cfg80211_chan_def dflt_chandef = {}; + + if (ieee80211_hw_check(hw, QUEUE_CONTROL) && +@@ -1061,6 +1061,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + supp_vht = false; + supp_he = false; + supp_eht = false; ++ supp_s1g = false; + for (band = 0; band < NUM_NL80211_BANDS; band++) { + struct ieee80211_supported_band *sband; + +@@ -1097,6 +1098,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + max_bitrates = sband->n_bitrates; + supp_ht = supp_ht || sband->ht_cap.ht_supported; + supp_vht = supp_vht || sband->vht_cap.vht_supported; ++ supp_s1g = supp_s1g || sband->s1g_cap.s1g; + + for (i = 0; i < sband->n_iftype_data; i++) { + const struct ieee80211_sband_iftype_data *iftd; +@@ -1219,6 +1221,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + local->scan_ies_len += + 2 + sizeof(struct ieee80211_vht_cap); + ++ if (supp_s1g) ++ local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); ++ + /* + * HE cap element is variable in size - set len to allow max size */ + if (supp_he) { +-- +2.51.0 + diff --git a/queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..4a431ff7d9 --- /dev/null +++ b/queue-6.12/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From b6007a1b9f1084aa7845613809d18af639c61a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 88d1f4b56e4be..a220ac0c8eb83 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -111,7 +111,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch b/queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch new file mode 100644 index 0000000000..2f1ed36b38 --- /dev/null +++ b/queue-6.12/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch @@ -0,0 +1,49 @@ +From e49908478147378ec4434b3b376a54f6ae75202e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 08:01:26 +0000 +Subject: bonding: don't set oif to bond dev when getting NS target destination + +From: Hangbin Liu + +[ Upstream commit a8ba87f04ca9cdec06776ce92dce1395026dc3bb ] + +Unlike IPv4, IPv6 routing strictly requires the source address to be valid +on the outgoing interface. If the NS target is set to a remote VLAN interface, +and the source address is also configured on a VLAN over a bond interface, +setting the oif to the bond device will fail to retrieve the correct +destination route. + +Fix this by not setting the oif to the bond device when retrieving the NS +target destination. This allows the correct destination device (the VLAN +interface) to be determined, so that bond_verify_device_path can return the +proper VLAN tags for sending NS messages. + +Reported-by: David Wilder +Closes: https://lore.kernel.org/netdev/aGOKggdfjv0cApTO@fedora/ +Suggested-by: Jay Vosburgh +Tested-by: David Wilder +Acked-by: Jay Vosburgh +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250916080127.430626-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 952737a98751e..00204e42de2e7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3338,7 +3338,6 @@ static void bond_ns_send_all(struct bonding *bond, struct slave *slave) + /* Find out through which dev should the packet go */ + memset(&fl6, 0, sizeof(struct flowi6)); + fl6.daddr = targets[i]; +- fl6.flowi6_oif = bond->dev->ifindex; + + dst = ip6_route_output(dev_net(bond->dev), NULL, &fl6); + if (dst->error) { +-- +2.51.0 + diff --git a/queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch b/queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch new file mode 100644 index 0000000000..479199535f --- /dev/null +++ b/queue-6.12/bonding-set-random-address-only-when-slaves-already-.patch @@ -0,0 +1,42 @@ +From 32b83eb4c2d1006f68c7962c3353833e9831c0a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 02:43:34 +0000 +Subject: bonding: set random address only when slaves already exist + +From: Hangbin Liu + +[ Upstream commit 35ae4e86292ef7dfe4edbb9942955c884e984352 ] + +After commit 5c3bf6cba791 ("bonding: assign random address if device +address is same as bond"), bonding will erroneously randomize the MAC +address of the first interface added to the bond if fail_over_mac = +follow. + +Correct this by additionally testing for the bond being empty before +randomizing the MAC. + +Fixes: 5c3bf6cba791 ("bonding: assign random address if device address is same as bond") +Reported-by: Qiuling Ren +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250910024336.400253-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 52ff0f9e04e07..952737a98751e 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2117,6 +2117,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len); + } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW && + BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP && ++ bond_has_slaves(bond) && + memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) { + /* Set slave to random address to avoid duplicate mac + * address in later fail over. +-- +2.51.0 + diff --git a/queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch b/queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch new file mode 100644 index 0000000000..36fa965071 --- /dev/null +++ b/queue-6.12/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch @@ -0,0 +1,41 @@ +From aa74e05ae7a20b9b7b6f548aaaa2c921113aff79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 16:53:21 +0100 +Subject: btrfs: fix invalid extref key setup when replaying dentry + +From: Filipe Manana + +[ Upstream commit b62fd63ade7cb573b114972ef8f9fa505be8d74a ] + +The offset for an extref item's key is not the object ID of the parent +dir, otherwise we would not need the extref item and would use plain ref +items. Instead the offset is the result of a hash computation that uses +the object ID of the parent dir and the name associated to the entry. +So fix this by setting the key offset at replay_one_name() to be the +result of calling btrfs_extref_hash(). + +Fixes: 725af92a6251 ("btrfs: Open-code name_in_log_ref in replay_one_name") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index f917fdae7e672..0022ad003791f 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1946,7 +1946,7 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans, + + search_key.objectid = log_key.objectid; + search_key.type = BTRFS_INODE_EXTREF_KEY; +- search_key.offset = key->objectid; ++ search_key.offset = btrfs_extref_hash(key->objectid, name.name, name.len); + ret = backref_in_log(root->log_root, &search_key, key->objectid, &name); + if (ret < 0) { + goto out; +-- +2.51.0 + diff --git a/queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..5753345ca6 --- /dev/null +++ b/queue-6.12/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 927d59c67c1af7ef8107cce783e2ddea87e8d596 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 62933468aaf46..5fc2801ee921c 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -123,8 +123,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5541,7 +5564,7 @@ static void css_release_work_fn(struct work_struct *work) + cgroup_unlock(); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5550,7 +5573,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5685,7 +5708,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5918,7 +5941,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6296,8 +6319,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..b979bd5b83 --- /dev/null +++ b/queue-6.12/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 16cd5b99ea5197e9ac8a13f3e4f35e58f0eb2186 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index a9040c42d2ff9..6e97a5a7daaf9 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4230,8 +4230,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch b/queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch new file mode 100644 index 0000000000..af0ea3d6f6 --- /dev/null +++ b/queue-6.12/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch @@ -0,0 +1,69 @@ +From d3dfa9f4c2caf7321eb94c1c277a4d9a5e5317ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:48:25 +0300 +Subject: dpaa2-switch: fix buffer pool seeding for control traffic + +From: Ioana Ciornei + +[ Upstream commit 2690cb089502b80b905f2abdafd1bf2d54e1abef ] + +Starting with commit c50e7475961c ("dpaa2-switch: Fix error checking in +dpaa2_switch_seed_bp()"), the probing of a second DPSW object errors out +like below. + +fsl_dpaa2_switch dpsw.1: fsl_mc_driver_probe failed: -12 +fsl_dpaa2_switch dpsw.1: probe with driver fsl_dpaa2_switch failed with error -12 + +The aforementioned commit brought to the surface the fact that seeding +buffers into the buffer pool destined for control traffic is not +successful and an access violation recoverable error can be seen in the +MC firmware log: + +[E, qbman_rec_isr:391, QBMAN] QBMAN recoverable event 0x1000000 + +This happens because the driver incorrectly used the ID of the DPBP +object instead of the hardware buffer pool ID when trying to release +buffers into it. + +This is because any DPSW object uses two buffer pools, one managed by +the Linux driver and destined for control traffic packet buffers and the +other one managed by the MC firmware and destined only for offloaded +traffic. And since the buffer pool managed by the MC firmware does not +have an external facing DPBP equivalent, any subsequent DPBP objects +created after the first DPSW will have a DPBP id different to the +underlying hardware buffer ID. + +The issue was not caught earlier because these two numbers can be +identical when all DPBP objects are created before the DPSW objects are. +This is the case when the DPL file is used to describe the entire DPAA2 +object layout and objects are created at boot time and it's also true +for the first DPSW being created dynamically using ls-addsw. + +Fix this by using the buffer pool ID instead of the DPBP id when +releasing buffers into the pool. + +Fixes: 2877e4f7e189 ("staging: dpaa2-switch: setup buffer pool and RX path rings") +Signed-off-by: Ioana Ciornei +Link: https://patch.msgid.link/20250910144825.2416019-1-ioana.ciornei@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index cbd3859ea475b..980daecab8ea3 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2735,7 +2735,7 @@ static int dpaa2_switch_setup_dpbp(struct ethsw_core *ethsw) + dev_err(dev, "dpsw_ctrl_if_set_pools() failed\n"); + goto err_get_attr; + } +- ethsw->bpid = dpbp_attrs.id; ++ ethsw->bpid = dpbp_attrs.bpid; + + return 0; + +-- +2.51.0 + diff --git a/queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..9efd175742 --- /dev/null +++ b/queue-6.12/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From 13f8f045157cbba249009fdcf209c0e44b1111ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index c006f716a3bdb..ca7517a68a2c3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -947,9 +947,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch b/queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch new file mode 100644 index 0000000000..934d05d807 --- /dev/null +++ b/queue-6.12/ice-fix-rx-page-leak-on-multi-buffer-frames.patch @@ -0,0 +1,274 @@ +From 7b8f0200a50dce83f351af259b95fe666d5517e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 16:00:14 -0700 +Subject: ice: fix Rx page leak on multi-buffer frames + +From: Jacob Keller + +[ Upstream commit 84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b ] + +The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each +buffer in the current frame. This function was introduced as part of +handling multi-buffer XDP support in the ice driver. + +It works by iterating over the buffers from first_desc up to 1 plus the +total number of fragments in the frame, cached from before the XDP program +was executed. + +If the hardware posts a descriptor with a size of 0, the logic used in +ice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added +as fragments in ice_add_xdp_frag. Since the buffer isn't counted as a +fragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't +call ice_put_rx_buf(). + +Because we don't call ice_put_rx_buf(), we don't attempt to re-use the +page or free it. This leaves a stale page in the ring, as we don't +increment next_to_alloc. + +The ice_reuse_rx_page() assumes that the next_to_alloc has been incremented +properly, and that it always points to a buffer with a NULL page. Since +this function doesn't check, it will happily recycle a page over the top +of the next_to_alloc buffer, losing track of the old page. + +Note that this leak only occurs for multi-buffer frames. The +ice_put_rx_mbuf() function always handles at least one buffer, so a +single-buffer frame will always get handled correctly. It is not clear +precisely why the hardware hands us descriptors with a size of 0 sometimes, +but it happens somewhat regularly with "jumbo frames" used by 9K MTU. + +To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on +all buffers between first_desc and next_to_clean. Borrow the logic of a +similar function in i40e used for this same purpose. Use the same logic +also in ice_get_pgcnts(). + +Instead of iterating over just the number of fragments, use a loop which +iterates until the current index reaches to the next_to_clean element just +past the current frame. Unlike i40e, the ice_put_rx_mbuf() function does +call ice_put_rx_buf() on the last buffer of the frame indicating the end of +packet. + +For non-linear (multi-buffer) frames, we need to take care when adjusting +the pagecnt_bias. An XDP program might release fragments from the tail of +the frame, in which case that fragment page is already released. Only +update the pagecnt_bias for the first descriptor and fragments still +remaining post-XDP program. Take care to only access the shared info for +fragmented buffers, as this avoids a significant cache miss. + +The xdp_xmit value only needs to be updated if an XDP program is run, and +only once per packet. Drop the xdp_xmit pointer argument from +ice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function +directly. This avoids needing to pass the argument and avoids an extra +bit-wise OR for each buffer in the frame. + +Move the increment of the ntc local variable to ensure its updated *before* +all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic +requires the index of the element just after the current frame. + +Now that we use an index pointer in the ring to identify the packet, we no +longer need to track or cache the number of fragments in the rx_ring. + +Cc: Christoph Petrausch +Cc: Jesper Dangaard Brouer +Reported-by: Jaroslav Pulchart +Closes: https://lore.kernel.org/netdev/CAK8fFZ4hY6GUJNENz3wY9jaYLZXGfpr7dnZxzGMYoE44caRbgw@mail.gmail.com/ +Fixes: 743bbd93cf29 ("ice: put Rx buffers after being done with current frame") +Tested-by: Michal Kubiak +Signed-off-by: Jacob Keller +Acked-by: Jesper Dangaard Brouer +Tested-by: Priya Singh +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++++++++------------- + drivers/net/ethernet/intel/ice/ice_txrx.h | 1 - + 2 files changed, 34 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index cde69f5686656..431a6ed498a4e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -865,10 +865,6 @@ ice_add_xdp_frag(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, + __skb_fill_page_desc_noacc(sinfo, sinfo->nr_frags++, rx_buf->page, + rx_buf->page_offset, size); + sinfo->xdp_frags_size += size; +- /* remember frag count before XDP prog execution; bpf_xdp_adjust_tail() +- * can pop off frags but driver has to handle it on its own +- */ +- rx_ring->nr_frags = sinfo->nr_frags; + + if (page_is_pfmemalloc(rx_buf->page)) + xdp_buff_set_frag_pfmemalloc(xdp); +@@ -939,20 +935,20 @@ ice_get_rx_buf(struct ice_rx_ring *rx_ring, const unsigned int size, + /** + * ice_get_pgcnts - grab page_count() for gathered fragments + * @rx_ring: Rx descriptor ring to store the page counts on ++ * @ntc: the next to clean element (not included in this frame!) + * + * This function is intended to be called right before running XDP + * program so that the page recycling mechanism will be able to take + * a correct decision regarding underlying pages; this is done in such + * way as XDP program can change the refcount of page + */ +-static void ice_get_pgcnts(struct ice_rx_ring *rx_ring) ++static void ice_get_pgcnts(struct ice_rx_ring *rx_ring, unsigned int ntc) + { +- u32 nr_frags = rx_ring->nr_frags + 1; + u32 idx = rx_ring->first_desc; + struct ice_rx_buf *rx_buf; + u32 cnt = rx_ring->count; + +- for (int i = 0; i < nr_frags; i++) { ++ while (idx != ntc) { + rx_buf = &rx_ring->rx_buf[idx]; + rx_buf->pgcnt = page_count(rx_buf->page); + +@@ -1125,62 +1121,51 @@ ice_put_rx_buf(struct ice_rx_ring *rx_ring, struct ice_rx_buf *rx_buf) + } + + /** +- * ice_put_rx_mbuf - ice_put_rx_buf() caller, for all frame frags ++ * ice_put_rx_mbuf - ice_put_rx_buf() caller, for all buffers in frame + * @rx_ring: Rx ring with all the auxiliary data + * @xdp: XDP buffer carrying linear + frags part +- * @xdp_xmit: XDP_TX/XDP_REDIRECT verdict storage +- * @ntc: a current next_to_clean value to be stored at rx_ring ++ * @ntc: the next to clean element (not included in this frame!) + * @verdict: return code from XDP program execution + * +- * Walk through gathered fragments and satisfy internal page +- * recycle mechanism; we take here an action related to verdict +- * returned by XDP program; ++ * Called after XDP program is completed, or on error with verdict set to ++ * ICE_XDP_CONSUMED. ++ * ++ * Walk through buffers from first_desc to the end of the frame, releasing ++ * buffers and satisfying internal page recycle mechanism. The action depends ++ * on verdict from XDP program. + */ + static void ice_put_rx_mbuf(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, +- u32 *xdp_xmit, u32 ntc, u32 verdict) ++ u32 ntc, u32 verdict) + { +- u32 nr_frags = rx_ring->nr_frags + 1; + u32 idx = rx_ring->first_desc; + u32 cnt = rx_ring->count; +- u32 post_xdp_frags = 1; + struct ice_rx_buf *buf; +- int i; ++ u32 xdp_frags = 0; ++ int i = 0; + + if (unlikely(xdp_buff_has_frags(xdp))) +- post_xdp_frags += xdp_get_shared_info_from_buff(xdp)->nr_frags; ++ xdp_frags = xdp_get_shared_info_from_buff(xdp)->nr_frags; + +- for (i = 0; i < post_xdp_frags; i++) { ++ while (idx != ntc) { + buf = &rx_ring->rx_buf[idx]; ++ if (++idx == cnt) ++ idx = 0; + +- if (verdict & (ICE_XDP_TX | ICE_XDP_REDIR)) { ++ /* An XDP program could release fragments from the end of the ++ * buffer. For these, we need to keep the pagecnt_bias as-is. ++ * To do this, only adjust pagecnt_bias for fragments up to ++ * the total remaining after the XDP program has run. ++ */ ++ if (verdict != ICE_XDP_CONSUMED) + ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); +- *xdp_xmit |= verdict; +- } else if (verdict & ICE_XDP_CONSUMED) { ++ else if (i++ <= xdp_frags) + buf->pagecnt_bias++; +- } else if (verdict == ICE_XDP_PASS) { +- ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); +- } + + ice_put_rx_buf(rx_ring, buf); +- +- if (++idx == cnt) +- idx = 0; +- } +- /* handle buffers that represented frags released by XDP prog; +- * for these we keep pagecnt_bias as-is; refcount from struct page +- * has been decremented within XDP prog and we do not have to increase +- * the biased refcnt +- */ +- for (; i < nr_frags; i++) { +- buf = &rx_ring->rx_buf[idx]; +- ice_put_rx_buf(rx_ring, buf); +- if (++idx == cnt) +- idx = 0; + } + + xdp->data = NULL; + rx_ring->first_desc = ntc; +- rx_ring->nr_frags = 0; + } + + /** +@@ -1260,6 +1245,10 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + /* retrieve a buffer from the ring */ + rx_buf = ice_get_rx_buf(rx_ring, size, ntc); + ++ /* Increment ntc before calls to ice_put_rx_mbuf() */ ++ if (++ntc == cnt) ++ ntc = 0; ++ + if (!xdp->data) { + void *hard_start; + +@@ -1268,24 +1257,23 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + xdp_prepare_buff(xdp, hard_start, offset, size, !!offset); + xdp_buff_clear_frags_flag(xdp); + } else if (ice_add_xdp_frag(rx_ring, xdp, rx_buf, size)) { +- ice_put_rx_mbuf(rx_ring, xdp, NULL, ntc, ICE_XDP_CONSUMED); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, ICE_XDP_CONSUMED); + break; + } +- if (++ntc == cnt) +- ntc = 0; + + /* skip if it is NOP desc */ + if (ice_is_non_eop(rx_ring, rx_desc)) + continue; + +- ice_get_pgcnts(rx_ring); ++ ice_get_pgcnts(rx_ring, ntc); + xdp_verdict = ice_run_xdp(rx_ring, xdp, xdp_prog, xdp_ring, rx_desc); + if (xdp_verdict == ICE_XDP_PASS) + goto construct_skb; + total_rx_bytes += xdp_get_buff_len(xdp); + total_rx_pkts++; + +- ice_put_rx_mbuf(rx_ring, xdp, &xdp_xmit, ntc, xdp_verdict); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, xdp_verdict); ++ xdp_xmit |= xdp_verdict & (ICE_XDP_TX | ICE_XDP_REDIR); + + continue; + construct_skb: +@@ -1298,7 +1286,7 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + rx_ring->ring_stats->rx_stats.alloc_buf_failed++; + xdp_verdict = ICE_XDP_CONSUMED; + } +- ice_put_rx_mbuf(rx_ring, xdp, &xdp_xmit, ntc, xdp_verdict); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, xdp_verdict); + + if (!skb) + break; +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index 7eef66f5964a3..a13531c21d4ad 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -357,7 +357,6 @@ struct ice_rx_ring { + struct ice_tx_ring *xdp_ring; + struct ice_rx_ring *next; /* pointer to next ring in q_vector */ + struct xsk_buff_pool *xsk_pool; +- u32 nr_frags; + u16 max_frame; + u16 rx_buf_len; + dma_addr_t dma; /* physical address of ring */ +-- +2.51.0 + diff --git a/queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch b/queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch new file mode 100644 index 0000000000..fa756e828d --- /dev/null +++ b/queue-6.12/ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch @@ -0,0 +1,202 @@ +From 2aa39010e622492c0f45b1c53a5266dbae6d5ad4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Sep 2024 16:07:45 -0700 +Subject: ice: store max_frame and rx_buf_len only in ice_rx_ring + +From: Jacob Keller + +[ Upstream commit 7e61c89c6065731dfc11ac7a2c0dd27a910f2afb ] + +The max_frame and rx_buf_len fields of the VSI set the maximum frame size +for packets on the wire, and configure the size of the Rx buffer. In the +hardware, these are per-queue configuration. Most VSI types use a simple +method to determine the size of the buffers for all queues. + +However, VFs may potentially configure different values for each queue. +While the Linux iAVF driver does not do this, it is allowed by the virtchnl +interface. + +The current virtchnl code simply sets the per-VSI fields inbetween calls to +ice_vsi_cfg_single_rxq(). This technically works, as these fields are only +ever used when programming the Rx ring, and otherwise not checked again. +However, it is confusing to maintain. + +The Rx ring also already has an rx_buf_len field in order to access the +buffer length in the hotpath. It also has extra unused bytes in the ring +structure which we can make use of to store the maximum frame size. + +Drop the VSI max_frame and rx_buf_len fields. Add max_frame to the Rx ring, +and slightly re-order rx_buf_len to better fit into the gaps in the +structure layout. + +Change the ice_vsi_cfg_frame_size function so that it writes to the ring +fields. Call this function once per ring in ice_vsi_cfg_rxqs(). This is +done over calling it inside the ice_vsi_cfg_rxq(), because +ice_vsi_cfg_rxq() is called in the virtchnl flow where the max_frame and +rx_buf_len have already been configured. + +Change the accesses for rx_buf_len and max_frame to all point to the ring +structure. This has the added benefit that ice_vsi_cfg_rxq() no longer has +the surprise side effect of updating ring->rx_buf_len based on the VSI +field. + +Update the virtchnl ice_vc_cfg_qs_msg() function to set the ring values +directly, and drop references to the removed VSI fields. + +This now makes the VF logic clear, as the ring fields are obviously +per-queue. This reduces the required cognitive load when reasoning about +this logic. + +Note that removing the VSI fields does leave a 4 byte gap, but the ice_vsi +structure has many gaps, and its layout is not as critical in the hot path. +The structure may benefit from a more thorough repacking, but no attempt +was made in this change. + +Signed-off-by: Jacob Keller +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Stable-dep-of: 84bf1ac85af8 ("ice: fix Rx page leak on multi-buffer frames") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 3 -- + drivers/net/ethernet/intel/ice/ice_base.c | 34 ++++++++++--------- + drivers/net/ethernet/intel/ice/ice_txrx.h | 3 +- + drivers/net/ethernet/intel/ice/ice_virtchnl.c | 7 ++-- + 4 files changed, 23 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 2960709f6b62c..0e699a0432c5b 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -372,9 +372,6 @@ struct ice_vsi { + spinlock_t arfs_lock; /* protects aRFS hash table and filter state */ + atomic_t *arfs_last_fltr_id; + +- u16 max_frame; +- u16 rx_buf_len; +- + struct ice_aqc_vsi_props info; /* VSI properties */ + struct ice_vsi_vlan_info vlan_info; /* vlan config to be restored */ + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index 4a9a6899fc453..98c3764fed396 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -445,7 +445,7 @@ static int ice_setup_rx_ctx(struct ice_rx_ring *ring) + /* Max packet size for this queue - must not be set to a larger value + * than 5 x DBUF + */ +- rlan_ctx.rxmax = min_t(u32, vsi->max_frame, ++ rlan_ctx.rxmax = min_t(u32, ring->max_frame, + ICE_MAX_CHAINED_RX_BUFS * ring->rx_buf_len); + + /* Rx queue threshold in units of 64 */ +@@ -541,8 +541,6 @@ static int ice_vsi_cfg_rxq(struct ice_rx_ring *ring) + u32 num_bufs = ICE_RX_DESC_UNUSED(ring); + int err; + +- ring->rx_buf_len = ring->vsi->rx_buf_len; +- + if (ring->vsi->type == ICE_VSI_PF || ring->vsi->type == ICE_VSI_SF) { + if (!xdp_rxq_info_is_reg(&ring->xdp_rxq)) { + err = __xdp_rxq_info_reg(&ring->xdp_rxq, ring->netdev, +@@ -641,21 +639,25 @@ int ice_vsi_cfg_single_rxq(struct ice_vsi *vsi, u16 q_idx) + /** + * ice_vsi_cfg_frame_size - setup max frame size and Rx buffer length + * @vsi: VSI ++ * @ring: Rx ring to configure ++ * ++ * Determine the maximum frame size and Rx buffer length to use for a PF VSI. ++ * Set these in the associated Rx ring structure. + */ +-static void ice_vsi_cfg_frame_size(struct ice_vsi *vsi) ++static void ice_vsi_cfg_frame_size(struct ice_vsi *vsi, struct ice_rx_ring *ring) + { + if (!vsi->netdev || test_bit(ICE_FLAG_LEGACY_RX, vsi->back->flags)) { +- vsi->max_frame = ICE_MAX_FRAME_LEGACY_RX; +- vsi->rx_buf_len = ICE_RXBUF_1664; ++ ring->max_frame = ICE_MAX_FRAME_LEGACY_RX; ++ ring->rx_buf_len = ICE_RXBUF_1664; + #if (PAGE_SIZE < 8192) + } else if (!ICE_2K_TOO_SMALL_WITH_PADDING && + (vsi->netdev->mtu <= ETH_DATA_LEN)) { +- vsi->max_frame = ICE_RXBUF_1536 - NET_IP_ALIGN; +- vsi->rx_buf_len = ICE_RXBUF_1536 - NET_IP_ALIGN; ++ ring->max_frame = ICE_RXBUF_1536 - NET_IP_ALIGN; ++ ring->rx_buf_len = ICE_RXBUF_1536 - NET_IP_ALIGN; + #endif + } else { +- vsi->max_frame = ICE_AQ_SET_MAC_FRAME_SIZE_MAX; +- vsi->rx_buf_len = ICE_RXBUF_3072; ++ ring->max_frame = ICE_AQ_SET_MAC_FRAME_SIZE_MAX; ++ ring->rx_buf_len = ICE_RXBUF_3072; + } + } + +@@ -670,15 +672,15 @@ int ice_vsi_cfg_rxqs(struct ice_vsi *vsi) + { + u16 i; + +- if (vsi->type == ICE_VSI_VF) +- goto setup_rings; +- +- ice_vsi_cfg_frame_size(vsi); +-setup_rings: + /* set up individual rings */ + ice_for_each_rxq(vsi, i) { +- int err = ice_vsi_cfg_rxq(vsi->rx_rings[i]); ++ struct ice_rx_ring *ring = vsi->rx_rings[i]; ++ int err; ++ ++ if (vsi->type != ICE_VSI_VF) ++ ice_vsi_cfg_frame_size(vsi, ring); + ++ err = ice_vsi_cfg_rxq(ring); + if (err) + return err; + } +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index 7130992d41779..7eef66f5964a3 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -358,8 +358,9 @@ struct ice_rx_ring { + struct ice_rx_ring *next; /* pointer to next ring in q_vector */ + struct xsk_buff_pool *xsk_pool; + u32 nr_frags; +- dma_addr_t dma; /* physical address of ring */ ++ u16 max_frame; + u16 rx_buf_len; ++ dma_addr_t dma; /* physical address of ring */ + u8 dcb_tc; /* Traffic class of ring */ + u8 ptp_rx; + #define ICE_RX_FLAGS_RING_BUILD_SKB BIT(1) +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +index 87ffd25b268a2..471d64d202b76 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c +@@ -1748,19 +1748,18 @@ static int ice_vc_cfg_qs_msg(struct ice_vf *vf, u8 *msg) + (qpi->rxq.databuffer_size > ((16 * 1024) - 128) || + qpi->rxq.databuffer_size < 1024)) + goto error_param; +- vsi->rx_buf_len = qpi->rxq.databuffer_size; +- ring->rx_buf_len = vsi->rx_buf_len; ++ ring->rx_buf_len = qpi->rxq.databuffer_size; + if (qpi->rxq.max_pkt_size > max_frame_size || + qpi->rxq.max_pkt_size < 64) + goto error_param; + +- vsi->max_frame = qpi->rxq.max_pkt_size; ++ ring->max_frame = qpi->rxq.max_pkt_size; + /* add space for the port VLAN since the VF driver is + * not expected to account for it in the MTU + * calculation + */ + if (ice_vf_is_port_vlan_ena(vf)) +- vsi->max_frame += VLAN_HLEN; ++ ring->max_frame += VLAN_HLEN; + + if (ice_vsi_cfg_single_rxq(vsi, q_idx)) { + dev_warn(ice_pf_to_dev(pf), "VF-%d failed to configure RX queue %d\n", +-- +2.51.0 + diff --git a/queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch b/queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch new file mode 100644 index 0000000000..82fce6f16c --- /dev/null +++ b/queue-6.12/igc-don-t-fail-igc_probe-on-led-setup-error.patch @@ -0,0 +1,108 @@ +From bd63bed57c71644099b052637bea1e8adee59308 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 22:47:21 +0900 +Subject: igc: don't fail igc_probe() on LED setup error + +From: Kohei Enju + +[ Upstream commit 528eb4e19ec0df30d0c9ae4074ce945667dde919 ] + +When igc_led_setup() fails, igc_probe() fails and triggers kernel panic +in free_netdev() since unregister_netdev() is not called. [1] +This behavior can be tested using fault-injection framework, especially +the failslab feature. [2] + +Since LED support is not mandatory, treat LED setup failures as +non-fatal and continue probe with a warning message, consequently +avoiding the kernel panic. + +[1] + kernel BUG at net/core/dev.c:12047! + Oops: invalid opcode: 0000 [#1] SMP NOPTI + CPU: 0 UID: 0 PID: 937 Comm: repro-igc-led-e Not tainted 6.17.0-rc4-enjuk-tnguy-00865-gc4940196ab02 #64 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + RIP: 0010:free_netdev+0x278/0x2b0 + [...] + Call Trace: + + igc_probe+0x370/0x910 + local_pci_probe+0x3a/0x80 + pci_device_probe+0xd1/0x200 + [...] + +[2] + #!/bin/bash -ex + + FAILSLAB_PATH=/sys/kernel/debug/failslab/ + DEVICE=0000:00:05.0 + START_ADDR=$(grep " igc_led_setup" /proc/kallsyms \ + | awk '{printf("0x%s", $1)}') + END_ADDR=$(printf "0x%x" $((START_ADDR + 0x100))) + + echo $START_ADDR > $FAILSLAB_PATH/require-start + echo $END_ADDR > $FAILSLAB_PATH/require-end + echo 1 > $FAILSLAB_PATH/times + echo 100 > $FAILSLAB_PATH/probability + echo N > $FAILSLAB_PATH/ignore-gfp-wait + + echo $DEVICE > /sys/bus/pci/drivers/igc/bind + +Fixes: ea578703b03d ("igc: Add support for LEDs on i225/i226") +Signed-off-by: Kohei Enju +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Vitaly Lifshits +Reviewed-by: Kurt Kanzenbach +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 1 + + drivers/net/ethernet/intel/igc/igc_main.c | 12 +++++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 323db1e2be388..79d5fc5ac4fce 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -336,6 +336,7 @@ struct igc_adapter { + /* LEDs */ + struct mutex led_mutex; + struct igc_led_classdev *leds; ++ bool leds_available; + }; + + void igc_up(struct igc_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index aadc0667fa04a..9ba41a427e141 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -7169,8 +7169,14 @@ static int igc_probe(struct pci_dev *pdev, + + if (IS_ENABLED(CONFIG_IGC_LEDS)) { + err = igc_led_setup(adapter); +- if (err) +- goto err_register; ++ if (err) { ++ netdev_warn_once(netdev, ++ "LED init failed (%d); continuing without LED support\n", ++ err); ++ adapter->leds_available = false; ++ } else { ++ adapter->leds_available = true; ++ } + } + + return 0; +@@ -7226,7 +7232,7 @@ static void igc_remove(struct pci_dev *pdev) + cancel_work_sync(&adapter->watchdog_task); + hrtimer_cancel(&adapter->hrtimer); + +- if (IS_ENABLED(CONFIG_IGC_LEDS)) ++ if (IS_ENABLED(CONFIG_IGC_LEDS) && adapter->leds_available) + igc_led_free(adapter); + + /* Release control of h/w to f/w. If f/w is AMT enabled, this +-- +2.51.0 + diff --git a/queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch b/queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch new file mode 100644 index 0000000000..6181849022 --- /dev/null +++ b/queue-6.12/mptcp-set-remote_deny_join_id0-on-syn-recv.patch @@ -0,0 +1,45 @@ +From d8825196666154e4ecd79e576b938db6216f04c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:20 +0200 +Subject: mptcp: set remote_deny_join_id0 on SYN recv + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 96939cec994070aa5df852c10fad5fc303a97ea3 ] + +When a SYN containing the 'C' flag (deny join id0) was received, this +piece of information was not propagated to the path-manager. + +Even if this flag is mainly set on the server side, a client can also +tell the server it cannot try to establish new subflows to the client's +initial IP address and port. The server's PM should then record such +info when received, and before sending events about the new connection. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index a05f201d194c5..17d1a9d8b0e98 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -888,6 +888,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + + ctx->subflow_id = 1; + owner = mptcp_sk(ctx->conn); ++ ++ if (mp_opt.deny_join_id0) ++ WRITE_ONCE(owner->pm.remote_deny_join_id0, true); ++ + mptcp_pm_new_connection(owner, child, 1); + + /* with OoO packets we can reach here without ingress +-- +2.51.0 + diff --git a/queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch b/queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch new file mode 100644 index 0000000000..3fdfe12b39 --- /dev/null +++ b/queue-6.12/mptcp-tfo-record-deny-join-id0-info.patch @@ -0,0 +1,52 @@ +From bb855294d9be986f55e069c1689c699a76c4bdb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:23 +0200 +Subject: mptcp: tfo: record 'deny join id0' info + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 92da495cb65719583aa06bc946aeb18a10e1e6e2 ] + +When TFO is used, the check to see if the 'C' flag (deny join id0) was +set was bypassed. + +This flag can be set when TFO is used, so the check should also be done +when TFO is used. + +Note that the set_fully_established label is also used when a 4th ACK is +received. In this case, deny_join_id0 will not be set. + +Fixes: dfc8d0603033 ("mptcp: implement delayed seq generation for passive fastopen") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-4-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 7d4718a57bdcc..479a3bfa87aa2 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -985,13 +985,13 @@ static bool check_fully_established(struct mptcp_sock *msk, struct sock *ssk, + return false; + } + +- if (mp_opt->deny_join_id0) +- WRITE_ONCE(msk->pm.remote_deny_join_id0, true); +- + if (unlikely(!READ_ONCE(msk->pm.server_side))) + pr_warn_once("bogus mpc option on established client sk"); + + set_fully_established: ++ if (mp_opt->deny_join_id0) ++ WRITE_ONCE(msk->pm.remote_deny_join_id0, true); ++ + mptcp_data_lock((struct sock *)msk); + __mptcp_subflow_fully_established(msk, subflow, mp_opt); + mptcp_data_unlock((struct sock *)msk); +-- +2.51.0 + diff --git a/queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..17d974892d --- /dev/null +++ b/queue-6.12/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From 774e166ea15e2b2075420b2933782e739ceff458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index de8a6ce86ad7e..12105ffb5dac6 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -126,7 +126,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch b/queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch new file mode 100644 index 0000000000..5d9830b83d --- /dev/null +++ b/queue-6.12/net-mlx5e-harden-uplink-netdev-access-against-device.patch @@ -0,0 +1,155 @@ +From cf00a9167b79ba1fc0e06bda875e14067fb1c144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 15:24:32 +0300 +Subject: net/mlx5e: Harden uplink netdev access against device unbind + +From: Jianbo Liu + +[ Upstream commit 6b4be64fd9fec16418f365c2d8e47a7566e9eba5 ] + +The function mlx5_uplink_netdev_get() gets the uplink netdevice +pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can +be removed and its pointer cleared when unbound from the mlx5_core.eth +driver. This results in a NULL pointer, causing a kernel panic. + + BUG: unable to handle page fault for address: 0000000000001300 + at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core] + Call Trace: + + mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core] + esw_offloads_enable+0x593/0x910 [mlx5_core] + mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core] + mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core] + devlink_nl_eswitch_set_doit+0x60/0xd0 + genl_family_rcv_msg_doit+0xe0/0x130 + genl_rcv_msg+0x183/0x290 + netlink_rcv_skb+0x4b/0xf0 + genl_rcv+0x24/0x40 + netlink_unicast+0x255/0x380 + netlink_sendmsg+0x1f3/0x420 + __sock_sendmsg+0x38/0x60 + __sys_sendto+0x119/0x180 + do_syscall_64+0x53/0x1d0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Ensure the pointer is valid before use by checking it for NULL. If it +is valid, immediately call netdev_hold() to take a reference, and +preventing the netdevice from being freed while it is in use. + +Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Jiri Pirko +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1757939074-617281-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++++++++++++---- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + + .../ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 ++++++++++- + include/linux/mlx5/driver.h | 1 + + 4 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 18ec392d17404..b561358474c4f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1497,12 +1497,21 @@ static const struct mlx5e_profile mlx5e_uplink_rep_profile = { + static int + mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep) + { +- struct mlx5e_priv *priv = netdev_priv(mlx5_uplink_netdev_get(dev)); + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); ++ struct net_device *netdev; ++ struct mlx5e_priv *priv; ++ int err; ++ ++ netdev = mlx5_uplink_netdev_get(dev); ++ if (!netdev) ++ return 0; + ++ priv = netdev_priv(netdev); + rpriv->netdev = priv->netdev; +- return mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, +- rpriv); ++ err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, ++ rpriv); ++ mlx5_uplink_netdev_put(dev, netdev); ++ return err; + } + + static void +@@ -1629,8 +1638,16 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep) + { + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); + struct net_device *netdev = rpriv->netdev; +- struct mlx5e_priv *priv = netdev_priv(netdev); +- void *ppriv = priv->ppriv; ++ struct mlx5e_priv *priv; ++ void *ppriv; ++ ++ if (!netdev) { ++ ppriv = rpriv; ++ goto free_ppriv; ++ } ++ ++ priv = netdev_priv(netdev); ++ ppriv = priv->ppriv; + + if (rep->vport == MLX5_VPORT_UPLINK) { + mlx5e_vport_uplink_rep_unload(rpriv); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index 02a3563f51ad2..d8c304427e2ab 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -733,6 +733,7 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + speed = lksettings.base.speed; + + out: ++ mlx5_uplink_netdev_put(mdev, slave); + return speed; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +index 37d5f445598c7..a7486e6d0d5ef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +@@ -52,7 +52,20 @@ static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) + + static inline struct net_device *mlx5_uplink_netdev_get(struct mlx5_core_dev *mdev) + { +- return mdev->mlx5e_res.uplink_netdev; ++ struct mlx5e_resources *mlx5e_res = &mdev->mlx5e_res; ++ struct net_device *netdev; ++ ++ mutex_lock(&mlx5e_res->uplink_netdev_lock); ++ netdev = mlx5e_res->uplink_netdev; ++ netdev_hold(netdev, &mlx5e_res->tracker, GFP_KERNEL); ++ mutex_unlock(&mlx5e_res->uplink_netdev_lock); ++ return netdev; ++} ++ ++static inline void mlx5_uplink_netdev_put(struct mlx5_core_dev *mdev, ++ struct net_device *netdev) ++{ ++ netdev_put(netdev, &mdev->mlx5e_res.tracker); + } + + struct mlx5_sd; +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index da9749739abde..9a8eb644f6707 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -689,6 +689,7 @@ struct mlx5e_resources { + bool tisn_valid; + } hw_objs; + struct net_device *uplink_netdev; ++ netdevice_tracker tracker; + struct mutex uplink_netdev_lock; + struct mlx5_crypto_dek_priv *dek_priv; + }; +-- +2.51.0 + diff --git a/queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..8570232971 --- /dev/null +++ b/queue-6.12/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From a8b0f43e4877c088575ad220fe1c1925d71b124f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 998586872599b..c692d2e878b2e 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch b/queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch new file mode 100644 index 0000000000..e4ced807aa --- /dev/null +++ b/queue-6.12/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch @@ -0,0 +1,95 @@ +From f829f20e8a6a6fe4ab178be7e99a3e32022b7382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Sep 2025 20:07:44 -0300 +Subject: net/tcp: Fix a NULL pointer dereference when using TCP-AO with + TCP_REPAIR + +From: Anderson Nascimento + +[ Upstream commit 2e7bba08923ebc675b1f0e0e0959e68e53047838 ] + +A NULL pointer dereference can occur in tcp_ao_finish_connect() during a +connect() system call on a socket with a TCP-AO key added and TCP_REPAIR +enabled. + +The function is called with skb being NULL and attempts to dereference it +on tcp_hdr(skb)->seq without a prior skb validation. + +Fix this by checking if skb is NULL before dereferencing it. + +The commentary is taken from bpf_skops_established(), which is also called +in the same flow. Unlike the function being patched, +bpf_skops_established() validates the skb before dereferencing it. + +int main(void){ + struct sockaddr_in sockaddr; + struct tcp_ao_add tcp_ao; + int sk; + int one = 1; + + memset(&sockaddr,'\0',sizeof(sockaddr)); + memset(&tcp_ao,'\0',sizeof(tcp_ao)); + + sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + + sockaddr.sin_family = AF_INET; + + memcpy(tcp_ao.alg_name,"cmac(aes128)",12); + memcpy(tcp_ao.key,"ABCDEFGHABCDEFGH",16); + tcp_ao.keylen = 16; + + memcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr)); + + setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, + sizeof(tcp_ao)); + setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)); + + sockaddr.sin_family = AF_INET; + sockaddr.sin_port = htobe16(123); + + inet_aton("127.0.0.1", &sockaddr.sin_addr); + + connect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr)); + +return 0; +} + +$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall +$ unshare -Urn + +BUG: kernel NULL pointer dereference, address: 00000000000000b6 +PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0 +Oops: Oops: 0000 [#1] SMP NOPTI +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop +Reference Platform, BIOS 6.00 11/12/2020 +RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182) + +Fixes: 7c2ffaf21bd6 ("net/tcp: Calculate TCP-AO traffic keys") +Signed-off-by: Anderson Nascimento +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250911230743.2551-3-anderson@allelesecurity.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ao.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c +index bbb8d5f0eae7d..3338b6cc85c48 100644 +--- a/net/ipv4/tcp_ao.c ++++ b/net/ipv4/tcp_ao.c +@@ -1178,7 +1178,9 @@ void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb) + if (!ao) + return; + +- WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); ++ /* sk with TCP_REPAIR_ON does not have skb in tcp_finish_connect */ ++ if (skb) ++ WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); + ao->rcv_sne = 0; + + hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) +-- +2.51.0 + diff --git a/queue-6.12/nvme-fix-pi-insert-on-write.patch b/queue-6.12/nvme-fix-pi-insert-on-write.patch new file mode 100644 index 0000000000..aaec929a89 --- /dev/null +++ b/queue-6.12/nvme-fix-pi-insert-on-write.patch @@ -0,0 +1,94 @@ +From e80b6c133925e67c75e0ad1a2cd8fa7193574265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:32:49 +0200 +Subject: nvme: fix PI insert on write + +From: Christoph Hellwig + +[ Upstream commit 7ac3c2889bc060c3f67cf44df0dbb093a835c176 ] + +I recently ran into an issue where the PI generated using the block layer +integrity code differs from that from a kernel using the PRACT fallback +when the block layer integrity code is disabled, and I tracked this down +to us using PRACT incorrectly. + +The NVM Command Set Specification (section 5.33 in 1.2, similar in older +versions) specifies the PRACT insert behavior as: + + Inserted protection information consists of the computed CRC for the + protection information format (refer to section 5.3.1) in the Guard + field, the LBAT field value in the Application Tag field, the LBST + field value in the Storage Tag field, if defined, and the computed + reference tag in the Logical Block Reference Tag. + +Where the computed reference tag is defined as following for type 1 and +type 2 using the text below that is duplicated in the respective bullet +points: + + the value of the computed reference tag for the first logical block of + the command is the value contained in the Initial Logical Block + Reference Tag (ILBRT) or Expected Initial Logical Block Reference Tag + (EILBRT) field in the command, and the computed reference tag is + incremented for each subsequent logical block. + +So we need to set ILBRT field, but we currently don't. Interestingly +this works fine on my older type 1 formatted SSD, but Qemu trips up on +this. We already set ILBRT for Write Same since commit aeb7bb061be5 +("nvme: set the PRACT bit when using Write Zeroes with T10 PI"). + +To ease this, move the PI type check into nvme_set_ref_tag. + +Reviewed-by: Martin K. Petersen +Signed-off-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9e223574db7f7..24d82d35041b5 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -890,6 +890,15 @@ static void nvme_set_ref_tag(struct nvme_ns *ns, struct nvme_command *cmnd, + u32 upper, lower; + u64 ref48; + ++ /* only type1 and type 2 PI formats have a reftag */ ++ switch (ns->head->pi_type) { ++ case NVME_NS_DPS_PI_TYPE1: ++ case NVME_NS_DPS_PI_TYPE2: ++ break; ++ default: ++ return; ++ } ++ + /* both rw and write zeroes share the same reftag format */ + switch (ns->head->guard_type) { + case NVME_NVM_NS_16B_GUARD: +@@ -929,13 +938,7 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns, + + if (nvme_ns_has_pi(ns->head)) { + cmnd->write_zeroes.control |= cpu_to_le16(NVME_RW_PRINFO_PRACT); +- +- switch (ns->head->pi_type) { +- case NVME_NS_DPS_PI_TYPE1: +- case NVME_NS_DPS_PI_TYPE2: +- nvme_set_ref_tag(ns, cmnd, req); +- break; +- } ++ nvme_set_ref_tag(ns, cmnd, req); + } + + return BLK_STS_OK; +@@ -1014,6 +1017,7 @@ static inline blk_status_t nvme_setup_rw(struct nvme_ns *ns, + if (WARN_ON_ONCE(!nvme_ns_has_pi(ns->head))) + return BLK_STS_NOTSUPP; + control |= NVME_RW_PRINFO_PRACT; ++ nvme_set_ref_tag(ns, cmnd, req); + } + + switch (ns->head->pi_type) { +-- +2.51.0 + diff --git a/queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch b/queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch new file mode 100644 index 0000000000..4de684c9a6 --- /dev/null +++ b/queue-6.12/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch @@ -0,0 +1,55 @@ +From 82a82949027011bbc7300f6b8fb63c81a37292f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 06:32:07 -0700 +Subject: octeon_ep: fix VF MAC address lifecycle handling + +From: Sathesh B Edara + +[ Upstream commit a72175c985132885573593222a7b088cf49b07ae ] + +Currently, VF MAC address info is not updated when the MAC address is +configured from VF, and it is not cleared when the VF is removed. This +leads to stale or missing MAC information in the PF, which may cause +incorrect state tracking or inconsistencies when VFs are hot-plugged +or reassigned. + +Fix this by: + - storing the VF MAC address in the PF when it is set from VF + - clearing the stored VF MAC address when the VF is removed + +This ensures that the PF always has correct VF MAC state. + +Fixes: cde29af9e68e ("octeon_ep: add PF-VF mailbox communication") +Signed-off-by: Sathesh B Edara +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250916133207.21737-1-sedara@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c b/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c +index e6eb98d70f3c4..6334b68f28d79 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c +@@ -177,6 +177,7 @@ static void octep_pfvf_get_mac_addr(struct octep_device *oct, u32 vf_id, + dev_err(&oct->pdev->dev, "Get VF MAC address failed via host control Mbox\n"); + return; + } ++ ether_addr_copy(oct->vf_info[vf_id].mac_addr, rsp->s_set_mac.mac_addr); + rsp->s_set_mac.type = OCTEP_PFVF_MBOX_TYPE_RSP_ACK; + } + +@@ -186,6 +187,8 @@ static void octep_pfvf_dev_remove(struct octep_device *oct, u32 vf_id, + { + int err; + ++ /* Reset VF-specific information maintained by the PF */ ++ memset(&oct->vf_info[vf_id], 0, sizeof(struct octep_pfvf_info)); + err = octep_ctrl_net_dev_remove(oct, vf_id); + if (err) { + rsp->s.type = OCTEP_PFVF_MBOX_TYPE_RSP_NACK; +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch b/queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch new file mode 100644 index 0000000000..eccfbf2870 --- /dev/null +++ b/queue-6.12/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch @@ -0,0 +1,126 @@ +From 58015432fe36cba7c5e650e8e672da75c02792e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 14:38:53 +0800 +Subject: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() + +From: Duoming Zhou + +[ Upstream commit f8b4687151021db61841af983f1cb7be6915d4ef ] + +The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), +which does not ensure that the delayed work item synctstamp_work has fully +completed if it was already running. This leads to use-after-free scenarios +where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work +remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp(). +Furthermore, the synctstamp_work is cyclic, the likelihood of triggering +the bug is nonnegligible. + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +otx2_remove() | + otx2_ptp_destroy() | otx2_sync_tstamp() + cancel_delayed_work() | + kfree(ptp) | + | ptp = container_of(...); //UAF + | ptp-> //UAF + +This is confirmed by a KASAN report: + +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff88800aa09a18 by task bash/136 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? __pfx_read_tsc+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + run_timer_softirq+0xd1/0x190 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... +Allocated by task 1: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + otx2_ptp_init+0xb1/0x860 + otx2_probe+0x4eb/0xc30 + local_pci_probe+0xdc/0x190 + pci_device_probe+0x2fe/0x470 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __driver_attach+0xd2/0x310 + bus_for_each_dev+0xed/0x170 + bus_add_driver+0x208/0x500 + driver_register+0x132/0x460 + do_one_initcall+0x89/0x300 + kernel_init_freeable+0x40d/0x720 + kernel_init+0x1a/0x150 + ret_from_fork+0x10c/0x1a0 + ret_from_fork_asm+0x1a/0x30 + +Freed by task 136: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + otx2_ptp_destroy+0x38/0x80 + otx2_remove+0x10d/0x4c0 + pci_device_remove+0xa6/0x1d0 + device_release_driver_internal+0xf8/0x210 + pci_stop_bus_device+0x105/0x150 + pci_stop_and_remove_bus_device_locked+0x15/0x30 + remove_store+0xcc/0xe0 + kernfs_fop_write_iter+0x2c3/0x440 + vfs_write+0x871/0xd70 + ksys_write+0xee/0x1c0 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the delayed work item is properly canceled before the otx2_ptp is +deallocated. + +This bug was initially identified through static analysis. To reproduce +and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced +artificial delays within the otx2_sync_tstamp() function to increase the +likelihood of triggering the bug. + +Fixes: 2958d17a8984 ("octeontx2-pf: Add support for ptp 1-step mode on CN10K silicon") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +index 63130ba37e9df..69b435ed8fbbe 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +@@ -491,7 +491,7 @@ void otx2_ptp_destroy(struct otx2_nic *pfvf) + if (!ptp) + return; + +- cancel_delayed_work(&pfvf->ptp->synctstamp_work); ++ cancel_delayed_work_sync(&pfvf->ptp->synctstamp_work); + + ptp_clock_unregister(ptp->ptp_clock); + kfree(ptp); +-- +2.51.0 + diff --git a/queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..7bf8cc36fd --- /dev/null +++ b/queue-6.12/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From 48c0c903f896fb7af5ad032e839de0b5b239e592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index 5b639c942f17a..a2f50db2b8bab 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -304,7 +304,13 @@ static void __exit omap_cf_remove(struct platform_device *pdev) + kfree(cf); + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..c46672b16d --- /dev/null +++ b/queue-6.12/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From 38857443e2dd3807d79760cfe37117d5131663d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index f67be4b8ad435..523cbd91baf49 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4461,10 +4461,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..1dd7131ef8 --- /dev/null +++ b/queue-6.12/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From f572355bcd817072f1ca6ddeb8483d7f803a0813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 6176457b846bc..de2327ffb0f78 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -135,8 +135,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (up) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch b/queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch new file mode 100644 index 0000000000..86aec806da --- /dev/null +++ b/queue-6.12/selftests-mptcp-sockopt-fix-error-messages.patch @@ -0,0 +1,77 @@ +From 762f1158cf3804b6033a4a0ea121febc3751256d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:24 +0200 +Subject: selftests: mptcp: sockopt: fix error messages + +From: Geliang Tang + +[ Upstream commit b86418beade11d45540a2d20c4ec1128849b6c27 ] + +This patch fixes several issues in the error reporting of the MPTCP sockopt +selftest: + +1. Fix diff not printed: The error messages for counter mismatches had + the actual difference ('diff') as argument, but it was missing in the + format string. Displaying it makes the debugging easier. + +2. Fix variable usage: The error check for 'mptcpi_bytes_acked' incorrectly + used 'ret2' (sent bytes) for both the expected value and the difference + calculation. It now correctly uses 'ret' (received bytes), which is the + expected value for bytes_acked. + +3. Fix off-by-one in diff: The calculation for the 'mptcpi_rcv_delta' diff + was 's.mptcpi_rcv_delta - ret', which is off-by-one. It has been + corrected to 's.mptcpi_rcv_delta - (ret + 1)' to match the expected + value in the condition above it. + +Fixes: 5dcff89e1455 ("selftests: mptcp: explicitly tests aggregate counters") +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-5-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +index 926b0be87c990..1dc2bd6ee4a50 100644 +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +@@ -658,22 +658,26 @@ static void process_one_client(int fd, int pipefd) + + do_getsockopts(&s, fd, ret, ret2); + if (s.mptcpi_rcv_delta != (uint64_t)ret + 1) +- xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64, s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - ret); ++ xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64 ", diff %" PRId64, ++ s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - (ret + 1)); + + /* be nice when running on top of older kernel */ + if (s.pkt_stats_avail) { + if (s.last_sample.mptcpi_bytes_sent != ret2) +- xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_sent, ret2, + s.last_sample.mptcpi_bytes_sent - ret2); + if (s.last_sample.mptcpi_bytes_received != ret) +- xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_received, ret, + s.last_sample.mptcpi_bytes_received - ret); + if (s.last_sample.mptcpi_bytes_acked != ret) +- xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64, +- s.last_sample.mptcpi_bytes_acked, ret2, +- s.last_sample.mptcpi_bytes_acked - ret2); ++ xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, ++ s.last_sample.mptcpi_bytes_acked, ret, ++ s.last_sample.mptcpi_bytes_acked - ret); + } + + close(fd); +-- +2.51.0 + diff --git a/queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch b/queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch new file mode 100644 index 0000000000..bc80a99448 --- /dev/null +++ b/queue-6.12/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch @@ -0,0 +1,99 @@ +From 5ce3378e212531dd84e788ff1ed2514a5a0663e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:22 +0200 +Subject: selftests: mptcp: userspace pm: validate deny-join-id0 flag + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 24733e193a0d68f20d220e86da0362460c9aa812 ] + +The previous commit adds the MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 flag. Make +sure it is correctly announced by the other peer when it has been +received. + +pm_nl_ctl will now display 'deny_join_id0:1' when monitoring the events, +and when this flag was set by the other peer. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-3-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++++++++++--- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +index 994a556f46c15..93fea3442216c 100644 +--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c ++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +@@ -188,6 +188,13 @@ static int capture_events(int fd, int event_group) + fprintf(stderr, ",error:%u", *(__u8 *)RTA_DATA(attrs)); + else if (attrs->rta_type == MPTCP_ATTR_SERVER_SIDE) + fprintf(stderr, ",server_side:%u", *(__u8 *)RTA_DATA(attrs)); ++ else if (attrs->rta_type == MPTCP_ATTR_FLAGS) { ++ __u16 flags = *(__u16 *)RTA_DATA(attrs); ++ ++ /* only print when present, easier */ ++ if (flags & MPTCP_PM_EV_FLAG_DENY_JOIN_ID0) ++ fprintf(stderr, ",deny_join_id0:1"); ++ } + + attrs = RTA_NEXT(attrs, msg_len); + } +diff --git a/tools/testing/selftests/net/mptcp/userspace_pm.sh b/tools/testing/selftests/net/mptcp/userspace_pm.sh +index 3651f73451cf8..cc682bf675b2b 100755 +--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh ++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh +@@ -173,6 +173,9 @@ make_connection() + is_v6="v4" + fi + ++ # set this on the client side only: will not affect the rest ++ ip netns exec "$ns2" sysctl -q net.mptcp.allow_join_initial_addr_port=0 ++ + :>"$client_evts" + :>"$server_evts" + +@@ -195,23 +198,28 @@ make_connection() + local client_token + local client_port + local client_serverside ++ local client_nojoin + local server_token + local server_serverside ++ local server_nojoin + + client_token=$(mptcp_lib_evts_get_info token "$client_evts") + client_port=$(mptcp_lib_evts_get_info sport "$client_evts") + client_serverside=$(mptcp_lib_evts_get_info server_side "$client_evts") ++ client_nojoin=$(mptcp_lib_evts_get_info deny_join_id0 "$client_evts") + server_token=$(mptcp_lib_evts_get_info token "$server_evts") + server_serverside=$(mptcp_lib_evts_get_info server_side "$server_evts") ++ server_nojoin=$(mptcp_lib_evts_get_info deny_join_id0 "$server_evts") + + print_test "Established IP${is_v6} MPTCP Connection ns2 => ns1" +- if [ "$client_token" != "" ] && [ "$server_token" != "" ] && [ "$client_serverside" = 0 ] && +- [ "$server_serverside" = 1 ] ++ if [ "${client_token}" != "" ] && [ "${server_token}" != "" ] && ++ [ "${client_serverside}" = 0 ] && [ "${server_serverside}" = 1 ] && ++ [ "${client_nojoin:-0}" = 0 ] && [ "${server_nojoin:-0}" = 1 ] + then + test_pass + print_title "Connection info: ${client_addr}:${client_port} -> ${connect_addr}:${app_port}" + else +- test_fail "Expected tokens (c:${client_token} - s:${server_token}) and server (c:${client_serverside} - s:${server_serverside})" ++ test_fail "Expected tokens (c:${client_token} - s:${server_token}), server (c:${client_serverside} - s:${server_serverside}), nojoin (c:${client_nojoin} - s:${server_nojoin})" + mptcp_lib_result_print_all_tap + exit ${KSFT_FAIL} + fi +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..1756723818 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,32 @@ +wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch +nvme-fix-pi-insert-on-write.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-increase-scan_ies_len-for-s1g.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +um-fix-fd-copy-size-in-os_rcv_fd_msg.patch +dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch +net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +bonding-set-random-address-only-when-slaves-already-.patch +mptcp-set-remote_deny_join_id0-on-syn-recv.patch +selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch +mptcp-tfo-record-deny-join-id0-info.patch +selftests-mptcp-sockopt-fix-error-messages.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +ice-store-max_frame-and-rx_buf_len-only-in-ice_rx_ri.patch +ice-fix-rx-page-leak-on-multi-buffer-frames.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +igc-don-t-fail-igc_probe-on-led-setup-error.patch +net-mlx5e-harden-uplink-netdev-access-against-device.patch +bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch +octeon_ep-fix-vf-mac-address-lifecycle-handling.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch +octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch diff --git a/queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..d4b06debe3 --- /dev/null +++ b/queue-6.12/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From 7c45dab0e4a5f5b75f7939937c451f42da7bd913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 156da81bce068..988992ff898b3 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3286,6 +3286,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + if (old_state != TCP_CLOSE) +@@ -3400,6 +3401,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet_clear_bit(DEFER_CONNECT, sk); + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch b/queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch new file mode 100644 index 0000000000..4f6e778ef4 --- /dev/null +++ b/queue-6.12/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch @@ -0,0 +1,112 @@ +From 322f730e1f4112d39702b23affba4f2e3dd65c2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 17:28:13 -0700 +Subject: tls: make sure to abort the stream if headers are bogus + +From: Jakub Kicinski + +[ Upstream commit 0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d ] + +Normally we wait for the socket to buffer up the whole record +before we service it. If the socket has a tiny buffer, however, +we read out the data sooner, to prevent connection stalls. +Make sure that we abort the connection when we find out late +that the record is actually invalid. Retrying the parsing is +fine in itself but since we copy some more data each time +before we parse we can overflow the allocated skb space. + +Constructing a scenario in which we're under pressure without +enough data in the socket to parse the length upfront is quite +hard. syzbot figured out a way to do this by serving us the header +in small OOB sends, and then filling in the recvbuf with a large +normal send. + +Make sure that tls_rx_msg_size() aborts strp, if we reach +an invalid record there's really no way to recover. + +Reported-by: Lee Jones +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Reviewed-by: Sabrina Dubroca +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20250917002814.1743558-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls.h | 1 + + net/tls/tls_strp.c | 14 +++++++++----- + net/tls/tls_sw.c | 3 +-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/net/tls/tls.h b/net/tls/tls.h +index e1eaf12b37426..fca0c0e170047 100644 +--- a/net/tls/tls.h ++++ b/net/tls/tls.h +@@ -141,6 +141,7 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx); + + int wait_on_pending_writer(struct sock *sk, long *timeo); + void tls_err_abort(struct sock *sk, int err); ++void tls_strp_abort_strp(struct tls_strparser *strp, int err); + + int init_prot_info(struct tls_prot_info *prot, + const struct tls_crypto_info *crypto_info, +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index d71643b494a1a..98e12f0ff57e5 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -13,7 +13,7 @@ + + static struct workqueue_struct *tls_strp_wq; + +-static void tls_strp_abort_strp(struct tls_strparser *strp, int err) ++void tls_strp_abort_strp(struct tls_strparser *strp, int err) + { + if (strp->stopped) + return; +@@ -211,11 +211,17 @@ static int tls_strp_copyin_frag(struct tls_strparser *strp, struct sk_buff *skb, + struct sk_buff *in_skb, unsigned int offset, + size_t in_len) + { ++ unsigned int nfrag = skb->len / PAGE_SIZE; + size_t len, chunk; + skb_frag_t *frag; + int sz; + +- frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE]; ++ if (unlikely(nfrag >= skb_shinfo(skb)->nr_frags)) { ++ DEBUG_NET_WARN_ON_ONCE(1); ++ return -EMSGSIZE; ++ } ++ ++ frag = &skb_shinfo(skb)->frags[nfrag]; + + len = in_len; + /* First make sure we got the header */ +@@ -520,10 +526,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { + sz = tls_rx_msg_size(strp, strp->anchor); +- if (sz < 0) { +- tls_strp_abort_strp(strp, sz); ++ if (sz < 0) + return sz; +- } + + strp->stm.full_len = sz; + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index ee92ce3255f93..f46550b96061e 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2440,8 +2440,7 @@ int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb) + return data_len + TLS_HEADER_SIZE; + + read_failure: +- tls_err_abort(strp->sk, ret); +- ++ tls_strp_abort_strp(strp, ret); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch b/queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch new file mode 100644 index 0000000000..a81759075d --- /dev/null +++ b/queue-6.12/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch @@ -0,0 +1,36 @@ +From 8eead82becf7e25b1e320ee39d08046f6412d259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 08:27:15 +0800 +Subject: um: Fix FD copy size in os_rcv_fd_msg() + +From: Tiwei Bie + +[ Upstream commit df447a3b4a4b961c9979b4b3ffb74317394b9b40 ] + +When copying FDs, the copy size should not include the control +message header (cmsghdr). Fix it. + +Fixes: 5cde6096a4dd ("um: generalize os_rcv_fd") +Signed-off-by: Tiwei Bie +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/os-Linux/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/os-Linux/file.c b/arch/um/os-Linux/file.c +index f1d03cf3957fe..62c176a2c1ac4 100644 +--- a/arch/um/os-Linux/file.c ++++ b/arch/um/os-Linux/file.c +@@ -556,7 +556,7 @@ ssize_t os_rcv_fd_msg(int fd, int *fds, unsigned int n_fds, + cmsg->cmsg_type != SCM_RIGHTS) + return n; + +- memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len); ++ memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len - CMSG_LEN(0)); + return n; + } + +-- +2.51.0 + diff --git a/queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..f4ce2ac23e --- /dev/null +++ b/queue-6.12/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From ab8389f71a24ddb4d63b899c0fb0fd0d7c0c9624 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index 2b6e701776b6b..e2cba5117fd25 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1231,10 +1231,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + device_set_wakeup_capable(&vu_dev->vdev.dev, true); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..12524d7488 --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 85f562c264f2ecef4b0bb7bdedd6031717e0d136 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index d1c10f5f95160..69de9fdd779f2 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1388,7 +1388,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + might_sleep(); + lockdep_assert_wiphy(local->hw.wiphy); +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch b/queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch new file mode 100644 index 0000000000..1b72e48e2c --- /dev/null +++ b/queue-6.12/wifi-mac80211-increase-scan_ies_len-for-s1g.patch @@ -0,0 +1,65 @@ +From 3829de569726fc1c624e36a0e688700e6560c9f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Aug 2025 18:54:37 +1000 +Subject: wifi: mac80211: increase scan_ies_len for S1G + +From: Lachlan Hodges + +[ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ] + +Currently the S1G capability element is not taken into account +for the scan_ies_len, which leads to a buffer length validation +failure in ieee80211_prep_hw_scan() and subsequent WARN in +__ieee80211_start_scan(). This prevents hw scanning from functioning. +To fix ensure we accommodate for the S1G capability length. + +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index caedc939eea19..c745de0aae776 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1120,7 +1120,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + int result, i; + enum nl80211_band band; + int channels, max_bitrates; +- bool supp_ht, supp_vht, supp_he, supp_eht; ++ bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; + struct cfg80211_chan_def dflt_chandef = {}; + + if (ieee80211_hw_check(hw, QUEUE_CONTROL) && +@@ -1236,6 +1236,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + supp_vht = false; + supp_he = false; + supp_eht = false; ++ supp_s1g = false; + for (band = 0; band < NUM_NL80211_BANDS; band++) { + const struct ieee80211_sband_iftype_data *iftd; + struct ieee80211_supported_band *sband; +@@ -1283,6 +1284,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + max_bitrates = sband->n_bitrates; + supp_ht = supp_ht || sband->ht_cap.ht_supported; + supp_vht = supp_vht || sband->vht_cap.vht_supported; ++ supp_s1g = supp_s1g || sband->s1g_cap.s1g; + + for_each_sband_iftype_data(sband, i, iftd) { + u8 he_40_mhz_cap; +@@ -1411,6 +1413,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + local->scan_ies_len += + 2 + sizeof(struct ieee80211_vht_cap); + ++ if (supp_s1g) ++ local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); ++ + /* + * HE cap element is variable in size - set len to allow max size */ + if (supp_he) { +-- +2.51.0 + diff --git a/queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch b/queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch new file mode 100644 index 0000000000..e198b1e333 --- /dev/null +++ b/queue-6.12/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch @@ -0,0 +1,155 @@ +From a60a47c24337ee0c1cb4ba0e7d382f25fcabd359 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 22:58:43 +0000 +Subject: wifi: wilc1000: avoid buffer overflow in WID string configuration + +From: Ajay.Kathat@microchip.com + +[ Upstream commit fe9e4d0c39311d0f97b024147a0d155333f388b5 ] + +Fix the following copy overflow warning identified by Smatch checker. + + drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() + error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537) + +This patch introduces size check before accessing the memory buffer. +The checks are base on the WID type of received data from the firmware. +For WID string configuration, the size limit is determined by individual +element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field +of 'struct wilc_cfg_str'. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-wireless/aLFbr9Yu9j_TQTey@stanley.mountain +Suggested-by: Dan Carpenter +Signed-off-by: Ajay Singh +Link: https://patch.msgid.link/20250829225829.5423-1-ajay.kathat@microchip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/microchip/wilc1000/wlan_cfg.c | 37 ++++++++++++++----- + .../wireless/microchip/wilc1000/wlan_cfg.h | 5 ++- + 2 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +index 131388886acbf..cfabd5aebb540 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +@@ -41,10 +41,10 @@ static const struct wilc_cfg_word g_cfg_word[] = { + }; + + static const struct wilc_cfg_str g_cfg_str[] = { +- {WID_FIRMWARE_VERSION, NULL}, +- {WID_MAC_ADDR, NULL}, +- {WID_ASSOC_RES_INFO, NULL}, +- {WID_NIL, NULL} ++ {WID_FIRMWARE_VERSION, 0, NULL}, ++ {WID_MAC_ADDR, 0, NULL}, ++ {WID_ASSOC_RES_INFO, 0, NULL}, ++ {WID_NIL, 0, NULL} + }; + + #define WILC_RESP_MSG_TYPE_CONFIG_REPLY 'R' +@@ -147,44 +147,58 @@ static void wilc_wlan_parse_response_frame(struct wilc *wl, u8 *info, int size) + + switch (FIELD_GET(WILC_WID_TYPE, wid)) { + case WID_CHAR: ++ len = 3; ++ if (len + 2 > size) ++ return; ++ + while (cfg->b[i].id != WID_NIL && cfg->b[i].id != wid) + i++; + + if (cfg->b[i].id == wid) + cfg->b[i].val = info[4]; + +- len = 3; + break; + + case WID_SHORT: ++ len = 4; ++ if (len + 2 > size) ++ return; ++ + while (cfg->hw[i].id != WID_NIL && cfg->hw[i].id != wid) + i++; + + if (cfg->hw[i].id == wid) + cfg->hw[i].val = get_unaligned_le16(&info[4]); + +- len = 4; + break; + + case WID_INT: ++ len = 6; ++ if (len + 2 > size) ++ return; ++ + while (cfg->w[i].id != WID_NIL && cfg->w[i].id != wid) + i++; + + if (cfg->w[i].id == wid) + cfg->w[i].val = get_unaligned_le32(&info[4]); + +- len = 6; + break; + + case WID_STR: ++ len = 2 + get_unaligned_le16(&info[2]); ++ + while (cfg->s[i].id != WID_NIL && cfg->s[i].id != wid) + i++; + +- if (cfg->s[i].id == wid) ++ if (cfg->s[i].id == wid) { ++ if (len > cfg->s[i].len || (len + 2 > size)) ++ return; ++ + memcpy(cfg->s[i].str, &info[2], +- get_unaligned_le16(&info[2]) + 2); ++ len); ++ } + +- len = 2 + get_unaligned_le16(&info[2]); + break; + + default: +@@ -384,12 +398,15 @@ int wilc_wlan_cfg_init(struct wilc *wl) + /* store the string cfg parameters */ + wl->cfg.s[i].id = WID_FIRMWARE_VERSION; + wl->cfg.s[i].str = str_vals->firmware_version; ++ wl->cfg.s[i].len = sizeof(str_vals->firmware_version); + i++; + wl->cfg.s[i].id = WID_MAC_ADDR; + wl->cfg.s[i].str = str_vals->mac_address; ++ wl->cfg.s[i].len = sizeof(str_vals->mac_address); + i++; + wl->cfg.s[i].id = WID_ASSOC_RES_INFO; + wl->cfg.s[i].str = str_vals->assoc_rsp; ++ wl->cfg.s[i].len = sizeof(str_vals->assoc_rsp); + i++; + wl->cfg.s[i].id = WID_NIL; + wl->cfg.s[i].str = NULL; +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +index 7038b74f8e8ff..5ae74bced7d74 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +@@ -24,12 +24,13 @@ struct wilc_cfg_word { + + struct wilc_cfg_str { + u16 id; ++ u16 len; + u8 *str; + }; + + struct wilc_cfg_str_vals { +- u8 mac_address[7]; +- u8 firmware_version[129]; ++ u8 mac_address[8]; ++ u8 firmware_version[130]; + u8 assoc_rsp[WILC_MAX_ASSOC_RESP_FRAME_SIZE]; + }; + +-- +2.51.0 + diff --git a/queue-6.16/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-6.16/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..2ffdae68a1 --- /dev/null +++ b/queue-6.16/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From c4d95feb9fe64d8801ec4aa3a61fec618d05e02c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 88d1f4b56e4be..a220ac0c8eb83 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -111,7 +111,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-6.16/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch b/queue-6.16/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch new file mode 100644 index 0000000000..1044ac9564 --- /dev/null +++ b/queue-6.16/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch @@ -0,0 +1,49 @@ +From 1a8d25a84d7dfb35640a6c1f803693c5b33cc832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 08:01:26 +0000 +Subject: bonding: don't set oif to bond dev when getting NS target destination + +From: Hangbin Liu + +[ Upstream commit a8ba87f04ca9cdec06776ce92dce1395026dc3bb ] + +Unlike IPv4, IPv6 routing strictly requires the source address to be valid +on the outgoing interface. If the NS target is set to a remote VLAN interface, +and the source address is also configured on a VLAN over a bond interface, +setting the oif to the bond device will fail to retrieve the correct +destination route. + +Fix this by not setting the oif to the bond device when retrieving the NS +target destination. This allows the correct destination device (the VLAN +interface) to be determined, so that bond_verify_device_path can return the +proper VLAN tags for sending NS messages. + +Reported-by: David Wilder +Closes: https://lore.kernel.org/netdev/aGOKggdfjv0cApTO@fedora/ +Suggested-by: Jay Vosburgh +Tested-by: David Wilder +Acked-by: Jay Vosburgh +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250916080127.430626-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index e413340be2bff..e23195dd74776 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3339,7 +3339,6 @@ static void bond_ns_send_all(struct bonding *bond, struct slave *slave) + /* Find out through which dev should the packet go */ + memset(&fl6, 0, sizeof(struct flowi6)); + fl6.daddr = targets[i]; +- fl6.flowi6_oif = bond->dev->ifindex; + + dst = ip6_route_output(dev_net(bond->dev), NULL, &fl6); + if (dst->error) { +-- +2.51.0 + diff --git a/queue-6.16/bonding-set-random-address-only-when-slaves-already-.patch b/queue-6.16/bonding-set-random-address-only-when-slaves-already-.patch new file mode 100644 index 0000000000..20706a669f --- /dev/null +++ b/queue-6.16/bonding-set-random-address-only-when-slaves-already-.patch @@ -0,0 +1,42 @@ +From ee4dd737079778582981c10216e4b3c1945325be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 02:43:34 +0000 +Subject: bonding: set random address only when slaves already exist + +From: Hangbin Liu + +[ Upstream commit 35ae4e86292ef7dfe4edbb9942955c884e984352 ] + +After commit 5c3bf6cba791 ("bonding: assign random address if device +address is same as bond"), bonding will erroneously randomize the MAC +address of the first interface added to the bond if fail_over_mac = +follow. + +Correct this by additionally testing for the bond being empty before +randomizing the MAC. + +Fixes: 5c3bf6cba791 ("bonding: assign random address if device address is same as bond") +Reported-by: Qiuling Ren +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250910024336.400253-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index c4d53e8e7c152..e413340be2bff 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2115,6 +2115,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len); + } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW && + BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP && ++ bond_has_slaves(bond) && + memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) { + /* Set slave to random address to avoid duplicate mac + * address in later fail over. +-- +2.51.0 + diff --git a/queue-6.16/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch b/queue-6.16/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch new file mode 100644 index 0000000000..df464e977b --- /dev/null +++ b/queue-6.16/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch @@ -0,0 +1,41 @@ +From 03f81a74805f76d9c702e12f90d8dd531f09eef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 16:53:21 +0100 +Subject: btrfs: fix invalid extref key setup when replaying dentry + +From: Filipe Manana + +[ Upstream commit b62fd63ade7cb573b114972ef8f9fa505be8d74a ] + +The offset for an extref item's key is not the object ID of the parent +dir, otherwise we would not need the extref item and would use plain ref +items. Instead the offset is the result of a hash computation that uses +the object ID of the parent dir and the name associated to the entry. +So fix this by setting the key offset at replay_one_name() to be the +result of calling btrfs_extref_hash(). + +Fixes: 725af92a6251 ("btrfs: Open-code name_in_log_ref in replay_one_name") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index 56d30ec0f52fc..5466a93a28f58 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1933,7 +1933,7 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans, + + search_key.objectid = log_key.objectid; + search_key.type = BTRFS_INODE_EXTREF_KEY; +- search_key.offset = key->objectid; ++ search_key.offset = btrfs_extref_hash(key->objectid, name.name, name.len); + ret = backref_in_log(root->log_root, &search_key, key->objectid, &name); + if (ret < 0) { + goto out; +-- +2.51.0 + diff --git a/queue-6.16/btrfs-zoned-fix-incorrect-assert-in-btrfs_zoned_rese.patch b/queue-6.16/btrfs-zoned-fix-incorrect-assert-in-btrfs_zoned_rese.patch new file mode 100644 index 0000000000..00f2e6e3f3 --- /dev/null +++ b/queue-6.16/btrfs-zoned-fix-incorrect-assert-in-btrfs_zoned_rese.patch @@ -0,0 +1,51 @@ +From f234ea32324ca215fda2357001defece2e0a0513 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Sep 2025 15:54:43 +0200 +Subject: btrfs: zoned: fix incorrect ASSERT in + btrfs_zoned_reserve_data_reloc_bg() + +From: Johannes Thumshirn + +[ Upstream commit 5b8d2964754102323ca24495ba94892426284e3a ] + +When moving a block-group to the dedicated data relocation space-info in +btrfs_zoned_reserve_data_reloc_bg() it is asserted that the newly +created block group for data relocation does not contain any +zone_unusable bytes. + +But on disks with zone_capacity < zone_size, the difference between +zone_size and zone_capacity is accounted as zone_unusable. + +Instead of asserting that the block-group does not contain any +zone_unusable bytes, remove them from the block-groups total size. + +Reported-by: Yi Zhang +Link: https://lore.kernel.org/linux-block/CAHj4cs8-cS2E+-xQ-d2Bj6vMJZ+CwT_cbdWBTju4BV35LsvEYw@mail.gmail.com/ +Fixes: daa0fde322350 ("btrfs: zoned: fix data relocation block group reservation") +Reviewed-by: Naohiro Aota +Tested-by: Yi Zhang +Signed-off-by: Johannes Thumshirn +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/zoned.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c +index d7a1193332d94..60937127a0bc6 100644 +--- a/fs/btrfs/zoned.c ++++ b/fs/btrfs/zoned.c +@@ -2577,9 +2577,9 @@ void btrfs_zoned_reserve_data_reloc_bg(struct btrfs_fs_info *fs_info) + spin_lock(&space_info->lock); + space_info->total_bytes -= bg->length; + space_info->disk_total -= bg->length * factor; ++ space_info->disk_total -= bg->zone_unusable; + /* There is no allocation ever happened. */ + ASSERT(bg->used == 0); +- ASSERT(bg->zone_unusable == 0); + /* No super block in a block group on the zoned setup. */ + ASSERT(bg->bytes_super == 0); + spin_unlock(&space_info->lock); +-- +2.51.0 + diff --git a/queue-6.16/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-6.16/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..49f6320818 --- /dev/null +++ b/queue-6.16/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 6c82021c81e99a1dffc6639af885139d6755f27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index a723b7dc6e4e2..20f76b2176501 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -126,8 +126,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5553,7 +5576,7 @@ static void css_release_work_fn(struct work_struct *work) + cgroup_unlock(); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5562,7 +5585,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5696,7 +5719,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + list_del_rcu(&css->sibling); + err_free_css: + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5934,7 +5957,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6320,8 +6343,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-6.16/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-6.16/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..0cf59fee78 --- /dev/null +++ b/queue-6.16/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 8c922a9d34f27de93a392cc53dbac2e203f0a4c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index a9040c42d2ff9..6e97a5a7daaf9 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4230,8 +4230,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-6.16/doc-netlink-fix-typos-in-operation-attributes.patch b/queue-6.16/doc-netlink-fix-typos-in-operation-attributes.patch new file mode 100644 index 0000000000..6b137e27c2 --- /dev/null +++ b/queue-6.16/doc-netlink-fix-typos-in-operation-attributes.patch @@ -0,0 +1,78 @@ +From e7c988463efeb036299c0edb6ba9a125f1357ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 14:05:28 +0000 +Subject: doc/netlink: Fix typos in operation attributes + +From: Remy D. Farley + +[ Upstream commit 109f8b51543d106aee50dfe911f439e43fb30c7a ] + +I'm trying to generate Rust bindings for netlink using the yaml spec. + +It looks like there's a typo in conntrack spec: attribute set conntrack-attrs +defines attributes "counters-{orig,reply}" (plural), while get operation +references "counter-{orig,reply}" (singular). The latter should be fixed, as it +denotes multiple counters (packet and byte). The corresonding C define is +CTA_COUNTERS_ORIG. + +Also, dump request references "nfgen-family" attribute, which neither exists in +conntrack-attrs attrset nor ctattr_type enum. There's member of nfgenmsg struct +with the same name, which is where family value is actually taken from. + +> static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, +> struct sk_buff *skb, +> const struct nlmsghdr *nlh, +> const struct nlattr * const cda[], +> struct netlink_ext_ack *extack) +> { +> int err; +> struct nfgenmsg *nfmsg = nlmsg_data(nlh); +> u_int8_t u3 = nfmsg->nfgen_family; + ^^^^^^^^^^^^ + +Signed-off-by: Remy D. Farley +Fixes: 23fc9311a526 ("netlink: specs: add conntrack dump and stats dump support") +Link: https://patch.msgid.link/20250913140515.1132886-1-one-d-wide@protonmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + Documentation/netlink/specs/conntrack.yaml | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Documentation/netlink/specs/conntrack.yaml b/Documentation/netlink/specs/conntrack.yaml +index 840dc4504216b..1865ddf01fb0f 100644 +--- a/Documentation/netlink/specs/conntrack.yaml ++++ b/Documentation/netlink/specs/conntrack.yaml +@@ -575,8 +575,8 @@ operations: + - nat-dst + - timeout + - mark +- - counter-orig +- - counter-reply ++ - counters-orig ++ - counters-reply + - use + - id + - nat-dst +@@ -591,7 +591,6 @@ operations: + request: + value: 0x101 + attributes: +- - nfgen-family + - mark + - filter + - status +@@ -608,8 +607,8 @@ operations: + - nat-dst + - timeout + - mark +- - counter-orig +- - counter-reply ++ - counters-orig ++ - counters-reply + - use + - id + - nat-dst +-- +2.51.0 + diff --git a/queue-6.16/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch b/queue-6.16/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch new file mode 100644 index 0000000000..b261301fc1 --- /dev/null +++ b/queue-6.16/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch @@ -0,0 +1,69 @@ +From 61af5c852378b936a7ccfefdb6a657fa0c8cea73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:48:25 +0300 +Subject: dpaa2-switch: fix buffer pool seeding for control traffic + +From: Ioana Ciornei + +[ Upstream commit 2690cb089502b80b905f2abdafd1bf2d54e1abef ] + +Starting with commit c50e7475961c ("dpaa2-switch: Fix error checking in +dpaa2_switch_seed_bp()"), the probing of a second DPSW object errors out +like below. + +fsl_dpaa2_switch dpsw.1: fsl_mc_driver_probe failed: -12 +fsl_dpaa2_switch dpsw.1: probe with driver fsl_dpaa2_switch failed with error -12 + +The aforementioned commit brought to the surface the fact that seeding +buffers into the buffer pool destined for control traffic is not +successful and an access violation recoverable error can be seen in the +MC firmware log: + +[E, qbman_rec_isr:391, QBMAN] QBMAN recoverable event 0x1000000 + +This happens because the driver incorrectly used the ID of the DPBP +object instead of the hardware buffer pool ID when trying to release +buffers into it. + +This is because any DPSW object uses two buffer pools, one managed by +the Linux driver and destined for control traffic packet buffers and the +other one managed by the MC firmware and destined only for offloaded +traffic. And since the buffer pool managed by the MC firmware does not +have an external facing DPBP equivalent, any subsequent DPBP objects +created after the first DPSW will have a DPBP id different to the +underlying hardware buffer ID. + +The issue was not caught earlier because these two numbers can be +identical when all DPBP objects are created before the DPSW objects are. +This is the case when the DPL file is used to describe the entire DPAA2 +object layout and objects are created at boot time and it's also true +for the first DPSW being created dynamically using ls-addsw. + +Fix this by using the buffer pool ID instead of the DPBP id when +releasing buffers into the pool. + +Fixes: 2877e4f7e189 ("staging: dpaa2-switch: setup buffer pool and RX path rings") +Signed-off-by: Ioana Ciornei +Link: https://patch.msgid.link/20250910144825.2416019-1-ioana.ciornei@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 4643a33806182..b1e1ad9e4b48e 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2736,7 +2736,7 @@ static int dpaa2_switch_setup_dpbp(struct ethsw_core *ethsw) + dev_err(dev, "dpsw_ctrl_if_set_pools() failed\n"); + goto err_get_attr; + } +- ethsw->bpid = dpbp_attrs.id; ++ ethsw->bpid = dpbp_attrs.bpid; + + return 0; + +-- +2.51.0 + diff --git a/queue-6.16/dpll-fix-clock-quality-level-reporting.patch b/queue-6.16/dpll-fix-clock-quality-level-reporting.patch new file mode 100644 index 0000000000..e1367f1a46 --- /dev/null +++ b/queue-6.16/dpll-fix-clock-quality-level-reporting.patch @@ -0,0 +1,53 @@ +From 14b11467ec3cb433082c100824da6dc88531f664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 11:33:31 +0200 +Subject: dpll: fix clock quality level reporting + +From: Ivan Vecera + +[ Upstream commit 70d99623d5c11e1a9bcc564b8fbad6fa916913d8 ] + +The DPLL_CLOCK_QUALITY_LEVEL_ITU_OPT1_EPRC is not reported via netlink +due to bug in dpll_msg_add_clock_quality_level(). The usage of +DPLL_CLOCK_QUALITY_LEVEL_MAX for both DECLARE_BITMAP() and +for_each_set_bit() is not correct because these macros requires bitmap +size and not the highest valid bit in the bitmap. + +Use correct bitmap size to fix this issue. + +Fixes: a1afb959add1 ("dpll: add clock quality level attribute and op") +Signed-off-by: Ivan Vecera +Reviewed-by: Arkadiusz Kubalewski +Link: https://patch.msgid.link/20250912093331.862333-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/dpll/dpll_netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dpll/dpll_netlink.c b/drivers/dpll/dpll_netlink.c +index c130f87147fa3..815de752bcd38 100644 +--- a/drivers/dpll/dpll_netlink.c ++++ b/drivers/dpll/dpll_netlink.c +@@ -173,8 +173,8 @@ static int + dpll_msg_add_clock_quality_level(struct sk_buff *msg, struct dpll_device *dpll, + struct netlink_ext_ack *extack) + { ++ DECLARE_BITMAP(qls, DPLL_CLOCK_QUALITY_LEVEL_MAX + 1) = { 0 }; + const struct dpll_device_ops *ops = dpll_device_ops(dpll); +- DECLARE_BITMAP(qls, DPLL_CLOCK_QUALITY_LEVEL_MAX) = { 0 }; + enum dpll_clock_quality_level ql; + int ret; + +@@ -183,7 +183,7 @@ dpll_msg_add_clock_quality_level(struct sk_buff *msg, struct dpll_device *dpll, + ret = ops->clock_quality_level_get(dpll, dpll_priv(dpll), qls, extack); + if (ret) + return ret; +- for_each_set_bit(ql, qls, DPLL_CLOCK_QUALITY_LEVEL_MAX) ++ for_each_set_bit(ql, qls, DPLL_CLOCK_QUALITY_LEVEL_MAX + 1) + if (nla_put_u32(msg, DPLL_A_CLOCK_QUALITY_LEVEL, ql)) + return -EMSGSIZE; + +-- +2.51.0 + diff --git a/queue-6.16/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-6.16/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..cb403a6838 --- /dev/null +++ b/queue-6.16/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From 5fcb8c7c335a1169c6f9d3678e792bcf3ae7dccb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index c006f716a3bdb..ca7517a68a2c3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -947,9 +947,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-6.16/ice-fix-rx-page-leak-on-multi-buffer-frames.patch b/queue-6.16/ice-fix-rx-page-leak-on-multi-buffer-frames.patch new file mode 100644 index 0000000000..8d91a8f771 --- /dev/null +++ b/queue-6.16/ice-fix-rx-page-leak-on-multi-buffer-frames.patch @@ -0,0 +1,274 @@ +From 3a90a47e3f83917ff8c27fb1eb2d025ff046ad7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 16:00:14 -0700 +Subject: ice: fix Rx page leak on multi-buffer frames + +From: Jacob Keller + +[ Upstream commit 84bf1ac85af84d354c7a2fdbdc0d4efc8aaec34b ] + +The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each +buffer in the current frame. This function was introduced as part of +handling multi-buffer XDP support in the ice driver. + +It works by iterating over the buffers from first_desc up to 1 plus the +total number of fragments in the frame, cached from before the XDP program +was executed. + +If the hardware posts a descriptor with a size of 0, the logic used in +ice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get added +as fragments in ice_add_xdp_frag. Since the buffer isn't counted as a +fragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don't +call ice_put_rx_buf(). + +Because we don't call ice_put_rx_buf(), we don't attempt to re-use the +page or free it. This leaves a stale page in the ring, as we don't +increment next_to_alloc. + +The ice_reuse_rx_page() assumes that the next_to_alloc has been incremented +properly, and that it always points to a buffer with a NULL page. Since +this function doesn't check, it will happily recycle a page over the top +of the next_to_alloc buffer, losing track of the old page. + +Note that this leak only occurs for multi-buffer frames. The +ice_put_rx_mbuf() function always handles at least one buffer, so a +single-buffer frame will always get handled correctly. It is not clear +precisely why the hardware hands us descriptors with a size of 0 sometimes, +but it happens somewhat regularly with "jumbo frames" used by 9K MTU. + +To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() on +all buffers between first_desc and next_to_clean. Borrow the logic of a +similar function in i40e used for this same purpose. Use the same logic +also in ice_get_pgcnts(). + +Instead of iterating over just the number of fragments, use a loop which +iterates until the current index reaches to the next_to_clean element just +past the current frame. Unlike i40e, the ice_put_rx_mbuf() function does +call ice_put_rx_buf() on the last buffer of the frame indicating the end of +packet. + +For non-linear (multi-buffer) frames, we need to take care when adjusting +the pagecnt_bias. An XDP program might release fragments from the tail of +the frame, in which case that fragment page is already released. Only +update the pagecnt_bias for the first descriptor and fragments still +remaining post-XDP program. Take care to only access the shared info for +fragmented buffers, as this avoids a significant cache miss. + +The xdp_xmit value only needs to be updated if an XDP program is run, and +only once per packet. Drop the xdp_xmit pointer argument from +ice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() function +directly. This avoids needing to pass the argument and avoids an extra +bit-wise OR for each buffer in the frame. + +Move the increment of the ntc local variable to ensure its updated *before* +all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logic +requires the index of the element just after the current frame. + +Now that we use an index pointer in the ring to identify the packet, we no +longer need to track or cache the number of fragments in the rx_ring. + +Cc: Christoph Petrausch +Cc: Jesper Dangaard Brouer +Reported-by: Jaroslav Pulchart +Closes: https://lore.kernel.org/netdev/CAK8fFZ4hY6GUJNENz3wY9jaYLZXGfpr7dnZxzGMYoE44caRbgw@mail.gmail.com/ +Fixes: 743bbd93cf29 ("ice: put Rx buffers after being done with current frame") +Tested-by: Michal Kubiak +Signed-off-by: Jacob Keller +Acked-by: Jesper Dangaard Brouer +Tested-by: Priya Singh +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_txrx.c | 80 ++++++++++------------- + drivers/net/ethernet/intel/ice/ice_txrx.h | 1 - + 2 files changed, 34 insertions(+), 47 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c +index c50cf3ad190e9..4766597ac5550 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.c ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c +@@ -865,10 +865,6 @@ ice_add_xdp_frag(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, + __skb_fill_page_desc_noacc(sinfo, sinfo->nr_frags++, rx_buf->page, + rx_buf->page_offset, size); + sinfo->xdp_frags_size += size; +- /* remember frag count before XDP prog execution; bpf_xdp_adjust_tail() +- * can pop off frags but driver has to handle it on its own +- */ +- rx_ring->nr_frags = sinfo->nr_frags; + + if (page_is_pfmemalloc(rx_buf->page)) + xdp_buff_set_frag_pfmemalloc(xdp); +@@ -939,20 +935,20 @@ ice_get_rx_buf(struct ice_rx_ring *rx_ring, const unsigned int size, + /** + * ice_get_pgcnts - grab page_count() for gathered fragments + * @rx_ring: Rx descriptor ring to store the page counts on ++ * @ntc: the next to clean element (not included in this frame!) + * + * This function is intended to be called right before running XDP + * program so that the page recycling mechanism will be able to take + * a correct decision regarding underlying pages; this is done in such + * way as XDP program can change the refcount of page + */ +-static void ice_get_pgcnts(struct ice_rx_ring *rx_ring) ++static void ice_get_pgcnts(struct ice_rx_ring *rx_ring, unsigned int ntc) + { +- u32 nr_frags = rx_ring->nr_frags + 1; + u32 idx = rx_ring->first_desc; + struct ice_rx_buf *rx_buf; + u32 cnt = rx_ring->count; + +- for (int i = 0; i < nr_frags; i++) { ++ while (idx != ntc) { + rx_buf = &rx_ring->rx_buf[idx]; + rx_buf->pgcnt = page_count(rx_buf->page); + +@@ -1125,62 +1121,51 @@ ice_put_rx_buf(struct ice_rx_ring *rx_ring, struct ice_rx_buf *rx_buf) + } + + /** +- * ice_put_rx_mbuf - ice_put_rx_buf() caller, for all frame frags ++ * ice_put_rx_mbuf - ice_put_rx_buf() caller, for all buffers in frame + * @rx_ring: Rx ring with all the auxiliary data + * @xdp: XDP buffer carrying linear + frags part +- * @xdp_xmit: XDP_TX/XDP_REDIRECT verdict storage +- * @ntc: a current next_to_clean value to be stored at rx_ring ++ * @ntc: the next to clean element (not included in this frame!) + * @verdict: return code from XDP program execution + * +- * Walk through gathered fragments and satisfy internal page +- * recycle mechanism; we take here an action related to verdict +- * returned by XDP program; ++ * Called after XDP program is completed, or on error with verdict set to ++ * ICE_XDP_CONSUMED. ++ * ++ * Walk through buffers from first_desc to the end of the frame, releasing ++ * buffers and satisfying internal page recycle mechanism. The action depends ++ * on verdict from XDP program. + */ + static void ice_put_rx_mbuf(struct ice_rx_ring *rx_ring, struct xdp_buff *xdp, +- u32 *xdp_xmit, u32 ntc, u32 verdict) ++ u32 ntc, u32 verdict) + { +- u32 nr_frags = rx_ring->nr_frags + 1; + u32 idx = rx_ring->first_desc; + u32 cnt = rx_ring->count; +- u32 post_xdp_frags = 1; + struct ice_rx_buf *buf; +- int i; ++ u32 xdp_frags = 0; ++ int i = 0; + + if (unlikely(xdp_buff_has_frags(xdp))) +- post_xdp_frags += xdp_get_shared_info_from_buff(xdp)->nr_frags; ++ xdp_frags = xdp_get_shared_info_from_buff(xdp)->nr_frags; + +- for (i = 0; i < post_xdp_frags; i++) { ++ while (idx != ntc) { + buf = &rx_ring->rx_buf[idx]; ++ if (++idx == cnt) ++ idx = 0; + +- if (verdict & (ICE_XDP_TX | ICE_XDP_REDIR)) { ++ /* An XDP program could release fragments from the end of the ++ * buffer. For these, we need to keep the pagecnt_bias as-is. ++ * To do this, only adjust pagecnt_bias for fragments up to ++ * the total remaining after the XDP program has run. ++ */ ++ if (verdict != ICE_XDP_CONSUMED) + ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); +- *xdp_xmit |= verdict; +- } else if (verdict & ICE_XDP_CONSUMED) { ++ else if (i++ <= xdp_frags) + buf->pagecnt_bias++; +- } else if (verdict == ICE_XDP_PASS) { +- ice_rx_buf_adjust_pg_offset(buf, xdp->frame_sz); +- } + + ice_put_rx_buf(rx_ring, buf); +- +- if (++idx == cnt) +- idx = 0; +- } +- /* handle buffers that represented frags released by XDP prog; +- * for these we keep pagecnt_bias as-is; refcount from struct page +- * has been decremented within XDP prog and we do not have to increase +- * the biased refcnt +- */ +- for (; i < nr_frags; i++) { +- buf = &rx_ring->rx_buf[idx]; +- ice_put_rx_buf(rx_ring, buf); +- if (++idx == cnt) +- idx = 0; + } + + xdp->data = NULL; + rx_ring->first_desc = ntc; +- rx_ring->nr_frags = 0; + } + + /** +@@ -1260,6 +1245,10 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + /* retrieve a buffer from the ring */ + rx_buf = ice_get_rx_buf(rx_ring, size, ntc); + ++ /* Increment ntc before calls to ice_put_rx_mbuf() */ ++ if (++ntc == cnt) ++ ntc = 0; ++ + if (!xdp->data) { + void *hard_start; + +@@ -1268,24 +1257,23 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + xdp_prepare_buff(xdp, hard_start, offset, size, !!offset); + xdp_buff_clear_frags_flag(xdp); + } else if (ice_add_xdp_frag(rx_ring, xdp, rx_buf, size)) { +- ice_put_rx_mbuf(rx_ring, xdp, NULL, ntc, ICE_XDP_CONSUMED); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, ICE_XDP_CONSUMED); + break; + } +- if (++ntc == cnt) +- ntc = 0; + + /* skip if it is NOP desc */ + if (ice_is_non_eop(rx_ring, rx_desc)) + continue; + +- ice_get_pgcnts(rx_ring); ++ ice_get_pgcnts(rx_ring, ntc); + xdp_verdict = ice_run_xdp(rx_ring, xdp, xdp_prog, xdp_ring, rx_desc); + if (xdp_verdict == ICE_XDP_PASS) + goto construct_skb; + total_rx_bytes += xdp_get_buff_len(xdp); + total_rx_pkts++; + +- ice_put_rx_mbuf(rx_ring, xdp, &xdp_xmit, ntc, xdp_verdict); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, xdp_verdict); ++ xdp_xmit |= xdp_verdict & (ICE_XDP_TX | ICE_XDP_REDIR); + + continue; + construct_skb: +@@ -1298,7 +1286,7 @@ int ice_clean_rx_irq(struct ice_rx_ring *rx_ring, int budget) + rx_ring->ring_stats->rx_stats.alloc_buf_failed++; + xdp_verdict = ICE_XDP_CONSUMED; + } +- ice_put_rx_mbuf(rx_ring, xdp, &xdp_xmit, ntc, xdp_verdict); ++ ice_put_rx_mbuf(rx_ring, xdp, ntc, xdp_verdict); + + if (!skb) + break; +diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h +index a4b1e95146327..07155e615f75a 100644 +--- a/drivers/net/ethernet/intel/ice/ice_txrx.h ++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h +@@ -358,7 +358,6 @@ struct ice_rx_ring { + struct ice_tx_ring *xdp_ring; + struct ice_rx_ring *next; /* pointer to next ring in q_vector */ + struct xsk_buff_pool *xsk_pool; +- u32 nr_frags; + u16 max_frame; + u16 rx_buf_len; + dma_addr_t dma; /* physical address of ring */ +-- +2.51.0 + diff --git a/queue-6.16/igc-don-t-fail-igc_probe-on-led-setup-error.patch b/queue-6.16/igc-don-t-fail-igc_probe-on-led-setup-error.patch new file mode 100644 index 0000000000..2bc7c1c441 --- /dev/null +++ b/queue-6.16/igc-don-t-fail-igc_probe-on-led-setup-error.patch @@ -0,0 +1,108 @@ +From 1da67a9827e9c41105611b9d2ec16f6dcb3f1ecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 22:47:21 +0900 +Subject: igc: don't fail igc_probe() on LED setup error + +From: Kohei Enju + +[ Upstream commit 528eb4e19ec0df30d0c9ae4074ce945667dde919 ] + +When igc_led_setup() fails, igc_probe() fails and triggers kernel panic +in free_netdev() since unregister_netdev() is not called. [1] +This behavior can be tested using fault-injection framework, especially +the failslab feature. [2] + +Since LED support is not mandatory, treat LED setup failures as +non-fatal and continue probe with a warning message, consequently +avoiding the kernel panic. + +[1] + kernel BUG at net/core/dev.c:12047! + Oops: invalid opcode: 0000 [#1] SMP NOPTI + CPU: 0 UID: 0 PID: 937 Comm: repro-igc-led-e Not tainted 6.17.0-rc4-enjuk-tnguy-00865-gc4940196ab02 #64 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + RIP: 0010:free_netdev+0x278/0x2b0 + [...] + Call Trace: + + igc_probe+0x370/0x910 + local_pci_probe+0x3a/0x80 + pci_device_probe+0xd1/0x200 + [...] + +[2] + #!/bin/bash -ex + + FAILSLAB_PATH=/sys/kernel/debug/failslab/ + DEVICE=0000:00:05.0 + START_ADDR=$(grep " igc_led_setup" /proc/kallsyms \ + | awk '{printf("0x%s", $1)}') + END_ADDR=$(printf "0x%x" $((START_ADDR + 0x100))) + + echo $START_ADDR > $FAILSLAB_PATH/require-start + echo $END_ADDR > $FAILSLAB_PATH/require-end + echo 1 > $FAILSLAB_PATH/times + echo 100 > $FAILSLAB_PATH/probability + echo N > $FAILSLAB_PATH/ignore-gfp-wait + + echo $DEVICE > /sys/bus/pci/drivers/igc/bind + +Fixes: ea578703b03d ("igc: Add support for LEDs on i225/i226") +Signed-off-by: Kohei Enju +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Vitaly Lifshits +Reviewed-by: Kurt Kanzenbach +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc.h | 1 + + drivers/net/ethernet/intel/igc/igc_main.c | 12 +++++++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h +index 859a15e4ccbab..1bbe7f72757c0 100644 +--- a/drivers/net/ethernet/intel/igc/igc.h ++++ b/drivers/net/ethernet/intel/igc/igc.h +@@ -343,6 +343,7 @@ struct igc_adapter { + /* LEDs */ + struct mutex led_mutex; + struct igc_led_classdev *leds; ++ bool leds_available; + }; + + void igc_up(struct igc_adapter *adapter); +diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c +index 1b4465d6b2b72..5b8f9b5121489 100644 +--- a/drivers/net/ethernet/intel/igc/igc_main.c ++++ b/drivers/net/ethernet/intel/igc/igc_main.c +@@ -7301,8 +7301,14 @@ static int igc_probe(struct pci_dev *pdev, + + if (IS_ENABLED(CONFIG_IGC_LEDS)) { + err = igc_led_setup(adapter); +- if (err) +- goto err_register; ++ if (err) { ++ netdev_warn_once(netdev, ++ "LED init failed (%d); continuing without LED support\n", ++ err); ++ adapter->leds_available = false; ++ } else { ++ adapter->leds_available = true; ++ } + } + + return 0; +@@ -7358,7 +7364,7 @@ static void igc_remove(struct pci_dev *pdev) + cancel_work_sync(&adapter->watchdog_task); + hrtimer_cancel(&adapter->hrtimer); + +- if (IS_ENABLED(CONFIG_IGC_LEDS)) ++ if (IS_ENABLED(CONFIG_IGC_LEDS) && adapter->leds_available) + igc_led_free(adapter); + + /* Release control of h/w to f/w. If f/w is AMT enabled, this +-- +2.51.0 + diff --git a/queue-6.16/ixgbe-destroy-aci.lock-later-within-ixgbe_remove-pat.patch b/queue-6.16/ixgbe-destroy-aci.lock-later-within-ixgbe_remove-pat.patch new file mode 100644 index 0000000000..4e4ad39dcb --- /dev/null +++ b/queue-6.16/ixgbe-destroy-aci.lock-later-within-ixgbe_remove-pat.patch @@ -0,0 +1,89 @@ +From 0395dfe57a75f5537b6cf89cfd8f14fe37ccd2e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 13:26:29 +0200 +Subject: ixgbe: destroy aci.lock later within ixgbe_remove path + +From: Jedrzej Jagielski + +[ Upstream commit 316ba68175b04a9f6f75295764789ea94e31d48c ] + +There's another issue with aci.lock and previous patch uncovers it. +aci.lock is being destroyed during removing ixgbe while some of the +ixgbe closing routines are still ongoing. These routines use Admin +Command Interface which require taking aci.lock which has been already +destroyed what leads to call trace. + +[ +0.000004] DEBUG_LOCKS_WARN_ON(lock->magic != lock) +[ +0.000007] WARNING: CPU: 12 PID: 10277 at kernel/locking/mutex.c:155 mutex_lock+0x5f/0x70 +[ +0.000002] Call Trace: +[ +0.000003] +[ +0.000006] ixgbe_aci_send_cmd+0xc8/0x220 [ixgbe] +[ +0.000049] ? try_to_wake_up+0x29d/0x5d0 +[ +0.000009] ixgbe_disable_rx_e610+0xc4/0x110 [ixgbe] +[ +0.000032] ixgbe_disable_rx+0x3d/0x200 [ixgbe] +[ +0.000027] ixgbe_down+0x102/0x3b0 [ixgbe] +[ +0.000031] ixgbe_close_suspend+0x28/0x90 [ixgbe] +[ +0.000028] ixgbe_close+0xfb/0x100 [ixgbe] +[ +0.000025] __dev_close_many+0xae/0x220 +[ +0.000005] dev_close_many+0xc2/0x1a0 +[ +0.000004] ? kernfs_should_drain_open_files+0x2a/0x40 +[ +0.000005] unregister_netdevice_many_notify+0x204/0xb00 +[ +0.000006] ? __kernfs_remove.part.0+0x109/0x210 +[ +0.000006] ? kobj_kset_leave+0x4b/0x70 +[ +0.000008] unregister_netdevice_queue+0xf6/0x130 +[ +0.000006] unregister_netdev+0x1c/0x40 +[ +0.000005] ixgbe_remove+0x216/0x290 [ixgbe] +[ +0.000021] pci_device_remove+0x42/0xb0 +[ +0.000007] device_release_driver_internal+0x19c/0x200 +[ +0.000008] driver_detach+0x48/0x90 +[ +0.000003] bus_remove_driver+0x6d/0xf0 +[ +0.000006] pci_unregister_driver+0x2e/0xb0 +[ +0.000005] ixgbe_exit_module+0x1c/0xc80 [ixgbe] + +Same as for the previous commit, the issue has been highlighted by the +commit 337369f8ce9e ("locking/mutex: Add MUTEX_WARN_ON() into fast path"). + +Move destroying aci.lock to the end of ixgbe_remove(), as this +simply fixes the issue. + +Fixes: 4600cdf9f5ac ("ixgbe: Enable link management in E610 device") +Signed-off-by: Jedrzej Jagielski +Reviewed-by: Przemek Kitszel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index 2a857037dd102..d5c421451f319 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -11892,10 +11892,8 @@ static void ixgbe_remove(struct pci_dev *pdev) + set_bit(__IXGBE_REMOVING, &adapter->state); + cancel_work_sync(&adapter->service_task); + +- if (adapter->hw.mac.type == ixgbe_mac_e610) { ++ if (adapter->hw.mac.type == ixgbe_mac_e610) + ixgbe_disable_link_status_events(adapter); +- mutex_destroy(&adapter->hw.aci.lock); +- } + + if (adapter->mii_bus) + mdiobus_unregister(adapter->mii_bus); +@@ -11955,6 +11953,9 @@ static void ixgbe_remove(struct pci_dev *pdev) + disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state); + free_netdev(netdev); + ++ if (adapter->hw.mac.type == ixgbe_mac_e610) ++ mutex_destroy(&adapter->hw.aci.lock); ++ + if (disable_dev) + pci_disable_device(pdev); + } +-- +2.51.0 + diff --git a/queue-6.16/ixgbe-initialize-aci.lock-before-it-s-used.patch b/queue-6.16/ixgbe-initialize-aci.lock-before-it-s-used.patch new file mode 100644 index 0000000000..f4f8b834c2 --- /dev/null +++ b/queue-6.16/ixgbe-initialize-aci.lock-before-it-s-used.patch @@ -0,0 +1,100 @@ +From d09d625328e7099d91d8b42ddb081446596fb889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 13:26:28 +0200 +Subject: ixgbe: initialize aci.lock before it's used + +From: Jedrzej Jagielski + +[ Upstream commit b85936e95a4bd2a07e134af71e2c0750a69d2b8b ] + +Currently aci.lock is initialized too late. A bunch of ACI callbacks +using the lock are called prior it's initialized. + +Commit 337369f8ce9e ("locking/mutex: Add MUTEX_WARN_ON() into fast path") +highlights that issue what results in call trace. + +[ 4.092899] DEBUG_LOCKS_WARN_ON(lock->magic != lock) +[ 4.092910] WARNING: CPU: 0 PID: 578 at kernel/locking/mutex.c:154 mutex_lock+0x6d/0x80 +[ 4.098757] Call Trace: +[ 4.098847] +[ 4.098922] ixgbe_aci_send_cmd+0x8c/0x1e0 [ixgbe] +[ 4.099108] ? hrtimer_try_to_cancel+0x18/0x110 +[ 4.099277] ixgbe_aci_get_fw_ver+0x52/0xa0 [ixgbe] +[ 4.099460] ixgbe_check_fw_error+0x1fc/0x2f0 [ixgbe] +[ 4.099650] ? usleep_range_state+0x69/0xd0 +[ 4.099811] ? usleep_range_state+0x8c/0xd0 +[ 4.099964] ixgbe_probe+0x3b0/0x12d0 [ixgbe] +[ 4.100132] local_pci_probe+0x43/0xa0 +[ 4.100267] work_for_cpu_fn+0x13/0x20 +[ 4.101647] + +Move aci.lock mutex initialization to ixgbe_sw_init() before any ACI +command is sent. Along with that move also related SWFW semaphore in +order to reduce size of ixgbe_probe() and that way all locks are +initialized in ixgbe_sw_init(). + +Reviewed-by: Michal Swiatkowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Fixes: 4600cdf9f5ac ("ixgbe: Enable link management in E610 device") +Signed-off-by: Jedrzej Jagielski +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +index cba860f0e1f15..2a857037dd102 100644 +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -6801,6 +6801,13 @@ static int ixgbe_sw_init(struct ixgbe_adapter *adapter, + break; + } + ++ /* Make sure the SWFW semaphore is in a valid state */ ++ if (hw->mac.ops.init_swfw_sync) ++ hw->mac.ops.init_swfw_sync(hw); ++ ++ if (hw->mac.type == ixgbe_mac_e610) ++ mutex_init(&hw->aci.lock); ++ + #ifdef IXGBE_FCOE + /* FCoE support exists, always init the FCoE lock */ + spin_lock_init(&adapter->fcoe.lock); +@@ -11474,10 +11481,6 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (err) + goto err_sw_init; + +- /* Make sure the SWFW semaphore is in a valid state */ +- if (hw->mac.ops.init_swfw_sync) +- hw->mac.ops.init_swfw_sync(hw); +- + if (ixgbe_check_fw_error(adapter)) + return ixgbe_recovery_probe(adapter); + +@@ -11681,8 +11684,6 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + ether_addr_copy(hw->mac.addr, hw->mac.perm_addr); + ixgbe_mac_set_default_filter(adapter); + +- if (hw->mac.type == ixgbe_mac_e610) +- mutex_init(&hw->aci.lock); + timer_setup(&adapter->service_timer, ixgbe_service_timer, 0); + + if (ixgbe_removed(hw->hw_addr)) { +@@ -11838,9 +11839,9 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + devl_unlock(adapter->devlink); + ixgbe_release_hw_control(adapter); + ixgbe_clear_interrupt_scheme(adapter); ++err_sw_init: + if (hw->mac.type == ixgbe_mac_e610) + mutex_destroy(&adapter->hw.aci.lock); +-err_sw_init: + ixgbe_disable_sriov(adapter); + adapter->flags2 &= ~IXGBE_FLAG2_SEARCH_FOR_SFP; + iounmap(adapter->io_addr); +-- +2.51.0 + diff --git a/queue-6.16/mptcp-set-remote_deny_join_id0-on-syn-recv.patch b/queue-6.16/mptcp-set-remote_deny_join_id0-on-syn-recv.patch new file mode 100644 index 0000000000..c2a8f4e6ea --- /dev/null +++ b/queue-6.16/mptcp-set-remote_deny_join_id0-on-syn-recv.patch @@ -0,0 +1,45 @@ +From 00d2fa438cd22006b1d835ff7cb31050ac8538eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:20 +0200 +Subject: mptcp: set remote_deny_join_id0 on SYN recv + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 96939cec994070aa5df852c10fad5fc303a97ea3 ] + +When a SYN containing the 'C' flag (deny join id0) was received, this +piece of information was not propagated to the path-manager. + +Even if this flag is mainly set on the server side, a client can also +tell the server it cannot try to establish new subflows to the client's +initial IP address and port. The server's PM should then record such +info when received, and before sending events about the new connection. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 1802bc5435a1a..d77a2e374a7ae 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -882,6 +882,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + + ctx->subflow_id = 1; + owner = mptcp_sk(ctx->conn); ++ ++ if (mp_opt.deny_join_id0) ++ WRITE_ONCE(owner->pm.remote_deny_join_id0, true); ++ + mptcp_pm_new_connection(owner, child, 1); + + /* with OoO packets we can reach here without ingress +-- +2.51.0 + diff --git a/queue-6.16/mptcp-tfo-record-deny-join-id0-info.patch b/queue-6.16/mptcp-tfo-record-deny-join-id0-info.patch new file mode 100644 index 0000000000..e8fceec983 --- /dev/null +++ b/queue-6.16/mptcp-tfo-record-deny-join-id0-info.patch @@ -0,0 +1,52 @@ +From ab7c5e91091cbf6f9ba69dccace1250b92fc73e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:23 +0200 +Subject: mptcp: tfo: record 'deny join id0' info + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 92da495cb65719583aa06bc946aeb18a10e1e6e2 ] + +When TFO is used, the check to see if the 'C' flag (deny join id0) was +set was bypassed. + +This flag can be set when TFO is used, so the check should also be done +when TFO is used. + +Note that the set_fully_established label is also used when a 4th ACK is +received. In this case, deny_join_id0 will not be set. + +Fixes: dfc8d0603033 ("mptcp: implement delayed seq generation for passive fastopen") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-4-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index c6983471dca55..bb4253aa675a6 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -984,13 +984,13 @@ static bool check_fully_established(struct mptcp_sock *msk, struct sock *ssk, + return false; + } + +- if (mp_opt->deny_join_id0) +- WRITE_ONCE(msk->pm.remote_deny_join_id0, true); +- + if (unlikely(!READ_ONCE(msk->pm.server_side))) + pr_warn_once("bogus mpc option on established client sk"); + + set_fully_established: ++ if (mp_opt->deny_join_id0) ++ WRITE_ONCE(msk->pm.remote_deny_join_id0, true); ++ + mptcp_data_lock((struct sock *)msk); + __mptcp_subflow_fully_established(msk, subflow, mp_opt); + mptcp_data_unlock((struct sock *)msk); +-- +2.51.0 + diff --git a/queue-6.16/net-clear-sk-sk_ino-in-sk_set_socket-sk-null.patch b/queue-6.16/net-clear-sk-sk_ino-in-sk_set_socket-sk-null.patch new file mode 100644 index 0000000000..9dd59b97e3 --- /dev/null +++ b/queue-6.16/net-clear-sk-sk_ino-in-sk_set_socket-sk-null.patch @@ -0,0 +1,59 @@ +From be2c0d02a2255a0f7aca8361d240846d4bb5c5f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:53:37 +0000 +Subject: net: clear sk->sk_ino in sk_set_socket(sk, NULL) + +From: Eric Dumazet + +[ Upstream commit 87ebb628a5acb892eba41ef1d8989beb8f036034 ] + +Andrei Vagin reported that blamed commit broke CRIU. + +Indeed, while we want to keep sk_uid unchanged when a socket +is cloned, we want to clear sk->sk_ino. + +Otherwise, sock_diag might report multiple sockets sharing +the same inode number. + +Move the clearing part from sock_orphan() to sk_set_socket(sk, NULL), +called both from sock_orphan() and sk_clone_lock(). + +Fixes: 5d6b58c932ec ("net: lockless sock_i_ino()") +Closes: https://lore.kernel.org/netdev/aMhX-VnXkYDpKd9V@google.com/ +Closes: https://github.com/checkpoint-restore/criu/issues/2744 +Reported-by: Andrei Vagin +Signed-off-by: Eric Dumazet +Acked-by: Andrei Vagin +Link: https://patch.msgid.link/20250917135337.1736101-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index a348ae145eda4..6e9f4c126672d 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2061,6 +2061,9 @@ static inline void sk_set_socket(struct sock *sk, struct socket *sock) + if (sock) { + WRITE_ONCE(sk->sk_uid, SOCK_INODE(sock)->i_uid); + WRITE_ONCE(sk->sk_ino, SOCK_INODE(sock)->i_ino); ++ } else { ++ /* Note: sk_uid is unchanged. */ ++ WRITE_ONCE(sk->sk_ino, 0); + } + } + +@@ -2082,8 +2085,6 @@ static inline void sock_orphan(struct sock *sk) + sock_set_flag(sk, SOCK_DEAD); + sk_set_socket(sk, NULL); + sk->sk_wq = NULL; +- /* Note: sk_uid is unchanged. */ +- WRITE_ONCE(sk->sk_ino, 0); + write_unlock_bh(&sk->sk_callback_lock); + } + +-- +2.51.0 + diff --git a/queue-6.16/net-dst_metadata-fix-ip_df-bit-not-extracted-from-tu.patch b/queue-6.16/net-dst_metadata-fix-ip_df-bit-not-extracted-from-tu.patch new file mode 100644 index 0000000000..9116bcc1e7 --- /dev/null +++ b/queue-6.16/net-dst_metadata-fix-ip_df-bit-not-extracted-from-tu.patch @@ -0,0 +1,88 @@ +From d50e63469735dc6d1fd1a556d3375aaab63fd747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2025 18:54:15 +0200 +Subject: net: dst_metadata: fix IP_DF bit not extracted from tunnel headers + +From: Ilya Maximets + +[ Upstream commit a9888628cb2c768202a4530e2816da1889cc3165 ] + +Both OVS and TC flower allow extracting and matching on the DF bit of +the outer IP header via OVS_TUNNEL_KEY_ATTR_DONT_FRAGMENT in the +OVS_KEY_ATTR_TUNNEL and TCA_FLOWER_KEY_FLAGS_TUNNEL_DONT_FRAGMENT in +the TCA_FLOWER_KEY_ENC_FLAGS respectively. Flow dissector extracts +this information as FLOW_DIS_F_TUNNEL_DONT_FRAGMENT from the tunnel +info key. + +However, the IP_TUNNEL_DONT_FRAGMENT_BIT in the tunnel key is never +actually set, because the tunneling code doesn't actually extract it +from the IP header. OAM and CRIT_OPT are extracted by the tunnel +implementation code, same code also sets the KEY flag, if present. +UDP tunnel core takes care of setting the CSUM flag if the checksum +is present in the UDP header, but the DONT_FRAGMENT is not handled at +any layer. + +Fix that by checking the bit and setting the corresponding flag while +populating the tunnel info in the IP layer where it belongs. + +Not using __assign_bit as we don't really need to clear the bit in a +just initialized field. It also doesn't seem like using __assign_bit +will make the code look better. + +Clearly, users didn't rely on this functionality for anything very +important until now. The reason why this doesn't break OVS logic is +that it only matches on what kernel previously parsed out and if kernel +consistently reports this bit as zero, OVS will only match on it to be +zero, which sort of works. But it is still a bug that the uAPI reports +and allows matching on the field that is not actually checked in the +packet. And this is causing misleading -df reporting in OVS datapath +flows, while the tunnel traffic actually has the bit set in most cases. + +This may also cause issues if a hardware properly implements support +for tunnel flag matching as it will disagree with the implementation +in a software path of TC flower. + +Fixes: 7d5437c709de ("openvswitch: Add tunneling interface.") +Fixes: 1d17568e74de ("net/sched: cls_flower: add support for matching tunnel control flags") +Signed-off-by: Ilya Maximets +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20250909165440.229890-2-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/dst_metadata.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/net/dst_metadata.h b/include/net/dst_metadata.h +index 4160731dcb6e3..1fc2fb03ce3f9 100644 +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -3,6 +3,7 @@ + #define __NET_DST_METADATA_H 1 + + #include ++#include + #include + #include + #include +@@ -220,9 +221,15 @@ static inline struct metadata_dst *ip_tun_rx_dst(struct sk_buff *skb, + int md_size) + { + const struct iphdr *iph = ip_hdr(skb); ++ struct metadata_dst *tun_dst; ++ ++ tun_dst = __ip_tun_set_dst(iph->saddr, iph->daddr, iph->tos, iph->ttl, ++ 0, flags, tunnel_id, md_size); + +- return __ip_tun_set_dst(iph->saddr, iph->daddr, iph->tos, iph->ttl, +- 0, flags, tunnel_id, md_size); ++ if (tun_dst && (iph->frag_off & htons(IP_DF))) ++ __set_bit(IP_TUNNEL_DONT_FRAGMENT_BIT, ++ tun_dst->u.tun_info.key.tun_flags); ++ return tun_dst; + } + + static inline struct metadata_dst *__ipv6_tun_set_dst(const struct in6_addr *saddr, +-- +2.51.0 + diff --git a/queue-6.16/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-6.16/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..638b3c2efd --- /dev/null +++ b/queue-6.16/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From 5d21fe028f39756d219c1e243ab276c6d87f362d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index de8a6ce86ad7e..12105ffb5dac6 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -126,7 +126,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-6.16/net-mlx5-not-returning-mlx5_link_info-table-when-spe.patch b/queue-6.16/net-mlx5-not-returning-mlx5_link_info-table-when-spe.patch new file mode 100644 index 0000000000..f0e5f3e53d --- /dev/null +++ b/queue-6.16/net-mlx5-not-returning-mlx5_link_info-table-when-spe.patch @@ -0,0 +1,44 @@ +From 8619859b04a2a0300e4dc9b8a96676e398e5542c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 08:37:32 +0800 +Subject: net/mlx5: Not returning mlx5_link_info table when speed is unknown + +From: Li Tian + +[ Upstream commit 5577352b55833d0f4350eb5d62eda2df09e84922 ] + +Because mlx5e_link_info and mlx5e_ext_link_info have holes +e.g. Azure mlx5 reports PTYS 19. Do not return it unless speed +is retrieved successfully. + +Fixes: 65a5d35571849 ("net/mlx5: Refactor link speed handling with mlx5_link_info struct") +Suggested-by: Vitaly Kuznetsov +Signed-off-by: Li Tian +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250910003732.5973-1-litian@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/port.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c +index 2d7adf7444ba2..aa9f2b0a77d36 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c +@@ -1170,7 +1170,11 @@ const struct mlx5_link_info *mlx5_port_ptys2info(struct mlx5_core_dev *mdev, + mlx5e_port_get_link_mode_info_arr(mdev, &table, &max_size, + force_legacy); + i = find_first_bit(&temp, max_size); +- if (i < max_size) ++ ++ /* mlx5e_link_info has holes. Check speed ++ * is not zero as indication of one. ++ */ ++ if (i < max_size && table[i].speed) + return &table[i]; + + return NULL; +-- +2.51.0 + diff --git a/queue-6.16/net-mlx5e-add-a-miss-level-for-ipsec-crypto-offload.patch b/queue-6.16/net-mlx5e-add-a-miss-level-for-ipsec-crypto-offload.patch new file mode 100644 index 0000000000..b326dc6136 --- /dev/null +++ b/queue-6.16/net-mlx5e-add-a-miss-level-for-ipsec-crypto-offload.patch @@ -0,0 +1,104 @@ +From 233183e2eb1c3fb9696b3c66f9398df8a8478fa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 15:24:34 +0300 +Subject: net/mlx5e: Add a miss level for ipsec crypto offload + +From: Lama Kayal + +[ Upstream commit 7601a0a46216f4ba05adff2de75923b4e8e585c2 ] + +The cited commit adds a miss table for switchdev mode. But it +uses the same level as policy table. Will hit the following error +when running command: + + # ip xfrm state add src 192.168.1.22 dst 192.168.1.21 proto \ + esp spi 1001 reqid 10001 aead 'rfc4106(gcm(aes))' \ + 0x3a189a7f9374955d3817886c8587f1da3df387ff 128 \ + mode tunnel offload dev enp8s0f0 dir in + Error: mlx5_core: Device failed to offload this state. + +The dmesg error is: + + mlx5_core 0000:03:00.0: ipsec_miss_create:578:(pid 311797): fail to create IPsec miss_rule err=-22 + +Fix it by adding a new miss level to avoid the error. + +Fixes: 7d9e292ecd67 ("net/mlx5e: Move IPSec policy check after decryption") +Signed-off-by: Jianbo Liu +Signed-off-by: Chris Mi +Signed-off-by: Lama Kayal +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1757939074-617281-4-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/fs.h | 1 + + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h | 1 + + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 3 ++- + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 ++-- + 4 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +index 9560fcba643f5..ac65e31914802 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs.h +@@ -92,6 +92,7 @@ enum { + MLX5E_ACCEL_FS_ESP_FT_LEVEL = MLX5E_INNER_TTC_FT_LEVEL + 1, + MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL, + MLX5E_ACCEL_FS_POL_FT_LEVEL, ++ MLX5E_ACCEL_FS_POL_MISS_FT_LEVEL, + MLX5E_ACCEL_FS_ESP_FT_ROCE_LEVEL, + #endif + }; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +index ffcd0cdeb7754..23703f28386ad 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h +@@ -185,6 +185,7 @@ struct mlx5e_ipsec_rx_create_attr { + u32 family; + int prio; + int pol_level; ++ int pol_miss_level; + int sa_level; + int status_level; + enum mlx5_flow_namespace_type chains_ns; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index 98b6a3a623f99..65dc3529283b6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -747,6 +747,7 @@ static void ipsec_rx_create_attr_set(struct mlx5e_ipsec *ipsec, + attr->family = family; + attr->prio = MLX5E_NIC_PRIO; + attr->pol_level = MLX5E_ACCEL_FS_POL_FT_LEVEL; ++ attr->pol_miss_level = MLX5E_ACCEL_FS_POL_MISS_FT_LEVEL; + attr->sa_level = MLX5E_ACCEL_FS_ESP_FT_LEVEL; + attr->status_level = MLX5E_ACCEL_FS_ESP_FT_ERR_LEVEL; + attr->chains_ns = MLX5_FLOW_NAMESPACE_KERNEL; +@@ -833,7 +834,7 @@ static int ipsec_rx_chains_create_miss(struct mlx5e_ipsec *ipsec, + + ft_attr.max_fte = 1; + ft_attr.autogroup.max_num_groups = 1; +- ft_attr.level = attr->pol_level; ++ ft_attr.level = attr->pol_miss_level; + ft_attr.prio = attr->prio; + + ft = mlx5_create_auto_grouped_flow_table(attr->ns, &ft_attr); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +index 29ce09af59aef..3b57ef6b3de38 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c +@@ -114,9 +114,9 @@ + #define ETHTOOL_NUM_PRIOS 11 + #define ETHTOOL_MIN_LEVEL (KERNEL_MIN_LEVEL + ETHTOOL_NUM_PRIOS) + /* Vlan, mac, ttc, inner ttc, {UDP/ANY/aRFS/accel/{esp, esp_err}}, IPsec policy, +- * {IPsec RoCE MPV,Alias table},IPsec RoCE policy ++ * IPsec policy miss, {IPsec RoCE MPV,Alias table},IPsec RoCE policy + */ +-#define KERNEL_NIC_PRIO_NUM_LEVELS 10 ++#define KERNEL_NIC_PRIO_NUM_LEVELS 11 + #define KERNEL_NIC_NUM_PRIOS 1 + /* One more level for tc, and one more for promisc */ + #define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 2) +-- +2.51.0 + diff --git a/queue-6.16/net-mlx5e-harden-uplink-netdev-access-against-device.patch b/queue-6.16/net-mlx5e-harden-uplink-netdev-access-against-device.patch new file mode 100644 index 0000000000..7c00fff7e6 --- /dev/null +++ b/queue-6.16/net-mlx5e-harden-uplink-netdev-access-against-device.patch @@ -0,0 +1,155 @@ +From 7621439d884fd1ed80f21e0f5108c4084ca71dd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 15:24:32 +0300 +Subject: net/mlx5e: Harden uplink netdev access against device unbind + +From: Jianbo Liu + +[ Upstream commit 6b4be64fd9fec16418f365c2d8e47a7566e9eba5 ] + +The function mlx5_uplink_netdev_get() gets the uplink netdevice +pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can +be removed and its pointer cleared when unbound from the mlx5_core.eth +driver. This results in a NULL pointer, causing a kernel panic. + + BUG: unable to handle page fault for address: 0000000000001300 + at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core] + Call Trace: + + mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core] + esw_offloads_enable+0x593/0x910 [mlx5_core] + mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core] + mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core] + devlink_nl_eswitch_set_doit+0x60/0xd0 + genl_family_rcv_msg_doit+0xe0/0x130 + genl_rcv_msg+0x183/0x290 + netlink_rcv_skb+0x4b/0xf0 + genl_rcv+0x24/0x40 + netlink_unicast+0x255/0x380 + netlink_sendmsg+0x1f3/0x420 + __sock_sendmsg+0x38/0x60 + __sys_sendto+0x119/0x180 + do_syscall_64+0x53/0x1d0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Ensure the pointer is valid before use by checking it for NULL. If it +is valid, immediately call netdev_hold() to take a reference, and +preventing the netdevice from being freed while it is in use. + +Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Jiri Pirko +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1757939074-617281-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++++++++++++---- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + + .../ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 ++++++++++- + include/linux/mlx5/driver.h | 1 + + 4 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 63a7a788fb0db..cd0242eb008c2 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1506,12 +1506,21 @@ static const struct mlx5e_profile mlx5e_uplink_rep_profile = { + static int + mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep) + { +- struct mlx5e_priv *priv = netdev_priv(mlx5_uplink_netdev_get(dev)); + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); ++ struct net_device *netdev; ++ struct mlx5e_priv *priv; ++ int err; ++ ++ netdev = mlx5_uplink_netdev_get(dev); ++ if (!netdev) ++ return 0; + ++ priv = netdev_priv(netdev); + rpriv->netdev = priv->netdev; +- return mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, +- rpriv); ++ err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, ++ rpriv); ++ mlx5_uplink_netdev_put(dev, netdev); ++ return err; + } + + static void +@@ -1638,8 +1647,16 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep) + { + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); + struct net_device *netdev = rpriv->netdev; +- struct mlx5e_priv *priv = netdev_priv(netdev); +- void *ppriv = priv->ppriv; ++ struct mlx5e_priv *priv; ++ void *ppriv; ++ ++ if (!netdev) { ++ ppriv = rpriv; ++ goto free_ppriv; ++ } ++ ++ priv = netdev_priv(netdev); ++ ppriv = priv->ppriv; + + if (rep->vport == MLX5_VPORT_UPLINK) { + mlx5e_vport_uplink_rep_unload(rpriv); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index ad9f6fca9b6a2..c6476e943e98d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -743,6 +743,7 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + speed = lksettings.base.speed; + + out: ++ mlx5_uplink_netdev_put(mdev, slave); + return speed; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +index 37d5f445598c7..a7486e6d0d5ef 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +@@ -52,7 +52,20 @@ static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) + + static inline struct net_device *mlx5_uplink_netdev_get(struct mlx5_core_dev *mdev) + { +- return mdev->mlx5e_res.uplink_netdev; ++ struct mlx5e_resources *mlx5e_res = &mdev->mlx5e_res; ++ struct net_device *netdev; ++ ++ mutex_lock(&mlx5e_res->uplink_netdev_lock); ++ netdev = mlx5e_res->uplink_netdev; ++ netdev_hold(netdev, &mlx5e_res->tracker, GFP_KERNEL); ++ mutex_unlock(&mlx5e_res->uplink_netdev_lock); ++ return netdev; ++} ++ ++static inline void mlx5_uplink_netdev_put(struct mlx5_core_dev *mdev, ++ struct net_device *netdev) ++{ ++ netdev_put(netdev, &mdev->mlx5e_res.tracker); + } + + struct mlx5_sd; +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index e6ba8f4f4bd1f..27850ebb651b3 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -662,6 +662,7 @@ struct mlx5e_resources { + bool tisn_valid; + } hw_objs; + struct net_device *uplink_netdev; ++ netdevice_tracker tracker; + struct mutex uplink_netdev_lock; + struct mlx5_crypto_dek_priv *dek_priv; + }; +-- +2.51.0 + diff --git a/queue-6.16/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-6.16/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..1729809246 --- /dev/null +++ b/queue-6.16/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From e31f1d88de5a75b3a6a4a554620acaa82d549c4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 56d5464222d97..cdbf82affa7be 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-6.16/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch b/queue-6.16/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch new file mode 100644 index 0000000000..0339467e26 --- /dev/null +++ b/queue-6.16/net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch @@ -0,0 +1,95 @@ +From 5512d85152e6210832f487e8c236327d6eab796c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Sep 2025 20:07:44 -0300 +Subject: net/tcp: Fix a NULL pointer dereference when using TCP-AO with + TCP_REPAIR + +From: Anderson Nascimento + +[ Upstream commit 2e7bba08923ebc675b1f0e0e0959e68e53047838 ] + +A NULL pointer dereference can occur in tcp_ao_finish_connect() during a +connect() system call on a socket with a TCP-AO key added and TCP_REPAIR +enabled. + +The function is called with skb being NULL and attempts to dereference it +on tcp_hdr(skb)->seq without a prior skb validation. + +Fix this by checking if skb is NULL before dereferencing it. + +The commentary is taken from bpf_skops_established(), which is also called +in the same flow. Unlike the function being patched, +bpf_skops_established() validates the skb before dereferencing it. + +int main(void){ + struct sockaddr_in sockaddr; + struct tcp_ao_add tcp_ao; + int sk; + int one = 1; + + memset(&sockaddr,'\0',sizeof(sockaddr)); + memset(&tcp_ao,'\0',sizeof(tcp_ao)); + + sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + + sockaddr.sin_family = AF_INET; + + memcpy(tcp_ao.alg_name,"cmac(aes128)",12); + memcpy(tcp_ao.key,"ABCDEFGHABCDEFGH",16); + tcp_ao.keylen = 16; + + memcpy(&tcp_ao.addr,&sockaddr,sizeof(sockaddr)); + + setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tcp_ao, + sizeof(tcp_ao)); + setsockopt(sk, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)); + + sockaddr.sin_family = AF_INET; + sockaddr.sin_port = htobe16(123); + + inet_aton("127.0.0.1", &sockaddr.sin_addr); + + connect(sk,(struct sockaddr *)&sockaddr,sizeof(sockaddr)); + +return 0; +} + +$ gcc tcp-ao-nullptr.c -o tcp-ao-nullptr -Wall +$ unshare -Urn + +BUG: kernel NULL pointer dereference, address: 00000000000000b6 +PGD 1f648d067 P4D 1f648d067 PUD 1982e8067 PMD 0 +Oops: Oops: 0000 [#1] SMP NOPTI +Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop +Reference Platform, BIOS 6.00 11/12/2020 +RIP: 0010:tcp_ao_finish_connect (net/ipv4/tcp_ao.c:1182) + +Fixes: 7c2ffaf21bd6 ("net/tcp: Calculate TCP-AO traffic keys") +Signed-off-by: Anderson Nascimento +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250911230743.2551-3-anderson@allelesecurity.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ao.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c +index bbb8d5f0eae7d..3338b6cc85c48 100644 +--- a/net/ipv4/tcp_ao.c ++++ b/net/ipv4/tcp_ao.c +@@ -1178,7 +1178,9 @@ void tcp_ao_finish_connect(struct sock *sk, struct sk_buff *skb) + if (!ao) + return; + +- WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); ++ /* sk with TCP_REPAIR_ON does not have skb in tcp_finish_connect */ ++ if (skb) ++ WRITE_ONCE(ao->risn, tcp_hdr(skb)->seq); + ao->rcv_sne = 0; + + hlist_for_each_entry_rcu(key, &ao->head, node, lockdep_sock_is_held(sk)) +-- +2.51.0 + diff --git a/queue-6.16/nvme-fix-pi-insert-on-write.patch b/queue-6.16/nvme-fix-pi-insert-on-write.patch new file mode 100644 index 0000000000..52f8f88831 --- /dev/null +++ b/queue-6.16/nvme-fix-pi-insert-on-write.patch @@ -0,0 +1,94 @@ +From 1119883f44c9a79f5821422c720d2cf39e743269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:32:49 +0200 +Subject: nvme: fix PI insert on write + +From: Christoph Hellwig + +[ Upstream commit 7ac3c2889bc060c3f67cf44df0dbb093a835c176 ] + +I recently ran into an issue where the PI generated using the block layer +integrity code differs from that from a kernel using the PRACT fallback +when the block layer integrity code is disabled, and I tracked this down +to us using PRACT incorrectly. + +The NVM Command Set Specification (section 5.33 in 1.2, similar in older +versions) specifies the PRACT insert behavior as: + + Inserted protection information consists of the computed CRC for the + protection information format (refer to section 5.3.1) in the Guard + field, the LBAT field value in the Application Tag field, the LBST + field value in the Storage Tag field, if defined, and the computed + reference tag in the Logical Block Reference Tag. + +Where the computed reference tag is defined as following for type 1 and +type 2 using the text below that is duplicated in the respective bullet +points: + + the value of the computed reference tag for the first logical block of + the command is the value contained in the Initial Logical Block + Reference Tag (ILBRT) or Expected Initial Logical Block Reference Tag + (EILBRT) field in the command, and the computed reference tag is + incremented for each subsequent logical block. + +So we need to set ILBRT field, but we currently don't. Interestingly +this works fine on my older type 1 formatted SSD, but Qemu trips up on +this. We already set ILBRT for Write Same since commit aeb7bb061be5 +("nvme: set the PRACT bit when using Write Zeroes with T10 PI"). + +To ease this, move the PI type check into nvme_set_ref_tag. + +Reviewed-by: Martin K. Petersen +Signed-off-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 895fb163d48e6..5395623d2ba6a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -903,6 +903,15 @@ static void nvme_set_ref_tag(struct nvme_ns *ns, struct nvme_command *cmnd, + u32 upper, lower; + u64 ref48; + ++ /* only type1 and type 2 PI formats have a reftag */ ++ switch (ns->head->pi_type) { ++ case NVME_NS_DPS_PI_TYPE1: ++ case NVME_NS_DPS_PI_TYPE2: ++ break; ++ default: ++ return; ++ } ++ + /* both rw and write zeroes share the same reftag format */ + switch (ns->head->guard_type) { + case NVME_NVM_NS_16B_GUARD: +@@ -942,13 +951,7 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns, + + if (nvme_ns_has_pi(ns->head)) { + cmnd->write_zeroes.control |= cpu_to_le16(NVME_RW_PRINFO_PRACT); +- +- switch (ns->head->pi_type) { +- case NVME_NS_DPS_PI_TYPE1: +- case NVME_NS_DPS_PI_TYPE2: +- nvme_set_ref_tag(ns, cmnd, req); +- break; +- } ++ nvme_set_ref_tag(ns, cmnd, req); + } + + return BLK_STS_OK; +@@ -1039,6 +1042,7 @@ static inline blk_status_t nvme_setup_rw(struct nvme_ns *ns, + if (WARN_ON_ONCE(!nvme_ns_has_pi(ns->head))) + return BLK_STS_NOTSUPP; + control |= NVME_RW_PRINFO_PRACT; ++ nvme_set_ref_tag(ns, cmnd, req); + } + + if (bio_integrity_flagged(req->bio, BIP_CHECK_GUARD)) +-- +2.51.0 + diff --git a/queue-6.16/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch b/queue-6.16/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch new file mode 100644 index 0000000000..79c1aa3693 --- /dev/null +++ b/queue-6.16/octeon_ep-fix-vf-mac-address-lifecycle-handling.patch @@ -0,0 +1,55 @@ +From 202e62f9bbca84fb0f9aeae7debd9dbb2bdf9333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 06:32:07 -0700 +Subject: octeon_ep: fix VF MAC address lifecycle handling + +From: Sathesh B Edara + +[ Upstream commit a72175c985132885573593222a7b088cf49b07ae ] + +Currently, VF MAC address info is not updated when the MAC address is +configured from VF, and it is not cleared when the VF is removed. This +leads to stale or missing MAC information in the PF, which may cause +incorrect state tracking or inconsistencies when VFs are hot-plugged +or reassigned. + +Fix this by: + - storing the VF MAC address in the PF when it is set from VF + - clearing the stored VF MAC address when the VF is removed + +This ensures that the PF always has correct VF MAC state. + +Fixes: cde29af9e68e ("octeon_ep: add PF-VF mailbox communication") +Signed-off-by: Sathesh B Edara +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250916133207.21737-1-sedara@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c b/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c +index ebecdd29f3bd0..0867fab61b190 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_pfvf_mbox.c +@@ -196,6 +196,7 @@ static void octep_pfvf_get_mac_addr(struct octep_device *oct, u32 vf_id, + vf_id); + return; + } ++ ether_addr_copy(oct->vf_info[vf_id].mac_addr, rsp->s_set_mac.mac_addr); + rsp->s_set_mac.type = OCTEP_PFVF_MBOX_TYPE_RSP_ACK; + } + +@@ -205,6 +206,8 @@ static void octep_pfvf_dev_remove(struct octep_device *oct, u32 vf_id, + { + int err; + ++ /* Reset VF-specific information maintained by the PF */ ++ memset(&oct->vf_info[vf_id], 0, sizeof(struct octep_pfvf_info)); + err = octep_ctrl_net_dev_remove(oct, vf_id); + if (err) { + rsp->s.type = OCTEP_PFVF_MBOX_TYPE_RSP_NACK; +-- +2.51.0 + diff --git a/queue-6.16/octeon_ep-validate-the-vf-id.patch b/queue-6.16/octeon_ep-validate-the-vf-id.patch new file mode 100644 index 0000000000..892066da31 --- /dev/null +++ b/queue-6.16/octeon_ep-validate-the-vf-id.patch @@ -0,0 +1,79 @@ +From 6c2e1ec973720aea0c68465333b554892f682539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Sep 2025 18:36:10 -0400 +Subject: octeon_ep: Validate the VF ID + +From: Kamal Heib + +[ Upstream commit af82e857df5dd883a4867bcaf5dde041e57a4e33 ] + +Add a helper to validate the VF ID and use it in the VF ndo ops to +prevent accessing out-of-range entries. + +Without this check, users can run commands such as: + + # ip link show dev enp135s0 + 2: enp135s0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 + link/ether 00:00:00:01:01:00 brd ff:ff:ff:ff:ff:ff + vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state enable, trust off + vf 1 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state enable, trust off + # ip link set dev enp135s0 vf 4 mac 00:00:00:00:00:14 + # echo $? + 0 + +even though VF 4 does not exist, which results in silent success instead +of returning an error. + +Fixes: 8a241ef9b9b8 ("octeon_ep: add ndo ops for VFs in PF driver") +Signed-off-by: Kamal Heib +Reviewed-by: Michal Swiatkowski +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250911223610.1803144-1-kheib@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeon_ep/octep_main.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +index 24499bb36c005..bcea3fc26a8c7 100644 +--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c ++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c +@@ -1124,11 +1124,24 @@ static int octep_set_features(struct net_device *dev, netdev_features_t features + return err; + } + ++static bool octep_is_vf_valid(struct octep_device *oct, int vf) ++{ ++ if (vf >= CFG_GET_ACTIVE_VFS(oct->conf)) { ++ netdev_err(oct->netdev, "Invalid VF ID %d\n", vf); ++ return false; ++ } ++ ++ return true; ++} ++ + static int octep_get_vf_config(struct net_device *dev, int vf, + struct ifla_vf_info *ivi) + { + struct octep_device *oct = netdev_priv(dev); + ++ if (!octep_is_vf_valid(oct, vf)) ++ return -EINVAL; ++ + ivi->vf = vf; + ether_addr_copy(ivi->mac, oct->vf_info[vf].mac_addr); + ivi->spoofchk = true; +@@ -1143,6 +1156,9 @@ static int octep_set_vf_mac(struct net_device *dev, int vf, u8 *mac) + struct octep_device *oct = netdev_priv(dev); + int err; + ++ if (!octep_is_vf_valid(oct, vf)) ++ return -EINVAL; ++ + if (!is_valid_ether_addr(mac)) { + dev_err(&oct->pdev->dev, "Invalid MAC Address %pM\n", mac); + return -EADDRNOTAVAIL; +-- +2.51.0 + diff --git a/queue-6.16/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch b/queue-6.16/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch new file mode 100644 index 0000000000..366c3587a9 --- /dev/null +++ b/queue-6.16/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch @@ -0,0 +1,126 @@ +From 1e85cb0c26e2704641de0203ee141e1cbf51f5d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 14:38:53 +0800 +Subject: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() + +From: Duoming Zhou + +[ Upstream commit f8b4687151021db61841af983f1cb7be6915d4ef ] + +The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), +which does not ensure that the delayed work item synctstamp_work has fully +completed if it was already running. This leads to use-after-free scenarios +where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work +remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp(). +Furthermore, the synctstamp_work is cyclic, the likelihood of triggering +the bug is nonnegligible. + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +otx2_remove() | + otx2_ptp_destroy() | otx2_sync_tstamp() + cancel_delayed_work() | + kfree(ptp) | + | ptp = container_of(...); //UAF + | ptp-> //UAF + +This is confirmed by a KASAN report: + +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff88800aa09a18 by task bash/136 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? __pfx_read_tsc+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + run_timer_softirq+0xd1/0x190 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... +Allocated by task 1: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + otx2_ptp_init+0xb1/0x860 + otx2_probe+0x4eb/0xc30 + local_pci_probe+0xdc/0x190 + pci_device_probe+0x2fe/0x470 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __driver_attach+0xd2/0x310 + bus_for_each_dev+0xed/0x170 + bus_add_driver+0x208/0x500 + driver_register+0x132/0x460 + do_one_initcall+0x89/0x300 + kernel_init_freeable+0x40d/0x720 + kernel_init+0x1a/0x150 + ret_from_fork+0x10c/0x1a0 + ret_from_fork_asm+0x1a/0x30 + +Freed by task 136: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + otx2_ptp_destroy+0x38/0x80 + otx2_remove+0x10d/0x4c0 + pci_device_remove+0xa6/0x1d0 + device_release_driver_internal+0xf8/0x210 + pci_stop_bus_device+0x105/0x150 + pci_stop_and_remove_bus_device_locked+0x15/0x30 + remove_store+0xcc/0xe0 + kernfs_fop_write_iter+0x2c3/0x440 + vfs_write+0x871/0xd70 + ksys_write+0xee/0x1c0 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the delayed work item is properly canceled before the otx2_ptp is +deallocated. + +This bug was initially identified through static analysis. To reproduce +and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced +artificial delays within the otx2_sync_tstamp() function to increase the +likelihood of triggering the bug. + +Fixes: 2958d17a8984 ("octeontx2-pf: Add support for ptp 1-step mode on CN10K silicon") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +index 63130ba37e9df..69b435ed8fbbe 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +@@ -491,7 +491,7 @@ void otx2_ptp_destroy(struct otx2_nic *pfvf) + if (!ptp) + return; + +- cancel_delayed_work(&pfvf->ptp->synctstamp_work); ++ cancel_delayed_work_sync(&pfvf->ptp->synctstamp_work); + + ptp_clock_unregister(ptp->ptp_clock); + kfree(ptp); +-- +2.51.0 + diff --git a/queue-6.16/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-6.16/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..6efe312c49 --- /dev/null +++ b/queue-6.16/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From ed3447d37ad35079545370105c5b55daee2d46a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index 441cdf83f5a44..d6f24c7d15622 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -304,7 +304,13 @@ static void __exit omap_cf_remove(struct platform_device *pdev) + kfree(cf); + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-6.16/perf-maps-ensure-kmap-is-set-up-for-all-inserts.patch b/queue-6.16/perf-maps-ensure-kmap-is-set-up-for-all-inserts.patch new file mode 100644 index 0000000000..e9494c9f16 --- /dev/null +++ b/queue-6.16/perf-maps-ensure-kmap-is-set-up-for-all-inserts.patch @@ -0,0 +1,95 @@ +From 3f2b55e319369c9e2582e572850555c514d4093c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Sep 2025 11:18:08 -0700 +Subject: perf maps: Ensure kmap is set up for all inserts + +From: Ian Rogers + +[ Upstream commit 20c9ccffccd61b37325a0519fb6d485caeecf7fa ] + +__maps__fixup_overlap_and_insert may split or directly insert a map, +when doing this the map may need to have a kmap set up for the sake of +the kmaps. The missing kmap set up fails the check_invariants test in +maps, later "Internal error" reports from map__kmap and ultimately +causes segfaults. + +Similar fixes were added in commit e0e4e0b8b7fa ("perf maps: Add +missing map__set_kmap_maps() when replacing a kernel map") and commit +25d9c0301d36 ("perf maps: Set the kmaps for newly created/added kernel +maps") but they missed cases. To try to reduce the risk of this, +update the kmap directly following any manual insert. This identified +another problem in maps__copy_from. + +Fixes: e0e4e0b8b7fa ("perf maps: Add missing map__set_kmap_maps() when replacing a kernel map") +Fixes: 25d9c0301d36 ("perf maps: Set the kmaps for newly created/added kernel maps") +Signed-off-by: Ian Rogers +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/maps.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c +index 85b2a93a59ac6..779f6230130af 100644 +--- a/tools/perf/util/maps.c ++++ b/tools/perf/util/maps.c +@@ -477,6 +477,7 @@ static int __maps__insert(struct maps *maps, struct map *new) + } + /* Insert the value at the end. */ + maps_by_address[nr_maps] = map__get(new); ++ map__set_kmap_maps(new, maps); + if (maps_by_name) + maps_by_name[nr_maps] = map__get(new); + +@@ -502,8 +503,6 @@ static int __maps__insert(struct maps *maps, struct map *new) + if (map__end(new) < map__start(new)) + RC_CHK_ACCESS(maps)->ends_broken = true; + +- map__set_kmap_maps(new, maps); +- + return 0; + } + +@@ -891,6 +890,7 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new) + if (before) { + map__put(maps_by_address[i]); + maps_by_address[i] = before; ++ map__set_kmap_maps(before, maps); + + if (maps_by_name) { + map__put(maps_by_name[ni]); +@@ -918,6 +918,7 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new) + */ + map__put(maps_by_address[i]); + maps_by_address[i] = map__get(new); ++ map__set_kmap_maps(new, maps); + + if (maps_by_name) { + map__put(maps_by_name[ni]); +@@ -942,14 +943,13 @@ static int __maps__fixup_overlap_and_insert(struct maps *maps, struct map *new) + */ + map__put(maps_by_address[i]); + maps_by_address[i] = map__get(new); ++ map__set_kmap_maps(new, maps); + + if (maps_by_name) { + map__put(maps_by_name[ni]); + maps_by_name[ni] = map__get(new); + } + +- map__set_kmap_maps(new, maps); +- + check_invariants(maps); + return err; + } +@@ -1019,6 +1019,7 @@ int maps__copy_from(struct maps *dest, struct maps *parent) + err = unwind__prepare_access(dest, new, NULL); + if (!err) { + dest_maps_by_address[i] = new; ++ map__set_kmap_maps(new, dest); + if (dest_maps_by_name) + dest_maps_by_name[i] = map__get(new); + RC_CHK_ACCESS(dest)->nr_maps = i + 1; +-- +2.51.0 + diff --git a/queue-6.16/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-6.16/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..e034534bd8 --- /dev/null +++ b/queue-6.16/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From 698af8cda8f553b8b1cf4c347c9f0f7015a9d06c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index 9c3d3dd2f8475..1f0cea3cae92f 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4462,10 +4462,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-6.16/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-6.16/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..1fc72df91a --- /dev/null +++ b/queue-6.16/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From 3e037c01b0d4a7008776c7985fb4a96acbab6d55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index e39c51cfc8e6c..f0142d32b648f 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -136,8 +136,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (up) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-6.16/rxrpc-fix-unhandled-errors-in-rxgk_verify_packet_int.patch b/queue-6.16/rxrpc-fix-unhandled-errors-in-rxgk_verify_packet_int.patch new file mode 100644 index 0000000000..259882b0de --- /dev/null +++ b/queue-6.16/rxrpc-fix-unhandled-errors-in-rxgk_verify_packet_int.patch @@ -0,0 +1,160 @@ +From 317691c22c4f6e4aa6200c80c0610a986f4026b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Sep 2025 23:58:16 +0100 +Subject: rxrpc: Fix unhandled errors in rxgk_verify_packet_integrity() + +From: David Howells + +[ Upstream commit 64863f4ca4945bdb62ce2b30823f39ea9fe95415 ] + +rxgk_verify_packet_integrity() may get more errors than just -EPROTO from +rxgk_verify_mic_skb(). Pretty much anything other than -ENOMEM constitutes +an unrecoverable error. In the case of -ENOMEM, we can just drop the +packet and wait for a retransmission. + +Similar happens with rxgk_decrypt_skb() and its callers. + +Fix rxgk_decrypt_skb() or rxgk_verify_mic_skb() to return a greater variety +of abort codes and fix their callers to abort the connection on any error +apart from -ENOMEM. + +Also preclear the variables used to hold the abort code returned from +rxgk_decrypt_skb() or rxgk_verify_mic_skb() to eliminate uninitialised +variable warnings. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Reported-by: Dan Carpenter +Closes: https://lists.infradead.org/pipermail/linux-afs/2025-April/009739.html +Closes: https://lists.infradead.org/pipermail/linux-afs/2025-April/009740.html +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/2038804.1757631496@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/rxgk.c | 18 ++++++++++-------- + net/rxrpc/rxgk_app.c | 10 ++++++---- + net/rxrpc/rxgk_common.h | 14 ++++++++++++-- + 3 files changed, 28 insertions(+), 14 deletions(-) + +diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c +index 1e19c605bcc82..dce5a3d8a964f 100644 +--- a/net/rxrpc/rxgk.c ++++ b/net/rxrpc/rxgk.c +@@ -475,7 +475,7 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call, + struct krb5_buffer metadata; + unsigned int offset = sp->offset, len = sp->len; + size_t data_offset = 0, data_len = len; +- u32 ac; ++ u32 ac = 0; + int ret = -ENOMEM; + + _enter(""); +@@ -499,9 +499,10 @@ static int rxgk_verify_packet_integrity(struct rxrpc_call *call, + ret = rxgk_verify_mic_skb(gk->krb5, gk->rx_Kc, &metadata, + skb, &offset, &len, &ac); + kfree(hdr); +- if (ret == -EPROTO) { +- rxrpc_abort_eproto(call, skb, ac, +- rxgk_abort_1_verify_mic_eproto); ++ if (ret < 0) { ++ if (ret != -ENOMEM) ++ rxrpc_abort_eproto(call, skb, ac, ++ rxgk_abort_1_verify_mic_eproto); + } else { + sp->offset = offset; + sp->len = len; +@@ -524,15 +525,16 @@ static int rxgk_verify_packet_encrypted(struct rxrpc_call *call, + struct rxgk_header hdr; + unsigned int offset = sp->offset, len = sp->len; + int ret; +- u32 ac; ++ u32 ac = 0; + + _enter(""); + + ret = rxgk_decrypt_skb(gk->krb5, gk->rx_enc, skb, &offset, &len, &ac); +- if (ret == -EPROTO) +- rxrpc_abort_eproto(call, skb, ac, rxgk_abort_2_decrypt_eproto); +- if (ret < 0) ++ if (ret < 0) { ++ if (ret != -ENOMEM) ++ rxrpc_abort_eproto(call, skb, ac, rxgk_abort_2_decrypt_eproto); + goto error; ++ } + + if (len < sizeof(hdr)) { + ret = rxrpc_abort_eproto(call, skb, RXGK_PACKETSHORT, +diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c +index b94b77a1c3178..df684b5a85314 100644 +--- a/net/rxrpc/rxgk_app.c ++++ b/net/rxrpc/rxgk_app.c +@@ -187,7 +187,7 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, + struct key *server_key; + unsigned int ticket_offset, ticket_len; + u32 kvno, enctype; +- int ret, ec; ++ int ret, ec = 0; + + struct { + __be32 kvno; +@@ -236,9 +236,11 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, + &ticket_offset, &ticket_len, &ec); + crypto_free_aead(token_enc); + token_enc = NULL; +- if (ret < 0) +- return rxrpc_abort_conn(conn, skb, ec, ret, +- rxgk_abort_resp_tok_dec); ++ if (ret < 0) { ++ if (ret != -ENOMEM) ++ return rxrpc_abort_conn(conn, skb, ec, ret, ++ rxgk_abort_resp_tok_dec); ++ } + + ret = conn->security->default_decode_ticket(conn, skb, ticket_offset, + ticket_len, _key); +diff --git a/net/rxrpc/rxgk_common.h b/net/rxrpc/rxgk_common.h +index 7370a56559853..80164d89e19c0 100644 +--- a/net/rxrpc/rxgk_common.h ++++ b/net/rxrpc/rxgk_common.h +@@ -88,11 +88,16 @@ int rxgk_decrypt_skb(const struct krb5_enctype *krb5, + *_offset += offset; + *_len = len; + break; ++ case -EBADMSG: /* Checksum mismatch. */ + case -EPROTO: +- case -EBADMSG: + *_error_code = RXGK_SEALEDINCON; + break; ++ case -EMSGSIZE: ++ *_error_code = RXGK_PACKETSHORT; ++ break; ++ case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */ + default: ++ *_error_code = RXGK_INCONSISTENCY; + break; + } + +@@ -127,11 +132,16 @@ int rxgk_verify_mic_skb(const struct krb5_enctype *krb5, + *_offset += offset; + *_len = len; + break; ++ case -EBADMSG: /* Checksum mismatch */ + case -EPROTO: +- case -EBADMSG: + *_error_code = RXGK_SEALEDINCON; + break; ++ case -EMSGSIZE: ++ *_error_code = RXGK_PACKETSHORT; ++ break; ++ case -ENOPKG: /* Would prefer RXGK_BADETYPE, but not available for YFS. */ + default: ++ *_error_code = RXGK_INCONSISTENCY; + break; + } + +-- +2.51.0 + diff --git a/queue-6.16/rxrpc-fix-untrusted-unsigned-subtract.patch b/queue-6.16/rxrpc-fix-untrusted-unsigned-subtract.patch new file mode 100644 index 0000000000..2921ffe18a --- /dev/null +++ b/queue-6.16/rxrpc-fix-untrusted-unsigned-subtract.patch @@ -0,0 +1,90 @@ +From 15eceb655233ec0d5a74ffc31d086368dfc99981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 00:06:17 +0100 +Subject: rxrpc: Fix untrusted unsigned subtract + +From: David Howells + +[ Upstream commit 2429a197648178cd4dc930a9d87c13c547460564 ] + +Fix the following Smatch static checker warning: + + net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket() + warn: untrusted unsigned subtract. 'ticket_len - 10 * 4' + +by prechecking the length of what we're trying to extract in two places in +the token and decoding for a response packet. + +Also use sizeof() on the struct we're extracting rather specifying the size +numerically to be consistent with the other related statements. + +Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)") +Reported-by: Dan Carpenter +Closes: https://lists.infradead.org/pipermail/linux-afs/2025-September/010135.html +Signed-off-by: David Howells +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/2039268.1757631977@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rxrpc/rxgk_app.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/net/rxrpc/rxgk_app.c b/net/rxrpc/rxgk_app.c +index df684b5a85314..30275cb5ba3e2 100644 +--- a/net/rxrpc/rxgk_app.c ++++ b/net/rxrpc/rxgk_app.c +@@ -54,6 +54,10 @@ int rxgk_yfs_decode_ticket(struct rxrpc_connection *conn, struct sk_buff *skb, + + _enter(""); + ++ if (ticket_len < 10 * sizeof(__be32)) ++ return rxrpc_abort_conn(conn, skb, RXGK_INCONSISTENCY, -EPROTO, ++ rxgk_abort_resp_short_yfs_tkt); ++ + /* Get the session key length */ + ret = skb_copy_bits(skb, ticket_offset, tmp, sizeof(tmp)); + if (ret < 0) +@@ -195,22 +199,23 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, + __be32 token_len; + } container; + ++ if (token_len < sizeof(container)) ++ goto short_packet; ++ + /* Decode the RXGK_TokenContainer object. This tells us which server + * key we should be using. We can then fetch the key, get the secret + * and set up the crypto to extract the token. + */ + if (skb_copy_bits(skb, token_offset, &container, sizeof(container)) < 0) +- return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, +- rxgk_abort_resp_tok_short); ++ goto short_packet; + + kvno = ntohl(container.kvno); + enctype = ntohl(container.enctype); + ticket_len = ntohl(container.token_len); + ticket_offset = token_offset + sizeof(container); + +- if (xdr_round_up(ticket_len) > token_len - 3 * 4) +- return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, +- rxgk_abort_resp_tok_short); ++ if (xdr_round_up(ticket_len) > token_len - sizeof(container)) ++ goto short_packet; + + _debug("KVNO %u", kvno); + _debug("ENC %u", enctype); +@@ -285,4 +290,8 @@ int rxgk_extract_token(struct rxrpc_connection *conn, struct sk_buff *skb, + * also come out this way if the ticket decryption fails. + */ + return ret; ++ ++short_packet: ++ return rxrpc_abort_conn(conn, skb, RXGK_PACKETSHORT, -EPROTO, ++ rxgk_abort_resp_tok_short); + } +-- +2.51.0 + diff --git a/queue-6.16/selftests-mptcp-sockopt-fix-error-messages.patch b/queue-6.16/selftests-mptcp-sockopt-fix-error-messages.patch new file mode 100644 index 0000000000..86b6b57eb5 --- /dev/null +++ b/queue-6.16/selftests-mptcp-sockopt-fix-error-messages.patch @@ -0,0 +1,77 @@ +From e929a18b72d5ff8f7016e5f4f8d9f68f2d069127 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:24 +0200 +Subject: selftests: mptcp: sockopt: fix error messages + +From: Geliang Tang + +[ Upstream commit b86418beade11d45540a2d20c4ec1128849b6c27 ] + +This patch fixes several issues in the error reporting of the MPTCP sockopt +selftest: + +1. Fix diff not printed: The error messages for counter mismatches had + the actual difference ('diff') as argument, but it was missing in the + format string. Displaying it makes the debugging easier. + +2. Fix variable usage: The error check for 'mptcpi_bytes_acked' incorrectly + used 'ret2' (sent bytes) for both the expected value and the difference + calculation. It now correctly uses 'ret' (received bytes), which is the + expected value for bytes_acked. + +3. Fix off-by-one in diff: The calculation for the 'mptcpi_rcv_delta' diff + was 's.mptcpi_rcv_delta - ret', which is off-by-one. It has been + corrected to 's.mptcpi_rcv_delta - (ret + 1)' to match the expected + value in the condition above it. + +Fixes: 5dcff89e1455 ("selftests: mptcp: explicitly tests aggregate counters") +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-5-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +index e934dd26a59d9..112c07c4c37a3 100644 +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +@@ -667,22 +667,26 @@ static void process_one_client(int fd, int pipefd) + + do_getsockopts(&s, fd, ret, ret2); + if (s.mptcpi_rcv_delta != (uint64_t)ret + 1) +- xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64, s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - ret); ++ xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64 ", diff %" PRId64, ++ s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - (ret + 1)); + + /* be nice when running on top of older kernel */ + if (s.pkt_stats_avail) { + if (s.last_sample.mptcpi_bytes_sent != ret2) +- xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_sent, ret2, + s.last_sample.mptcpi_bytes_sent - ret2); + if (s.last_sample.mptcpi_bytes_received != ret) +- xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_received, ret, + s.last_sample.mptcpi_bytes_received - ret); + if (s.last_sample.mptcpi_bytes_acked != ret) +- xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64, +- s.last_sample.mptcpi_bytes_acked, ret2, +- s.last_sample.mptcpi_bytes_acked - ret2); ++ xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, ++ s.last_sample.mptcpi_bytes_acked, ret, ++ s.last_sample.mptcpi_bytes_acked - ret); + } + + close(fd); +-- +2.51.0 + diff --git a/queue-6.16/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch b/queue-6.16/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch new file mode 100644 index 0000000000..2701fc6a00 --- /dev/null +++ b/queue-6.16/selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch @@ -0,0 +1,99 @@ +From 4c438b0ad5b22f4ca8d382da2585829490f6ef42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:22 +0200 +Subject: selftests: mptcp: userspace pm: validate deny-join-id0 flag + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 24733e193a0d68f20d220e86da0362460c9aa812 ] + +The previous commit adds the MPTCP_PM_EV_FLAG_DENY_JOIN_ID0 flag. Make +sure it is correctly announced by the other peer when it has been +received. + +pm_nl_ctl will now display 'deny_join_id0:1' when monitoring the events, +and when this flag was set by the other peer. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. + +Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-3-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 +++++++ + tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 +++++++++++--- + 2 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +index 994a556f46c15..93fea3442216c 100644 +--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c ++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c +@@ -188,6 +188,13 @@ static int capture_events(int fd, int event_group) + fprintf(stderr, ",error:%u", *(__u8 *)RTA_DATA(attrs)); + else if (attrs->rta_type == MPTCP_ATTR_SERVER_SIDE) + fprintf(stderr, ",server_side:%u", *(__u8 *)RTA_DATA(attrs)); ++ else if (attrs->rta_type == MPTCP_ATTR_FLAGS) { ++ __u16 flags = *(__u16 *)RTA_DATA(attrs); ++ ++ /* only print when present, easier */ ++ if (flags & MPTCP_PM_EV_FLAG_DENY_JOIN_ID0) ++ fprintf(stderr, ",deny_join_id0:1"); ++ } + + attrs = RTA_NEXT(attrs, msg_len); + } +diff --git a/tools/testing/selftests/net/mptcp/userspace_pm.sh b/tools/testing/selftests/net/mptcp/userspace_pm.sh +index 333064b0b5ac0..97819e18578f4 100755 +--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh ++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh +@@ -201,6 +201,9 @@ make_connection() + is_v6="v4" + fi + ++ # set this on the client side only: will not affect the rest ++ ip netns exec "$ns2" sysctl -q net.mptcp.allow_join_initial_addr_port=0 ++ + :>"$client_evts" + :>"$server_evts" + +@@ -223,23 +226,28 @@ make_connection() + local client_token + local client_port + local client_serverside ++ local client_nojoin + local server_token + local server_serverside ++ local server_nojoin + + client_token=$(mptcp_lib_evts_get_info token "$client_evts") + client_port=$(mptcp_lib_evts_get_info sport "$client_evts") + client_serverside=$(mptcp_lib_evts_get_info server_side "$client_evts") ++ client_nojoin=$(mptcp_lib_evts_get_info deny_join_id0 "$client_evts") + server_token=$(mptcp_lib_evts_get_info token "$server_evts") + server_serverside=$(mptcp_lib_evts_get_info server_side "$server_evts") ++ server_nojoin=$(mptcp_lib_evts_get_info deny_join_id0 "$server_evts") + + print_test "Established IP${is_v6} MPTCP Connection ns2 => ns1" +- if [ "$client_token" != "" ] && [ "$server_token" != "" ] && [ "$client_serverside" = 0 ] && +- [ "$server_serverside" = 1 ] ++ if [ "${client_token}" != "" ] && [ "${server_token}" != "" ] && ++ [ "${client_serverside}" = 0 ] && [ "${server_serverside}" = 1 ] && ++ [ "${client_nojoin:-0}" = 0 ] && [ "${server_nojoin:-0}" = 1 ] + then + test_pass + print_title "Connection info: ${client_addr}:${client_port} -> ${connect_addr}:${app_port}" + else +- test_fail "Expected tokens (c:${client_token} - s:${server_token}) and server (c:${client_serverside} - s:${server_serverside})" ++ test_fail "Expected tokens (c:${client_token} - s:${server_token}), server (c:${client_serverside} - s:${server_serverside}), nojoin (c:${client_nojoin} - s:${server_nojoin})" + mptcp_lib_result_print_all_tap + exit ${KSFT_FAIL} + fi +-- +2.51.0 + diff --git a/queue-6.16/series b/queue-6.16/series new file mode 100644 index 0000000000..e146e05a1c --- /dev/null +++ b/queue-6.16/series @@ -0,0 +1,46 @@ +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch +btrfs-zoned-fix-incorrect-assert-in-btrfs_zoned_rese.patch +perf-maps-ensure-kmap-is-set-up-for-all-inserts.patch +wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch +nvme-fix-pi-insert-on-write.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mt76-do-not-add-non-sta-wcid-entries-to-the-pol.patch +wifi-mac80211-increase-scan_ies_len-for-s1g.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +smb-server-let-smb_direct_writev-respect-smb_direct_.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +um-fix-fd-copy-size-in-os_rcv_fd_msg.patch +net-mlx5-not-returning-mlx5_link_info-table-when-spe.patch +dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch +net-tcp-fix-a-null-pointer-dereference-when-using-tc.patch +dpll-fix-clock-quality-level-reporting.patch +rxrpc-fix-unhandled-errors-in-rxgk_verify_packet_int.patch +rxrpc-fix-untrusted-unsigned-subtract.patch +octeon_ep-validate-the-vf-id.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +net-dst_metadata-fix-ip_df-bit-not-extracted-from-tu.patch +bonding-set-random-address-only-when-slaves-already-.patch +mptcp-set-remote_deny_join_id0-on-syn-recv.patch +selftests-mptcp-userspace-pm-validate-deny-join-id0-.patch +mptcp-tfo-record-deny-join-id0-info.patch +selftests-mptcp-sockopt-fix-error-messages.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +ice-fix-rx-page-leak-on-multi-buffer-frames.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +ixgbe-initialize-aci.lock-before-it-s-used.patch +ixgbe-destroy-aci.lock-later-within-ixgbe_remove-pat.patch +igc-don-t-fail-igc_probe-on-led-setup-error.patch +doc-netlink-fix-typos-in-operation-attributes.patch +net-mlx5e-harden-uplink-netdev-access-against-device.patch +net-mlx5e-add-a-miss-level-for-ipsec-crypto-offload.patch +bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch +octeon_ep-fix-vf-mac-address-lifecycle-handling.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-clear-sk-sk_ino-in-sk_set_socket-sk-null.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch +octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch diff --git a/queue-6.16/smb-server-let-smb_direct_writev-respect-smb_direct_.patch b/queue-6.16/smb-server-let-smb_direct_writev-respect-smb_direct_.patch new file mode 100644 index 0000000000..739576b40d --- /dev/null +++ b/queue-6.16/smb-server-let-smb_direct_writev-respect-smb_direct_.patch @@ -0,0 +1,270 @@ +From 282b361faeb468cd7aee94aa2ce1967955c5ff91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Sep 2025 13:06:41 +0200 +Subject: smb: server: let smb_direct_writev() respect SMB_DIRECT_MAX_SEND_SGES + +From: Stefan Metzmacher + +[ Upstream commit d162694037215fe25f1487999c58d70df809a2fd ] + +We should not use more sges for ib_post_send() than we told the rdma +device in rdma_create_qp()! + +Otherwise ib_post_send() will return -EINVAL, so we disconnect the +connection. Or with the current siw.ko we'll get 0 from ib_post_send(), +but will never ever get a completion for the request. I've already sent a +fix for siw.ko... + +So we need to make sure smb_direct_writev() limits the number of vectors +we pass to individual smb_direct_post_send_data() calls, so that we +don't go over the queue pair limits. + +Commit 621433b7e25d ("ksmbd: smbd: relax the count of sges required") +was very strange and I guess only needed because +SMB_DIRECT_MAX_SEND_SGES was 8 at that time. It basically removed the +check that the rdma device is able to handle the number of sges we try +to use. + +While the real problem was added by commit ddbdc861e37c ("ksmbd: smbd: +introduce read/write credits for RDMA read/write") as it used the +minumun of device->attrs.max_send_sge and device->attrs.max_sge_rd, with +the problem that device->attrs.max_sge_rd is always 1 for iWarp. And +that limitation should only apply to RDMA Read operations. For now we +keep that limitation for RDMA Write operations too, fixing that is a +task for another day as it's not really required a bug fix. + +Commit 2b4eeeaa9061 ("ksmbd: decrease the number of SMB3 smbdirect +server SGEs") lowered SMB_DIRECT_MAX_SEND_SGES to 6, which is also used +by our client code. And that client code enforces +device->attrs.max_send_sge >= 6 since commit d2e81f92e5b7 ("Decrease the +number of SMB3 smbdirect client SGEs") and (briefly looking) only the +i40w driver provides only 3, see I40IW_MAX_WQ_FRAGMENT_COUNT. But +currently we'd require 4 anyway, so that would not work anyway, but now +it fails early. + +Cc: Steve French +Cc: Tom Talpey +Cc: Hyunchul Lee +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Cc: linux-rdma@vger.kernel.org +Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") +Fixes: ddbdc861e37c ("ksmbd: smbd: introduce read/write credits for RDMA read/write") +Fixes: 621433b7e25d ("ksmbd: smbd: relax the count of sges required") +Fixes: 2b4eeeaa9061 ("ksmbd: decrease the number of SMB3 smbdirect server SGEs") +Acked-by: Namjae Jeon +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/transport_rdma.c | 157 ++++++++++++++++++++++----------- + 1 file changed, 107 insertions(+), 50 deletions(-) + +diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c +index 5466aa8c39b1c..cc4322bfa1d61 100644 +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -1209,78 +1209,130 @@ static int smb_direct_writev(struct ksmbd_transport *t, + bool need_invalidate, unsigned int remote_key) + { + struct smb_direct_transport *st = smb_trans_direct_transfort(t); +- int remaining_data_length; +- int start, i, j; +- int max_iov_size = st->max_send_size - ++ size_t remaining_data_length; ++ size_t iov_idx; ++ size_t iov_ofs; ++ size_t max_iov_size = st->max_send_size - + sizeof(struct smb_direct_data_transfer); + int ret; +- struct kvec vec; + struct smb_direct_send_ctx send_ctx; ++ int error = 0; + + if (st->status != SMB_DIRECT_CS_CONNECTED) + return -ENOTCONN; + + //FIXME: skip RFC1002 header.. ++ if (WARN_ON_ONCE(niovs <= 1 || iov[0].iov_len != 4)) ++ return -EINVAL; + buflen -= 4; ++ iov_idx = 1; ++ iov_ofs = 0; + + remaining_data_length = buflen; + ksmbd_debug(RDMA, "Sending smb (RDMA): smb_len=%u\n", buflen); + + smb_direct_send_ctx_init(st, &send_ctx, need_invalidate, remote_key); +- start = i = 1; +- buflen = 0; +- while (true) { +- buflen += iov[i].iov_len; +- if (buflen > max_iov_size) { +- if (i > start) { +- remaining_data_length -= +- (buflen - iov[i].iov_len); +- ret = smb_direct_post_send_data(st, &send_ctx, +- &iov[start], i - start, +- remaining_data_length); +- if (ret) ++ while (remaining_data_length) { ++ struct kvec vecs[SMB_DIRECT_MAX_SEND_SGES - 1]; /* minus smbdirect hdr */ ++ size_t possible_bytes = max_iov_size; ++ size_t possible_vecs; ++ size_t bytes = 0; ++ size_t nvecs = 0; ++ ++ /* ++ * For the last message remaining_data_length should be ++ * have been 0 already! ++ */ ++ if (WARN_ON_ONCE(iov_idx >= niovs)) { ++ error = -EINVAL; ++ goto done; ++ } ++ ++ /* ++ * We have 2 factors which limit the arguments we pass ++ * to smb_direct_post_send_data(): ++ * ++ * 1. The number of supported sges for the send, ++ * while one is reserved for the smbdirect header. ++ * And we currently need one SGE per page. ++ * 2. The number of negotiated payload bytes per send. ++ */ ++ possible_vecs = min_t(size_t, ARRAY_SIZE(vecs), niovs - iov_idx); ++ ++ while (iov_idx < niovs && possible_vecs && possible_bytes) { ++ struct kvec *v = &vecs[nvecs]; ++ int page_count; ++ ++ v->iov_base = ((u8 *)iov[iov_idx].iov_base) + iov_ofs; ++ v->iov_len = min_t(size_t, ++ iov[iov_idx].iov_len - iov_ofs, ++ possible_bytes); ++ page_count = get_buf_page_count(v->iov_base, v->iov_len); ++ if (page_count > possible_vecs) { ++ /* ++ * If the number of pages in the buffer ++ * is to much (because we currently require ++ * one SGE per page), we need to limit the ++ * length. ++ * ++ * We know possible_vecs is at least 1, ++ * so we always keep the first page. ++ * ++ * We need to calculate the number extra ++ * pages (epages) we can also keep. ++ * ++ * We calculate the number of bytes in the ++ * first page (fplen), this should never be ++ * larger than v->iov_len because page_count is ++ * at least 2, but adding a limitation feels ++ * better. ++ * ++ * Then we calculate the number of bytes (elen) ++ * we can keep for the extra pages. ++ */ ++ size_t epages = possible_vecs - 1; ++ size_t fpofs = offset_in_page(v->iov_base); ++ size_t fplen = min_t(size_t, PAGE_SIZE - fpofs, v->iov_len); ++ size_t elen = min_t(size_t, v->iov_len - fplen, epages*PAGE_SIZE); ++ ++ v->iov_len = fplen + elen; ++ page_count = get_buf_page_count(v->iov_base, v->iov_len); ++ if (WARN_ON_ONCE(page_count > possible_vecs)) { ++ /* ++ * Something went wrong in the above ++ * logic... ++ */ ++ error = -EINVAL; + goto done; +- } else { +- /* iov[start] is too big, break it */ +- int nvec = (buflen + max_iov_size - 1) / +- max_iov_size; +- +- for (j = 0; j < nvec; j++) { +- vec.iov_base = +- (char *)iov[start].iov_base + +- j * max_iov_size; +- vec.iov_len = +- min_t(int, max_iov_size, +- buflen - max_iov_size * j); +- remaining_data_length -= vec.iov_len; +- ret = smb_direct_post_send_data(st, &send_ctx, &vec, 1, +- remaining_data_length); +- if (ret) +- goto done; + } +- i++; +- if (i == niovs) +- break; + } +- start = i; +- buflen = 0; +- } else { +- i++; +- if (i == niovs) { +- /* send out all remaining vecs */ +- remaining_data_length -= buflen; +- ret = smb_direct_post_send_data(st, &send_ctx, +- &iov[start], i - start, +- remaining_data_length); +- if (ret) +- goto done; +- break; ++ possible_vecs -= page_count; ++ nvecs += 1; ++ possible_bytes -= v->iov_len; ++ bytes += v->iov_len; ++ ++ iov_ofs += v->iov_len; ++ if (iov_ofs >= iov[iov_idx].iov_len) { ++ iov_idx += 1; ++ iov_ofs = 0; + } + } ++ ++ remaining_data_length -= bytes; ++ ++ ret = smb_direct_post_send_data(st, &send_ctx, ++ vecs, nvecs, ++ remaining_data_length); ++ if (unlikely(ret)) { ++ error = ret; ++ goto done; ++ } + } + + done: + ret = smb_direct_flush_send_list(st, &send_ctx, true); ++ if (unlikely(!ret && error)) ++ ret = error; + + /* + * As an optimization, we don't wait for individual I/O to finish +@@ -1744,6 +1796,11 @@ static int smb_direct_init_params(struct smb_direct_transport *t, + return -EINVAL; + } + ++ if (device->attrs.max_send_sge < SMB_DIRECT_MAX_SEND_SGES) { ++ pr_err("warning: device max_send_sge = %d too small\n", ++ device->attrs.max_send_sge); ++ return -EINVAL; ++ } + if (device->attrs.max_recv_sge < SMB_DIRECT_MAX_RECV_SGES) { + pr_err("warning: device max_recv_sge = %d too small\n", + device->attrs.max_recv_sge); +@@ -1767,7 +1824,7 @@ static int smb_direct_init_params(struct smb_direct_transport *t, + + cap->max_send_wr = max_send_wrs; + cap->max_recv_wr = t->recv_credit_max; +- cap->max_send_sge = max_sge_per_wr; ++ cap->max_send_sge = SMB_DIRECT_MAX_SEND_SGES; + cap->max_recv_sge = SMB_DIRECT_MAX_RECV_SGES; + cap->max_inline_data = 0; + cap->max_rdma_ctxs = t->max_rw_credits; +-- +2.51.0 + diff --git a/queue-6.16/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-6.16/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..3759095100 --- /dev/null +++ b/queue-6.16/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From a7302ecdc69840138ea91d7ebcfc4edc44c7fc9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 461a9ab540af0..98da33e0c308b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3330,6 +3330,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + if (old_state != TCP_CLOSE) +@@ -3445,6 +3446,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet_clear_bit(DEFER_CONNECT, sk); + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-6.16/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch b/queue-6.16/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch new file mode 100644 index 0000000000..f83284b6cc --- /dev/null +++ b/queue-6.16/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch @@ -0,0 +1,112 @@ +From 5cbff25bc4d0d84138659d4afaaa01a3116cbee1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 17:28:13 -0700 +Subject: tls: make sure to abort the stream if headers are bogus + +From: Jakub Kicinski + +[ Upstream commit 0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d ] + +Normally we wait for the socket to buffer up the whole record +before we service it. If the socket has a tiny buffer, however, +we read out the data sooner, to prevent connection stalls. +Make sure that we abort the connection when we find out late +that the record is actually invalid. Retrying the parsing is +fine in itself but since we copy some more data each time +before we parse we can overflow the allocated skb space. + +Constructing a scenario in which we're under pressure without +enough data in the socket to parse the length upfront is quite +hard. syzbot figured out a way to do this by serving us the header +in small OOB sends, and then filling in the recvbuf with a large +normal send. + +Make sure that tls_rx_msg_size() aborts strp, if we reach +an invalid record there's really no way to recover. + +Reported-by: Lee Jones +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Reviewed-by: Sabrina Dubroca +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20250917002814.1743558-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls.h | 1 + + net/tls/tls_strp.c | 14 +++++++++----- + net/tls/tls_sw.c | 3 +-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/net/tls/tls.h b/net/tls/tls.h +index 4e077068e6d98..e4c42731ce39a 100644 +--- a/net/tls/tls.h ++++ b/net/tls/tls.h +@@ -141,6 +141,7 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx); + + int wait_on_pending_writer(struct sock *sk, long *timeo); + void tls_err_abort(struct sock *sk, int err); ++void tls_strp_abort_strp(struct tls_strparser *strp, int err); + + int init_prot_info(struct tls_prot_info *prot, + const struct tls_crypto_info *crypto_info, +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index d71643b494a1a..98e12f0ff57e5 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -13,7 +13,7 @@ + + static struct workqueue_struct *tls_strp_wq; + +-static void tls_strp_abort_strp(struct tls_strparser *strp, int err) ++void tls_strp_abort_strp(struct tls_strparser *strp, int err) + { + if (strp->stopped) + return; +@@ -211,11 +211,17 @@ static int tls_strp_copyin_frag(struct tls_strparser *strp, struct sk_buff *skb, + struct sk_buff *in_skb, unsigned int offset, + size_t in_len) + { ++ unsigned int nfrag = skb->len / PAGE_SIZE; + size_t len, chunk; + skb_frag_t *frag; + int sz; + +- frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE]; ++ if (unlikely(nfrag >= skb_shinfo(skb)->nr_frags)) { ++ DEBUG_NET_WARN_ON_ONCE(1); ++ return -EMSGSIZE; ++ } ++ ++ frag = &skb_shinfo(skb)->frags[nfrag]; + + len = in_len; + /* First make sure we got the header */ +@@ -520,10 +526,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { + sz = tls_rx_msg_size(strp, strp->anchor); +- if (sz < 0) { +- tls_strp_abort_strp(strp, sz); ++ if (sz < 0) + return sz; +- } + + strp->stm.full_len = sz; + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index bac65d0d4e3e1..daac9fd4be7eb 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2474,8 +2474,7 @@ int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb) + return data_len + TLS_HEADER_SIZE; + + read_failure: +- tls_err_abort(strp->sk, ret); +- ++ tls_strp_abort_strp(strp, ret); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.16/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch b/queue-6.16/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch new file mode 100644 index 0000000000..42ebd41e28 --- /dev/null +++ b/queue-6.16/um-fix-fd-copy-size-in-os_rcv_fd_msg.patch @@ -0,0 +1,36 @@ +From 1a0eec03366ad0fa40f3077a9bef92643c837b3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 08:27:15 +0800 +Subject: um: Fix FD copy size in os_rcv_fd_msg() + +From: Tiwei Bie + +[ Upstream commit df447a3b4a4b961c9979b4b3ffb74317394b9b40 ] + +When copying FDs, the copy size should not include the control +message header (cmsghdr). Fix it. + +Fixes: 5cde6096a4dd ("um: generalize os_rcv_fd") +Signed-off-by: Tiwei Bie +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/os-Linux/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/os-Linux/file.c b/arch/um/os-Linux/file.c +index 617886d1fb1e9..21f0e50fb1df9 100644 +--- a/arch/um/os-Linux/file.c ++++ b/arch/um/os-Linux/file.c +@@ -535,7 +535,7 @@ ssize_t os_rcv_fd_msg(int fd, int *fds, unsigned int n_fds, + cmsg->cmsg_type != SCM_RIGHTS) + return n; + +- memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len); ++ memcpy(fds, CMSG_DATA(cmsg), cmsg->cmsg_len - CMSG_LEN(0)); + return n; + } + +-- +2.51.0 + diff --git a/queue-6.16/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-6.16/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..0b10c5bd40 --- /dev/null +++ b/queue-6.16/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From 7277b2bae4099f83d048dbc1f97e779968225e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index ad8d78fb1d9aa..de7867ae220d0 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1250,10 +1250,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + device_set_wakeup_capable(&vu_dev->vdev.dev, true); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-6.16/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-6.16/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..04d2f6f1e4 --- /dev/null +++ b/queue-6.16/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 7023c83bda8604a7d13f00c476f04b3d9dd070be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 307587c8a0037..7964a7c5f0b2b 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1389,7 +1389,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + might_sleep(); + lockdep_assert_wiphy(local->hw.wiphy); +-- +2.51.0 + diff --git a/queue-6.16/wifi-mac80211-increase-scan_ies_len-for-s1g.patch b/queue-6.16/wifi-mac80211-increase-scan_ies_len-for-s1g.patch new file mode 100644 index 0000000000..2b7b0da069 --- /dev/null +++ b/queue-6.16/wifi-mac80211-increase-scan_ies_len-for-s1g.patch @@ -0,0 +1,65 @@ +From 637e5dae90bd2a7609eae8cf69adb880db52e55d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Aug 2025 18:54:37 +1000 +Subject: wifi: mac80211: increase scan_ies_len for S1G + +From: Lachlan Hodges + +[ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ] + +Currently the S1G capability element is not taken into account +for the scan_ies_len, which leads to a buffer length validation +failure in ieee80211_prep_hw_scan() and subsequent WARN in +__ieee80211_start_scan(). This prevents hw scanning from functioning. +To fix ensure we accommodate for the S1G capability length. + +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 1bad353d8a772..35c6755b817a8 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1136,7 +1136,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + int result, i; + enum nl80211_band band; + int channels, max_bitrates; +- bool supp_ht, supp_vht, supp_he, supp_eht; ++ bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; + struct cfg80211_chan_def dflt_chandef = {}; + + if (ieee80211_hw_check(hw, QUEUE_CONTROL) && +@@ -1252,6 +1252,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + supp_vht = false; + supp_he = false; + supp_eht = false; ++ supp_s1g = false; + for (band = 0; band < NUM_NL80211_BANDS; band++) { + const struct ieee80211_sband_iftype_data *iftd; + struct ieee80211_supported_band *sband; +@@ -1299,6 +1300,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + max_bitrates = sband->n_bitrates; + supp_ht = supp_ht || sband->ht_cap.ht_supported; + supp_vht = supp_vht || sband->vht_cap.vht_supported; ++ supp_s1g = supp_s1g || sband->s1g_cap.s1g; + + for_each_sband_iftype_data(sband, i, iftd) { + u8 he_40_mhz_cap; +@@ -1432,6 +1434,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + local->scan_ies_len += + 2 + sizeof(struct ieee80211_vht_cap); + ++ if (supp_s1g) ++ local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); ++ + /* + * HE cap element is variable in size - set len to allow max size */ + if (supp_he) { +-- +2.51.0 + diff --git a/queue-6.16/wifi-mt76-do-not-add-non-sta-wcid-entries-to-the-pol.patch b/queue-6.16/wifi-mt76-do-not-add-non-sta-wcid-entries-to-the-pol.patch new file mode 100644 index 0000000000..60026f4d79 --- /dev/null +++ b/queue-6.16/wifi-mt76-do-not-add-non-sta-wcid-entries-to-the-pol.patch @@ -0,0 +1,34 @@ +From 756a1a0a8ab62831430d24e3c70ff952f02d9833 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Aug 2025 10:53:48 +0200 +Subject: wifi: mt76: do not add non-sta wcid entries to the poll list + +From: Felix Fietkau + +[ Upstream commit a3c99ef88a084e1c2b99dd56bbfa7f89c9be3e92 ] + +Polling and airtime reporting is valid for station entries only + +Link: https://patch.msgid.link/20250827085352.51636-2-nbd@nbd.name +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mac80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c +index 8e6ce16ab5b88..c9e2dca308312 100644 +--- a/drivers/net/wireless/mediatek/mt76/mac80211.c ++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c +@@ -1731,7 +1731,7 @@ EXPORT_SYMBOL_GPL(mt76_wcid_cleanup); + + void mt76_wcid_add_poll(struct mt76_dev *dev, struct mt76_wcid *wcid) + { +- if (test_bit(MT76_MCU_RESET, &dev->phy.state)) ++ if (test_bit(MT76_MCU_RESET, &dev->phy.state) || !wcid->sta) + return; + + spin_lock_bh(&dev->sta_poll_lock); +-- +2.51.0 + diff --git a/queue-6.16/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch b/queue-6.16/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch new file mode 100644 index 0000000000..0ff887bc13 --- /dev/null +++ b/queue-6.16/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch @@ -0,0 +1,155 @@ +From 408f4284e548c32204be8717ea6b7ce42abca627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 22:58:43 +0000 +Subject: wifi: wilc1000: avoid buffer overflow in WID string configuration + +From: Ajay.Kathat@microchip.com + +[ Upstream commit fe9e4d0c39311d0f97b024147a0d155333f388b5 ] + +Fix the following copy overflow warning identified by Smatch checker. + + drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() + error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537) + +This patch introduces size check before accessing the memory buffer. +The checks are base on the WID type of received data from the firmware. +For WID string configuration, the size limit is determined by individual +element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field +of 'struct wilc_cfg_str'. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-wireless/aLFbr9Yu9j_TQTey@stanley.mountain +Suggested-by: Dan Carpenter +Signed-off-by: Ajay Singh +Link: https://patch.msgid.link/20250829225829.5423-1-ajay.kathat@microchip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/microchip/wilc1000/wlan_cfg.c | 37 ++++++++++++++----- + .../wireless/microchip/wilc1000/wlan_cfg.h | 5 ++- + 2 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +index 131388886acbf..cfabd5aebb540 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +@@ -41,10 +41,10 @@ static const struct wilc_cfg_word g_cfg_word[] = { + }; + + static const struct wilc_cfg_str g_cfg_str[] = { +- {WID_FIRMWARE_VERSION, NULL}, +- {WID_MAC_ADDR, NULL}, +- {WID_ASSOC_RES_INFO, NULL}, +- {WID_NIL, NULL} ++ {WID_FIRMWARE_VERSION, 0, NULL}, ++ {WID_MAC_ADDR, 0, NULL}, ++ {WID_ASSOC_RES_INFO, 0, NULL}, ++ {WID_NIL, 0, NULL} + }; + + #define WILC_RESP_MSG_TYPE_CONFIG_REPLY 'R' +@@ -147,44 +147,58 @@ static void wilc_wlan_parse_response_frame(struct wilc *wl, u8 *info, int size) + + switch (FIELD_GET(WILC_WID_TYPE, wid)) { + case WID_CHAR: ++ len = 3; ++ if (len + 2 > size) ++ return; ++ + while (cfg->b[i].id != WID_NIL && cfg->b[i].id != wid) + i++; + + if (cfg->b[i].id == wid) + cfg->b[i].val = info[4]; + +- len = 3; + break; + + case WID_SHORT: ++ len = 4; ++ if (len + 2 > size) ++ return; ++ + while (cfg->hw[i].id != WID_NIL && cfg->hw[i].id != wid) + i++; + + if (cfg->hw[i].id == wid) + cfg->hw[i].val = get_unaligned_le16(&info[4]); + +- len = 4; + break; + + case WID_INT: ++ len = 6; ++ if (len + 2 > size) ++ return; ++ + while (cfg->w[i].id != WID_NIL && cfg->w[i].id != wid) + i++; + + if (cfg->w[i].id == wid) + cfg->w[i].val = get_unaligned_le32(&info[4]); + +- len = 6; + break; + + case WID_STR: ++ len = 2 + get_unaligned_le16(&info[2]); ++ + while (cfg->s[i].id != WID_NIL && cfg->s[i].id != wid) + i++; + +- if (cfg->s[i].id == wid) ++ if (cfg->s[i].id == wid) { ++ if (len > cfg->s[i].len || (len + 2 > size)) ++ return; ++ + memcpy(cfg->s[i].str, &info[2], +- get_unaligned_le16(&info[2]) + 2); ++ len); ++ } + +- len = 2 + get_unaligned_le16(&info[2]); + break; + + default: +@@ -384,12 +398,15 @@ int wilc_wlan_cfg_init(struct wilc *wl) + /* store the string cfg parameters */ + wl->cfg.s[i].id = WID_FIRMWARE_VERSION; + wl->cfg.s[i].str = str_vals->firmware_version; ++ wl->cfg.s[i].len = sizeof(str_vals->firmware_version); + i++; + wl->cfg.s[i].id = WID_MAC_ADDR; + wl->cfg.s[i].str = str_vals->mac_address; ++ wl->cfg.s[i].len = sizeof(str_vals->mac_address); + i++; + wl->cfg.s[i].id = WID_ASSOC_RES_INFO; + wl->cfg.s[i].str = str_vals->assoc_rsp; ++ wl->cfg.s[i].len = sizeof(str_vals->assoc_rsp); + i++; + wl->cfg.s[i].id = WID_NIL; + wl->cfg.s[i].str = NULL; +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +index 7038b74f8e8ff..5ae74bced7d74 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +@@ -24,12 +24,13 @@ struct wilc_cfg_word { + + struct wilc_cfg_str { + u16 id; ++ u16 len; + u8 *str; + }; + + struct wilc_cfg_str_vals { +- u8 mac_address[7]; +- u8 firmware_version[129]; ++ u8 mac_address[8]; ++ u8 firmware_version[130]; + u8 assoc_rsp[WILC_MAX_ASSOC_RESP_FRAME_SIZE]; + }; + +-- +2.51.0 + diff --git a/queue-6.6/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch b/queue-6.6/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch new file mode 100644 index 0000000000..9bb6988a46 --- /dev/null +++ b/queue-6.6/alsa-firewire-motu-drop-epollout-from-poll-return-va.patch @@ -0,0 +1,46 @@ +From 69a2d7069933b0b222f3f6fca55d45394743c3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Aug 2025 08:37:49 +0900 +Subject: ALSA: firewire-motu: drop EPOLLOUT from poll return values as write + is not supported + +From: Takashi Sakamoto + +[ Upstream commit aea3493246c474bc917d124d6fb627663ab6bef0 ] + +The ALSA HwDep character device of the firewire-motu driver incorrectly +returns EPOLLOUT in poll(2), even though the driver implements no operation +for write(2). This misleads userspace applications to believe write() is +allowed, potentially resulting in unnecessarily wakeups. + +This issue dates back to the driver's initial code added by a commit +71c3797779d3 ("ALSA: firewire-motu: add hwdep interface"), and persisted +when POLLOUT was updated to EPOLLOUT by a commit a9a08845e9ac ('vfs: do +bulk POLL* -> EPOLL* replacement("").'). + +This commit fixes the bug. + +Signed-off-by: Takashi Sakamoto +Link: https://patch.msgid.link/20250829233749.366222-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/motu/motu-hwdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c +index 88d1f4b56e4be..a220ac0c8eb83 100644 +--- a/sound/firewire/motu/motu-hwdep.c ++++ b/sound/firewire/motu/motu-hwdep.c +@@ -111,7 +111,7 @@ static __poll_t hwdep_poll(struct snd_hwdep *hwdep, struct file *file, + events = 0; + spin_unlock_irq(&motu->lock); + +- return events | EPOLLOUT; ++ return events; + } + + static int hwdep_get_info(struct snd_motu *motu, void __user *arg) +-- +2.51.0 + diff --git a/queue-6.6/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch b/queue-6.6/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch new file mode 100644 index 0000000000..59bdf373c7 --- /dev/null +++ b/queue-6.6/bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch @@ -0,0 +1,49 @@ +From b2391f1a13751051b3f0d21b3ecfe3b77b2e845f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 08:01:26 +0000 +Subject: bonding: don't set oif to bond dev when getting NS target destination + +From: Hangbin Liu + +[ Upstream commit a8ba87f04ca9cdec06776ce92dce1395026dc3bb ] + +Unlike IPv4, IPv6 routing strictly requires the source address to be valid +on the outgoing interface. If the NS target is set to a remote VLAN interface, +and the source address is also configured on a VLAN over a bond interface, +setting the oif to the bond device will fail to retrieve the correct +destination route. + +Fix this by not setting the oif to the bond device when retrieving the NS +target destination. This allows the correct destination device (the VLAN +interface) to be determined, so that bond_verify_device_path can return the +proper VLAN tags for sending NS messages. + +Reported-by: David Wilder +Closes: https://lore.kernel.org/netdev/aGOKggdfjv0cApTO@fedora/ +Suggested-by: Jay Vosburgh +Tested-by: David Wilder +Acked-by: Jay Vosburgh +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250916080127.430626-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 291f33c772161..f7ed129fc8110 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3261,7 +3261,6 @@ static void bond_ns_send_all(struct bonding *bond, struct slave *slave) + /* Find out through which dev should the packet go */ + memset(&fl6, 0, sizeof(struct flowi6)); + fl6.daddr = targets[i]; +- fl6.flowi6_oif = bond->dev->ifindex; + + dst = ip6_route_output(dev_net(bond->dev), NULL, &fl6); + if (dst->error) { +-- +2.51.0 + diff --git a/queue-6.6/bonding-set-random-address-only-when-slaves-already-.patch b/queue-6.6/bonding-set-random-address-only-when-slaves-already-.patch new file mode 100644 index 0000000000..f841f49c79 --- /dev/null +++ b/queue-6.6/bonding-set-random-address-only-when-slaves-already-.patch @@ -0,0 +1,42 @@ +From a01ca9cb55e1ea68e6eab3483b4b2bf4abeeb56c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 02:43:34 +0000 +Subject: bonding: set random address only when slaves already exist + +From: Hangbin Liu + +[ Upstream commit 35ae4e86292ef7dfe4edbb9942955c884e984352 ] + +After commit 5c3bf6cba791 ("bonding: assign random address if device +address is same as bond"), bonding will erroneously randomize the MAC +address of the first interface added to the bond if fail_over_mac = +follow. + +Correct this by additionally testing for the bond being empty before +randomizing the MAC. + +Fixes: 5c3bf6cba791 ("bonding: assign random address if device address is same as bond") +Reported-by: Qiuling Ren +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20250910024336.400253-1-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index cd5691ed9f171..291f33c772161 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2042,6 +2042,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len); + } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW && + BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP && ++ bond_has_slaves(bond) && + memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) { + /* Set slave to random address to avoid duplicate mac + * address in later fail over. +-- +2.51.0 + diff --git a/queue-6.6/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch b/queue-6.6/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch new file mode 100644 index 0000000000..7244f52cec --- /dev/null +++ b/queue-6.6/btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch @@ -0,0 +1,41 @@ +From 603b0f4b241635e2875367e0e961826f56ce9c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Sep 2025 16:53:21 +0100 +Subject: btrfs: fix invalid extref key setup when replaying dentry + +From: Filipe Manana + +[ Upstream commit b62fd63ade7cb573b114972ef8f9fa505be8d74a ] + +The offset for an extref item's key is not the object ID of the parent +dir, otherwise we would not need the extref item and would use plain ref +items. Instead the offset is the result of a hash computation that uses +the object ID of the parent dir and the name associated to the entry. +So fix this by setting the key offset at replay_one_name() to be the +result of calling btrfs_extref_hash(). + +Fixes: 725af92a6251 ("btrfs: Open-code name_in_log_ref in replay_one_name") +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index e5d6bc1bb5e5d..4b53e19f7520f 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1998,7 +1998,7 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans, + + search_key.objectid = log_key.objectid; + search_key.type = BTRFS_INODE_EXTREF_KEY; +- search_key.offset = key->objectid; ++ search_key.offset = btrfs_extref_hash(key->objectid, name.name, name.len); + ret = backref_in_log(root->log_root, &search_key, key->objectid, &name); + if (ret < 0) { + goto out; +-- +2.51.0 + diff --git a/queue-6.6/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch b/queue-6.6/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch new file mode 100644 index 0000000000..014e9d2624 --- /dev/null +++ b/queue-6.6/cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch @@ -0,0 +1,168 @@ +From 267ea81b1371d3cf99533bcdc9f5b32b5b98a893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Aug 2025 01:07:24 +0000 +Subject: cgroup: split cgroup_destroy_wq into 3 workqueues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chen Ridong + +[ Upstream commit 79f919a89c9d06816dbdbbd168fa41d27411a7f9 ] + +A hung task can occur during [1] LTP cgroup testing when repeatedly +mounting/unmounting perf_event and net_prio controllers with +systemd.unified_cgroup_hierarchy=1. The hang manifests in +cgroup_lock_and_drain_offline() during root destruction. + +Related case: +cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event +cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio + +Call Trace: + cgroup_lock_and_drain_offline+0x14c/0x1e8 + cgroup_destroy_root+0x3c/0x2c0 + css_free_rwork_fn+0x248/0x338 + process_one_work+0x16c/0x3b8 + worker_thread+0x22c/0x3b0 + kthread+0xec/0x100 + ret_from_fork+0x10/0x20 + +Root Cause: + +CPU0 CPU1 +mount perf_event umount net_prio +cgroup1_get_tree cgroup_kill_sb +rebind_subsystems // root destruction enqueues + // cgroup_destroy_wq +// kill all perf_event css + // one perf_event css A is dying + // css A offline enqueues cgroup_destroy_wq + // root destruction will be executed first + css_free_rwork_fn + cgroup_destroy_root + cgroup_lock_and_drain_offline + // some perf descendants are dying + // cgroup_destroy_wq max_active = 1 + // waiting for css A to die + +Problem scenario: +1. CPU0 mounts perf_event (rebind_subsystems) +2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work +3. A dying perf_event CSS gets queued for offline after root destruction +4. Root destruction waits for offline completion, but offline work is + blocked behind root destruction in cgroup_destroy_wq (max_active=1) + +Solution: +Split cgroup_destroy_wq into three dedicated workqueues: +cgroup_offline_wq – Handles CSS offline operations +cgroup_release_wq – Manages resource release +cgroup_free_wq – Performs final memory deallocation + +This separation eliminates blocking in the CSS free path while waiting for +offline operations to complete. + +[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Reported-by: Gao Yingjie +Signed-off-by: Chen Ridong +Suggested-by: Teju Heo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 43 +++++++++++++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index e8ef062f6ca05..5135838b5899f 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -123,8 +123,31 @@ DEFINE_PERCPU_RWSEM(cgroup_threadgroup_rwsem); + * of concurrent destructions. Use a separate workqueue so that cgroup + * destruction work items don't end up filling up max_active of system_wq + * which may lead to deadlock. ++ * ++ * A cgroup destruction should enqueue work sequentially to: ++ * cgroup_offline_wq: use for css offline work ++ * cgroup_release_wq: use for css release work ++ * cgroup_free_wq: use for free work ++ * ++ * Rationale for using separate workqueues: ++ * The cgroup root free work may depend on completion of other css offline ++ * operations. If all tasks were enqueued to a single workqueue, this could ++ * create a deadlock scenario where: ++ * - Free work waits for other css offline work to complete. ++ * - But other css offline work is queued after free work in the same queue. ++ * ++ * Example deadlock scenario with single workqueue (cgroup_destroy_wq): ++ * 1. umount net_prio ++ * 2. net_prio root destruction enqueues work to cgroup_destroy_wq (CPUx) ++ * 3. perf_event CSS A offline enqueues work to same cgroup_destroy_wq (CPUx) ++ * 4. net_prio cgroup_destroy_root->cgroup_lock_and_drain_offline. ++ * 5. net_prio root destruction blocks waiting for perf_event CSS A offline, ++ * which can never complete as it's behind in the same queue and ++ * workqueue's max_active is 1. + */ +-static struct workqueue_struct *cgroup_destroy_wq; ++static struct workqueue_struct *cgroup_offline_wq; ++static struct workqueue_struct *cgroup_release_wq; ++static struct workqueue_struct *cgroup_free_wq; + + /* generate an array of cgroup subsystem pointers */ + #define SUBSYS(_x) [_x ## _cgrp_id] = &_x ## _cgrp_subsys, +@@ -5435,7 +5458,7 @@ static void css_release_work_fn(struct work_struct *work) + cgroup_unlock(); + + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + } + + static void css_release(struct percpu_ref *ref) +@@ -5444,7 +5467,7 @@ static void css_release(struct percpu_ref *ref) + container_of(ref, struct cgroup_subsys_state, refcnt); + + INIT_WORK(&css->destroy_work, css_release_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_release_wq, &css->destroy_work); + } + + static void init_and_link_css(struct cgroup_subsys_state *css, +@@ -5566,7 +5589,7 @@ static struct cgroup_subsys_state *css_create(struct cgroup *cgrp, + err_free_css: + list_del_rcu(&css->rstat_css_node); + INIT_RCU_WORK(&css->destroy_rwork, css_free_rwork_fn); +- queue_rcu_work(cgroup_destroy_wq, &css->destroy_rwork); ++ queue_rcu_work(cgroup_free_wq, &css->destroy_rwork); + return ERR_PTR(err); + } + +@@ -5801,7 +5824,7 @@ static void css_killed_ref_fn(struct percpu_ref *ref) + + if (atomic_dec_and_test(&css->online_cnt)) { + INIT_WORK(&css->destroy_work, css_killed_work_fn); +- queue_work(cgroup_destroy_wq, &css->destroy_work); ++ queue_work(cgroup_offline_wq, &css->destroy_work); + } + } + +@@ -6173,8 +6196,14 @@ static int __init cgroup_wq_init(void) + * We would prefer to do this in cgroup_init() above, but that + * is called before init_workqueues(): so leave this until after. + */ +- cgroup_destroy_wq = alloc_workqueue("cgroup_destroy", 0, 1); +- BUG_ON(!cgroup_destroy_wq); ++ cgroup_offline_wq = alloc_workqueue("cgroup_offline", 0, 1); ++ BUG_ON(!cgroup_offline_wq); ++ ++ cgroup_release_wq = alloc_workqueue("cgroup_release", 0, 1); ++ BUG_ON(!cgroup_release_wq); ++ ++ cgroup_free_wq = alloc_workqueue("cgroup_free", 0, 1); ++ BUG_ON(!cgroup_free_wq); + return 0; + } + core_initcall(cgroup_wq_init); +-- +2.51.0 + diff --git a/queue-6.6/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch b/queue-6.6/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch new file mode 100644 index 0000000000..41ed7902a5 --- /dev/null +++ b/queue-6.6/cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch @@ -0,0 +1,76 @@ +From 8bb617239412796f6fe8b81a33c1c9eb96de41b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 13:46:02 +0800 +Subject: cnic: Fix use-after-free bugs in cnic_delete_task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Duoming Zhou + +[ Upstream commit cfa7d9b1e3a8604afc84e9e51d789c29574fb216 ] + +The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), +which does not guarantee that the delayed work item 'delete_task' has +fully completed if it was already running. Additionally, the delayed work +item is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() only +blocks and waits for work items that were already queued to the +workqueue prior to its invocation. Any work items submitted after +flush_workqueue() is called are not included in the set of tasks that the +flush operation awaits. This means that after the cyclic work items have +finished executing, a delayed work item may still exist in the workqueue. +This leads to use-after-free scenarios where the cnic_dev is deallocated +by cnic_free_dev(), while delete_task remains active and attempt to +dereference cnic_dev in cnic_delete_task(). + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +cnic_netdev_event() | + cnic_stop_hw() | cnic_delete_task() + cnic_cm_stop_bnx2x_hw() | ... + cancel_delayed_work() | /* the queue_delayed_work() + flush_workqueue() | executes after flush_workqueue()*/ + | queue_delayed_work() + cnic_free_dev(dev)//free | cnic_delete_task() //new instance + | dev = cp->dev; //use + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the cyclic delayed work item is properly canceled and that any +ongoing execution of the work item completes before the cnic_dev is +deallocated. Furthermore, since cancel_delayed_work_sync() uses +__flush_work(work, true) to synchronously wait for any currently +executing instance of the work item to finish, the flush_workqueue() +becomes redundant and should be removed. + +This bug was identified through static analysis. To reproduce the issue +and validate the fix, I simulated the cnic PCI device in QEMU and +introduced intentional delays — such as inserting calls to ssleep() +within the cnic_delete_task() function — to increase the likelihood +of triggering the bug. + +Fixes: fdf24086f475 ("cnic: Defer iscsi connection cleanup") +Signed-off-by: Duoming Zhou +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/cnic.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/cnic.c b/drivers/net/ethernet/broadcom/cnic.c +index 7926aaef8f0c5..ad2745c07c1ae 100644 +--- a/drivers/net/ethernet/broadcom/cnic.c ++++ b/drivers/net/ethernet/broadcom/cnic.c +@@ -4220,8 +4220,7 @@ static void cnic_cm_stop_bnx2x_hw(struct cnic_dev *dev) + + cnic_bnx2x_delete_wait(dev, 0); + +- cancel_delayed_work(&cp->delete_task); +- flush_workqueue(cnic_wq); ++ cancel_delayed_work_sync(&cp->delete_task); + + if (atomic_read(&cp->iscsi_conn) != 0) + netdev_warn(dev->netdev, "%d iSCSI connections not destroyed\n", +-- +2.51.0 + diff --git a/queue-6.6/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch b/queue-6.6/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch new file mode 100644 index 0000000000..e35adb90cb --- /dev/null +++ b/queue-6.6/dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch @@ -0,0 +1,69 @@ +From 67036afc8e2dbba9b50304b2a85cd8430a2c0f6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:48:25 +0300 +Subject: dpaa2-switch: fix buffer pool seeding for control traffic + +From: Ioana Ciornei + +[ Upstream commit 2690cb089502b80b905f2abdafd1bf2d54e1abef ] + +Starting with commit c50e7475961c ("dpaa2-switch: Fix error checking in +dpaa2_switch_seed_bp()"), the probing of a second DPSW object errors out +like below. + +fsl_dpaa2_switch dpsw.1: fsl_mc_driver_probe failed: -12 +fsl_dpaa2_switch dpsw.1: probe with driver fsl_dpaa2_switch failed with error -12 + +The aforementioned commit brought to the surface the fact that seeding +buffers into the buffer pool destined for control traffic is not +successful and an access violation recoverable error can be seen in the +MC firmware log: + +[E, qbman_rec_isr:391, QBMAN] QBMAN recoverable event 0x1000000 + +This happens because the driver incorrectly used the ID of the DPBP +object instead of the hardware buffer pool ID when trying to release +buffers into it. + +This is because any DPSW object uses two buffer pools, one managed by +the Linux driver and destined for control traffic packet buffers and the +other one managed by the MC firmware and destined only for offloaded +traffic. And since the buffer pool managed by the MC firmware does not +have an external facing DPBP equivalent, any subsequent DPBP objects +created after the first DPSW will have a DPBP id different to the +underlying hardware buffer ID. + +The issue was not caught earlier because these two numbers can be +identical when all DPBP objects are created before the DPSW objects are. +This is the case when the DPL file is used to describe the entire DPAA2 +object layout and objects are created at boot time and it's also true +for the first DPSW being created dynamically using ls-addsw. + +Fix this by using the buffer pool ID instead of the DPBP id when +releasing buffers into the pool. + +Fixes: 2877e4f7e189 ("staging: dpaa2-switch: setup buffer pool and RX path rings") +Signed-off-by: Ioana Ciornei +Link: https://patch.msgid.link/20250910144825.2416019-1-ioana.ciornei@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +index 76795bb0b564b..cdab37e9634d4 100644 +--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c ++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c +@@ -2700,7 +2700,7 @@ static int dpaa2_switch_setup_dpbp(struct ethsw_core *ethsw) + dev_err(dev, "dpsw_ctrl_if_set_pools() failed\n"); + goto err_get_attr; + } +- ethsw->bpid = dpbp_attrs.id; ++ ethsw->bpid = dpbp_attrs.bpid; + + return 0; + +-- +2.51.0 + diff --git a/queue-6.6/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch b/queue-6.6/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch new file mode 100644 index 0000000000..1474166395 --- /dev/null +++ b/queue-6.6/i40e-remove-redundant-memory-barrier-when-cleaning-t.patch @@ -0,0 +1,53 @@ +From 76a7a2f5d34e0f65041a060b218b4f9ef47ea3ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Aug 2025 17:16:17 +0200 +Subject: i40e: remove redundant memory barrier when cleaning Tx descs + +From: Maciej Fijalkowski + +[ Upstream commit e37084a26070c546ae7961ee135bbfb15fbe13fd ] + +i40e has a feature which writes to memory location last descriptor +successfully sent. Memory barrier in i40e_clean_tx_irq() was used to +avoid forward-reading descriptor fields in case DD bit was not set. +Having mentioned feature in place implies that such situation will not +happen as we know in advance how many descriptors HW has dealt with. + +Besides, this barrier placement was wrong. Idea is to have this +protection *after* reading DD bit from HW descriptor, not before. +Digging through git history showed me that indeed barrier was before DD +bit check, anyways the commit introducing i40e_get_head() should have +wiped it out altogether. + +Also, there was one commit doing s/read_barrier_depends/smp_rmb when get +head feature was already in place, but it was only theoretical based on +ixgbe experiences, which is different in these terms as that driver has +to read DD bit from HW descriptor. + +Fixes: 1943d8ba9507 ("i40e/i40evf: enable hardware feature head write back") +Signed-off-by: Maciej Fijalkowski +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index c962987d8b51b..6a9b47b005d29 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -950,9 +950,6 @@ static bool i40e_clean_tx_irq(struct i40e_vsi *vsi, + if (!eop_desc) + break; + +- /* prevent any other reads prior to eop_desc */ +- smp_rmb(); +- + i40e_trace(clean_tx_irq, tx_ring, tx_desc, tx_buf); + /* we have caught up to head, no work left to do */ + if (tx_head == tx_desc) +-- +2.51.0 + diff --git a/queue-6.6/mptcp-set-remote_deny_join_id0-on-syn-recv.patch b/queue-6.6/mptcp-set-remote_deny_join_id0-on-syn-recv.patch new file mode 100644 index 0000000000..ff39b4ad87 --- /dev/null +++ b/queue-6.6/mptcp-set-remote_deny_join_id0-on-syn-recv.patch @@ -0,0 +1,45 @@ +From d2b550fbdf153fc6a5eeb0add13a2459eb609e68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:20 +0200 +Subject: mptcp: set remote_deny_join_id0 on SYN recv + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 96939cec994070aa5df852c10fad5fc303a97ea3 ] + +When a SYN containing the 'C' flag (deny join id0) was received, this +piece of information was not propagated to the path-manager. + +Even if this flag is mainly set on the server side, a client can also +tell the server it cannot try to establish new subflows to the client's +initial IP address and port. The server's PM should then record such +info when received, and before sending events about the new connection. + +Fixes: df377be38725 ("mptcp: add deny_join_id0 in mptcp_options_received") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-1-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/subflow.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c +index 0c9b9c0c277c2..dfee1890c841b 100644 +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -863,6 +863,10 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk, + + ctx->subflow_id = 1; + owner = mptcp_sk(ctx->conn); ++ ++ if (mp_opt.deny_join_id0) ++ WRITE_ONCE(owner->pm.remote_deny_join_id0, true); ++ + mptcp_pm_new_connection(owner, child, 1); + + /* with OoO packets we can reach here without ingress +-- +2.51.0 + diff --git a/queue-6.6/mptcp-tfo-record-deny-join-id0-info.patch b/queue-6.6/mptcp-tfo-record-deny-join-id0-info.patch new file mode 100644 index 0000000000..dccf0a660e --- /dev/null +++ b/queue-6.6/mptcp-tfo-record-deny-join-id0-info.patch @@ -0,0 +1,52 @@ +From 1499bf32fc41010ac6514c04f956e0f7cb67074e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:23 +0200 +Subject: mptcp: tfo: record 'deny join id0' info + +From: Matthieu Baerts (NGI0) + +[ Upstream commit 92da495cb65719583aa06bc946aeb18a10e1e6e2 ] + +When TFO is used, the check to see if the 'C' flag (deny join id0) was +set was bypassed. + +This flag can be set when TFO is used, so the check should also be done +when TFO is used. + +Note that the set_fully_established label is also used when a 4th ACK is +received. In this case, deny_join_id0 will not be set. + +Fixes: dfc8d0603033 ("mptcp: implement delayed seq generation for passive fastopen") +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-4-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index 9406d2d555e74..b245abd08c824 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -985,13 +985,13 @@ static bool check_fully_established(struct mptcp_sock *msk, struct sock *ssk, + return false; + } + +- if (mp_opt->deny_join_id0) +- WRITE_ONCE(msk->pm.remote_deny_join_id0, true); +- + if (unlikely(!READ_ONCE(msk->pm.server_side))) + pr_warn_once("bogus mpc option on established client sk"); + + set_fully_established: ++ if (mp_opt->deny_join_id0) ++ WRITE_ONCE(msk->pm.remote_deny_join_id0, true); ++ + mptcp_data_lock((struct sock *)msk); + __mptcp_subflow_fully_established(msk, subflow, mp_opt); + mptcp_data_unlock((struct sock *)msk); +-- +2.51.0 + diff --git a/queue-6.6/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch b/queue-6.6/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch new file mode 100644 index 0000000000..573fbe1221 --- /dev/null +++ b/queue-6.6/net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch @@ -0,0 +1,37 @@ +From 1dd4791339264156a62be532e9441b6ff9d76528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 15:30:58 +0000 +Subject: net: liquidio: fix overflow in octeon_init_instr_queue() + +From: Alexey Nepomnyashih + +[ Upstream commit cca7b1cfd7b8a0eff2a3510c5e0f10efe8fa3758 ] + +The expression `(conf->instr_type == 64) << iq_no` can overflow because +`iq_no` may be as high as 64 (`CN23XX_MAX_RINGS_PER_PF`). Casting the +operand to `u64` ensures correct 64-bit arithmetic. + +Fixes: f21fb3ed364b ("Add support of Cavium Liquidio ethernet adapters") +Signed-off-by: Alexey Nepomnyashih +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/liquidio/request_manager.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c b/drivers/net/ethernet/cavium/liquidio/request_manager.c +index de8a6ce86ad7e..12105ffb5dac6 100644 +--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c ++++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c +@@ -126,7 +126,7 @@ int octeon_init_instr_queue(struct octeon_device *oct, + oct->io_qmask.iq |= BIT_ULL(iq_no); + + /* Set the 32B/64B mode for each input queue */ +- oct->io_qmask.iq64B |= ((conf->instr_type == 64) << iq_no); ++ oct->io_qmask.iq64B |= ((u64)(conf->instr_type == 64) << iq_no); + iq->iqcmd_64B = (conf->instr_type == 64); + + oct->fn_list.setup_iq_regs(oct, iq_no); +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-consider-aggregated-port-speed-during-rate.patch b/queue-6.6/net-mlx5e-consider-aggregated-port-speed-during-rate.patch new file mode 100644 index 0000000000..8b8920f7ef --- /dev/null +++ b/queue-6.6/net-mlx5e-consider-aggregated-port-speed-during-rate.patch @@ -0,0 +1,145 @@ +From fc35e434bdd5094c883b1e47946afb10f8e9efa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Aug 2023 01:19:01 +0000 +Subject: net/mlx5e: Consider aggregated port speed during rate configuration + +From: Jianbo Liu + +[ Upstream commit 8d88e198dcaf700e33c2a4c796af9434652c56e7 ] + +When LAG is configured, functions (PF,VF,SF) can utilize the maximum +aggregated link speed for transmission. Currently the aggregated link +speed is not considered. + +Hence, improve it to use the aggregated link speed by referring to the +physical port's upper bonding device when LAG is configured. + +Signed-off-by: Jianbo Liu +Reviewed-by: Parav Pandit +Reviewed-by: Dragos Tatulea +Signed-off-by: Saeed Mahameed +Stable-dep-of: 6b4be64fd9fe ("net/mlx5e: Harden uplink netdev access against device unbind") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 84 ++++++++++++++++--- + 1 file changed, 72 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index cc0f2be21a265..34f7d814859db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -2,6 +2,7 @@ + /* Copyright (c) 2021, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */ + + #include "eswitch.h" ++#include "lib/mlx5.h" + #include "esw/qos.h" + #include "en/port.h" + #define CREATE_TRACE_POINTS +@@ -712,6 +713,70 @@ int mlx5_esw_qos_set_vport_rate(struct mlx5_eswitch *esw, struct mlx5_vport *vpo + return err; + } + ++static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) ++{ ++ struct ethtool_link_ksettings lksettings; ++ struct net_device *slave, *master; ++ u32 speed = SPEED_UNKNOWN; ++ ++ /* Lock ensures a stable reference to master and slave netdevice ++ * while port speed of master is queried. ++ */ ++ ASSERT_RTNL(); ++ ++ slave = mlx5_uplink_netdev_get(mdev); ++ if (!slave) ++ goto out; ++ ++ master = netdev_master_upper_dev_get(slave); ++ if (master && !__ethtool_get_link_ksettings(master, &lksettings)) ++ speed = lksettings.base.speed; ++ ++out: ++ return speed; ++} ++ ++static int mlx5_esw_qos_max_link_speed_get(struct mlx5_core_dev *mdev, u32 *link_speed_max, ++ bool hold_rtnl_lock, struct netlink_ext_ack *extack) ++{ ++ int err; ++ ++ if (!mlx5_lag_is_active(mdev)) ++ goto skip_lag; ++ ++ if (hold_rtnl_lock) ++ rtnl_lock(); ++ ++ *link_speed_max = mlx5_esw_qos_lag_link_speed_get_locked(mdev); ++ ++ if (hold_rtnl_lock) ++ rtnl_unlock(); ++ ++ if (*link_speed_max != (u32)SPEED_UNKNOWN) ++ return 0; ++ ++skip_lag: ++ err = mlx5_port_max_linkspeed(mdev, link_speed_max); ++ if (err) ++ NL_SET_ERR_MSG_MOD(extack, "Failed to get link maximum speed"); ++ ++ return err; ++} ++ ++static int mlx5_esw_qos_link_speed_verify(struct mlx5_core_dev *mdev, ++ const char *name, u32 link_speed_max, ++ u64 value, struct netlink_ext_ack *extack) ++{ ++ if (value > link_speed_max) { ++ pr_err("%s rate value %lluMbps exceed link maximum speed %u.\n", ++ name, value, link_speed_max); ++ NL_SET_ERR_MSG_MOD(extack, "TX rate value exceed link maximum speed"); ++ return -EINVAL; ++ } ++ ++ return 0; ++} ++ + int mlx5_esw_qos_modify_vport_rate(struct mlx5_eswitch *esw, u16 vport_num, u32 rate_mbps) + { + u32 ctx[MLX5_ST_SZ_DW(scheduling_context)] = {}; +@@ -755,12 +820,6 @@ static int esw_qos_devlink_rate_to_mbps(struct mlx5_core_dev *mdev, const char * + u64 value; + int err; + +- err = mlx5_port_max_linkspeed(mdev, &link_speed_max); +- if (err) { +- NL_SET_ERR_MSG_MOD(extack, "Failed to get link maximum speed"); +- return err; +- } +- + value = div_u64_rem(*rate, MLX5_LINKSPEED_UNIT, &remainder); + if (remainder) { + pr_err("%s rate value %lluBps not in link speed units of 1Mbps.\n", +@@ -769,12 +828,13 @@ static int esw_qos_devlink_rate_to_mbps(struct mlx5_core_dev *mdev, const char * + return -EINVAL; + } + +- if (value > link_speed_max) { +- pr_err("%s rate value %lluMbps exceed link maximum speed %u.\n", +- name, value, link_speed_max); +- NL_SET_ERR_MSG_MOD(extack, "TX rate value exceed link maximum speed"); +- return -EINVAL; +- } ++ err = mlx5_esw_qos_max_link_speed_get(mdev, &link_speed_max, true, extack); ++ if (err) ++ return err; ++ ++ err = mlx5_esw_qos_link_speed_verify(mdev, name, link_speed_max, value, extack); ++ if (err) ++ return err; + + *rate = value; + return 0; +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-harden-uplink-netdev-access-against-device.patch b/queue-6.6/net-mlx5e-harden-uplink-netdev-access-against-device.patch new file mode 100644 index 0000000000..761a572c9f --- /dev/null +++ b/queue-6.6/net-mlx5e-harden-uplink-netdev-access-against-device.patch @@ -0,0 +1,154 @@ +From 12e7e487ffdf82fe1ddf94c8b1e54d2422c7f4fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 15:24:32 +0300 +Subject: net/mlx5e: Harden uplink netdev access against device unbind + +From: Jianbo Liu + +[ Upstream commit 6b4be64fd9fec16418f365c2d8e47a7566e9eba5 ] + +The function mlx5_uplink_netdev_get() gets the uplink netdevice +pointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice can +be removed and its pointer cleared when unbound from the mlx5_core.eth +driver. This results in a NULL pointer, causing a kernel panic. + + BUG: unable to handle page fault for address: 0000000000001300 + at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core] + Call Trace: + + mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core] + esw_offloads_enable+0x593/0x910 [mlx5_core] + mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core] + mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core] + devlink_nl_eswitch_set_doit+0x60/0xd0 + genl_family_rcv_msg_doit+0xe0/0x130 + genl_rcv_msg+0x183/0x290 + netlink_rcv_skb+0x4b/0xf0 + genl_rcv+0x24/0x40 + netlink_unicast+0x255/0x380 + netlink_sendmsg+0x1f3/0x420 + __sock_sendmsg+0x38/0x60 + __sys_sendto+0x119/0x180 + do_syscall_64+0x53/0x1d0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Ensure the pointer is valid before use by checking it for NULL. If it +is valid, immediately call netdev_hold() to take a reference, and +preventing the netdevice from being freed while it is in use. + +Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Jiri Pirko +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1757939074-617281-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 27 +++++++++++++++---- + .../net/ethernet/mellanox/mlx5/core/esw/qos.c | 1 + + .../ethernet/mellanox/mlx5/core/lib/mlx5.h | 15 ++++++++++- + include/linux/mlx5/driver.h | 1 + + 4 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 851c499faa795..656a7b65f4c7b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1448,12 +1448,21 @@ static const struct mlx5e_profile mlx5e_uplink_rep_profile = { + static int + mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep) + { +- struct mlx5e_priv *priv = netdev_priv(mlx5_uplink_netdev_get(dev)); + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); ++ struct net_device *netdev; ++ struct mlx5e_priv *priv; ++ int err; ++ ++ netdev = mlx5_uplink_netdev_get(dev); ++ if (!netdev) ++ return 0; + ++ priv = netdev_priv(netdev); + rpriv->netdev = priv->netdev; +- return mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, +- rpriv); ++ err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, ++ rpriv); ++ mlx5_uplink_netdev_put(dev, netdev); ++ return err; + } + + static void +@@ -1565,8 +1574,16 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep) + { + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); + struct net_device *netdev = rpriv->netdev; +- struct mlx5e_priv *priv = netdev_priv(netdev); +- void *ppriv = priv->ppriv; ++ struct mlx5e_priv *priv; ++ void *ppriv; ++ ++ if (!netdev) { ++ ppriv = rpriv; ++ goto free_ppriv; ++ } ++ ++ priv = netdev_priv(netdev); ++ ppriv = priv->ppriv; + + if (rep->vport == MLX5_VPORT_UPLINK) { + mlx5e_vport_uplink_rep_unload(rpriv); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +index 34f7d814859db..05fbd2098b268 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c +@@ -733,6 +733,7 @@ static u32 mlx5_esw_qos_lag_link_speed_get_locked(struct mlx5_core_dev *mdev) + speed = lksettings.base.speed; + + out: ++ mlx5_uplink_netdev_put(mdev, slave); + return speed; + } + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +index 2b5826a785c4f..adcc2bc9c8c87 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mlx5.h +@@ -52,6 +52,19 @@ static inline struct net *mlx5_core_net(struct mlx5_core_dev *dev) + + static inline struct net_device *mlx5_uplink_netdev_get(struct mlx5_core_dev *mdev) + { +- return mdev->mlx5e_res.uplink_netdev; ++ struct mlx5e_resources *mlx5e_res = &mdev->mlx5e_res; ++ struct net_device *netdev; ++ ++ mutex_lock(&mlx5e_res->uplink_netdev_lock); ++ netdev = mlx5e_res->uplink_netdev; ++ netdev_hold(netdev, &mlx5e_res->tracker, GFP_KERNEL); ++ mutex_unlock(&mlx5e_res->uplink_netdev_lock); ++ return netdev; ++} ++ ++static inline void mlx5_uplink_netdev_put(struct mlx5_core_dev *mdev, ++ struct net_device *netdev) ++{ ++ netdev_put(netdev, &mdev->mlx5e_res.tracker); + } + #endif +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 696a2227869fb..c0e0468b25a18 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -677,6 +677,7 @@ struct mlx5e_resources { + struct mlx5_sq_bfreg bfreg; + } hw_objs; + struct net_device *uplink_netdev; ++ netdevice_tracker tracker; + struct mutex uplink_netdev_lock; + struct mlx5_crypto_dek_priv *dek_priv; + }; +-- +2.51.0 + diff --git a/queue-6.6/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch b/queue-6.6/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch new file mode 100644 index 0000000000..27a17ee383 --- /dev/null +++ b/queue-6.6/net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch @@ -0,0 +1,74 @@ +From 3d270fa0244685cf355b81c33b3d0f03a63a5350 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Sep 2025 15:01:36 +0900 +Subject: net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` + failure + +From: Yeounsu Moon + +[ Upstream commit 93ab4881a4e2b9657bdce4b8940073bfb4ed5eab ] + +`netif_rx()` already increments `rx_dropped` core stat when it fails. +The driver was also updating `ndev->stats.rx_dropped` in the same path. +Since both are reported together via `ip -s -s` command, this resulted +in drops being counted twice in user-visible stats. + +Keep the driver update on `if (unlikely(!skb))`, but skip it after +`netif_rx()` errors. + +Fixes: caf586e5f23c ("net: add a core netdev->rx_dropped counter") +Signed-off-by: Yeounsu Moon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250913060135.35282-3-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/natsemi/ns83820.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/natsemi/ns83820.c b/drivers/net/ethernet/natsemi/ns83820.c +index 998586872599b..c692d2e878b2e 100644 +--- a/drivers/net/ethernet/natsemi/ns83820.c ++++ b/drivers/net/ethernet/natsemi/ns83820.c +@@ -820,7 +820,7 @@ static void rx_irq(struct net_device *ndev) + struct ns83820 *dev = PRIV(ndev); + struct rx_info *info = &dev->rx_info; + unsigned next_rx; +- int rx_rc, len; ++ int len; + u32 cmdsts; + __le32 *desc; + unsigned long flags; +@@ -881,8 +881,10 @@ static void rx_irq(struct net_device *ndev) + if (likely(CMDSTS_OK & cmdsts)) { + #endif + skb_put(skb, len); +- if (unlikely(!skb)) ++ if (unlikely(!skb)) { ++ ndev->stats.rx_dropped++; + goto netdev_mangle_me_harder_failed; ++ } + if (cmdsts & CMDSTS_DEST_MULTI) + ndev->stats.multicast++; + ndev->stats.rx_packets++; +@@ -901,15 +903,12 @@ static void rx_irq(struct net_device *ndev) + __vlan_hwaccel_put_tag(skb, htons(ETH_P_IPV6), tag); + } + #endif +- rx_rc = netif_rx(skb); +- if (NET_RX_DROP == rx_rc) { +-netdev_mangle_me_harder_failed: +- ndev->stats.rx_dropped++; +- } ++ netif_rx(skb); + } else { + dev_kfree_skb_irq(skb); + } + ++netdev_mangle_me_harder_failed: + nr++; + next_rx = info->next_rx; + desc = info->descs + (DESC_SIZE * next_rx); +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch b/queue-6.6/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch new file mode 100644 index 0000000000..36966a035f --- /dev/null +++ b/queue-6.6/octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch @@ -0,0 +1,126 @@ +From 7b73b50a91fc4b746fbda6bf24f334420c1e1786 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 14:38:53 +0800 +Subject: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() + +From: Duoming Zhou + +[ Upstream commit f8b4687151021db61841af983f1cb7be6915d4ef ] + +The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), +which does not ensure that the delayed work item synctstamp_work has fully +completed if it was already running. This leads to use-after-free scenarios +where otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_work +remains active and attempts to dereference otx2_ptp in otx2_sync_tstamp(). +Furthermore, the synctstamp_work is cyclic, the likelihood of triggering +the bug is nonnegligible. + +A typical race condition is illustrated below: + +CPU 0 (cleanup) | CPU 1 (delayed work callback) +otx2_remove() | + otx2_ptp_destroy() | otx2_sync_tstamp() + cancel_delayed_work() | + kfree(ptp) | + | ptp = container_of(...); //UAF + | ptp-> //UAF + +This is confirmed by a KASAN report: + +BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 +Write of size 8 at addr ffff88800aa09a18 by task bash/136 +... +Call Trace: + + dump_stack_lvl+0x55/0x70 + print_report+0xcf/0x610 + ? __run_timer_base.part.0+0x7d7/0x8c0 + kasan_report+0xb8/0xf0 + ? __run_timer_base.part.0+0x7d7/0x8c0 + __run_timer_base.part.0+0x7d7/0x8c0 + ? __pfx___run_timer_base.part.0+0x10/0x10 + ? __pfx_read_tsc+0x10/0x10 + ? ktime_get+0x60/0x140 + ? lapic_next_event+0x11/0x20 + ? clockevents_program_event+0x1d4/0x2a0 + run_timer_softirq+0xd1/0x190 + handle_softirqs+0x16a/0x550 + irq_exit_rcu+0xaf/0xe0 + sysvec_apic_timer_interrupt+0x70/0x80 + +... +Allocated by task 1: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + otx2_ptp_init+0xb1/0x860 + otx2_probe+0x4eb/0xc30 + local_pci_probe+0xdc/0x190 + pci_device_probe+0x2fe/0x470 + really_probe+0x1ca/0x5c0 + __driver_probe_device+0x248/0x310 + driver_probe_device+0x44/0x120 + __driver_attach+0xd2/0x310 + bus_for_each_dev+0xed/0x170 + bus_add_driver+0x208/0x500 + driver_register+0x132/0x460 + do_one_initcall+0x89/0x300 + kernel_init_freeable+0x40d/0x720 + kernel_init+0x1a/0x150 + ret_from_fork+0x10c/0x1a0 + ret_from_fork_asm+0x1a/0x30 + +Freed by task 136: + kasan_save_stack+0x24/0x50 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3a/0x60 + __kasan_slab_free+0x3f/0x50 + kfree+0x137/0x370 + otx2_ptp_destroy+0x38/0x80 + otx2_remove+0x10d/0x4c0 + pci_device_remove+0xa6/0x1d0 + device_release_driver_internal+0xf8/0x210 + pci_stop_bus_device+0x105/0x150 + pci_stop_and_remove_bus_device_locked+0x15/0x30 + remove_store+0xcc/0xe0 + kernfs_fop_write_iter+0x2c3/0x440 + vfs_write+0x871/0xd70 + ksys_write+0xee/0x1c0 + do_syscall_64+0xac/0x280 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +... + +Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure +that the delayed work item is properly canceled before the otx2_ptp is +deallocated. + +This bug was initially identified through static analysis. To reproduce +and test it, I simulated the OcteonTX2 PCI device in QEMU and introduced +artificial delays within the otx2_sync_tstamp() function to increase the +likelihood of triggering the bug. + +Fixes: 2958d17a8984 ("octeontx2-pf: Add support for ptp 1-step mode on CN10K silicon") +Signed-off-by: Duoming Zhou +Reviewed-by: Vadim Fedorenko +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +index 3a72b0793d4a7..82725923555c5 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ptp.c +@@ -476,7 +476,7 @@ void otx2_ptp_destroy(struct otx2_nic *pfvf) + if (!ptp) + return; + +- cancel_delayed_work(&pfvf->ptp->synctstamp_work); ++ cancel_delayed_work_sync(&pfvf->ptp->synctstamp_work); + + ptp_clock_unregister(ptp->ptp_clock); + kfree(ptp); +-- +2.51.0 + diff --git a/queue-6.6/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch b/queue-6.6/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch new file mode 100644 index 0000000000..39c2862582 --- /dev/null +++ b/queue-6.6/pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch @@ -0,0 +1,52 @@ +From 56cb5109363255a5625a35e1262075519a1134c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 17:50:14 +0200 +Subject: pcmcia: omap_cf: Mark driver struct with __refdata to prevent section + mismatch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d1dfcdd30140c031ae091868fb5bed084132bca1 ] + +As described in the added code comment, a reference to .exit.text is ok +for drivers registered via platform_driver_probe(). Make this explicit +to prevent the following section mismatch warning + + WARNING: modpost: drivers/pcmcia/omap_cf: section mismatch in reference: omap_cf_driver+0x4 (section: .data) -> omap_cf_remove (section: .exit.text) + +that triggers on an omap1_defconfig + CONFIG_OMAP_CF=m build. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Reviewed-by: Uwe Kleine-König +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/omap_cf.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/pcmcia/omap_cf.c b/drivers/pcmcia/omap_cf.c +index 25382612e48ac..a8e0dd5d30c43 100644 +--- a/drivers/pcmcia/omap_cf.c ++++ b/drivers/pcmcia/omap_cf.c +@@ -305,7 +305,13 @@ static int __exit omap_cf_remove(struct platform_device *pdev) + return 0; + } + +-static struct platform_driver omap_cf_driver = { ++/* ++ * omap_cf_remove() lives in .exit.text. For drivers registered via ++ * platform_driver_probe() this is ok because they cannot get unbound at ++ * runtime. So mark the driver struct with __refdata to prevent modpost ++ * triggering a section mismatch warning. ++ */ ++static struct platform_driver omap_cf_driver __refdata = { + .driver = { + .name = driver_name, + }, +-- +2.51.0 + diff --git a/queue-6.6/qed-don-t-collect-too-many-protection-override-grc-e.patch b/queue-6.6/qed-don-t-collect-too-many-protection-override-grc-e.patch new file mode 100644 index 0000000000..9884928d18 --- /dev/null +++ b/queue-6.6/qed-don-t-collect-too-many-protection-override-grc-e.patch @@ -0,0 +1,89 @@ +From 9a486f70cd1872ee820911093c872d44464cce0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 16:29:16 +1000 +Subject: qed: Don't collect too many protection override GRC elements + +From: Jamie Bainbridge + +[ Upstream commit 56c0a2a9ddc2f5b5078c5fb0f81ab76bbc3d4c37 ] + +In the protection override dump path, the firmware can return far too +many GRC elements, resulting in attempting to write past the end of the +previously-kmalloc'ed dump buffer. + +This will result in a kernel panic with reason: + + BUG: unable to handle kernel paging request at ADDRESS + +where "ADDRESS" is just past the end of the protection override dump +buffer. The start address of the buffer is: + p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_buf +and the size of the buffer is buf_size in the same data structure. + +The panic can be arrived at from either the qede Ethernet driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc02662ed [qed] + qed_dbg_protection_override_dump at ffffffffc0267792 [qed] + qed_dbg_feature at ffffffffc026aa8f [qed] + qed_dbg_all_data at ffffffffc026b211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] + devlink_health_do_dump at ffffffff82497f61 + devlink_health_report at ffffffff8249cf29 + qed_report_fatal_error at ffffffffc0272baf [qed] + qede_sp_task at ffffffffc045ed32 [qede] + process_one_work at ffffffff81d19783 + +or the qedf storage driver path: + + [exception RIP: qed_grc_dump_addr_range+0x108] + qed_protection_override_dump at ffffffffc068b2ed [qed] + qed_dbg_protection_override_dump at ffffffffc068c792 [qed] + qed_dbg_feature at ffffffffc068fa8f [qed] + qed_dbg_all_data at ffffffffc0690211 [qed] + qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] + devlink_health_do_dump at ffffffff8aa95e51 + devlink_health_report at ffffffff8aa9ae19 + qed_report_fatal_error at ffffffffc0697baf [qed] + qed_hw_err_notify at ffffffffc06d32d7 [qed] + qed_spq_post at ffffffffc06b1011 [qed] + qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] + qedf_cleanup_fcport at ffffffffc05e7597 [qedf] + qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] + fc_rport_work at ffffffffc02da715 [libfc] + process_one_work at ffffffff8a319663 + +Resolve this by clamping the firmware's return value to the maximum +number of legal elements the firmware should return. + +Fixes: d52c89f120de8 ("qed*: Utilize FW 8.37.2.0") +Signed-off-by: Jamie Bainbridge +Link: https://patch.msgid.link/f8e1182934aa274c18d0682a12dbaf347595469c.1757485536.git.jamie.bainbridge@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c +index cdcead614e9fa..ae421c2707785 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c +@@ -4461,10 +4461,11 @@ static enum dbg_status qed_protection_override_dump(struct qed_hwfn *p_hwfn, + goto out; + } + +- /* Add override window info to buffer */ ++ /* Add override window info to buffer, preventing buffer overflow */ + override_window_dwords = +- qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * +- PROTECTION_OVERRIDE_ELEMENT_DWORDS; ++ min(qed_rd(p_hwfn, p_ptt, GRC_REG_NUMBER_VALID_OVERRIDE_WINDOW) * ++ PROTECTION_OVERRIDE_ELEMENT_DWORDS, ++ PROTECTION_OVERRIDE_DEPTH_DWORDS); + if (override_window_dwords) { + addr = BYTES_TO_DWORDS(GRC_REG_PROTECTION_OVERRIDE_WINDOW); + offset += qed_grc_dump_addr_range(p_hwfn, +-- +2.51.0 + diff --git a/queue-6.6/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch b/queue-6.6/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch new file mode 100644 index 0000000000..82f1ab2a4b --- /dev/null +++ b/queue-6.6/revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch @@ -0,0 +1,39 @@ +From 73e42d6b6e5b6abb3d4a87f440da240704d43850 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Sep 2025 16:48:54 +0300 +Subject: Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + +From: Tariq Toukan + +[ Upstream commit 3fbfe251cc9f6d391944282cdb9bcf0bd02e01f8 ] + +This reverts commit d24341740fe48add8a227a753e68b6eedf4b385a. +It causes errors when trying to configure QoS, as well as +loss of L2 connectivity (on multi-host devices). + +Reported-by: Jakub Kicinski +Link: https://lore.kernel.org/20250910170011.70528106@kernel.org +Fixes: d24341740fe4 ("net/mlx5e: Update and set Xon/Xoff upon port speed set") +Signed-off-by: Tariq Toukan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index d378aa55f22f9..09ba60b2e744b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -109,8 +109,6 @@ void mlx5e_update_carrier(struct mlx5e_priv *priv) + if (up) { + netdev_info(priv->netdev, "Link up\n"); + netif_carrier_on(priv->netdev); +- mlx5e_port_manual_buffer_config(priv, 0, priv->netdev->mtu, +- NULL, NULL, NULL); + } else { + netdev_info(priv->netdev, "Link down\n"); + netif_carrier_off(priv->netdev); +-- +2.51.0 + diff --git a/queue-6.6/selftests-mptcp-sockopt-fix-error-messages.patch b/queue-6.6/selftests-mptcp-sockopt-fix-error-messages.patch new file mode 100644 index 0000000000..50ab2eb2f7 --- /dev/null +++ b/queue-6.6/selftests-mptcp-sockopt-fix-error-messages.patch @@ -0,0 +1,77 @@ +From d1d8cfbbd078d818418880d9e42404f0704d91b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:52:24 +0200 +Subject: selftests: mptcp: sockopt: fix error messages + +From: Geliang Tang + +[ Upstream commit b86418beade11d45540a2d20c4ec1128849b6c27 ] + +This patch fixes several issues in the error reporting of the MPTCP sockopt +selftest: + +1. Fix diff not printed: The error messages for counter mismatches had + the actual difference ('diff') as argument, but it was missing in the + format string. Displaying it makes the debugging easier. + +2. Fix variable usage: The error check for 'mptcpi_bytes_acked' incorrectly + used 'ret2' (sent bytes) for both the expected value and the difference + calculation. It now correctly uses 'ret' (received bytes), which is the + expected value for bytes_acked. + +3. Fix off-by-one in diff: The calculation for the 'mptcpi_rcv_delta' diff + was 's.mptcpi_rcv_delta - ret', which is off-by-one. It has been + corrected to 's.mptcpi_rcv_delta - (ret + 1)' to match the expected + value in the condition above it. + +Fixes: 5dcff89e1455 ("selftests: mptcp: explicitly tests aggregate counters") +Signed-off-by: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20250912-net-mptcp-pm-uspace-deny_join_id0-v1-5-40171884ade8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/mptcp/mptcp_sockopt.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +index 926b0be87c990..1dc2bd6ee4a50 100644 +--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c ++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c +@@ -658,22 +658,26 @@ static void process_one_client(int fd, int pipefd) + + do_getsockopts(&s, fd, ret, ret2); + if (s.mptcpi_rcv_delta != (uint64_t)ret + 1) +- xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64, s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - ret); ++ xerror("mptcpi_rcv_delta %" PRIu64 ", expect %" PRIu64 ", diff %" PRId64, ++ s.mptcpi_rcv_delta, ret + 1, s.mptcpi_rcv_delta - (ret + 1)); + + /* be nice when running on top of older kernel */ + if (s.pkt_stats_avail) { + if (s.last_sample.mptcpi_bytes_sent != ret2) +- xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_sent %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_sent, ret2, + s.last_sample.mptcpi_bytes_sent - ret2); + if (s.last_sample.mptcpi_bytes_received != ret) +- xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64, ++ xerror("mptcpi_bytes_received %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, + s.last_sample.mptcpi_bytes_received, ret, + s.last_sample.mptcpi_bytes_received - ret); + if (s.last_sample.mptcpi_bytes_acked != ret) +- xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64, +- s.last_sample.mptcpi_bytes_acked, ret2, +- s.last_sample.mptcpi_bytes_acked - ret2); ++ xerror("mptcpi_bytes_acked %" PRIu64 ", expect %" PRIu64 ++ ", diff %" PRId64, ++ s.last_sample.mptcpi_bytes_acked, ret, ++ s.last_sample.mptcpi_bytes_acked - ret); + } + + close(fd); +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..64e2a6abaf --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,25 @@ +wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch +alsa-firewire-motu-drop-epollout-from-poll-return-va.patch +wifi-mac80211-increase-scan_ies_len-for-s1g.patch +wifi-mac80211-fix-incorrect-type-for-ret.patch +pcmcia-omap_cf-mark-driver-struct-with-__refdata-to-.patch +cgroup-split-cgroup_destroy_wq-into-3-workqueues.patch +btrfs-fix-invalid-extref-key-setup-when-replaying-de.patch +um-virtio_uml-fix-use-after-free-after-put_device-in.patch +dpaa2-switch-fix-buffer-pool-seeding-for-control-tra.patch +qed-don-t-collect-too-many-protection-override-grc-e.patch +bonding-set-random-address-only-when-slaves-already-.patch +mptcp-set-remote_deny_join_id0-on-syn-recv.patch +mptcp-tfo-record-deny-join-id0-info.patch +selftests-mptcp-sockopt-fix-error-messages.patch +net-natsemi-fix-rx_dropped-double-accounting-on-neti.patch +i40e-remove-redundant-memory-barrier-when-cleaning-t.patch +net-mlx5e-consider-aggregated-port-speed-during-rate.patch +net-mlx5e-harden-uplink-netdev-access-against-device.patch +bonding-don-t-set-oif-to-bond-dev-when-getting-ns-ta.patch +tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch +tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch +revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch +net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch +cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch +octeontx2-pf-fix-use-after-free-bugs-in-otx2_sync_ts.patch diff --git a/queue-6.6/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch b/queue-6.6/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch new file mode 100644 index 0000000000..8ddba873ec --- /dev/null +++ b/queue-6.6/tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch @@ -0,0 +1,94 @@ +From 5060368a1cecf71e5f4ab0d50eedcb5963687989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Sep 2025 17:56:46 +0000 +Subject: tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). + +From: Kuniyuki Iwashima + +[ Upstream commit 45c8a6cc2bcd780e634a6ba8e46bffbdf1fc5c01 ] + +syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk +in the TCP_ESTABLISHED state. [0] + +syzbot reused the server-side TCP Fast Open socket as a new client before +the TFO socket completes 3WHS: + + 1. accept() + 2. connect(AF_UNSPEC) + 3. connect() to another destination + +As of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changes +it to TCP_CLOSE and makes connect() possible, which restarts timers. + +Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, the +retransmit timer triggered the warning and the intended packet was not +retransmitted. + +Let's call reqsk_fastopen_remove() in tcp_disconnect(). + +[0]: +WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Modules linked in: +CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7)) +Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3e +RSP: 0018:ffffc900002f8d40 EFLAGS: 00010293 +RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017 +RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400 +RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8 +R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540 +R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0 +FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0 +Call Trace: + + tcp_write_timer (net/ipv4/tcp_timer.c:738) + call_timer_fn (kernel/time/timer.c:1747) + __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) + timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) + tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) + __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) + tmigr_handle_remote (kernel/time/timer_migration.c:1096) + handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) + irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) + sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35)) + + +Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners") +Reported-by: syzkaller +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250915175800.118793-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index a4bbe959d1e25..40a2f172be2cb 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3011,6 +3011,7 @@ int tcp_disconnect(struct sock *sk, int flags) + struct inet_connection_sock *icsk = inet_csk(sk); + struct tcp_sock *tp = tcp_sk(sk); + int old_state = sk->sk_state; ++ struct request_sock *req; + u32 seq; + + if (old_state != TCP_CLOSE) +@@ -3121,6 +3122,10 @@ int tcp_disconnect(struct sock *sk, int flags) + + + /* Clean up fastopen related fields */ ++ req = rcu_dereference_protected(tp->fastopen_rsk, ++ lockdep_sock_is_held(sk)); ++ if (req) ++ reqsk_fastopen_remove(sk, req, false); + tcp_free_fastopen_req(tp); + inet_clear_bit(DEFER_CONNECT, sk); + tp->fastopen_client_fail = 0; +-- +2.51.0 + diff --git a/queue-6.6/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch b/queue-6.6/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch new file mode 100644 index 0000000000..49c1f71faf --- /dev/null +++ b/queue-6.6/tls-make-sure-to-abort-the-stream-if-headers-are-bog.patch @@ -0,0 +1,112 @@ +From 8a15873cf4b7801800c710d6ccf57762291b4e39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 17:28:13 -0700 +Subject: tls: make sure to abort the stream if headers are bogus + +From: Jakub Kicinski + +[ Upstream commit 0aeb54ac4cd5cf8f60131b4d9ec0b6dc9c27b20d ] + +Normally we wait for the socket to buffer up the whole record +before we service it. If the socket has a tiny buffer, however, +we read out the data sooner, to prevent connection stalls. +Make sure that we abort the connection when we find out late +that the record is actually invalid. Retrying the parsing is +fine in itself but since we copy some more data each time +before we parse we can overflow the allocated skb space. + +Constructing a scenario in which we're under pressure without +enough data in the socket to parse the length upfront is quite +hard. syzbot figured out a way to do this by serving us the header +in small OOB sends, and then filling in the recvbuf with a large +normal send. + +Make sure that tls_rx_msg_size() aborts strp, if we reach +an invalid record there's really no way to recover. + +Reported-by: Lee Jones +Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser") +Reviewed-by: Sabrina Dubroca +Signed-off-by: Jakub Kicinski +Link: https://patch.msgid.link/20250917002814.1743558-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls.h | 1 + + net/tls/tls_strp.c | 14 +++++++++----- + net/tls/tls_sw.c | 3 +-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/net/tls/tls.h b/net/tls/tls.h +index 5dc61c85c076e..a3c5c5a59fda6 100644 +--- a/net/tls/tls.h ++++ b/net/tls/tls.h +@@ -141,6 +141,7 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx); + + int wait_on_pending_writer(struct sock *sk, long *timeo); + void tls_err_abort(struct sock *sk, int err); ++void tls_strp_abort_strp(struct tls_strparser *strp, int err); + + int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); + void tls_update_rx_zc_capable(struct tls_context *tls_ctx); +diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c +index 6ce64a6e4495e..ae723cd6af397 100644 +--- a/net/tls/tls_strp.c ++++ b/net/tls/tls_strp.c +@@ -12,7 +12,7 @@ + + static struct workqueue_struct *tls_strp_wq; + +-static void tls_strp_abort_strp(struct tls_strparser *strp, int err) ++void tls_strp_abort_strp(struct tls_strparser *strp, int err) + { + if (strp->stopped) + return; +@@ -210,11 +210,17 @@ static int tls_strp_copyin_frag(struct tls_strparser *strp, struct sk_buff *skb, + struct sk_buff *in_skb, unsigned int offset, + size_t in_len) + { ++ unsigned int nfrag = skb->len / PAGE_SIZE; + size_t len, chunk; + skb_frag_t *frag; + int sz; + +- frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE]; ++ if (unlikely(nfrag >= skb_shinfo(skb)->nr_frags)) { ++ DEBUG_NET_WARN_ON_ONCE(1); ++ return -EMSGSIZE; ++ } ++ ++ frag = &skb_shinfo(skb)->frags[nfrag]; + + len = in_len; + /* First make sure we got the header */ +@@ -519,10 +525,8 @@ static int tls_strp_read_sock(struct tls_strparser *strp) + tls_strp_load_anchor_with_queue(strp, inq); + if (!strp->stm.full_len) { + sz = tls_rx_msg_size(strp, strp->anchor); +- if (sz < 0) { +- tls_strp_abort_strp(strp, sz); ++ if (sz < 0) + return sz; +- } + + strp->stm.full_len = sz; + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 27ce1feb79e14..435235a351e2f 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -2441,8 +2441,7 @@ int tls_rx_msg_size(struct tls_strparser *strp, struct sk_buff *skb) + return data_len + TLS_HEADER_SIZE; + + read_failure: +- tls_err_abort(strp->sk, ret); +- ++ tls_strp_abort_strp(strp, ret); + return ret; + } + +-- +2.51.0 + diff --git a/queue-6.6/um-virtio_uml-fix-use-after-free-after-put_device-in.patch b/queue-6.6/um-virtio_uml-fix-use-after-free-after-put_device-in.patch new file mode 100644 index 0000000000..32a9535cb5 --- /dev/null +++ b/queue-6.6/um-virtio_uml-fix-use-after-free-after-put_device-in.patch @@ -0,0 +1,44 @@ +From a6ce622659c2db1c80e7b5ad59091ea451a36712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Aug 2025 15:00:51 +0800 +Subject: um: virtio_uml: Fix use-after-free after put_device in probe + +From: Miaoqian Lin + +[ Upstream commit 7ebf70cf181651fe3f2e44e95e7e5073d594c9c0 ] + +When register_virtio_device() fails in virtio_uml_probe(), +the code sets vu_dev->registered = 1 even though +the device was not successfully registered. +This can lead to use-after-free or other issues. + +Fixes: 04e5b1fb0183 ("um: virtio: Remove device on disconnect") +Signed-off-by: Miaoqian Lin +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + arch/um/drivers/virtio_uml.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/um/drivers/virtio_uml.c b/arch/um/drivers/virtio_uml.c +index 8adca2000e519..d790acfc2c674 100644 +--- a/arch/um/drivers/virtio_uml.c ++++ b/arch/um/drivers/virtio_uml.c +@@ -1229,10 +1229,12 @@ static int virtio_uml_probe(struct platform_device *pdev) + device_set_wakeup_capable(&vu_dev->vdev.dev, true); + + rc = register_virtio_device(&vu_dev->vdev); +- if (rc) ++ if (rc) { + put_device(&vu_dev->vdev.dev); ++ return rc; ++ } + vu_dev->registered = 1; +- return rc; ++ return 0; + + error_init: + os_close_file(vu_dev->sock); +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-fix-incorrect-type-for-ret.patch b/queue-6.6/wifi-mac80211-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..0c27ec3cb9 --- /dev/null +++ b/queue-6.6/wifi-mac80211-fix-incorrect-type-for-ret.patch @@ -0,0 +1,37 @@ +From 657f6c6117dfabcc48ce472f1180d53a18e5a415 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 10:29:11 +0800 +Subject: wifi: mac80211: fix incorrect type for ret + +From: Liao Yuanhong + +[ Upstream commit a33b375ab5b3a9897a0ab76be8258d9f6b748628 ] + +The variable ret is declared as a u32 type, but it is assigned a value +of -EOPNOTSUPP. Since unsigned types cannot correctly represent negative +values, the type of ret should be changed to int. + +Signed-off-by: Liao Yuanhong +Link: https://patch.msgid.link/20250825022911.139377-1-liaoyuanhong@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h +index 78aa3bc51586e..5f8f72ca2769c 100644 +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -1273,7 +1273,7 @@ drv_get_ftm_responder_stats(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct cfg80211_ftm_responder_stats *ftm_stats) + { +- u32 ret = -EOPNOTSUPP; ++ int ret = -EOPNOTSUPP; + + if (local->ops->get_ftm_responder_stats) + ret = local->ops->get_ftm_responder_stats(&local->hw, +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-increase-scan_ies_len-for-s1g.patch b/queue-6.6/wifi-mac80211-increase-scan_ies_len-for-s1g.patch new file mode 100644 index 0000000000..70a24542e3 --- /dev/null +++ b/queue-6.6/wifi-mac80211-increase-scan_ies_len-for-s1g.patch @@ -0,0 +1,65 @@ +From c97be7e89d0ee6e3c273b483f2165940ee5f4ee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Aug 2025 18:54:37 +1000 +Subject: wifi: mac80211: increase scan_ies_len for S1G + +From: Lachlan Hodges + +[ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ] + +Currently the S1G capability element is not taken into account +for the scan_ies_len, which leads to a buffer length validation +failure in ieee80211_prep_hw_scan() and subsequent WARN in +__ieee80211_start_scan(). This prevents hw scanning from functioning. +To fix ensure we accommodate for the S1G capability length. + +Signed-off-by: Lachlan Hodges +Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 3a6fff98748b8..80b143bde93d6 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -965,7 +965,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + int result, i; + enum nl80211_band band; + int channels, max_bitrates; +- bool supp_ht, supp_vht, supp_he, supp_eht; ++ bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; + struct cfg80211_chan_def dflt_chandef = {}; + + if (ieee80211_hw_check(hw, QUEUE_CONTROL) && +@@ -1081,6 +1081,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + supp_vht = false; + supp_he = false; + supp_eht = false; ++ supp_s1g = false; + for (band = 0; band < NUM_NL80211_BANDS; band++) { + struct ieee80211_supported_band *sband; + +@@ -1127,6 +1128,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + max_bitrates = sband->n_bitrates; + supp_ht = supp_ht || sband->ht_cap.ht_supported; + supp_vht = supp_vht || sband->vht_cap.vht_supported; ++ supp_s1g = supp_s1g || sband->s1g_cap.s1g; + + for (i = 0; i < sband->n_iftype_data; i++) { + const struct ieee80211_sband_iftype_data *iftd; +@@ -1253,6 +1255,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) + local->scan_ies_len += + 2 + sizeof(struct ieee80211_vht_cap); + ++ if (supp_s1g) ++ local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); ++ + /* + * HE cap element is variable in size - set len to allow max size */ + if (supp_he) { +-- +2.51.0 + diff --git a/queue-6.6/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch b/queue-6.6/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch new file mode 100644 index 0000000000..2fd61db136 --- /dev/null +++ b/queue-6.6/wifi-wilc1000-avoid-buffer-overflow-in-wid-string-co.patch @@ -0,0 +1,155 @@ +From 572f8e10b15c0ec580dee97736a33ad9800a7579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 22:58:43 +0000 +Subject: wifi: wilc1000: avoid buffer overflow in WID string configuration + +From: Ajay.Kathat@microchip.com + +[ Upstream commit fe9e4d0c39311d0f97b024147a0d155333f388b5 ] + +Fix the following copy overflow warning identified by Smatch checker. + + drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() + error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537) + +This patch introduces size check before accessing the memory buffer. +The checks are base on the WID type of received data from the firmware. +For WID string configuration, the size limit is determined by individual +element size in 'struct wilc_cfg_str_vals' that is maintained in 'len' field +of 'struct wilc_cfg_str'. + +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-wireless/aLFbr9Yu9j_TQTey@stanley.mountain +Suggested-by: Dan Carpenter +Signed-off-by: Ajay Singh +Link: https://patch.msgid.link/20250829225829.5423-1-ajay.kathat@microchip.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + .../wireless/microchip/wilc1000/wlan_cfg.c | 37 ++++++++++++++----- + .../wireless/microchip/wilc1000/wlan_cfg.h | 5 ++- + 2 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +index 131388886acbf..cfabd5aebb540 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.c +@@ -41,10 +41,10 @@ static const struct wilc_cfg_word g_cfg_word[] = { + }; + + static const struct wilc_cfg_str g_cfg_str[] = { +- {WID_FIRMWARE_VERSION, NULL}, +- {WID_MAC_ADDR, NULL}, +- {WID_ASSOC_RES_INFO, NULL}, +- {WID_NIL, NULL} ++ {WID_FIRMWARE_VERSION, 0, NULL}, ++ {WID_MAC_ADDR, 0, NULL}, ++ {WID_ASSOC_RES_INFO, 0, NULL}, ++ {WID_NIL, 0, NULL} + }; + + #define WILC_RESP_MSG_TYPE_CONFIG_REPLY 'R' +@@ -147,44 +147,58 @@ static void wilc_wlan_parse_response_frame(struct wilc *wl, u8 *info, int size) + + switch (FIELD_GET(WILC_WID_TYPE, wid)) { + case WID_CHAR: ++ len = 3; ++ if (len + 2 > size) ++ return; ++ + while (cfg->b[i].id != WID_NIL && cfg->b[i].id != wid) + i++; + + if (cfg->b[i].id == wid) + cfg->b[i].val = info[4]; + +- len = 3; + break; + + case WID_SHORT: ++ len = 4; ++ if (len + 2 > size) ++ return; ++ + while (cfg->hw[i].id != WID_NIL && cfg->hw[i].id != wid) + i++; + + if (cfg->hw[i].id == wid) + cfg->hw[i].val = get_unaligned_le16(&info[4]); + +- len = 4; + break; + + case WID_INT: ++ len = 6; ++ if (len + 2 > size) ++ return; ++ + while (cfg->w[i].id != WID_NIL && cfg->w[i].id != wid) + i++; + + if (cfg->w[i].id == wid) + cfg->w[i].val = get_unaligned_le32(&info[4]); + +- len = 6; + break; + + case WID_STR: ++ len = 2 + get_unaligned_le16(&info[2]); ++ + while (cfg->s[i].id != WID_NIL && cfg->s[i].id != wid) + i++; + +- if (cfg->s[i].id == wid) ++ if (cfg->s[i].id == wid) { ++ if (len > cfg->s[i].len || (len + 2 > size)) ++ return; ++ + memcpy(cfg->s[i].str, &info[2], +- get_unaligned_le16(&info[2]) + 2); ++ len); ++ } + +- len = 2 + get_unaligned_le16(&info[2]); + break; + + default: +@@ -384,12 +398,15 @@ int wilc_wlan_cfg_init(struct wilc *wl) + /* store the string cfg parameters */ + wl->cfg.s[i].id = WID_FIRMWARE_VERSION; + wl->cfg.s[i].str = str_vals->firmware_version; ++ wl->cfg.s[i].len = sizeof(str_vals->firmware_version); + i++; + wl->cfg.s[i].id = WID_MAC_ADDR; + wl->cfg.s[i].str = str_vals->mac_address; ++ wl->cfg.s[i].len = sizeof(str_vals->mac_address); + i++; + wl->cfg.s[i].id = WID_ASSOC_RES_INFO; + wl->cfg.s[i].str = str_vals->assoc_rsp; ++ wl->cfg.s[i].len = sizeof(str_vals->assoc_rsp); + i++; + wl->cfg.s[i].id = WID_NIL; + wl->cfg.s[i].str = NULL; +diff --git a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +index 7038b74f8e8ff..5ae74bced7d74 100644 +--- a/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h ++++ b/drivers/net/wireless/microchip/wilc1000/wlan_cfg.h +@@ -24,12 +24,13 @@ struct wilc_cfg_word { + + struct wilc_cfg_str { + u16 id; ++ u16 len; + u8 *str; + }; + + struct wilc_cfg_str_vals { +- u8 mac_address[7]; +- u8 firmware_version[129]; ++ u8 mac_address[8]; ++ u8 firmware_version[130]; + u8 assoc_rsp[WILC_MAX_ASSOC_RESP_FRAME_SIZE]; + }; + +-- +2.51.0 +