From: Sasha Levin Date: Fri, 20 Dec 2024 14:38:59 +0000 (-0500) Subject: Fixes for 6.1 X-Git-Tag: v6.1.122~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=adc88733a46ce7ccb755971b79cdd1e99e3f136c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.1 Signed-off-by: Sasha Levin --- diff --git a/queue-6.1/cxl-region-fix-region-creation-for-greater-than-x2-s.patch b/queue-6.1/cxl-region-fix-region-creation-for-greater-than-x2-s.patch new file mode 100644 index 00000000000..6f925d9f315 --- /dev/null +++ b/queue-6.1/cxl-region-fix-region-creation-for-greater-than-x2-s.patch @@ -0,0 +1,153 @@ +From 6862f8f3591f506e4a84efe5e3a9c6164578e2da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Dec 2024 15:33:02 -0800 +Subject: cxl/region: Fix region creation for greater than x2 switches + +From: Huaisheng Ye + +[ Upstream commit 76467a94810c2aa4dd3096903291ac6df30c399e ] + +The cxl_port_setup_targets() algorithm fails to identify valid target list +ordering in the presence of 4-way and above switches resulting in +'cxl create-region' failures of the form: + + $ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 + cxl region: create_region: region0: failed to set target7 to mem0 + cxl region: cmd_create_region: created 0 regions + + [kernel debug message] + check_last_peer:1213: cxl region0: pci0000:0c:port1: cannot host mem6:decoder7.0 at 2 + bus_remove_device:574: bus: 'cxl': remove device region0 + +QEMU can create this failing topology: + + ACPI0017:00 [root0] + | + HB_0 [port1] + / \ + RP_0 RP_1 + | | + USP [port2] USP [port3] + / / \ \ / / \ \ + DSP DSP DSP DSP DSP DSP DSP DSP + | | | | | | | | + mem4 mem6 mem2 mem7 mem1 mem3 mem5 mem0 + Pos: 0 2 4 6 1 3 5 7 + + HB: Host Bridge + RP: Root Port + USP: Upstream Port + DSP: Downstream Port + +...with the following command steps: + +$ qemu-system-x86_64 -machine q35,cxl=on,accel=tcg \ + -smp cpus=8 \ + -m 8G \ + -hda /home/work/vm-images/centos-stream8-02.qcow2 \ + -object memory-backend-ram,size=4G,id=m0 \ + -object memory-backend-ram,size=4G,id=m1 \ + -object memory-backend-ram,size=2G,id=cxl-mem0 \ + -object memory-backend-ram,size=2G,id=cxl-mem1 \ + -object memory-backend-ram,size=2G,id=cxl-mem2 \ + -object memory-backend-ram,size=2G,id=cxl-mem3 \ + -object memory-backend-ram,size=2G,id=cxl-mem4 \ + -object memory-backend-ram,size=2G,id=cxl-mem5 \ + -object memory-backend-ram,size=2G,id=cxl-mem6 \ + -object memory-backend-ram,size=2G,id=cxl-mem7 \ + -numa node,memdev=m0,cpus=0-3,nodeid=0 \ + -numa node,memdev=m1,cpus=4-7,nodeid=1 \ + -netdev user,id=net0,hostfwd=tcp::2222-:22 \ + -device virtio-net-pci,netdev=net0 \ + -device pxb-cxl,bus_nr=12,bus=pcie.0,id=cxl.1 \ + -device cxl-rp,port=0,bus=cxl.1,id=root_port0,chassis=0,slot=0 \ + -device cxl-rp,port=1,bus=cxl.1,id=root_port1,chassis=0,slot=1 \ + -device cxl-upstream,bus=root_port0,id=us0 \ + -device cxl-downstream,port=0,bus=us0,id=swport0,chassis=0,slot=4 \ + -device cxl-type3,bus=swport0,volatile-memdev=cxl-mem0,id=cxl-vmem0 \ + -device cxl-downstream,port=1,bus=us0,id=swport1,chassis=0,slot=5 \ + -device cxl-type3,bus=swport1,volatile-memdev=cxl-mem1,id=cxl-vmem1 \ + -device cxl-downstream,port=2,bus=us0,id=swport2,chassis=0,slot=6 \ + -device cxl-type3,bus=swport2,volatile-memdev=cxl-mem2,id=cxl-vmem2 \ + -device cxl-downstream,port=3,bus=us0,id=swport3,chassis=0,slot=7 \ + -device cxl-type3,bus=swport3,volatile-memdev=cxl-mem3,id=cxl-vmem3 \ + -device cxl-upstream,bus=root_port1,id=us1 \ + -device cxl-downstream,port=4,bus=us1,id=swport4,chassis=0,slot=8 \ + -device cxl-type3,bus=swport4,volatile-memdev=cxl-mem4,id=cxl-vmem4 \ + -device cxl-downstream,port=5,bus=us1,id=swport5,chassis=0,slot=9 \ + -device cxl-type3,bus=swport5,volatile-memdev=cxl-mem5,id=cxl-vmem5 \ + -device cxl-downstream,port=6,bus=us1,id=swport6,chassis=0,slot=10 \ + -device cxl-type3,bus=swport6,volatile-memdev=cxl-mem6,id=cxl-vmem6 \ + -device cxl-downstream,port=7,bus=us1,id=swport7,chassis=0,slot=11 \ + -device cxl-type3,bus=swport7,volatile-memdev=cxl-mem7,id=cxl-vmem7 \ + -M cxl-fmw.0.targets.0=cxl.1,cxl-fmw.0.size=32G & + +In Guest OS: +$ cxl create-region -d decoder0.0 -g 1024 -s 2G -t ram -w 8 -m mem4 mem1 mem6 mem3 mem2 mem5 mem7 mem0 + +Fix the method to calculate @distance by iterativeley multiplying the +number of targets per switch port. This also follows the algorithm +recommended here [1]. + +Fixes: 27b3f8d13830 ("cxl/region: Program target lists") +Link: http://lore.kernel.org/6538824b52349_7258329466@dwillia2-xfh.jf.intel.com.notmuch [1] +Signed-off-by: Huaisheng Ye +Tested-by: Li Zhijian +[djbw: add a comment explaining 'distance'] +Signed-off-by: Dan Williams +Link: https://patch.msgid.link/173378716722.1270362.9546805175813426729.stgit@dwillia2-xfh.jf.intel.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/region.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c +index 5b7d848a6f01..0e03c4908050 100644 +--- a/drivers/cxl/core/region.c ++++ b/drivers/cxl/core/region.c +@@ -974,6 +974,7 @@ static int cxl_port_setup_targets(struct cxl_port *port, + struct cxl_region_params *p = &cxlr->params; + struct cxl_decoder *cxld = cxl_rr->decoder; + struct cxl_switch_decoder *cxlsd; ++ struct cxl_port *iter = port; + u16 eig, peig; + u8 eiw, peiw; + +@@ -990,16 +991,26 @@ static int cxl_port_setup_targets(struct cxl_port *port, + + cxlsd = to_cxl_switch_decoder(&cxld->dev); + if (cxl_rr->nr_targets_set) { +- int i, distance; ++ int i, distance = 1; ++ struct cxl_region_ref *cxl_rr_iter; + + /* +- * Passthrough decoders impose no distance requirements between +- * peers ++ * The "distance" between peer downstream ports represents which ++ * endpoint positions in the region interleave a given port can ++ * host. ++ * ++ * For example, at the root of a hierarchy the distance is ++ * always 1 as every index targets a different host-bridge. At ++ * each subsequent switch level those ports map every Nth region ++ * position where N is the width of the switch == distance. + */ +- if (cxl_rr->nr_targets == 1) +- distance = 0; +- else +- distance = p->nr_targets / cxl_rr->nr_targets; ++ do { ++ cxl_rr_iter = cxl_rr_load(iter, cxlr); ++ distance *= cxl_rr_iter->nr_targets; ++ iter = to_cxl_port(iter->dev.parent); ++ } while (!is_cxl_root(iter)); ++ distance *= cxlrd->cxlsd.cxld.interleave_ways; ++ + for (i = 0; i < cxl_rr->nr_targets_set; i++) + if (ep->dport == cxlsd->target[i]) { + rc = check_last_peer(cxled, ep, cxl_rr, +-- +2.39.5 + diff --git a/queue-6.1/ionic-fix-netdev-notifier-unregister-on-failure.patch b/queue-6.1/ionic-fix-netdev-notifier-unregister-on-failure.patch new file mode 100644 index 00000000000..1fdb4b7c7ab --- /dev/null +++ b/queue-6.1/ionic-fix-netdev-notifier-unregister-on-failure.patch @@ -0,0 +1,43 @@ +From 528c8183a5bde5c8615b60307207fc858a167b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 13:31:55 -0800 +Subject: ionic: Fix netdev notifier unregister on failure + +From: Brett Creeley + +[ Upstream commit 9590d32e090ea2751e131ae5273859ca22f5ac14 ] + +If register_netdev() fails, then the driver leaks the netdev notifier. +Fix this by calling ionic_lif_unregister() on register_netdev() +failure. This will also call ionic_lif_unregister_phc() if it has +already been registered. + +Fixes: 30b87ab4c0b3 ("ionic: remove lif list concept") +Signed-off-by: Brett Creeley +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241212213157.12212-2-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 14865fc245da..b746944bcd2a 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -3484,8 +3484,8 @@ int ionic_lif_register(struct ionic_lif *lif) + /* only register LIF0 for now */ + err = register_netdev(lif->netdev); + if (err) { +- dev_err(lif->ionic->dev, "Cannot register net device, aborting\n"); +- ionic_lif_unregister_phc(lif); ++ dev_err(lif->ionic->dev, "Cannot register net device: %d, aborting\n", err); ++ ionic_lif_unregister(lif); + return err; + } + +-- +2.39.5 + diff --git a/queue-6.1/ionic-use-ee-offset-when-returning-sprom-data.patch b/queue-6.1/ionic-use-ee-offset-when-returning-sprom-data.patch new file mode 100644 index 00000000000..02ad561b98f --- /dev/null +++ b/queue-6.1/ionic-use-ee-offset-when-returning-sprom-data.patch @@ -0,0 +1,42 @@ +From e37a88561309d7d35a024ae330f604acabe6bd4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 13:31:57 -0800 +Subject: ionic: use ee->offset when returning sprom data + +From: Shannon Nelson + +[ Upstream commit b096d62ba1323391b2db98b7704e2468cf3b1588 ] + +Some calls into ionic_get_module_eeprom() don't use a single +full buffer size, but instead multiple calls with an offset. +Teach our driver to use the offset correctly so we can +respond appropriately to the caller. + +Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support") +Signed-off-by: Shannon Nelson +Reviewed-by: Jacob Keller +Link: https://patch.msgid.link/20241212213157.12212-4-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +index d7370fb60a16..928ef2933990 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c +@@ -828,8 +828,8 @@ static int ionic_get_module_eeprom(struct net_device *netdev, + len = min_t(u32, sizeof(xcvr->sprom), ee->len); + + do { +- memcpy(data, xcvr->sprom, len); +- memcpy(tbuf, xcvr->sprom, len); ++ memcpy(data, &xcvr->sprom[ee->offset], len); ++ memcpy(tbuf, &xcvr->sprom[ee->offset], len); + + /* Let's make sure we got a consistent copy */ + if (!memcmp(data, tbuf, len)) +-- +2.39.5 + diff --git a/queue-6.1/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch b/queue-6.1/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch new file mode 100644 index 00000000000..7a9c34436f9 --- /dev/null +++ b/queue-6.1/net-ethernet-bgmac-platform-fix-an-of-node-reference.patch @@ -0,0 +1,51 @@ +From 285d6f388863660ab0e2d2b3576a4621510cd312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Dec 2024 10:49:12 +0900 +Subject: net: ethernet: bgmac-platform: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit 0cb2c504d79e7caa3abade3f466750c82ad26f01 ] + +The OF node obtained by of_parse_phandle() is not freed. Call +of_node_put() to balance the refcount. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: 1676aba5ef7e ("net: ethernet: bgmac: device tree phy enablement") +Signed-off-by: Joe Hattori +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241214014912.2810315-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac-platform.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac-platform.c b/drivers/net/ethernet/broadcom/bgmac-platform.c +index b4381cd41979..3f4e8bac40c1 100644 +--- a/drivers/net/ethernet/broadcom/bgmac-platform.c ++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c +@@ -171,6 +171,7 @@ static int platform_phy_connect(struct bgmac *bgmac) + static int bgmac_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; ++ struct device_node *phy_node; + struct bgmac *bgmac; + struct resource *regs; + int ret; +@@ -236,7 +237,9 @@ static int bgmac_probe(struct platform_device *pdev) + bgmac->cco_ctl_maskset = platform_bgmac_cco_ctl_maskset; + bgmac->get_bus_clock = platform_bgmac_get_bus_clock; + bgmac->cmn_maskset32 = platform_bgmac_cmn_maskset32; +- if (of_parse_phandle(np, "phy-handle", 0)) { ++ phy_node = of_parse_phandle(np, "phy-handle", 0); ++ if (phy_node) { ++ of_node_put(phy_node); + bgmac->phy_connect = platform_phy_connect; + } else { + bgmac->phy_connect = bgmac_phy_connect_direct; +-- +2.39.5 + diff --git a/queue-6.1/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch b/queue-6.1/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch new file mode 100644 index 00000000000..3507a8d91b2 --- /dev/null +++ b/queue-6.1/net-hinic-fix-cleanup-in-create_rxqs-txqs.patch @@ -0,0 +1,54 @@ +From 4e66dd58e806ed11d6b5bc8823b9ff2c8df54977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 17:28:11 +0300 +Subject: net: hinic: Fix cleanup in create_rxqs/txqs() + +From: Dan Carpenter + +[ Upstream commit 7203d10e93b6e6e1d19481ef7907de6a9133a467 ] + +There is a check for NULL at the start of create_txqs() and +create_rxqs() which tess if "nic_dev->txqs" is non-NULL. The +intention is that if the device is already open and the queues +are already created then we don't create them a second time. + +However, the bug is that if we have an error in the create_txqs() +then the pointer doesn't get set back to NULL. The NULL check +at the start of the function will say that it's already open when +it's not and the device can't be used. + +Set ->txqs back to NULL on cleanup on error. + +Fixes: c3e79baf1b03 ("net-next/hinic: Add logical Txq and Rxq") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/0cc98faf-a0ed-4565-a55b-0fa2734bc205@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/huawei/hinic/hinic_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/huawei/hinic/hinic_main.c b/drivers/net/ethernet/huawei/hinic/hinic_main.c +index 2d6906aba2a2..af6100e5d9b9 100644 +--- a/drivers/net/ethernet/huawei/hinic/hinic_main.c ++++ b/drivers/net/ethernet/huawei/hinic/hinic_main.c +@@ -172,6 +172,7 @@ static int create_txqs(struct hinic_dev *nic_dev) + hinic_sq_dbgfs_uninit(nic_dev); + + devm_kfree(&netdev->dev, nic_dev->txqs); ++ nic_dev->txqs = NULL; + return err; + } + +@@ -268,6 +269,7 @@ static int create_rxqs(struct hinic_dev *nic_dev) + hinic_rq_dbgfs_uninit(nic_dev); + + devm_kfree(&netdev->dev, nic_dev->rxqs); ++ nic_dev->rxqs = NULL; + return err; + } + +-- +2.39.5 + diff --git a/queue-6.1/net-mdiobus-fix-an-of-node-reference-leak.patch b/queue-6.1/net-mdiobus-fix-an-of-node-reference-leak.patch new file mode 100644 index 00000000000..3d7c4f4469f --- /dev/null +++ b/queue-6.1/net-mdiobus-fix-an-of-node-reference-leak.patch @@ -0,0 +1,61 @@ +From f367fc5f73cc4db12534fe51f7243751850be4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 12:51:06 +0900 +Subject: net: mdiobus: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit 572af9f284669d31d9175122bbef9bc62cea8ded ] + +fwnode_find_mii_timestamper() calls of_parse_phandle_with_fixed_args() +but does not decrement the refcount of the obtained OF node. Add an +of_node_put() call before returning from the function. + +This bug was detected by an experimental static analysis tool that I am +developing. + +Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()") +Signed-off-by: Joe Hattori +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20241218035106.1436405-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/fwnode_mdio.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c +index b782c35c4ac1..8ada397bc357 100644 +--- a/drivers/net/mdio/fwnode_mdio.c ++++ b/drivers/net/mdio/fwnode_mdio.c +@@ -38,6 +38,7 @@ fwnode_find_pse_control(struct fwnode_handle *fwnode) + static struct mii_timestamper * + fwnode_find_mii_timestamper(struct fwnode_handle *fwnode) + { ++ struct mii_timestamper *mii_ts; + struct of_phandle_args arg; + int err; + +@@ -51,10 +52,16 @@ fwnode_find_mii_timestamper(struct fwnode_handle *fwnode) + else if (err) + return ERR_PTR(err); + +- if (arg.args_count != 1) +- return ERR_PTR(-EINVAL); ++ if (arg.args_count != 1) { ++ mii_ts = ERR_PTR(-EINVAL); ++ goto put_node; ++ } ++ ++ mii_ts = register_mii_timestamper(arg.np, arg.args[0]); + +- return register_mii_timestamper(arg.np, arg.args[0]); ++put_node: ++ of_node_put(arg.np); ++ return mii_ts; + } + + int fwnode_mdiobus_phy_device_register(struct mii_bus *mdio, +-- +2.39.5 + diff --git a/queue-6.1/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch b/queue-6.1/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch new file mode 100644 index 00000000000..173dcec0bce --- /dev/null +++ b/queue-6.1/net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch @@ -0,0 +1,73 @@ +From 97b908529311ae75a75c9da3692187b5650bbcd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 18:55:45 +0200 +Subject: net: mscc: ocelot: fix incorrect IFH SRC_PORT field in + ocelot_ifh_set_basic() + +From: Vladimir Oltean + +[ Upstream commit 2d5df3a680ffdaf606baa10636bdb1daf757832e ] + +Packets injected by the CPU should have a SRC_PORT field equal to the +CPU port module index in the Analyzer block (ocelot->num_phys_ports). + +The blamed commit copied the ocelot_ifh_set_basic() call incorrectly +from ocelot_xmit_common() in net/dsa/tag_ocelot.c. Instead of calling +with "x", it calls with BIT_ULL(x), but the field is not a port mask, +but rather a single port index. + +[ side note: this is the technical debt of code duplication :( ] + +The error used to be silent and doesn't appear to have other +user-visible manifestations, but with new changes in the packing +library, it now fails loudly as follows: + +------------[ cut here ]------------ +Cannot store 0x40 inside bits 46-43 - will truncate +sja1105 spi2.0: xmit timed out +WARNING: CPU: 1 PID: 102 at lib/packing.c:98 __pack+0x90/0x198 +sja1105 spi2.0: timed out polling for tstamp +CPU: 1 UID: 0 PID: 102 Comm: felix_xmit +Tainted: G W N 6.13.0-rc1-00372-gf706b85d972d-dirty #2605 +Call trace: + __pack+0x90/0x198 (P) + __pack+0x90/0x198 (L) + packing+0x78/0x98 + ocelot_ifh_set_basic+0x260/0x368 + ocelot_port_inject_frame+0xa8/0x250 + felix_port_deferred_xmit+0x14c/0x258 + kthread_worker_fn+0x134/0x350 + kthread+0x114/0x138 + +The code path pertains to the ocelot switchdev driver and to the felix +secondary DSA tag protocol, ocelot-8021q. Here seen with ocelot-8021q. + +The messenger (packing) is not really to blame, so fix the original +commit instead. + +Fixes: e1b9e80236c5 ("net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q"") +Signed-off-by: Vladimir Oltean +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241212165546.879567-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 310a36356f56..71dbdac38020 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1161,7 +1161,7 @@ void ocelot_ifh_set_basic(void *ifh, struct ocelot *ocelot, int port, + + memset(ifh, 0, OCELOT_TAG_LEN); + ocelot_ifh_set_bypass(ifh, 1); +- ocelot_ifh_set_src(ifh, BIT_ULL(ocelot->num_phys_ports)); ++ ocelot_ifh_set_src(ifh, ocelot->num_phys_ports); + ocelot_ifh_set_dest(ifh, BIT_ULL(port)); + ocelot_ifh_set_qos_class(ifh, qos_class); + ocelot_ifh_set_tag_type(ifh, tag_type); +-- +2.39.5 + diff --git a/queue-6.1/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch b/queue-6.1/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch new file mode 100644 index 00000000000..efaf39eb977 --- /dev/null +++ b/queue-6.1/net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch @@ -0,0 +1,90 @@ +From b36da7c27d9bc1c218c21f82e49175f8cde143e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:18 +0800 +Subject: net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving + proposal msg + +From: Guangguan Wang + +[ Upstream commit a29e220d3c8edbf0e1beb0f028878a4a85966556 ] + +When receiving proposal msg in server, the field iparea_offset +and the field ipv6_prefixes_cnt in proposal msg are from the +remote client and can not be fully trusted. Especially the +field iparea_offset, once exceed the max value, there has the +chance to access wrong address, and crash may happen. + +This patch checks iparea_offset and ipv6_prefixes_cnt before using them. + +Fixes: e7b7a64a8493 ("smc: support variable CLC proposal messages") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 6 +++++- + net/smc/smc_clc.c | 4 ++++ + net/smc/smc_clc.h | 6 +++++- + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index aeeb6e62361f..889709c35b1f 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1988,6 +1988,8 @@ static int smc_listen_prfx_check(struct smc_sock *new_smc, + if (pclc->hdr.typev1 == SMC_TYPE_N) + return 0; + pclc_prfx = smc_clc_proposal_get_prefix(pclc); ++ if (!pclc_prfx) ++ return -EPROTO; + if (smc_clc_prfx_match(newclcsock, pclc_prfx)) + return SMC_CLC_DECL_DIFFPREFIX; + +@@ -2153,7 +2155,9 @@ static void smc_find_ism_v1_device_serv(struct smc_sock *new_smc, + int rc = 0; + + /* check if ISM V1 is available */ +- if (!(ini->smcd_version & SMC_V1) || !smcd_indicated(ini->smc_type_v1)) ++ if (!(ini->smcd_version & SMC_V1) || ++ !smcd_indicated(ini->smc_type_v1) || ++ !pclc_smcd) + goto not_found; + ini->is_smcd = true; /* prepare ISM check */ + ini->ism_peer_gid[0] = ntohll(pclc_smcd->ism.gid); +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index 867df4522815..f734fdd90c81 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -354,6 +354,10 @@ static bool smc_clc_msg_prop_valid(struct smc_clc_msg_proposal *pclc) + + v2_ext = smc_get_clc_v2_ext(pclc); + pclc_prfx = smc_clc_proposal_get_prefix(pclc); ++ if (!pclc_prfx || ++ pclc_prfx->ipv6_prefixes_cnt > SMC_CLC_MAX_V6_PREFIX) ++ return false; ++ + if (hdr->version == SMC_V1) { + if (hdr->typev1 == SMC_TYPE_N) + return false; +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index 5fee545c9a10..08279081d438 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -303,8 +303,12 @@ struct smc_clc_msg_decline_v2 { /* clc decline message */ + static inline struct smc_clc_msg_proposal_prefix * + smc_clc_proposal_get_prefix(struct smc_clc_msg_proposal *pclc) + { ++ u16 offset = ntohs(pclc->iparea_offset); ++ ++ if (offset > sizeof(struct smc_clc_msg_smcd)) ++ return NULL; + return (struct smc_clc_msg_proposal_prefix *) +- ((u8 *)pclc + sizeof(*pclc) + ntohs(pclc->iparea_offset)); ++ ((u8 *)pclc + sizeof(*pclc) + offset); + } + + static inline bool smcr_indicated(int smc_type) +-- +2.39.5 + diff --git a/queue-6.1/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch b/queue-6.1/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch new file mode 100644 index 00000000000..0977b8896cd --- /dev/null +++ b/queue-6.1/net-smc-check-return-value-of-sock_recvmsg-when-drai.patch @@ -0,0 +1,47 @@ +From 731a3b785cac3e8f374802a18f3edc54733e8455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:21 +0800 +Subject: net/smc: check return value of sock_recvmsg when draining clc data + +From: Guangguan Wang + +[ Upstream commit c5b8ee5022a19464783058dc6042e8eefa34e8cd ] + +When receiving clc msg, the field length in smc_clc_msg_hdr indicates the +length of msg should be received from network and the value should not be +fully trusted as it is from the network. Once the value of length exceeds +the value of buflen in function smc_clc_wait_msg it may run into deadloop +when trying to drain the remaining data exceeding buflen. + +This patch checks the return value of sock_recvmsg when draining data in +case of deadloop in draining. + +Fixes: fb4f79264c0f ("net/smc: tolerate future SMCD versions") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_clc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c +index f734fdd90c81..a48fdc83fe6b 100644 +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -753,6 +753,11 @@ int smc_clc_wait_msg(struct smc_sock *smc, void *buf, int buflen, + SMC_CLC_RECV_BUF_LEN : datlen; + iov_iter_kvec(&msg.msg_iter, ITER_DEST, &vec, 1, recvlen); + len = sock_recvmsg(smc->clcsock, &msg, krflags); ++ if (len < recvlen) { ++ smc->sk.sk_err = EPROTO; ++ reason_code = -EPROTO; ++ goto out; ++ } + datlen -= len; + } + if (clcm->type == SMC_CLC_DECLINE) { +-- +2.39.5 + diff --git a/queue-6.1/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch b/queue-6.1/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch new file mode 100644 index 00000000000..2253bae3206 --- /dev/null +++ b/queue-6.1/net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch @@ -0,0 +1,64 @@ +From 396f06a935d29e0e9c606ac6fb065b6070e47604 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:20 +0800 +Subject: net/smc: check smcd_v2_ext_offset when receiving proposal msg + +From: Guangguan Wang + +[ Upstream commit 9ab332deb671d8f7e66d82a2ff2b3f715bc3a4ad ] + +When receiving proposal msg in server, the field smcd_v2_ext_offset in +proposal msg is from the remote client and can not be fully trusted. +Once the value of smcd_v2_ext_offset exceed the max value, there has +the chance to access wrong address, and crash may happen. + +This patch checks the value of smcd_v2_ext_offset before using it. + +Fixes: 5c21c4ccafe8 ("net/smc: determine accepted ISM devices") +Signed-off-by: Guangguan Wang +Reviewed-by: Wen Gu +Reviewed-by: D. Wythe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 2 ++ + net/smc/smc_clc.h | 8 +++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 889709c35b1f..e2bdd6aa3d89 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2096,6 +2096,8 @@ static void smc_find_ism_v2_device_serv(struct smc_sock *new_smc, + pclc_smcd = smc_get_clc_msg_smcd(pclc); + smc_v2_ext = smc_get_clc_v2_ext(pclc); + smcd_v2_ext = smc_get_clc_smcd_v2_ext(smc_v2_ext); ++ if (!pclc_smcd || !smc_v2_ext || !smcd_v2_ext) ++ goto not_found; + + mutex_lock(&smcd_dev_list.mutex); + if (pclc_smcd->ism.chid) +diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h +index 08279081d438..0f6102cd5de1 100644 +--- a/net/smc/smc_clc.h ++++ b/net/smc/smc_clc.h +@@ -361,9 +361,15 @@ smc_get_clc_v2_ext(struct smc_clc_msg_proposal *prop) + static inline struct smc_clc_smcd_v2_extension * + smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext) + { ++ u16 max_offset = offsetof(struct smc_clc_msg_proposal_area, pclc_smcd_v2_ext) - ++ offsetof(struct smc_clc_msg_proposal_area, pclc_v2_ext) - ++ offsetof(struct smc_clc_v2_extension, hdr) - ++ offsetofend(struct smc_clnt_opts_area_hdr, smcd_v2_ext_offset); ++ + if (!prop_v2ext) + return NULL; +- if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset)) ++ if (!ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) || ++ ntohs(prop_v2ext->hdr.smcd_v2_ext_offset) > max_offset) + return NULL; + + return (struct smc_clc_smcd_v2_extension *) +-- +2.39.5 + diff --git a/queue-6.1/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch b/queue-6.1/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch new file mode 100644 index 00000000000..a5fc6e357cf --- /dev/null +++ b/queue-6.1/net-smc-check-sndbuf_space-again-after-nospace-flag-.patch @@ -0,0 +1,63 @@ +From 83c42ae072db85eb313f24e8035afa407ba4f4d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:17 +0800 +Subject: net/smc: check sndbuf_space again after NOSPACE flag is set in + smc_poll + +From: Guangguan Wang + +[ Upstream commit 679e9ddcf90dbdf98aaaa71a492454654b627bcb ] + +When application sending data more than sndbuf_space, there have chances +application will sleep in epoll_wait, and will never be wakeup again. This +is caused by a race between smc_poll and smc_cdc_tx_handler. + +application tasklet +smc_tx_sendmsg(len > sndbuf_space) | +epoll_wait for EPOLL_OUT,timeout=0 | + smc_poll | + if (!smc->conn.sndbuf_space) | + | smc_cdc_tx_handler + | atomic_add sndbuf_space + | smc_tx_sndbuf_nonfull + | if (!test_bit SOCK_NOSPACE) + | do not sk_write_space; + set_bit SOCK_NOSPACE; | + return mask=0; | + +Application will sleep in epoll_wait as smc_poll returns 0. And +smc_cdc_tx_handler will not call sk_write_space because the SOCK_NOSPACE +has not be set. If there is no inflight cdc msg, sk_write_space will not be +called any more, and application will sleep in epoll_wait forever. +So check sndbuf_space again after NOSPACE flag is set to break the race. + +Fixes: 8dce2786a290 ("net/smc: smc_poll improvements") +Signed-off-by: Guangguan Wang +Suggested-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 868e722aef06..aeeb6e62361f 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2789,6 +2789,13 @@ static __poll_t smc_poll(struct file *file, struct socket *sock, + } else { + sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk); + set_bit(SOCK_NOSPACE, &sk->sk_socket->flags); ++ ++ if (sk->sk_state != SMC_INIT) { ++ /* Race breaker the same way as tcp_poll(). */ ++ smp_mb__after_atomic(); ++ if (atomic_read(&smc->conn.sndbuf_space)) ++ mask |= EPOLLOUT | EPOLLWRNORM; ++ } + } + if (atomic_read(&smc->conn.bytes_to_rcv)) + mask |= EPOLLIN | EPOLLRDNORM; +-- +2.39.5 + diff --git a/queue-6.1/net-smc-protect-link-down-work-from-execute-after-lg.patch b/queue-6.1/net-smc-protect-link-down-work-from-execute-after-lg.patch new file mode 100644 index 00000000000..597cb7769d0 --- /dev/null +++ b/queue-6.1/net-smc-protect-link-down-work-from-execute-after-lg.patch @@ -0,0 +1,89 @@ +From ab589db0cbf22524c1d031ddf6a3da97766de049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:21:16 +0800 +Subject: net/smc: protect link down work from execute after lgr freed + +From: Guangguan Wang + +[ Upstream commit 2b33eb8f1b3e8c2f87cfdbc8cc117f6bdfabc6ec ] + +link down work may be scheduled before lgr freed but execute +after lgr freed, which may result in crash. So it is need to +hold a reference before shedule link down work, and put the +reference after work executed or canceled. + +The relevant crash call stack as follows: + list_del corruption. prev->next should be ffffb638c9c0fe20, + but was 0000000000000000 + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:51! + invalid opcode: 0000 [#1] SMP NOPTI + CPU: 6 PID: 978112 Comm: kworker/6:119 Kdump: loaded Tainted: G #1 + Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 2221b89 04/01/2014 + Workqueue: events smc_link_down_work [smc] + RIP: 0010:__list_del_entry_valid.cold+0x31/0x47 + RSP: 0018:ffffb638c9c0fdd8 EFLAGS: 00010086 + RAX: 0000000000000054 RBX: ffff942fb75e5128 RCX: 0000000000000000 + RDX: ffff943520930aa0 RSI: ffff94352091fc80 RDI: ffff94352091fc80 + RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb638c9c0fc38 + R10: ffffb638c9c0fc30 R11: ffffffffa015eb28 R12: 0000000000000002 + R13: ffffb638c9c0fe20 R14: 0000000000000001 R15: ffff942f9cd051c0 + FS: 0000000000000000(0000) GS:ffff943520900000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f4f25214000 CR3: 000000025fbae004 CR4: 00000000007706e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + rwsem_down_write_slowpath+0x17e/0x470 + smc_link_down_work+0x3c/0x60 [smc] + process_one_work+0x1ac/0x350 + worker_thread+0x49/0x2f0 + ? rescuer_thread+0x360/0x360 + kthread+0x118/0x140 + ? __kthread_bind_mask+0x60/0x60 + ret_from_fork+0x1f/0x30 + +Fixes: 541afa10c126 ("net/smc: add smcr_port_err() and smcr_link_down() processing") +Signed-off-by: Guangguan Wang +Reviewed-by: Tony Lu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/smc_core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c +index 10d79cb55528..890785d4f6b6 100644 +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -1726,7 +1726,9 @@ void smcr_link_down_cond_sched(struct smc_link *lnk) + { + if (smc_link_downing(&lnk->state)) { + trace_smcr_link_down(lnk, __builtin_return_address(0)); +- schedule_work(&lnk->link_down_wrk); ++ smcr_link_hold(lnk); /* smcr_link_put in link_down_wrk */ ++ if (!schedule_work(&lnk->link_down_wrk)) ++ smcr_link_put(lnk); + } + } + +@@ -1758,11 +1760,14 @@ static void smc_link_down_work(struct work_struct *work) + struct smc_link_group *lgr = link->lgr; + + if (list_empty(&lgr->list)) +- return; ++ goto out; + wake_up_all(&lgr->llc_msg_waiter); + mutex_lock(&lgr->llc_conf_mutex); + smcr_link_down(link); + mutex_unlock(&lgr->llc_conf_mutex); ++ ++out: ++ smcr_link_put(link); /* smcr_link_hold by schedulers of link_down_work */ + } + + static int smc_vlan_by_tcpsk_walk(struct net_device *lower_dev, +-- +2.39.5 + diff --git a/queue-6.1/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch b/queue-6.1/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch new file mode 100644 index 00000000000..1a0041e0671 --- /dev/null +++ b/queue-6.1/netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch @@ -0,0 +1,40 @@ +From aba7793869dab625c385d0d3a5cba7f09263356a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 17:25:18 +0000 +Subject: netdevsim: prevent bad user input in nsim_dev_health_break_write() + +From: Eric Dumazet + +[ Upstream commit ee76746387f6233bdfa93d7406990f923641568f ] + +If either a zero count or a large one is provided, kernel can crash. + +Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters") +Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Jiri Pirko +Reviewed-by: Joe Damato +Link: https://patch.msgid.link/20241213172518.2415666-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/health.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c +index aa77af4a68df..bc44462c70e2 100644 +--- a/drivers/net/netdevsim/health.c ++++ b/drivers/net/netdevsim/health.c +@@ -203,6 +203,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file, + char *break_msg; + int err; + ++ if (count == 0 || count > PAGE_SIZE) ++ return -EINVAL; + break_msg = memdup_user_nul(data, count); + if (IS_ERR(break_msg)) + return PTR_ERR(break_msg); +-- +2.39.5 + diff --git a/queue-6.1/netfilter-ipset-fix-for-recursive-locking-warning.patch b/queue-6.1/netfilter-ipset-fix-for-recursive-locking-warning.patch new file mode 100644 index 00000000000..960273a3236 --- /dev/null +++ b/queue-6.1/netfilter-ipset-fix-for-recursive-locking-warning.patch @@ -0,0 +1,62 @@ +From d09fb0ec1b354ff82b7644602b8bc5fda6356af3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Dec 2024 20:56:55 +0100 +Subject: netfilter: ipset: Fix for recursive locking warning + +From: Phil Sutter + +[ Upstream commit 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33 ] + +With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding +it to a set of type list:set and populating it from iptables SET target +triggers a kernel warning: + +| WARNING: possible recursive locking detected +| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted +| -------------------------------------------- +| ping/4018 is trying to acquire lock: +| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] +| +| but task is already holding lock: +| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set] + +This is a false alarm: ipset does not allow nested list:set type, so the +loop in list_set_kadd() can never encounter the outer set itself. No +other set type supports embedded sets, so this is the only case to +consider. + +To avoid the false report, create a distinct lock class for list:set +type ipset locks. + +Fixes: f830837f0eed ("netfilter: ipset: list:set set type support") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_list_set.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c +index 902ff2f3bc72..5cc35b553a04 100644 +--- a/net/netfilter/ipset/ip_set_list_set.c ++++ b/net/netfilter/ipset/ip_set_list_set.c +@@ -611,6 +611,8 @@ init_list_set(struct net *net, struct ip_set *set, u32 size) + return true; + } + ++static struct lock_class_key list_set_lockdep_key; ++ + static int + list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + u32 flags) +@@ -627,6 +629,7 @@ list_set_create(struct net *net, struct ip_set *set, struct nlattr *tb[], + if (size < IP_SET_LIST_MIN_SIZE) + size = IP_SET_LIST_MIN_SIZE; + ++ lockdep_set_class(&set->lock, &list_set_lockdep_key); + set->variant = &set_variant; + set->dsize = ip_set_elem_len(set, tb, sizeof(struct set_elem), + __alignof__(struct set_elem)); +-- +2.39.5 + diff --git a/queue-6.1/series b/queue-6.1/series index 3305d4cb0bb..76b3ce0f037 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -15,3 +15,17 @@ p2sb-introduce-the-global-flag-p2sb_hidden_by_bios.patch p2sb-move-p2sb-hide-and-unhide-code-to-p2sb_scan_and.patch p2sb-do-not-scan-and-remove-the-p2sb-device-when-it-.patch i2c-pnx-fix-timeout-in-wait-functions.patch +cxl-region-fix-region-creation-for-greater-than-x2-s.patch +net-smc-protect-link-down-work-from-execute-after-lg.patch +net-smc-check-sndbuf_space-again-after-nospace-flag-.patch +net-smc-check-iparea_offset-and-ipv6_prefixes_cnt-wh.patch +net-smc-check-smcd_v2_ext_offset-when-receiving-prop.patch +net-smc-check-return-value-of-sock_recvmsg-when-drai.patch +net-mscc-ocelot-fix-incorrect-ifh-src_port-field-in-.patch +netdevsim-prevent-bad-user-input-in-nsim_dev_health_.patch +ionic-fix-netdev-notifier-unregister-on-failure.patch +ionic-use-ee-offset-when-returning-sprom-data.patch +net-hinic-fix-cleanup-in-create_rxqs-txqs.patch +net-ethernet-bgmac-platform-fix-an-of-node-reference.patch +netfilter-ipset-fix-for-recursive-locking-warning.patch +net-mdiobus-fix-an-of-node-reference-leak.patch