From 043ee679b3bb6d91c51b9d8fb96444f9e7d98f5b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 24 Feb 2026 16:57:14 -0800 Subject: [PATCH] 6.18-stable patches added patches: drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch --- ...d-for-vmbus-interrupts-on-preempt_rt.patch | 175 ++++++++++++++++++ ...d-pending-work-only-if-it-is-enabled.patch | 43 +++++ ...-directly-dereferencing-user-pointer.patch | 58 ++++++ ...-ctx-lookup-in-vidi_connection_ioctl.patch | 90 +++++++++ ...ean-up-buffer-cloning-arg-validation.patch | 82 ++++++++ ...egs-when-transport_header-is-not-set.patch | 94 ++++++++++ queue-6.18/series | 6 + 7 files changed, 548 insertions(+) create mode 100644 queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch create mode 100644 queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch create mode 100644 queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch create mode 100644 queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch create mode 100644 queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch create mode 100644 queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch diff --git a/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch b/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch new file mode 100644 index 0000000000..600233d42c --- /dev/null +++ b/queue-6.18/drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch @@ -0,0 +1,175 @@ +From f8e6343b7a89c7c649db5a9e309ba7aa20401813 Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Mon, 16 Feb 2026 17:24:56 +0100 +Subject: Drivers: hv: vmbus: Use kthread for vmbus interrupts on PREEMPT_RT + +From: Jan Kiszka + +commit f8e6343b7a89c7c649db5a9e309ba7aa20401813 upstream. + +Resolves the following lockdep report when booting PREEMPT_RT on Hyper-V +with related guest support enabled: + +[ 1.127941] hv_vmbus: registering driver hyperv_drm + +[ 1.132518] ============================= +[ 1.132519] [ BUG: Invalid wait context ] +[ 1.132521] 6.19.0-rc8+ #9 Not tainted +[ 1.132524] ----------------------------- +[ 1.132525] swapper/0/0 is trying to lock: +[ 1.132526] ffff8b9381bb3c90 (&channel->sched_lock){....}-{3:3}, at: vmbus_chan_sched+0xc4/0x2b0 +[ 1.132543] other info that might help us debug this: +[ 1.132544] context-{2:2} +[ 1.132545] 1 lock held by swapper/0/0: +[ 1.132547] #0: ffffffffa010c4c0 (rcu_read_lock){....}-{1:3}, at: vmbus_chan_sched+0x31/0x2b0 +[ 1.132557] stack backtrace: +[ 1.132560] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-rc8+ #9 PREEMPT_{RT,(lazy)} +[ 1.132565] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/25/2025 +[ 1.132567] Call Trace: +[ 1.132570] +[ 1.132573] dump_stack_lvl+0x6e/0xa0 +[ 1.132581] __lock_acquire+0xee0/0x21b0 +[ 1.132592] lock_acquire+0xd5/0x2d0 +[ 1.132598] ? vmbus_chan_sched+0xc4/0x2b0 +[ 1.132606] ? lock_acquire+0xd5/0x2d0 +[ 1.132613] ? vmbus_chan_sched+0x31/0x2b0 +[ 1.132619] rt_spin_lock+0x3f/0x1f0 +[ 1.132623] ? vmbus_chan_sched+0xc4/0x2b0 +[ 1.132629] ? vmbus_chan_sched+0x31/0x2b0 +[ 1.132634] vmbus_chan_sched+0xc4/0x2b0 +[ 1.132641] vmbus_isr+0x2c/0x150 +[ 1.132648] __sysvec_hyperv_callback+0x5f/0xa0 +[ 1.132654] sysvec_hyperv_callback+0x88/0xb0 +[ 1.132658] +[ 1.132659] +[ 1.132660] asm_sysvec_hyperv_callback+0x1a/0x20 + +As code paths that handle vmbus IRQs use sleepy locks under PREEMPT_RT, +the vmbus_isr execution needs to be moved into thread context. Open- +coding this allows to skip the IPI that irq_work would additionally +bring and which we do not need, being an IRQ, never an NMI. + +This affects both x86 and arm64, therefore hook into the common driver +logic. + +Signed-off-by: Jan Kiszka +Reviewed-by: Florian Bezdeka +Tested-by: Florian Bezdeka +Reviewed-by: Michael Kelley +Tested-by: Michael Kelley +Signed-off-by: Wei Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/vmbus_drv.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 65 insertions(+), 1 deletion(-) + +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1306,7 +1307,7 @@ sched_unlock_rcu: + } + } + +-static void vmbus_isr(void) ++static void __vmbus_isr(void) + { + struct hv_per_cpu_context *hv_cpu + = this_cpu_ptr(hv_context.cpu_context); +@@ -1330,6 +1331,53 @@ static void vmbus_isr(void) + add_interrupt_randomness(vmbus_interrupt); + } + ++static DEFINE_PER_CPU(bool, vmbus_irq_pending); ++static DEFINE_PER_CPU(struct task_struct *, vmbus_irqd); ++ ++static void vmbus_irqd_wake(void) ++{ ++ struct task_struct *tsk = __this_cpu_read(vmbus_irqd); ++ ++ __this_cpu_write(vmbus_irq_pending, true); ++ wake_up_process(tsk); ++} ++ ++static void vmbus_irqd_setup(unsigned int cpu) ++{ ++ sched_set_fifo(current); ++} ++ ++static int vmbus_irqd_should_run(unsigned int cpu) ++{ ++ return __this_cpu_read(vmbus_irq_pending); ++} ++ ++static void run_vmbus_irqd(unsigned int cpu) ++{ ++ __this_cpu_write(vmbus_irq_pending, false); ++ __vmbus_isr(); ++} ++ ++static bool vmbus_irq_initialized; ++ ++static struct smp_hotplug_thread vmbus_irq_threads = { ++ .store = &vmbus_irqd, ++ .setup = vmbus_irqd_setup, ++ .thread_should_run = vmbus_irqd_should_run, ++ .thread_fn = run_vmbus_irqd, ++ .thread_comm = "vmbus_irq/%u", ++}; ++ ++static void vmbus_isr(void) ++{ ++ if (IS_ENABLED(CONFIG_PREEMPT_RT)) { ++ vmbus_irqd_wake(); ++ } else { ++ lockdep_hardirq_threaded(); ++ __vmbus_isr(); ++ } ++} ++ + static irqreturn_t vmbus_percpu_isr(int irq, void *dev_id) + { + vmbus_isr(); +@@ -1375,6 +1423,13 @@ static int vmbus_bus_init(void) + * the VMbus interrupt handler. + */ + ++ if (IS_ENABLED(CONFIG_PREEMPT_RT) && !vmbus_irq_initialized) { ++ ret = smpboot_register_percpu_thread(&vmbus_irq_threads); ++ if (ret) ++ goto err_kthread; ++ vmbus_irq_initialized = true; ++ } ++ + if (vmbus_irq == -1) { + hv_setup_vmbus_handler(vmbus_isr); + } else { +@@ -1449,6 +1504,11 @@ err_alloc: + free_percpu(vmbus_evt); + } + err_setup: ++ if (IS_ENABLED(CONFIG_PREEMPT_RT) && vmbus_irq_initialized) { ++ smpboot_unregister_percpu_thread(&vmbus_irq_threads); ++ vmbus_irq_initialized = false; ++ } ++err_kthread: + bus_unregister(&hv_bus); + return ret; + } +@@ -2914,6 +2974,10 @@ static void __exit vmbus_exit(void) + free_percpu_irq(vmbus_irq, vmbus_evt); + free_percpu(vmbus_evt); + } ++ if (IS_ENABLED(CONFIG_PREEMPT_RT) && vmbus_irq_initialized) { ++ smpboot_unregister_percpu_thread(&vmbus_irq_threads); ++ vmbus_irq_initialized = false; ++ } + for_each_online_cpu(cpu) { + struct hv_per_cpu_context *hv_cpu + = per_cpu_ptr(hv_context.cpu_context, cpu); diff --git a/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch b/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch new file mode 100644 index 0000000000..4c329f25dc --- /dev/null +++ b/queue-6.18/drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch @@ -0,0 +1,43 @@ +From 17b2c526fd8026d8e0f4c0e7f94fc517e3901589 Mon Sep 17 00:00:00 2001 +From: Ivan Lipski +Date: Fri, 16 Jan 2026 10:03:54 -0500 +Subject: drm/amd/display: Clear HDMI HPD pending work only if it is enabled + +From: Ivan Lipski + +commit 17b2c526fd8026d8e0f4c0e7f94fc517e3901589 upstream. + +[Why&How] +On amdgpu_dm_connector_destroy(), the driver attempts to cancel pending +HDMI HPD work without checking if the HDMI HPD is enabled. + +Added a check that it is enabled before clearing it. + +Fixes: 6a681cd90345 ("drm/amd/display: Add an hdmi_hpd_debounce_delay_ms module") +Signed-off-by: Ivan Lipski +Reviewed-by: Mario Limonciello (AMD) +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -7548,10 +7548,12 @@ static void amdgpu_dm_connector_destroy( + drm_dp_mst_topology_mgr_destroy(&aconnector->mst_mgr); + + /* Cancel and flush any pending HDMI HPD debounce work */ +- cancel_delayed_work_sync(&aconnector->hdmi_hpd_debounce_work); +- if (aconnector->hdmi_prev_sink) { +- dc_sink_release(aconnector->hdmi_prev_sink); +- aconnector->hdmi_prev_sink = NULL; ++ if (aconnector->hdmi_hpd_debounce_delay_ms) { ++ cancel_delayed_work_sync(&aconnector->hdmi_hpd_debounce_work); ++ if (aconnector->hdmi_prev_sink) { ++ dc_sink_release(aconnector->hdmi_prev_sink); ++ aconnector->hdmi_prev_sink = NULL; ++ } + } + + if (aconnector->bl_idx != -1) { diff --git a/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch b/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch new file mode 100644 index 0000000000..9382ed7b05 --- /dev/null +++ b/queue-6.18/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch @@ -0,0 +1,58 @@ +From d4c98c077c7fb2dfdece7d605e694b5ea2665085 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:52 +0900 +Subject: drm/exynos: vidi: fix to avoid directly dereferencing user pointer + +From: Jeongjun Park + +commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream. + +In vidi_connection_ioctl(), vidi->edid(user pointer) is directly +dereferenced in the kernel. + +This allows arbitrary kernel memory access from the user space, so instead +of directly accessing the user pointer in the kernel, we should modify it +to copy edid to kernel memory using copy_from_user() and use it. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -262,13 +262,27 @@ int vidi_connection_ioctl(struct drm_dev + + if (vidi->connection) { + const struct drm_edid *drm_edid; +- const struct edid *raw_edid; ++ const void __user *edid_userptr = u64_to_user_ptr(vidi->edid); ++ void *edid_buf; ++ struct edid hdr; + size_t size; + +- raw_edid = (const struct edid *)(unsigned long)vidi->edid; +- size = (raw_edid->extensions + 1) * EDID_LENGTH; ++ if (copy_from_user(&hdr, edid_userptr, sizeof(hdr))) ++ return -EFAULT; + +- drm_edid = drm_edid_alloc(raw_edid, size); ++ size = (hdr.extensions + 1) * EDID_LENGTH; ++ ++ edid_buf = kmalloc(size, GFP_KERNEL); ++ if (!edid_buf) ++ return -ENOMEM; ++ ++ if (copy_from_user(edid_buf, edid_userptr, size)) { ++ kfree(edid_buf); ++ return -EFAULT; ++ } ++ ++ drm_edid = drm_edid_alloc(edid_buf, size); ++ kfree(edid_buf); + if (!drm_edid) + return -ENOMEM; + diff --git a/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch b/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch new file mode 100644 index 0000000000..eb107d7e6c --- /dev/null +++ b/queue-6.18/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch @@ -0,0 +1,90 @@ +From d3968a0d85b211e197f2f4f06268a7031079e0d0 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:51 +0900 +Subject: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() + +From: Jeongjun Park + +commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream. + +vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to +obtain a struct vidi_context pointer. However, drm_dev->dev is the +exynos-drm master device, and the driver_data contained therein is not +the vidi component device, but a completely different device. + +This can lead to various bugs, ranging from null pointer dereferences and +garbage value accesses to, in unlucky cases, out-of-bounds errors, +use-after-free errors, and more. + +To resolve this issue, we need to store/delete the vidi device pointer in +exynos_drm_private->vidi_dev during bind/unbind, and then read this +exynos_drm_private->vidi_dev within ioctl() to obtain the correct +struct vidi_context pointer. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 + + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h +@@ -199,6 +199,7 @@ struct drm_exynos_file_private { + struct exynos_drm_private { + struct device *g2d_dev; + struct device *dma_dev; ++ struct device *vidi_dev; + void *mapping; + + /* for atomic commit */ +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -231,9 +231,14 @@ ATTRIBUTE_GROUPS(vidi); + int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, + struct drm_file *file_priv) + { +- struct vidi_context *ctx = dev_get_drvdata(drm_dev->dev); ++ struct exynos_drm_private *priv = drm_dev->dev_private; ++ struct device *dev = priv ? priv->vidi_dev : NULL; ++ struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL; + struct drm_exynos_vidi_connection *vidi = data; + ++ if (!ctx) ++ return -ENODEV; ++ + if (!vidi) { + DRM_DEV_DEBUG_KMS(ctx->dev, + "user data for vidi is null.\n"); +@@ -393,6 +398,7 @@ static int vidi_bind(struct device *dev, + { + struct vidi_context *ctx = dev_get_drvdata(dev); + struct drm_device *drm_dev = data; ++ struct exynos_drm_private *priv = drm_dev->dev_private; + struct drm_encoder *encoder = &ctx->encoder; + struct exynos_drm_plane *exynos_plane; + struct exynos_drm_plane_config plane_config = { 0 }; +@@ -400,6 +406,8 @@ static int vidi_bind(struct device *dev, + int ret; + + ctx->drm_dev = drm_dev; ++ if (priv) ++ priv->vidi_dev = dev; + + plane_config.pixel_formats = formats; + plane_config.num_pixel_formats = ARRAY_SIZE(formats); +@@ -445,8 +453,12 @@ static int vidi_bind(struct device *dev, + static void vidi_unbind(struct device *dev, struct device *master, void *data) + { + struct vidi_context *ctx = dev_get_drvdata(dev); ++ struct drm_device *drm_dev = data; ++ struct exynos_drm_private *priv = drm_dev->dev_private; + + timer_delete_sync(&ctx->timer); ++ if (priv) ++ priv->vidi_dev = NULL; + } + + static const struct component_ops vidi_component_ops = { diff --git a/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch b/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch new file mode 100644 index 0000000000..baff19d7ab --- /dev/null +++ b/queue-6.18/io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch @@ -0,0 +1,82 @@ +From b8201b50e403815f941d1c6581a27fdbfe7d0fd4 Mon Sep 17 00:00:00 2001 +From: Joanne Koong +Date: Thu, 4 Dec 2025 13:51:14 -0800 +Subject: io_uring/rsrc: clean up buffer cloning arg validation + +From: Joanne Koong + +commit b8201b50e403815f941d1c6581a27fdbfe7d0fd4 upstream. + +Get rid of some redundant checks and move the src arg validation to +before the buffer table allocation, which simplifies error handling. + +Signed-off-by: Joanne Koong +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 27 ++++++--------------------- + 1 file changed, 6 insertions(+), 21 deletions(-) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -1185,12 +1185,16 @@ static int io_clone_buffers(struct io_ri + return -EBUSY; + + nbufs = src_ctx->buf_table.nr; ++ if (!nbufs) ++ return -ENXIO; + if (!arg->nr) + arg->nr = nbufs; + else if (arg->nr > nbufs) + return -EINVAL; + else if (arg->nr > IORING_MAX_REG_BUFFERS) + return -EINVAL; ++ if (check_add_overflow(arg->nr, arg->src_off, &off) || off > nbufs) ++ return -EOVERFLOW; + if (check_add_overflow(arg->nr, arg->dst_off, &nbufs)) + return -EOVERFLOW; + if (nbufs > IORING_MAX_REG_BUFFERS) +@@ -1210,21 +1214,6 @@ static int io_clone_buffers(struct io_ri + } + } + +- ret = -ENXIO; +- nbufs = src_ctx->buf_table.nr; +- if (!nbufs) +- goto out_free; +- ret = -EINVAL; +- if (!arg->nr) +- arg->nr = nbufs; +- else if (arg->nr > nbufs) +- goto out_free; +- ret = -EOVERFLOW; +- if (check_add_overflow(arg->nr, arg->src_off, &off)) +- goto out_free; +- if (off > nbufs) +- goto out_free; +- + off = arg->dst_off; + i = arg->src_off; + nr = arg->nr; +@@ -1237,8 +1226,8 @@ static int io_clone_buffers(struct io_ri + } else { + dst_node = io_rsrc_node_alloc(ctx, IORING_RSRC_BUFFER); + if (!dst_node) { +- ret = -ENOMEM; +- goto out_free; ++ io_rsrc_data_free(ctx, &data); ++ return -ENOMEM; + } + + refcount_inc(&src_node->buf->refs); +@@ -1274,10 +1263,6 @@ static int io_clone_buffers(struct io_ri + WARN_ON_ONCE(ctx->buf_table.nr); + ctx->buf_table = data; + return 0; +- +-out_free: +- io_rsrc_data_free(ctx, &data); +- return ret; + } + + /* diff --git a/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch b/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch new file mode 100644 index 0000000000..7e08737d78 --- /dev/null +++ b/queue-6.18/selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch @@ -0,0 +1,94 @@ +From 6cc73f35406cae1f053e984e8de40e6dc9681446 Mon Sep 17 00:00:00 2001 +From: Martin KaFai Lau +Date: Wed, 12 Nov 2025 15:23:31 -0800 +Subject: selftests/bpf: Test bpf_skb_check_mtu(BPF_MTU_CHK_SEGS) when transport_header is not set + +From: Martin KaFai Lau + +commit 6cc73f35406cae1f053e984e8de40e6dc9681446 upstream. + +Add a test to check that bpf_skb_check_mtu(BPF_MTU_CHK_SEGS) is +rejected (-EINVAL) if skb->transport_header is not set. The test +needs to lower the MTU of the loopback device. Thus, take this +opportunity to run the test in a netns by adding "ns_" to the test +name. The "serial_" prefix can then be removed. + +Signed-off-by: Martin KaFai Lau +Link: https://lore.kernel.org/r/20251112232331.1566074-2-martin.lau@linux.dev +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- +Signed-off-by: Shung-Hsi Yu +--- + tools/testing/selftests/bpf/prog_tests/check_mtu.c | 23 ++++++++++++++++++++- + tools/testing/selftests/bpf/progs/test_check_mtu.c | 12 ++++++++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/bpf/prog_tests/check_mtu.c ++++ b/tools/testing/selftests/bpf/prog_tests/check_mtu.c +@@ -153,6 +153,26 @@ static void test_check_mtu_run_tc(struct + ASSERT_EQ(mtu_result, mtu_expect, "MTU-compare-user"); + } + ++static void test_chk_segs_flag(struct test_check_mtu *skel, __u32 mtu) ++{ ++ int err, prog_fd = bpf_program__fd(skel->progs.tc_chk_segs_flag); ++ struct __sk_buff skb = { ++ .gso_size = 10, ++ }; ++ LIBBPF_OPTS(bpf_test_run_opts, topts, ++ .data_in = &pkt_v4, ++ .data_size_in = sizeof(pkt_v4), ++ .ctx_in = &skb, ++ .ctx_size_in = sizeof(skb), ++ ); ++ ++ /* Lower the mtu to test the BPF_MTU_CHK_SEGS */ ++ SYS_NOFAIL("ip link set dev lo mtu 10"); ++ err = bpf_prog_test_run_opts(prog_fd, &topts); ++ SYS_NOFAIL("ip link set dev lo mtu %u", mtu); ++ ASSERT_OK(err, "test_run"); ++ ASSERT_EQ(topts.retval, BPF_OK, "retval"); ++} + + static void test_check_mtu_tc(__u32 mtu, __u32 ifindex) + { +@@ -177,11 +197,12 @@ static void test_check_mtu_tc(__u32 mtu, + test_check_mtu_run_tc(skel, skel->progs.tc_minus_delta, mtu); + test_check_mtu_run_tc(skel, skel->progs.tc_input_len, mtu); + test_check_mtu_run_tc(skel, skel->progs.tc_input_len_exceed, mtu); ++ test_chk_segs_flag(skel, mtu); + cleanup: + test_check_mtu__destroy(skel); + } + +-void serial_test_check_mtu(void) ++void test_ns_check_mtu(void) + { + int mtu_lo; + +--- a/tools/testing/selftests/bpf/progs/test_check_mtu.c ++++ b/tools/testing/selftests/bpf/progs/test_check_mtu.c +@@ -7,6 +7,7 @@ + + #include + #include ++#include + + char _license[] SEC("license") = "GPL"; + +@@ -288,3 +289,14 @@ int tc_input_len_exceed(struct __sk_buff + global_bpf_mtu_xdp = mtu_len; + return retval; + } ++ ++SEC("tc") ++int tc_chk_segs_flag(struct __sk_buff *ctx) ++{ ++ __u32 mtu_len = 0; ++ int err; ++ ++ err = bpf_check_mtu(ctx, GLOBAL_USER_IFINDEX, &mtu_len, 0, BPF_MTU_CHK_SEGS); ++ ++ return err == -EINVAL ? BPF_OK : BPF_DROP; ++} diff --git a/queue-6.18/series b/queue-6.18/series index 08fd618c91..2e3d693fb2 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -633,3 +633,9 @@ asoc-dt-bindings-asahi-kasei-ak5558-fix-the-supply-names.patch alsa-hda-realtek-add-quirk-for-gigabyte-g5-kf5-2023.patch alsa-hda-conexant-fix-headphone-jack-handling-on-acer-swift-sf314.patch alsa-hda-realtek-add-quirk-for-samsung-galaxy-book3-pro-360-np965qfg.patch +drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch +drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch +drivers-hv-vmbus-use-kthread-for-vmbus-interrupts-on-preempt_rt.patch +io_uring-rsrc-clean-up-buffer-cloning-arg-validation.patch +selftests-bpf-test-bpf_skb_check_mtu-bpf_mtu_chk_segs-when-transport_header-is-not-set.patch +drm-amd-display-clear-hdmi-hpd-pending-work-only-if-it-is-enabled.patch -- 2.47.3