From 1af850794180fe98b67f9debb42ba8cb248f3d7c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 25 Nov 2025 08:52:21 -0500 Subject: [PATCH] Fixes for all trees Signed-off-by: Sasha Levin --- ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ queue-5.10/s390-ctcm-fix-double-kfree.patch | 45 +++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ queue-5.10/series | 8 + ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...move-array_size-to-a-separate-header.patch | 89 +++++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...k-fix-missing-error-handling-in-led-.patch | 57 ++++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...fix-potential-out-of-bounds-read-in-.patch | 62 ++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ ...el-speed_select_if-convert-pcibios_-.patch | 53 +++ queue-5.15/s390-ctcm-fix-double-kfree.patch | 45 +++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ ...sts-net-use-bash-for-bareudp-testing.patch | 46 +++ queue-5.15/series | 13 + ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ queue-5.4/s390-ctcm-fix-double-kfree.patch | 45 +++ queue-5.4/series | 6 + ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...on-t-register-devices-disabled-in-of.patch | 51 +++ ...o-in-enable_gcm_256-module-parameter.patch | 34 ++ queue-6.1/drm-tegra-add-call-to-put_pid.patch | 46 +++ ...t-context-device-based-on-attached-i.patch | 85 +++++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...move-array_size-to-a-separate-header.patch | 89 +++++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...k-fix-missing-error-handling-in-led-.patch | 57 ++++ ...rds-fix-missing-error-check-in-mlxsw.patch | 42 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...fix-potential-out-of-bounds-read-in-.patch | 62 ++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ ...ix-lockdep-warn-due-to-partition-sca.patch | 47 +++ ...el-speed_select_if-convert-pcibios_-.patch | 53 +++ queue-6.1/s390-ctcm-fix-double-kfree.patch | 45 +++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ ...sts-net-use-bash-for-bareudp-testing.patch | 46 +++ queue-6.1/series | 20 ++ ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...nner-gso-type-from-packet-inner-prot.patch | 96 ++++++ ...tate-msg-in-unix_stream_read_generic.patch | 98 ++++++ ...peek_offset-again-after-sleeping-in-.patch | 109 ++++++ ...on-t-register-devices-disabled-in-of.patch | 51 +++ ...e-blk_sts_inval-for-alignment-errors.patch | 42 +++ ...leak-in-smb3_fs_context_parse_param-.patch | 64 ++++ ...o-in-enable_gcm_256-module-parameter.patch | 34 ++ ...et-parent-pointer-in-devl_rate_nodes.patch | 127 +++++++ .../drm-tegra-add-call-to-put_pid.patch | 46 +++ ...anup-on-driver-removal-in-error-path.patch | 122 +++++++ ...e-vport_config-null-pointer-deref-in.patch | 60 ++++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...use-uapi-types-in-ptrace-uapi-header.patch | 107 ++++++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...k-fix-missing-error-handling-in-led-.patch | 57 ++++ ...p-only-new-irq-glue-on-request_irq-f.patch | 161 +++++++++ ...rds-fix-missing-error-check-in-mlxsw.patch | 42 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...fix-potential-out-of-bounds-read-in-.patch | 62 ++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ ...change-async-resync-helpers-argument.patch | 117 +++++++ ...ix-lockdep-warn-due-to-partition-sca.patch | 47 +++ ...fix-fwnode-leak-in-cs42l43_pin_probe.patch | 68 ++++ ...ek-select-regmap_mmio-for-rtd-driver.patch | 42 +++ ...x-uninitialized-memory-in-s32_pinctr.patch | 81 +++++ ...itialize-gpio_pin_config-list-after-.patch | 38 +++ ...el-speed_select_if-convert-pcibios_-.patch | 53 +++ ...si-wmi-platform-fix-typo-in-wmi-guid.patch | 63 ++++ ...-wmi-platform-only-load-on-msi-devic.patch | 108 ++++++ queue-6.12/s390-ctcm-fix-double-kfree.patch | 45 +++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ ...-lib-do-not-overwrite-error-messages.patch | 97 ++++++ ...sts-net-use-bash-for-bareudp-testing.patch | 46 +++ queue-6.12/series | 40 +++ ...d-misalignment-of-csr-related-defini.patch | 62 ++++ ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...d-limit-entrysign-signature-checking.patch | 63 ++++ ...nner-gso-type-from-packet-inner-prot.patch | 96 ++++++ ...erence-in-xfrm_state_update-if-dir-d.patch | 47 +++ ...ally-generated-packets-from-direct-o.patch | 44 +++ ...-extack-on-failure-to-create-pcpu-sa.patch | 41 +++ ...peek_offset-again-after-sleeping-in-.patch | 109 ++++++ ...-add-quirk-for-lenovo-yoga-7-2-in-1-.patch | 38 +++ ...-fix-mute-led-for-hp-victus-15-fa1xx.patch | 36 ++ ...-rt721-fix-prepare-clock-stop-failed.patch | 50 +++ ...on-t-register-devices-disabled-in-of.patch | 51 +++ ...e-blk_sts_inval-for-alignment-errors.patch | 42 +++ ...leak-in-smb3_fs_context_parse_param-.patch | 64 ++++ ...o-in-enable_gcm_256-module-parameter.patch | 34 ++ ...k-a523-bus-r-cpucfg-clock-as-critica.patch | 41 +++ ...55i-a523-ccu-lower-audio0-pll-minimu.patch | 42 +++ ...55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch | 44 +++ ...et-parent-pointer-in-devl_rate_nodes.patch | 127 +++++++ ...-add-definition-for-wcl-as-subplatfo.patch | 73 +++++ ...trict-ptl-intel_encoder_is_c10phy-to.patch | 65 ++++ ...d-load-dmc-for-xe3_lpd-version-30.02.patch | 56 ++++ ...-msm-fix-pgtable-prealloc-error-path.patch | 101 ++++++ ...ptl-pciids-group-to-make-wcl-subplat.patch | 74 +++++ .../drm-tegra-add-call-to-put_pid.patch | 46 +++ ...xe-irq-handle-msix-vector0-interrupt.patch | 68 ++++ ...fix-forcewake-assertion-in-mocs-test.patch | 44 +++ ...ure-the-cdev-fd-is-still-active-befo.patch | 72 ++++ ...anup-on-driver-removal-in-error-path.patch | 122 +++++++ ...e-vport_config-null-pointer-deref-in.patch | 60 ++++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...use-uapi-types-in-ptrace-uapi-header.patch | 107 ++++++ ...ps-dts-econet-fix-en751221-core-type.patch | 35 ++ ...ernel-fix-random-segmentation-faults.patch | 45 +++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...airoha-add-wlan-flowtable-tx-offload.patch | 213 ++++++++++++ ...t-loopback-traffic-to-gdm2-if-it-is-.patch | 41 +++ ...-null-deref-in-generic_hwtstamp_ioct.patch | 55 ++++ ...k-fix-missing-error-handling-in-led-.patch | 57 ++++ ...p-only-new-irq-glue-on-request_irq-f.patch | 161 +++++++++ ...rds-fix-missing-error-check-in-mlxsw.patch | 42 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...missing-supported-link-modes-for-the.patch | 60 ++++ ...fix-potential-out-of-bounds-read-in-.patch | 62 ++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ ...change-async-resync-helpers-argument.patch | 117 +++++++ ...ix-lockdep-warn-due-to-partition-sca.patch | 47 +++ ...e-sc_c-in-target-host-hash-calculati.patch | 81 +++++ .../perf-fix-0-count-issue-of-cpu-clock.patch | 55 ++++ ...ncore-add-uncore-pmu-support-for-wil.patch | 37 +++ ...fix-fwnode-leak-in-cs42l43_pin_probe.patch | 68 ++++ ...-mt8189-align-register-base-names-to.patch | 46 +++ ...-mt8196-align-register-base-names-to.patch | 47 +++ ...ek-select-regmap_mmio-for-rtd-driver.patch | 42 +++ ...x-uninitialized-memory-in-s32_pinctr.patch | 81 +++++ ...itialize-gpio_pin_config-list-after-.patch | 38 +++ ...el-speed_select_if-convert-pcibios_-.patch | 53 +++ ...el-uncore-freq-fix-all-header-kernel.patch | 73 +++++ ...si-wmi-platform-fix-typo-in-wmi-guid.patch | 63 ++++ ...-wmi-platform-only-load-on-msi-devic.patch | 108 ++++++ queue-6.17/s390-ctcm-fix-double-kfree.patch | 45 +++ ...te-scx_kick_cpus_pnt_seqs-lazily-usi.patch | 202 ++++++++++++ ...queue_balance_callback-until-after-o.patch | 128 ++++++++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ ...tat-fix-warning-on-declaration-under.patch | 55 ++++ ...-lib-do-not-overwrite-error-messages.patch | 97 ++++++ ...sts-net-use-bash-for-bareudp-testing.patch | 46 +++ queue-6.17/series | 76 +++++ ...dle-lack-of-ipc-in-dfs_cache_refresh.patch | 246 ++++++++++++++ ...ogus-condition-in-report_idle_softir.patch | 99 ++++++ ...resource-leak-in-tk_aux_sysfs_init-e.patch | 79 +++++ ...d-misalignment-of-csr-related-defini.patch | 62 ++++ ...-handing-of-race-to-avoid-txq-gettin.patch | 151 +++++++++ ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ .../x86-cpu-amd-extend-zen6-model-range.patch | 35 ++ ...d-limit-entrysign-signature-checking.patch | 62 ++++ ...frm_state_delete_tunnel-at-destroy-t.patch | 76 +++++ ...ev_state_delete-when-xfrm_state_migr.patch | 49 +++ ...-packet-family-directly-from-skb_dst.patch | 71 ++++ ...nner-gso-type-from-packet-inner-prot.patch | 96 ++++++ ...erence-in-xfrm_state_update-if-dir-d.patch | 47 +++ ...ally-generated-packets-from-direct-o.patch | 44 +++ ...-extack-on-failure-to-create-pcpu-sa.patch | 41 +++ ...on-t-register-devices-disabled-in-of.patch | 51 +++ ...leak-in-smb3_fs_context_parse_param-.patch | 64 ++++ ...o-in-enable_gcm_256-module-parameter.patch | 34 ++ ...et-parent-pointer-in-devl_rate_nodes.patch | 127 +++++++ queue-6.6/drm-tegra-add-call-to-put_pid.patch | 46 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...itialize-the-default-locale-at-start.patch | 49 +++ ...move-array_size-to-a-separate-header.patch | 89 +++++ ...use-uapi-types-in-ptrace-uapi-header.patch | 107 ++++++ ...ix-memory-leak-in-mlxsw_sp_flower_st.patch | 47 +++ ...k-fix-missing-error-handling-in-led-.patch | 57 ++++ ...p-only-new-irq-glue-on-request_irq-f.patch | 161 +++++++++ ...rds-fix-missing-error-check-in-mlxsw.patch | 42 +++ ...remove-never-working-support-for-set.patch | 310 ++++++++++++++++++ ...fix-potential-out-of-bounds-read-in-.patch | 62 ++++ ...x-async-resync-request-on-rcd_delta-.patch | 77 +++++ ...ix-lockdep-warn-due-to-partition-sca.patch | 47 +++ ...fix-fwnode-leak-in-cs42l43_pin_probe.patch | 68 ++++ ...x-uninitialized-memory-in-s32_pinctr.patch | 81 +++++ ...itialize-gpio_pin_config-list-after-.patch | 38 +++ ...el-speed_select_if-convert-pcibios_-.patch | 53 +++ queue-6.6/s390-ctcm-fix-double-kfree.patch | 45 +++ ...regression-triggered-by-scsi_host_bu.patch | 77 +++++ ...sts-net-use-bash-for-bareudp-testing.patch | 46 +++ queue-6.6/series | 28 ++ ...nal-timeout-on-connect-if-already-es.patch | 101 ++++++ ...d-limit-entrysign-signature-checking.patch | 63 ++++ ...nner-gso-type-from-packet-inner-prot.patch | 96 ++++++ ...ally-generated-packets-from-direct-o.patch | 44 +++ 198 files changed, 14987 insertions(+) create mode 100644 queue-5.10/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.10/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.10/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-5.10/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-5.10/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-5.10/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-5.10/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-5.10/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-5.15/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.15/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.15/kernel.h-move-array_size-to-a-separate-header.patch create mode 100644 queue-5.15/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-5.15/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch create mode 100644 queue-5.15/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-5.15/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch create mode 100644 queue-5.15/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-5.15/platform-x86-intel-speed_select_if-convert-pcibios_-.patch create mode 100644 queue-5.15/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-5.15/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-5.15/selftests-net-use-bash-for-bareudp-testing.patch create mode 100644 queue-5.15/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-5.4/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.4/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-5.4/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-5.4/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-5.4/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-5.4/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-6.1/bcma-don-t-register-devices-disabled-in-of.patch create mode 100644 queue-6.1/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch create mode 100644 queue-6.1/drm-tegra-add-call-to-put_pid.patch create mode 100644 queue-6.1/gpu-host1x-select-context-device-based-on-attached-i.patch create mode 100644 queue-6.1/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.1/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.1/kernel.h-move-array_size-to-a-separate-header.patch create mode 100644 queue-6.1/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-6.1/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch create mode 100644 queue-6.1/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch create mode 100644 queue-6.1/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-6.1/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch create mode 100644 queue-6.1/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-6.1/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch create mode 100644 queue-6.1/platform-x86-intel-speed_select_if-convert-pcibios_-.patch create mode 100644 queue-6.1/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-6.1/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-6.1/selftests-net-use-bash-for-bareudp-testing.patch create mode 100644 queue-6.1/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-6.1/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch create mode 100644 queue-6.12/af_unix-cache-state-msg-in-unix_stream_read_generic.patch create mode 100644 queue-6.12/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch create mode 100644 queue-6.12/bcma-don-t-register-devices-disabled-in-of.patch create mode 100644 queue-6.12/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch create mode 100644 queue-6.12/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch create mode 100644 queue-6.12/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch create mode 100644 queue-6.12/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch create mode 100644 queue-6.12/drm-tegra-add-call-to-put_pid.patch create mode 100644 queue-6.12/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch create mode 100644 queue-6.12/idpf-fix-possible-vport_config-null-pointer-deref-in.patch create mode 100644 queue-6.12/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.12/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.12/loongarch-use-uapi-types-in-ptrace-uapi-header.patch create mode 100644 queue-6.12/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-6.12/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch create mode 100644 queue-6.12/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch create mode 100644 queue-6.12/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch create mode 100644 queue-6.12/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-6.12/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch create mode 100644 queue-6.12/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-6.12/net-tls-change-async-resync-helpers-argument.patch create mode 100644 queue-6.12/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch create mode 100644 queue-6.12/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch create mode 100644 queue-6.12/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch create mode 100644 queue-6.12/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch create mode 100644 queue-6.12/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch create mode 100644 queue-6.12/platform-x86-intel-speed_select_if-convert-pcibios_-.patch create mode 100644 queue-6.12/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch create mode 100644 queue-6.12/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch create mode 100644 queue-6.12/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-6.12/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-6.12/selftests-net-lib-do-not-overwrite-error-messages.patch create mode 100644 queue-6.12/selftests-net-use-bash-for-bareudp-testing.patch create mode 100644 queue-6.12/tools-riscv-fixed-misalignment-of-csr-related-defini.patch create mode 100644 queue-6.12/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-6.12/x86-microcode-amd-limit-entrysign-signature-checking.patch create mode 100644 queue-6.12/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch create mode 100644 queue-6.12/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch create mode 100644 queue-6.12/xfrm-prevent-locally-generated-packets-from-direct-o.patch create mode 100644 queue-6.12/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch create mode 100644 queue-6.17/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch create mode 100644 queue-6.17/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch create mode 100644 queue-6.17/alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch create mode 100644 queue-6.17/asoc-rt721-fix-prepare-clock-stop-failed.patch create mode 100644 queue-6.17/bcma-don-t-register-devices-disabled-in-of.patch create mode 100644 queue-6.17/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch create mode 100644 queue-6.17/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch create mode 100644 queue-6.17/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch create mode 100644 queue-6.17/clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch create mode 100644 queue-6.17/clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch create mode 100644 queue-6.17/clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch create mode 100644 queue-6.17/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch create mode 100644 queue-6.17/drm-i915-display-add-definition-for-wcl-as-subplatfo.patch create mode 100644 queue-6.17/drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch create mode 100644 queue-6.17/drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch create mode 100644 queue-6.17/drm-msm-fix-pgtable-prealloc-error-path.patch create mode 100644 queue-6.17/drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch create mode 100644 queue-6.17/drm-tegra-add-call-to-put_pid.patch create mode 100644 queue-6.17/drm-xe-irq-handle-msix-vector0-interrupt.patch create mode 100644 queue-6.17/drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch create mode 100644 queue-6.17/gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch create mode 100644 queue-6.17/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch create mode 100644 queue-6.17/idpf-fix-possible-vport_config-null-pointer-deref-in.patch create mode 100644 queue-6.17/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.17/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.17/loongarch-use-uapi-types-in-ptrace-uapi-header.patch create mode 100644 queue-6.17/mips-dts-econet-fix-en751221-core-type.patch create mode 100644 queue-6.17/mips-kernel-fix-random-segmentation-faults.patch create mode 100644 queue-6.17/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-6.17/net-airoha-add-wlan-flowtable-tx-offload.patch create mode 100644 queue-6.17/net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch create mode 100644 queue-6.17/net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch create mode 100644 queue-6.17/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch create mode 100644 queue-6.17/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch create mode 100644 queue-6.17/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch create mode 100644 queue-6.17/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-6.17/net-phylink-add-missing-supported-link-modes-for-the.patch create mode 100644 queue-6.17/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch create mode 100644 queue-6.17/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-6.17/net-tls-change-async-resync-helpers-argument.patch create mode 100644 queue-6.17/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch create mode 100644 queue-6.17/nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch create mode 100644 queue-6.17/perf-fix-0-count-issue-of-cpu-clock.patch create mode 100644 queue-6.17/perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch create mode 100644 queue-6.17/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch create mode 100644 queue-6.17/pinctrl-mediatek-mt8189-align-register-base-names-to.patch create mode 100644 queue-6.17/pinctrl-mediatek-mt8196-align-register-base-names-to.patch create mode 100644 queue-6.17/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch create mode 100644 queue-6.17/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch create mode 100644 queue-6.17/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch create mode 100644 queue-6.17/platform-x86-intel-speed_select_if-convert-pcibios_-.patch create mode 100644 queue-6.17/platform-x86-intel-uncore-freq-fix-all-header-kernel.patch create mode 100644 queue-6.17/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch create mode 100644 queue-6.17/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch create mode 100644 queue-6.17/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-6.17/sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch create mode 100644 queue-6.17/sched_ext-defer-queue_balance_callback-until-after-o.patch create mode 100644 queue-6.17/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-6.17/selftests-cachestat-fix-warning-on-declaration-under.patch create mode 100644 queue-6.17/selftests-net-lib-do-not-overwrite-error-messages.patch create mode 100644 queue-6.17/selftests-net-use-bash-for-bareudp-testing.patch create mode 100644 queue-6.17/smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch create mode 100644 queue-6.17/tick-sched-fix-bogus-condition-in-report_idle_softir.patch create mode 100644 queue-6.17/timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch create mode 100644 queue-6.17/tools-riscv-fixed-misalignment-of-csr-related-defini.patch create mode 100644 queue-6.17/veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch create mode 100644 queue-6.17/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-6.17/x86-cpu-amd-extend-zen6-model-range.patch create mode 100644 queue-6.17/x86-microcode-amd-limit-entrysign-signature-checking.patch create mode 100644 queue-6.17/xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch create mode 100644 queue-6.17/xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch create mode 100644 queue-6.17/xfrm-check-inner-packet-family-directly-from-skb_dst.patch create mode 100644 queue-6.17/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch create mode 100644 queue-6.17/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch create mode 100644 queue-6.17/xfrm-prevent-locally-generated-packets-from-direct-o.patch create mode 100644 queue-6.17/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch create mode 100644 queue-6.6/bcma-don-t-register-devices-disabled-in-of.patch create mode 100644 queue-6.6/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch create mode 100644 queue-6.6/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch create mode 100644 queue-6.6/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch create mode 100644 queue-6.6/drm-tegra-add-call-to-put_pid.patch create mode 100644 queue-6.6/kconfig-mconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.6/kconfig-nconf-initialize-the-default-locale-at-start.patch create mode 100644 queue-6.6/kernel.h-move-array_size-to-a-separate-header.patch create mode 100644 queue-6.6/loongarch-use-uapi-types-in-ptrace-uapi-header.patch create mode 100644 queue-6.6/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch create mode 100644 queue-6.6/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch create mode 100644 queue-6.6/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch create mode 100644 queue-6.6/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch create mode 100644 queue-6.6/net-openvswitch-remove-never-working-support-for-set.patch create mode 100644 queue-6.6/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch create mode 100644 queue-6.6/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch create mode 100644 queue-6.6/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch create mode 100644 queue-6.6/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch create mode 100644 queue-6.6/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch create mode 100644 queue-6.6/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch create mode 100644 queue-6.6/platform-x86-intel-speed_select_if-convert-pcibios_-.patch create mode 100644 queue-6.6/s390-ctcm-fix-double-kfree.patch create mode 100644 queue-6.6/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch create mode 100644 queue-6.6/selftests-net-use-bash-for-bareudp-testing.patch create mode 100644 queue-6.6/vsock-ignore-signal-timeout-on-connect-if-already-es.patch create mode 100644 queue-6.6/x86-microcode-amd-limit-entrysign-signature-checking.patch create mode 100644 queue-6.6/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch create mode 100644 queue-6.6/xfrm-prevent-locally-generated-packets-from-direct-o.patch diff --git a/queue-5.10/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-5.10/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..fef700a7ea --- /dev/null +++ b/queue-5.10/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From f6943f3e84ff8872e148bad991f3adcb77093f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 4063dbc1b9270..a6d24c63c98c2 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1008,6 +1009,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-5.10/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-5.10/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..c8423d1f65 --- /dev/null +++ b/queue-5.10/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 63c367f829cf803b9995b69d47b7402a99491a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index cdbd60a3ae16a..5b504be357135 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1478,6 +1479,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-5.10/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-5.10/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..1f2e76d661 --- /dev/null +++ b/queue-5.10/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From 7a67c21923531c80371509f445092276ce6309db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index 41855e58564b1..3d99b16ebd553 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -650,8 +650,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-5.10/net-openvswitch-remove-never-working-support-for-set.patch b/queue-5.10/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..e5bf4a5cf1 --- /dev/null +++ b/queue-5.10/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From ffbda86161d8e5f840a6285df54f9d43387ccff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index c3ca4ae11c09f..3b3cc6ea274f8 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -594,69 +594,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1123,10 +1060,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1163,6 +1096,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 3f8f43dbf44fc..a70a87a4392ab 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1280,6 +1280,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1289,8 +1294,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1334,46 +1337,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2797,17 +2760,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2955,13 +2914,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3368,7 +3320,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-5.10/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-5.10/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..0d177e3ab6 --- /dev/null +++ b/queue-5.10/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From 835b8f33cdf20e88ee559d0112b7ed27d941159d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index c76a827a678ae..b4040f76b007f 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -674,6 +674,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) + ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 5cb6846544cc7..8e89ff403073b 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -710,8 +710,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-5.10/s390-ctcm-fix-double-kfree.patch b/queue-5.10/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..7de33024f0 --- /dev/null +++ b/queue-5.10/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From abf00d47599a483e5a7611ae21fef9bb7a192bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 20a6097e1b204..4e6f340d09261 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -712,7 +712,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-5.10/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-5.10/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..fc35279bb1 --- /dev/null +++ b/queue-5.10/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From 4f279145d16b41c7600b78312043d720fa16661b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 17fa1cd91da61..97cbe22d7fee2 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -598,8 +598,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index bb2a3d7d90..bb84108286 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -224,3 +224,11 @@ scsi-sg-do-not-sleep-in-atomic-context.patch scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch mips-malta-fix-eva-soc-it-pci-mmio.patch drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +net-openvswitch-remove-never-working-support-for-set.patch +s390-ctcm-fix-double-kfree.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-5.10/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-5.10/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..0dc748ee5a --- /dev/null +++ b/queue-5.10/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From 0a910fb6bdd37db636ae947c42e0360d9e470c4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 36b65b45c5c7a..3a5cde1a026ed 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1464,18 +1464,40 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-5.15/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-5.15/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..2d8f2f6426 --- /dev/null +++ b/queue-5.15/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From ab715f095cf41687c429e193a2a6b21a3cd17ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 9d3cf510562f8..0649ff35ec5c0 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1005,6 +1006,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-5.15/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-5.15/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..a35a1b07ca --- /dev/null +++ b/queue-5.15/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From baffbcb31851a3d994afa64c0547a7f1bc1ab840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 8b166ccb0447f..d1d928b20ecfd 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1472,6 +1473,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-5.15/kernel.h-move-array_size-to-a-separate-header.patch b/queue-5.15/kernel.h-move-array_size-to-a-separate-header.patch new file mode 100644 index 0000000000..bf36b840d0 --- /dev/null +++ b/queue-5.15/kernel.h-move-array_size-to-a-separate-header.patch @@ -0,0 +1,89 @@ +From 37c00f7198183b32f92f5ae7669dab1a218d428f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 14:59:53 +0300 +Subject: kernel.h: Move ARRAY_SIZE() to a separate header + +From: Alejandro Colomar + +[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ] + +Touching files so used for the kernel, +forces 'make' to recompile most of the kernel. + +Having those definitions in more granular files +helps avoid recompiling so much of the kernel. + +Signed-off-by: Alejandro Colomar +Reviewed-by: Giovanni Cabiddu +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com +[andy: reduced to cover only string.h for now] +Signed-off-by: Andy Shevchenko +Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()") +Signed-off-by: Sasha Levin +--- + include/linux/array_size.h | 13 +++++++++++++ + include/linux/kernel.h | 7 +------ + include/linux/string.h | 1 + + 3 files changed, 15 insertions(+), 6 deletions(-) + create mode 100644 include/linux/array_size.h + +diff --git a/include/linux/array_size.h b/include/linux/array_size.h +new file mode 100644 +index 0000000000000..06d7d83196ca3 +--- /dev/null ++++ b/include/linux/array_size.h +@@ -0,0 +1,13 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_ARRAY_SIZE_H ++#define _LINUX_ARRAY_SIZE_H ++ ++#include ++ ++/** ++ * ARRAY_SIZE - get the number of elements in array @arr ++ * @arr: array to be sized ++ */ ++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) ++ ++#endif /* _LINUX_ARRAY_SIZE_H */ +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index f56cd8879a594..5717a0965bd6c 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -4,6 +4,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -37,12 +38,6 @@ + #define READ 0 + #define WRITE 1 + +-/** +- * ARRAY_SIZE - get the number of elements in array @arr +- * @arr: array to be sized +- */ +-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) +- + #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL) + + #define u64_to_user_ptr(x) ( \ +diff --git a/include/linux/string.h b/include/linux/string.h +index 3b9f5abe5ee83..bf368130bc42b 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -2,6 +2,7 @@ + #ifndef _LINUX_STRING_H_ + #define _LINUX_STRING_H_ + ++#include + #include /* for inline */ + #include /* for size_t */ + #include /* for NULL */ +-- +2.51.0 + diff --git a/queue-5.15/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-5.15/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..bb55f16ca7 --- /dev/null +++ b/queue-5.15/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From 0338856fcf4a047143a059277845db2cb9031de3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index be3791ca6069d..c327b11265773 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -673,8 +673,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch b/queue-5.15/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch new file mode 100644 index 0000000000..c690781d26 --- /dev/null +++ b/queue-5.15/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch @@ -0,0 +1,57 @@ +From ee003c8cb46edbd0eb1799b8c76355262edfaf5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:57:44 +0300 +Subject: net: dsa: hellcreek: fix missing error handling in LED registration + +From: Pavel Zhigulin + +[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ] + +The LED setup routine registered both led_sync_good +and led_is_gm devices without checking the return +values of led_classdev_register(). If either registration +failed, the function continued silently, leaving the +driver in a partially-initialized state and leaking +a registered LED classdev. + +Add proper error handling + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Andrew Lunn +Acked-by: Kurt Kanzenbach +Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +index b28baab6d56a1..763666480a8a8 100644 +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -367,8 +367,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek) + hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1); + + /* Register both leds */ +- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); +- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n"); ++ goto out; ++ } ++ ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n"); ++ led_classdev_unregister(&hellcreek->led_sync_good); ++ goto out; ++ } + + ret = 0; + +-- +2.51.0 + diff --git a/queue-5.15/net-openvswitch-remove-never-working-support-for-set.patch b/queue-5.15/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..70ebb00c90 --- /dev/null +++ b/queue-5.15/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From afb70ceb256635d7f08aa8b83a36253c4b739e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 0de165ed04eba..aa240953d7669 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -595,69 +595,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 7db0f8938c145..7c2692f897f99 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1280,6 +1280,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1289,8 +1294,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1334,46 +1337,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2794,17 +2757,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2952,13 +2911,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3365,7 +3317,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-5.15/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch b/queue-5.15/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch new file mode 100644 index 0000000000..c34dd5a8a0 --- /dev/null +++ b/queue-5.15/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch @@ -0,0 +1,62 @@ +From a18e28f305ca7441099d93b045a143face3e78b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 14:27:56 +0300 +Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() + and qede_tpa_end() + +From: Pavel Zhigulin + +[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ] + +The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate +over 'cqe->len_list[]' using only a zero-length terminator as +the stopping condition. If the terminator was missing or +malformed, the loop could run past the end of the fixed-size array. + +Add an explicit bound check using ARRAY_SIZE() in both loops to prevent +a potential out-of-bounds access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO") +Signed-off-by: Pavel Zhigulin +Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index d67d4e74b326d..503ab11a5a33e 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2019-2020 Marvell International Ltd. + */ + ++#include + #include + #include + #include +@@ -961,7 +962,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, + { + int i; + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + +@@ -986,7 +987,7 @@ static int qede_tpa_end(struct qede_dev *edev, + dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, + PAGE_SIZE, rxq->data_direction); + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + if (unlikely(i > 1)) +-- +2.51.0 + diff --git a/queue-5.15/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-5.15/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..c6875c49b9 --- /dev/null +++ b/queue-5.15/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From ffb091f77c28f37bd7f902df743aa38c8b488ba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 59ff5c901ab56..db0d1ec04f39c 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -665,6 +665,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) + ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index e7c361807590d..1338e4e2c0f40 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -694,8 +694,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-5.15/platform-x86-intel-speed_select_if-convert-pcibios_-.patch b/queue-5.15/platform-x86-intel-speed_select_if-convert-pcibios_-.patch new file mode 100644 index 0000000000..fac9512259 --- /dev/null +++ b/queue-5.15/platform-x86-intel-speed_select_if-convert-pcibios_-.patch @@ -0,0 +1,53 @@ +From 851b8dd521a29e49a8262048049e61043bfc686b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:33:54 +0800 +Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to + errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haotian Zhang + +[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ] + +isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The return code is returned from the probe function as is but +probe functions should return normal errnos. A proper implementation +can be found in drivers/leds/leds-ss4200.c. + +Convert PCIBIOS_* return codes using pcibios_err_to_errno() into +normal errno before returning. + +Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface") +Signed-off-by: Haotian Zhang +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +index ff49025ec0856..bb38e5f021a80 100644 +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + ret = pci_read_config_dword(pdev, 0xD0, &mmio_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + ret = pci_read_config_dword(pdev, 0xFC, &pcu_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + pcu_base &= GENMASK(10, 0); + base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12; +-- +2.51.0 + diff --git a/queue-5.15/s390-ctcm-fix-double-kfree.patch b/queue-5.15/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..9de40cc104 --- /dev/null +++ b/queue-5.15/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From 2b02f942fabe191771d89ff29074e788ca8e12bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index be03cb123ef48..cde36a3b6c03c 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -698,7 +698,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-5.15/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-5.15/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..c25720e8d8 --- /dev/null +++ b/queue-5.15/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From 95b3ab55ef29dec5af0159cda77c60a2be70cde0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index eb3e8b41adb10..cf842c97639a7 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -594,8 +594,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-5.15/selftests-net-use-bash-for-bareudp-testing.patch b/queue-5.15/selftests-net-use-bash-for-bareudp-testing.patch new file mode 100644 index 0000000000..d2b538a1c4 --- /dev/null +++ b/queue-5.15/selftests-net-use-bash-for-bareudp-testing.patch @@ -0,0 +1,46 @@ +From 308e7d7d9514accea57e1b9ddfc38e2875795008 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 17:57:10 +0800 +Subject: selftests: net: use BASH for bareudp testing + +From: Po-Hsu Lin + +[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ] + +In bareudp.sh, this script uses /bin/sh and it will load another lib.sh +BASH script at the very beginning. + +But on some operating systems like Ubuntu, /bin/sh is actually pointed to +DASH, thus it will try to run BASH commands with DASH and consequently +leads to syntax issues: + # ./bareudp.sh: 4: ./lib.sh: Bad substitution + # ./bareudp.sh: 5: ./lib.sh: source: not found + # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected + +Fix this by explicitly using BASH for bareudp.sh. This fixes test +execution failures on systems where /bin/sh is not BASH. + +Reported-by: Edoardo Canepa +Link: https://bugs.launchpad.net/bugs/2129812 +Signed-off-by: Po-Hsu Lin +Reviewed-by: Przemek Kitszel +Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bareudp.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh +index f366cadbc5e86..ff4308b48e65d 100755 +--- a/tools/testing/selftests/net/bareudp.sh ++++ b/tools/testing/selftests/net/bareudp.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Test various bareudp tunnel configurations. +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index bd3c3964ad..4b2d376905 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -292,3 +292,16 @@ scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch mips-malta-fix-eva-soc-it-pci-mmio.patch mptcp-fix-race-condition-in-mptcp_schedule_work.patch drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch +net-openvswitch-remove-never-working-support-for-set.patch +s390-ctcm-fix-double-kfree.patch +platform-x86-intel-speed_select_if-convert-pcibios_-.patch +kernel.h-move-array_size-to-a-separate-header.patch +net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +selftests-net-use-bash-for-bareudp-testing.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-5.15/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-5.15/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..e1681b8e1c --- /dev/null +++ b/queue-5.15/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From 0b614133981d1c960d7cfbb1c416ae74483d6f20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 033fcdffc9e50..d79a755388318 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1493,18 +1493,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-5.4/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-5.4/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..7dffa040e4 --- /dev/null +++ b/queue-5.4/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From ff0d8fd814836af6e8aa89dee9e6d82172013fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 49c26ea9dd984..fe57b4071e910 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1007,6 +1008,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-5.4/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-5.4/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..2e2df80a40 --- /dev/null +++ b/queue-5.4/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 058b7ff6323c3c6d6c9200579f714b9a4a1efe71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index af56d27693d07..7c126569e6cb5 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + +@@ -1478,6 +1479,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-5.4/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-5.4/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..2e302fc429 --- /dev/null +++ b/queue-5.4/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From bb7900953c51ca784c86a3e4fe342cd6b68845e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index 498de6ef68705..4eeebcb50ab68 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -542,8 +542,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &lastuse); +-- +2.51.0 + diff --git a/queue-5.4/net-openvswitch-remove-never-working-support-for-set.patch b/queue-5.4/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..692f5f3531 --- /dev/null +++ b/queue-5.4/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From 316e04e5def01fd3b334b0bb43076f134be68d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 5af7fe6312cf0..b1a3581ce2060 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -599,69 +599,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1122,10 +1059,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1162,6 +1095,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 4ad4c89886ee3..a378b06db24f0 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1277,6 +1277,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1286,8 +1291,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1331,46 +1334,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2704,17 +2667,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2860,13 +2819,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3219,7 +3171,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-5.4/s390-ctcm-fix-double-kfree.patch b/queue-5.4/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..cf1d28f2e5 --- /dev/null +++ b/queue-5.4/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From ccbdc41f3f9a994ab062e10884de5f1ed05c2bd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index d766002bc5bee..e76b6e7f80ac5 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -712,7 +712,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index a84610effb..9afe85e636 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -163,3 +163,9 @@ input-cros_ec_keyb-fix-an-invalid-memory-access.patch scsi-sg-do-not-sleep-in-atomic-context.patch scsi-target-tcm_loop-fix-segfault-in-tcm_loop_tpg_address_show.patch mips-malta-fix-eva-soc-it-pci-mmio.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +net-openvswitch-remove-never-working-support-for-set.patch +s390-ctcm-fix-double-kfree.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-5.4/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-5.4/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..1a826c8333 --- /dev/null +++ b/queue-5.4/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From f3ab0069cd20ebd92a3b41b4749315f2451012b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 831ca8da84813..2202a8ba2dfdc 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1235,18 +1235,40 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-6.1/bcma-don-t-register-devices-disabled-in-of.patch b/queue-6.1/bcma-don-t-register-devices-disabled-in-of.patch new file mode 100644 index 0000000000..2c1628b0ab --- /dev/null +++ b/queue-6.1/bcma-don-t-register-devices-disabled-in-of.patch @@ -0,0 +1,51 @@ +From af2c8f8f1ed23ca9022827b48af3a03e50268909 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 14:51:26 +0200 +Subject: bcma: don't register devices disabled in OF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ] + +Some bus devices can be marked as disabled for specific SoCs or models. +Those should not be registered to avoid probing them. + +Signed-off-by: Rafał Miłecki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 44392b624b200..11fbae15a7884 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -293,6 +293,8 @@ static int bcma_register_devices(struct bcma_bus *bus) + int err; + + list_for_each_entry(core, &bus->cores, list) { ++ struct device_node *np; ++ + /* We support that core ourselves */ + switch (core->id.id) { + case BCMA_CORE_4706_CHIPCOMMON: +@@ -310,6 +312,10 @@ static int bcma_register_devices(struct bcma_bus *bus) + if (bcma_is_core_needed_early(core->id.id)) + continue; + ++ np = core->dev.of_node; ++ if (np && !of_device_is_available(np)) ++ continue; ++ + /* Only first GMAC core on BCM4706 is connected and working */ + if (core->id.id == BCMA_CORE_4706_MAC_GBIT && + core->core_unit > 0) +-- +2.51.0 + diff --git a/queue-6.1/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch b/queue-6.1/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch new file mode 100644 index 0000000000..40a1499965 --- /dev/null +++ b/queue-6.1/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch @@ -0,0 +1,34 @@ +From 1a9dcbf68e54650aae5e1347e1c23a5780c8860a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 21:17:01 -0500 +Subject: cifs: fix typo in enable_gcm_256 module parameter + +From: Steve French + +[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ] + +Fix typo in description of enable_gcm_256 module parameter + +Suggested-by: Thomas Spear +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c +index 32b008bc99a09..74e4beb351946 100644 +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -128,7 +128,7 @@ module_param(enable_oplocks, bool, 0644); + MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); + + module_param(enable_gcm_256, bool, 0644); +-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); ++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1"); + + module_param(require_gcm_256, bool, 0644); + MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); +-- +2.51.0 + diff --git a/queue-6.1/drm-tegra-add-call-to-put_pid.patch b/queue-6.1/drm-tegra-add-call-to-put_pid.patch new file mode 100644 index 0000000000..66475abb6d --- /dev/null +++ b/queue-6.1/drm-tegra-add-call-to-put_pid.patch @@ -0,0 +1,46 @@ +From 341f0e3a9cbbaa076bb8ae2eb1aeab32fcd3faea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 13:25:40 +0900 +Subject: drm/tegra: Add call to put_pid() + +From: Prateek Agarwal + +[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ] + +Add a call to put_pid() corresponding to get_task_pid(). +host1x_memory_context_alloc() does not take ownership of the PID so we +need to free it here to avoid leaking. + +Signed-off-by: Prateek Agarwal +Fixes: e09db97889ec ("drm/tegra: Support context isolation") +[mperttunen@nvidia.com: reword commit message] +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/uapi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c +index 5adab6b229164..d0b6a1fa6efad 100644 +--- a/drivers/gpu/drm/tegra/uapi.c ++++ b/drivers/gpu/drm/tegra/uapi.c +@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_ + if (err) + goto put_channel; + +- if (supported) ++ if (supported) { ++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID); + context->memory_context = host1x_memory_context_alloc( +- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID)); ++ host, client->base.dev, pid); ++ put_pid(pid); ++ } + + if (IS_ERR(context->memory_context)) { + if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) { +-- +2.51.0 + diff --git a/queue-6.1/gpu-host1x-select-context-device-based-on-attached-i.patch b/queue-6.1/gpu-host1x-select-context-device-based-on-attached-i.patch new file mode 100644 index 0000000000..df4bbc19d1 --- /dev/null +++ b/queue-6.1/gpu-host1x-select-context-device-based-on-attached-i.patch @@ -0,0 +1,85 @@ +From dec46b3bc3cbcbd215875f698fb5a5ad9c70df57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 11:38:42 +0300 +Subject: gpu: host1x: Select context device based on attached IOMMU + +From: Mikko Perttunen + +[ Upstream commit 8935002fc37fce1ad211d98a70f2fd42083c0594 ] + +On Tegra234, engines that are programmed through Host1x channels can +be attached to either the NISO0 or NISO1 SMMU. Because of that, when +selecting a context device to use with an engine, we need to select +one that is also attached to the same SMMU. + +Add a parameter to host1x_memory_context_alloc to specify which device +we are allocating a context for, and use it to pick an appropriate +context device. + +Signed-off-by: Mikko Perttunen +[treding@nvidia.com: update !IOMMU_API stub signature] +Signed-off-by: Thierry Reding +Stable-dep-of: 6cbab9f0da72 ("drm/tegra: Add call to put_pid()") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/uapi.c | 2 +- + drivers/gpu/host1x/context.c | 4 ++++ + include/linux/host1x.h | 2 ++ + 3 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c +index a98239cb0e29a..5adab6b229164 100644 +--- a/drivers/gpu/drm/tegra/uapi.c ++++ b/drivers/gpu/drm/tegra/uapi.c +@@ -116,7 +116,7 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_ + + if (supported) + context->memory_context = host1x_memory_context_alloc( +- host, get_task_pid(current, PIDTYPE_TGID)); ++ host, client->base.dev, get_task_pid(current, PIDTYPE_TGID)); + + if (IS_ERR(context->memory_context)) { + if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) { +diff --git a/drivers/gpu/host1x/context.c b/drivers/gpu/host1x/context.c +index 93c0c532fe5af..9c0db178fade9 100644 +--- a/drivers/gpu/host1x/context.c ++++ b/drivers/gpu/host1x/context.c +@@ -112,6 +112,7 @@ void host1x_memory_context_list_free(struct host1x_memory_context_list *cdl) + } + + struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x, ++ struct device *dev, + struct pid *pid) + { + struct host1x_memory_context_list *cdl = &host1x->context_list; +@@ -126,6 +127,9 @@ struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x, + for (i = 0; i < cdl->len; i++) { + struct host1x_memory_context *cd = &cdl->devs[i]; + ++ if (cd->dev.iommu->iommu_dev != dev->iommu->iommu_dev) ++ continue; ++ + if (cd->owner == pid) { + refcount_inc(&cd->ref); + mutex_unlock(&cdl->lock); +diff --git a/include/linux/host1x.h b/include/linux/host1x.h +index cb2100d9b0ffe..dc55d9d3b94f0 100644 +--- a/include/linux/host1x.h ++++ b/include/linux/host1x.h +@@ -469,11 +469,13 @@ struct host1x_memory_context { + + #ifdef CONFIG_IOMMU_API + struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x, ++ struct device *dev, + struct pid *pid); + void host1x_memory_context_get(struct host1x_memory_context *cd); + void host1x_memory_context_put(struct host1x_memory_context *cd); + #else + static inline struct host1x_memory_context *host1x_memory_context_alloc(struct host1x *host1x, ++ struct device *dev, + struct pid *pid) + { + return NULL; +-- +2.51.0 + diff --git a/queue-6.1/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-6.1/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..7d3d84f974 --- /dev/null +++ b/queue-6.1/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 12d52675e4e7330780d522c63a562c61c914ba23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 9d3cf510562f8..0649ff35ec5c0 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1005,6 +1006,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-6.1/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-6.1/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..581a36dd58 --- /dev/null +++ b/queue-6.1/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From a847976f53c7531462f4b9f35b74d0ab5ed6aa97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 16a2db59432a5..e9ae03d056b09 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1476,6 +1477,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-6.1/kernel.h-move-array_size-to-a-separate-header.patch b/queue-6.1/kernel.h-move-array_size-to-a-separate-header.patch new file mode 100644 index 0000000000..9e07470998 --- /dev/null +++ b/queue-6.1/kernel.h-move-array_size-to-a-separate-header.patch @@ -0,0 +1,89 @@ +From 3ce2cf119e03f49288ea5171f006188a3e44e500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 14:59:53 +0300 +Subject: kernel.h: Move ARRAY_SIZE() to a separate header + +From: Alejandro Colomar + +[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ] + +Touching files so used for the kernel, +forces 'make' to recompile most of the kernel. + +Having those definitions in more granular files +helps avoid recompiling so much of the kernel. + +Signed-off-by: Alejandro Colomar +Reviewed-by: Giovanni Cabiddu +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com +[andy: reduced to cover only string.h for now] +Signed-off-by: Andy Shevchenko +Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()") +Signed-off-by: Sasha Levin +--- + include/linux/array_size.h | 13 +++++++++++++ + include/linux/kernel.h | 7 +------ + include/linux/string.h | 1 + + 3 files changed, 15 insertions(+), 6 deletions(-) + create mode 100644 include/linux/array_size.h + +diff --git a/include/linux/array_size.h b/include/linux/array_size.h +new file mode 100644 +index 0000000000000..06d7d83196ca3 +--- /dev/null ++++ b/include/linux/array_size.h +@@ -0,0 +1,13 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_ARRAY_SIZE_H ++#define _LINUX_ARRAY_SIZE_H ++ ++#include ++ ++/** ++ * ARRAY_SIZE - get the number of elements in array @arr ++ * @arr: array to be sized ++ */ ++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) ++ ++#endif /* _LINUX_ARRAY_SIZE_H */ +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index fe6efb24d151a..50254bb6b7a98 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -13,6 +13,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -48,12 +49,6 @@ + #define READ 0 + #define WRITE 1 + +-/** +- * ARRAY_SIZE - get the number of elements in array @arr +- * @arr: array to be sized +- */ +-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) +- + #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL) + + #define u64_to_user_ptr(x) ( \ +diff --git a/include/linux/string.h b/include/linux/string.h +index 422606e98cc42..e7ade5223d422 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -2,6 +2,7 @@ + #ifndef _LINUX_STRING_H_ + #define _LINUX_STRING_H_ + ++#include + #include /* for inline */ + #include /* for size_t */ + #include /* for NULL */ +-- +2.51.0 + diff --git a/queue-6.1/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-6.1/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..a451d15041 --- /dev/null +++ b/queue-6.1/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From 5f5966c95dd83602d68c468356ca92977a969d4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index e91fb205e0b4c..66e95918bdf6e 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -719,8 +719,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch b/queue-6.1/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch new file mode 100644 index 0000000000..aef870baf6 --- /dev/null +++ b/queue-6.1/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch @@ -0,0 +1,57 @@ +From b5413919a577dff937ae66a7a273157f210a7848 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:57:44 +0300 +Subject: net: dsa: hellcreek: fix missing error handling in LED registration + +From: Pavel Zhigulin + +[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ] + +The LED setup routine registered both led_sync_good +and led_is_gm devices without checking the return +values of led_classdev_register(). If either registration +failed, the function continued silently, leaving the +driver in a partially-initialized state and leaking +a registered LED classdev. + +Add proper error handling + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Andrew Lunn +Acked-by: Kurt Kanzenbach +Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +index b28baab6d56a1..763666480a8a8 100644 +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -367,8 +367,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek) + hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1); + + /* Register both leds */ +- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); +- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n"); ++ goto out; ++ } ++ ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n"); ++ led_classdev_unregister(&hellcreek->led_sync_good); ++ goto out; ++ } + + ret = 0; + +-- +2.51.0 + diff --git a/queue-6.1/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch b/queue-6.1/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch new file mode 100644 index 0000000000..2097513df5 --- /dev/null +++ b/queue-6.1/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch @@ -0,0 +1,42 @@ +From dbf83b6bf2efeb0530e1f2dccca3dd9bc0955757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 19:19:21 +0300 +Subject: net: mlxsw: linecards: fix missing error check in + mlxsw_linecard_devlink_info_get() + +From: Pavel Zhigulin + +[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ] + +The call to devlink_info_version_fixed_put() in +mlxsw_linecard_devlink_info_get() did not check for errors, +although it is checked everywhere in the code. + +Add missed 'err' check to the mlxsw_linecard_devlink_info_get() + +Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +index 99196333d1324..525973da7abc9 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard, + err = devlink_info_version_fixed_put(req, + DEVLINK_INFO_VERSION_GENERIC_FW_PSID, + info->psid); ++ if (err) ++ goto unlock; + + sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor, + info->fw_sub_minor); +-- +2.51.0 + diff --git a/queue-6.1/net-openvswitch-remove-never-working-support-for-set.patch b/queue-6.1/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..c991b883b4 --- /dev/null +++ b/queue-6.1/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From 45f28ca934b638619f37c6edbe052f4faf0498be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index a87c25e06bafd..f7cc87e67d3c8 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -595,69 +595,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 0ed3953dbe529..d0b6e58720816 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1290,6 +1290,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1299,8 +1304,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1344,46 +1347,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2823,17 +2786,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2981,13 +2940,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3394,7 +3346,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-6.1/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch b/queue-6.1/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch new file mode 100644 index 0000000000..c3d32add95 --- /dev/null +++ b/queue-6.1/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch @@ -0,0 +1,62 @@ +From 9183e6551c531a0a1eb418298b2e1b8f182ba222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 14:27:56 +0300 +Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() + and qede_tpa_end() + +From: Pavel Zhigulin + +[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ] + +The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate +over 'cqe->len_list[]' using only a zero-length terminator as +the stopping condition. If the terminator was missing or +malformed, the loop could run past the end of the fixed-size array. + +Add an explicit bound check using ARRAY_SIZE() in both loops to prevent +a potential out-of-bounds access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO") +Signed-off-by: Pavel Zhigulin +Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index cb1746bc0e0c5..273dae622c411 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2019-2020 Marvell International Ltd. + */ + ++#include + #include + #include + #include +@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, + { + int i; + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + +@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev, + dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, + PAGE_SIZE, rxq->data_direction); + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + if (unlikely(i > 1)) +-- +2.51.0 + diff --git a/queue-6.1/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-6.1/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..dc3e391149 --- /dev/null +++ b/queue-6.1/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From 6d1bd8b86dc10fb6bec0c0a2e93581f2f779165b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 899c863aba02c..037049def8a7f 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -475,6 +475,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) + ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 1849827884735..c51377a159bec 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -739,8 +739,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-6.1/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch b/queue-6.1/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch new file mode 100644 index 0000000000..67fbf3869e --- /dev/null +++ b/queue-6.1/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch @@ -0,0 +1,47 @@ +From 309e4ba60f78efb5bf8d7699bd69c54547f5825b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:23:39 +0900 +Subject: nvme-multipath: fix lockdep WARN due to partition scan work + +From: Shin'ichiro Kawasaki + +[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ] + +Blktests test cases nvme/014, 057 and 058 fail occasionally due to a +lockdep WARN. As reported in the Closes tag URL, the WARN indicates that +a deadlock can happen due to the dependency among disk->open_mutex, +kblockd workqueue completion and partition_scan_work completion. + +To avoid the lockdep WARN and the potential deadlock, cut the dependency +by running the partition_scan_work not by kblockd workqueue but by +nvme_wq. + +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/ +Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/ +Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning") +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 43b89c7d585f0..a3e225bb4b88f 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -577,7 +577,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + return; + } + nvme_add_ns_head_cdev(head); +- kblockd_schedule_work(&head->partition_scan_work); ++ queue_work(nvme_wq, &head->partition_scan_work); + } + + mutex_lock(&head->lock); +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-intel-speed_select_if-convert-pcibios_-.patch b/queue-6.1/platform-x86-intel-speed_select_if-convert-pcibios_-.patch new file mode 100644 index 0000000000..b5570cdc1e --- /dev/null +++ b/queue-6.1/platform-x86-intel-speed_select_if-convert-pcibios_-.patch @@ -0,0 +1,53 @@ +From 547f0dc91c114ad359e0b4795d91231ddad21b5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:33:54 +0800 +Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to + errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haotian Zhang + +[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ] + +isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The return code is returned from the probe function as is but +probe functions should return normal errnos. A proper implementation +can be found in drivers/leds/leds-ss4200.c. + +Convert PCIBIOS_* return codes using pcibios_err_to_errno() into +normal errno before returning. + +Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface") +Signed-off-by: Haotian Zhang +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +index ff49025ec0856..bb38e5f021a80 100644 +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + ret = pci_read_config_dword(pdev, 0xD0, &mmio_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + ret = pci_read_config_dword(pdev, 0xFC, &pcu_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + pcu_base &= GENMASK(10, 0); + base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12; +-- +2.51.0 + diff --git a/queue-6.1/s390-ctcm-fix-double-kfree.patch b/queue-6.1/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..bad0440b55 --- /dev/null +++ b/queue-6.1/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From 4dceb0fa666972de17777b50b3e0ea391151c843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 8ac213a551418..55216d2fbea0b 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -698,7 +698,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-6.1/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-6.1/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..59aa8bc515 --- /dev/null +++ b/queue-6.1/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From cdf6ebbee86f107885c4f3769e310a91754b381c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index c785493b105c0..28cf473fcf96d 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -600,8 +600,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-use-bash-for-bareudp-testing.patch b/queue-6.1/selftests-net-use-bash-for-bareudp-testing.patch new file mode 100644 index 0000000000..17a80c1e68 --- /dev/null +++ b/queue-6.1/selftests-net-use-bash-for-bareudp-testing.patch @@ -0,0 +1,46 @@ +From cc50b495496221f607813c3e35249be39a8296fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 17:57:10 +0800 +Subject: selftests: net: use BASH for bareudp testing + +From: Po-Hsu Lin + +[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ] + +In bareudp.sh, this script uses /bin/sh and it will load another lib.sh +BASH script at the very beginning. + +But on some operating systems like Ubuntu, /bin/sh is actually pointed to +DASH, thus it will try to run BASH commands with DASH and consequently +leads to syntax issues: + # ./bareudp.sh: 4: ./lib.sh: Bad substitution + # ./bareudp.sh: 5: ./lib.sh: source: not found + # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected + +Fix this by explicitly using BASH for bareudp.sh. This fixes test +execution failures on systems where /bin/sh is not BASH. + +Reported-by: Edoardo Canepa +Link: https://bugs.launchpad.net/bugs/2129812 +Signed-off-by: Po-Hsu Lin +Reviewed-by: Przemek Kitszel +Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bareudp.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh +index f366cadbc5e86..ff4308b48e65d 100755 +--- a/tools/testing/selftests/net/bareudp.sh ++++ b/tools/testing/selftests/net/bareudp.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Test various bareudp tunnel configurations. +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 79d93e36c7..d608ff9b4a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -451,3 +451,23 @@ mptcp-avoid-unneeded-subflow-level-drops.patch mptcp-do-not-fallback-when-ooo-is-present.patch drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch drm-amdgpu-skip-emit-de-meta-data-on-gfx11-with-rs64-enabled.patch +xfrm-determine-inner-gso-type-from-packet-inner-prot.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +gpu-host1x-select-context-device-based-on-attached-i.patch +drm-tegra-add-call-to-put_pid.patch +net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch +net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch +net-openvswitch-remove-never-working-support-for-set.patch +nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch +s390-ctcm-fix-double-kfree.patch +platform-x86-intel-speed_select_if-convert-pcibios_-.patch +kernel.h-move-array_size-to-a-separate-header.patch +net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +bcma-don-t-register-devices-disabled-in-of.patch +cifs-fix-typo-in-enable_gcm_256-module-parameter.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +selftests-net-use-bash-for-bareudp-testing.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-6.1/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-6.1/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..4710c75b13 --- /dev/null +++ b/queue-6.1/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From d9ba2de6a8b233a16865a8ac3af8e13f36d668a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 6de321a6e43cf..95441466d90dd 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1502,18 +1502,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-6.1/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch b/queue-6.1/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch new file mode 100644 index 0000000000..a16c435604 --- /dev/null +++ b/queue-6.1/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch @@ -0,0 +1,96 @@ +From ec62da3c2a8d4d0906edb65652d7a65f61021fb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 04:22:48 +0200 +Subject: xfrm: Determine inner GSO type from packet inner protocol + +From: Jianbo Liu + +[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ] + +The GSO segmentation functions for ESP tunnel mode +(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were +determining the inner packet's L2 protocol type by checking the static +x->inner_mode.family field from the xfrm state. + +This is unreliable. In tunnel mode, the state's actual inner family +could be defined by x->inner_mode.family or by +x->inner_mode_iaf.family. Checking only the former can lead to a +mismatch with the actual packet being processed, causing GSO to create +segments with the wrong L2 header type. + +This patch fixes the bug by deriving the inner mode directly from the +packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol. + +Instead of replicating the code, this patch modifies the +xfrm_ip2inner_mode helper function. It now correctly returns +&x->inner_mode if the selector family (x->sel.family) is already +specified, thereby handling both specific and AF_UNSPEC cases +appropriately. + +With this change, ESP GSO can use xfrm_ip2inner_mode to get the +correct inner mode. It doesn't affect existing callers, as the updated +logic now mirrors the checks they were already performing externally. + +Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 3 ++- + net/ipv4/esp4_offload.c | 6 ++++-- + net/ipv6/esp6_offload.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 64911162ab5f4..ac5db167370c9 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -446,7 +446,8 @@ static inline int xfrm_af2proto(unsigned int family) + + static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) + { +- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || ++ if ((x->sel.family != AF_UNSPEC) || ++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || + (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) + return &x->inner_mode; + else +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index ee848be59e65a..cbfc8b5b15bd2 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -110,8 +110,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6) +- : htons(ETH_P_IP); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) ++ : htons(ETH_P_IP); + + return skb_eth_gso_segment(skb, features, type); + } +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index fc6a5be732634..65d628e500059 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -145,8 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP) +- : htons(ETH_P_IPV6); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) ++ : htons(ETH_P_IPV6); + + return skb_eth_gso_segment(skb, features, type); + } +-- +2.51.0 + diff --git a/queue-6.12/af_unix-cache-state-msg-in-unix_stream_read_generic.patch b/queue-6.12/af_unix-cache-state-msg-in-unix_stream_read_generic.patch new file mode 100644 index 0000000000..50f98e47d4 --- /dev/null +++ b/queue-6.12/af_unix-cache-state-msg-in-unix_stream_read_generic.patch @@ -0,0 +1,98 @@ +From a6eca0819b00c0d2f8b0d9066c2815a3e751adcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 22:35:17 +0000 +Subject: af_unix: Cache state->msg in unix_stream_read_generic(). + +From: Kuniyuki Iwashima + +[ Upstream commit 8b77338eb2af74bb93986e4a8cfd86724168fe39 ] + +In unix_stream_read_generic(), state->msg is fetched multiple times. + +Let's cache it in a local variable. + +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250702223606.1054680-6-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 7bf3a476ce43 ("af_unix: Read sk_peek_offset() again after sleeping in unix_stream_read_generic().") +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 45f8e21829ecd..26d37a90b755d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2769,20 +2769,21 @@ static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor) + static int unix_stream_read_generic(struct unix_stream_read_state *state, + bool freezable) + { +- struct scm_cookie scm; ++ int noblock = state->flags & MSG_DONTWAIT; + struct socket *sock = state->socket; ++ struct msghdr *msg = state->msg; + struct sock *sk = sock->sk; +- struct unix_sock *u = unix_sk(sk); +- int copied = 0; ++ size_t size = state->size; + int flags = state->flags; +- int noblock = flags & MSG_DONTWAIT; + bool check_creds = false; +- int target; ++ struct scm_cookie scm; ++ unsigned int last_len; ++ struct unix_sock *u; ++ int copied = 0; + int err = 0; + long timeo; ++ int target; + int skip; +- size_t size = state->size; +- unsigned int last_len; + + if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) { + err = -EINVAL; +@@ -2802,6 +2803,8 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + + memset(&scm, 0, sizeof(scm)); + ++ u = unix_sk(sk); ++ + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +@@ -2894,14 +2897,12 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + } + + /* Copy address just once */ +- if (state->msg && state->msg->msg_name) { +- DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, +- state->msg->msg_name); +- unix_copy_addr(state->msg, skb->sk); ++ if (msg && msg->msg_name) { ++ DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); + +- BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk, +- state->msg->msg_name, +- &state->msg->msg_namelen); ++ unix_copy_addr(msg, skb->sk); ++ BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk, msg->msg_name, ++ &msg->msg_namelen); + + sunaddr = NULL; + } +@@ -2959,8 +2960,8 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + } while (size); + + mutex_unlock(&u->iolock); +- if (state->msg) +- scm_recv_unix(sock, state->msg, &scm, flags); ++ if (msg) ++ scm_recv_unix(sock, msg, &scm, flags); + else + scm_destroy(&scm); + out: +-- +2.51.0 + diff --git a/queue-6.12/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch b/queue-6.12/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch new file mode 100644 index 0000000000..19da34551f --- /dev/null +++ b/queue-6.12/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch @@ -0,0 +1,109 @@ +From f2b1ab4fafe6b975fa16c9f522b0fcdb83eb4260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 17:47:10 +0000 +Subject: af_unix: Read sk_peek_offset() again after sleeping in + unix_stream_read_generic(). + +From: Kuniyuki Iwashima + +[ Upstream commit 7bf3a476ce43833c49fceddbe94ff3472e04e9bc ] + +Miao Wang reported a bug of SO_PEEK_OFF on AF_UNIX SOCK_STREAM +socket. + +The unexpected behaviour is triggered when the peek offset is +larger than the recv queue and the thread is unblocked by new +data. + +Let's assume a socket which has "aaaa" in the recv queue and +the peek offset is 4. + +First, unix_stream_read_generic() reads the offset 4 and skips +the skb(s) of "aaaa" with the code below: + + skip = max(sk_peek_offset(sk, flags), 0); /* @skip is 4. */ + + do { + ... + while (skip >= unix_skb_len(skb)) { + skip -= unix_skb_len(skb); + ... + skb = skb_peek_next(skb, &sk->sk_receive_queue); + if (!skb) + goto again; /* @skip is 0. */ + } + +The thread jumps to the 'again' label and goes to sleep since +new data has not arrived yet. + +Later, new data "bbbb" unblocks the thread, and the thread jumps +to the 'redo:' label to restart the entire process from the first +skb in the recv queue. + + do { + ... +redo: + ... + last = skb = skb_peek(&sk->sk_receive_queue); + ... +again: + if (skb == NULL) { + ... + timeo = unix_stream_data_wait(sk, timeo, last, + last_len, freezable); + ... + goto redo; /* @skip is 0 !! */ + +However, the peek offset is not reset in the path. + +If the buffer size is 8, recv() will return "aaaabbbb" without +skipping any data, and the final offset will be 12 (the original +offset 4 + peeked skbs' length 8). + +After sleeping in unix_stream_read_generic(), we have to fetch the +peek offset again. + +Let's move the redo label before mutex_lock(&u->iolock). + +Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag") +Reported-by: Miao Wang +Closes: https://lore.kernel.org/netdev/3B969F90-F51F-4B9D-AB1A-994D9A54D460@gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20251117174740.3684604-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 26d37a90b755d..59911ac719b19 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2805,6 +2805,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + + u = unix_sk(sk); + ++redo: + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +@@ -2816,7 +2817,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + struct sk_buff *skb, *last; + int chunk; + +-redo: + unix_state_lock(sk); + if (sock_flag(sk, SOCK_DEAD)) { + err = -ECONNRESET; +@@ -2866,7 +2866,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + goto out; + } + +- mutex_lock(&u->iolock); + goto redo; + unlock: + unix_state_unlock(sk); +-- +2.51.0 + diff --git a/queue-6.12/bcma-don-t-register-devices-disabled-in-of.patch b/queue-6.12/bcma-don-t-register-devices-disabled-in-of.patch new file mode 100644 index 0000000000..61fb522cc8 --- /dev/null +++ b/queue-6.12/bcma-don-t-register-devices-disabled-in-of.patch @@ -0,0 +1,51 @@ +From c725e8aeaa72445ea2784528a3834258ecb8bab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 14:51:26 +0200 +Subject: bcma: don't register devices disabled in OF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ] + +Some bus devices can be marked as disabled for specific SoCs or models. +Those should not be registered to avoid probing them. + +Signed-off-by: Rafał Miłecki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 6ecfc821cf833..72f045e6ed513 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus) + int err; + + list_for_each_entry(core, &bus->cores, list) { ++ struct device_node *np; ++ + /* We support that core ourselves */ + switch (core->id.id) { + case BCMA_CORE_4706_CHIPCOMMON: +@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus) + if (bcma_is_core_needed_early(core->id.id)) + continue; + ++ np = core->dev.of_node; ++ if (np && !of_device_is_available(np)) ++ continue; ++ + /* Only first GMAC core on BCM4706 is connected and working */ + if (core->id.id == BCMA_CORE_4706_MAC_GBIT && + core->core_unit > 0) +-- +2.51.0 + diff --git a/queue-6.12/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch b/queue-6.12/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch new file mode 100644 index 0000000000..d2a5fd1384 --- /dev/null +++ b/queue-6.12/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch @@ -0,0 +1,42 @@ +From ee487477301ee6b00e85f984e0fcdba676ee3e1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 04:39:18 +0000 +Subject: blk-crypto: use BLK_STS_INVAL for alignment errors + +From: Carlos Llamas + +[ Upstream commit 0b39ca457241aeca07a613002512573e8804f93a ] + +Make __blk_crypto_bio_prep() propagate BLK_STS_INVAL when IO segments +fail the data unit alignment check. + +This was flagged by an LTP test that expects EINVAL when performing an +O_DIRECT read with a misaligned buffer [1]. + +Cc: Eric Biggers +Cc: Christoph Hellwig +Link: https://lore.kernel.org/all/aP-c5gPjrpsn0vJA@google.com/ [1] +Signed-off-by: Carlos Llamas +Reviewed-by: Eric Biggers +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-crypto.c b/block/blk-crypto.c +index 4d760b092deb9..7a0bd086a194b 100644 +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -282,7 +282,7 @@ bool __blk_crypto_bio_prep(struct bio **bio_ptr) + } + + if (!bio_crypt_check_alignment(bio)) { +- bio->bi_status = BLK_STS_IOERR; ++ bio->bi_status = BLK_STS_INVAL; + goto fail; + } + +-- +2.51.0 + diff --git a/queue-6.12/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch b/queue-6.12/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch new file mode 100644 index 0000000000..ccd3684a2d --- /dev/null +++ b/queue-6.12/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch @@ -0,0 +1,64 @@ +From a967772ba591e579b9d300542bbb415204042439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Nov 2025 20:32:57 +0530 +Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path + +From: Shaurya Rane + +[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ] + +Add proper cleanup of ctx->source and fc->source to the +cifs_parse_mount_err error handler. This ensures that memory allocated +for the source strings is correctly freed on all error paths, matching +the cleanup already performed in the success path by +smb3_cleanup_fs_context_contents(). +Pointers are also set to NULL after freeing to prevent potential +double-free issues. + +This change fixes a memory leak originally detected by syzbot. The +leak occurred when processing Opt_source mount options if an error +happened after ctx->source and fc->source were successfully +allocated but before the function completed. + +The specific leak sequence was: +1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory +2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory +3. A subsequent error jumps to cifs_parse_mount_err +4. The old error handler freed passwords but not the source strings, +causing the memory to leak. + +This issue was not addressed by commit e8c73eb7db0a ("cifs: client: +fix memory leak in smb3_fs_context_parse_param"), which only fixed +leaks from repeated fsconfig() calls but not this error path. + +Patch updated with minor change suggested by kernel test robot + +Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3 +Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") +Reviewed-by: David Howells +Signed-off-by: Shaurya Rane +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 4c295d6ca986a..9a4492106c25f 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1764,6 +1764,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->password = NULL; + kfree_sensitive(ctx->password2); + ctx->password2 = NULL; ++ kfree(ctx->source); ++ ctx->source = NULL; ++ kfree(fc->source); ++ fc->source = NULL; + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.12/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch b/queue-6.12/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch new file mode 100644 index 0000000000..9d09032e44 --- /dev/null +++ b/queue-6.12/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch @@ -0,0 +1,34 @@ +From 584a63ef658a247b8314f63e24c9eeb638d24c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 21:17:01 -0500 +Subject: cifs: fix typo in enable_gcm_256 module parameter + +From: Steve French + +[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ] + +Fix typo in description of enable_gcm_256 module parameter + +Suggested-by: Thomas Spear +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c +index 64dc7ec045d87..1187b0240a444 100644 +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -134,7 +134,7 @@ module_param(enable_oplocks, bool, 0644); + MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); + + module_param(enable_gcm_256, bool, 0644); +-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); ++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1"); + + module_param(require_gcm_256, bool, 0644); + MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); +-- +2.51.0 + diff --git a/queue-6.12/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch b/queue-6.12/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch new file mode 100644 index 0000000000..878b77f2b8 --- /dev/null +++ b/queue-6.12/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch @@ -0,0 +1,127 @@ +From 94868d32be393ed64c12fe5714fe3967c5993ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:05:49 +0200 +Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy + +From: Shay Drory + +[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ] + +The function devl_rate_nodes_destroy is documented to "Unset parent for +all rate objects". However, it was only calling the driver-specific +`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing +the parent's refcount, without actually setting the +`devlink_rate->parent` pointer to NULL. + +This leaves a dangling pointer in the `devlink_rate` struct, which cause +refcount error in netdevsim[1] and mlx5[2]. In addition, this is +inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, +where the parent pointer is correctly cleared. + +This patch fixes the issue by explicitly setting `devlink_rate->parent` +to NULL after notifying the driver, thus fulfilling the function's +documented behavior for all rate objects. + +[1] +repro steps: +echo 1 > /sys/bus/netdevsim/new_device +devlink dev eswitch set netdevsim/netdevsim1 mode switchdev +echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs +devlink port function rate add netdevsim/netdevsim1/test_node +devlink port function rate set netdevsim/netdevsim1/128 parent test_node +echo 1 > /sys/bus/netdevsim/del_device + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + __nsim_dev_port_del+0x6c/0x70 [netdevsim] + nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] + nsim_drv_remove+0x2b/0xb0 [netdevsim] + device_release_driver_internal+0x194/0x1f0 + bus_remove_device+0xc6/0x130 + device_del+0x159/0x3c0 + device_unregister+0x1a/0x60 + del_device_store+0x111/0x170 [netdevsim] + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x55/0x10f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +devlink dev eswitch set pci/0000:08:00.0 mode switchdev +devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 +devlink port function rate add pci/0000:08:00.0/group1 +devlink port function rate set pci/0000:08:00.0/32768 parent group1 +modprobe -r mlx5_ib mlx5_fwctl mlx5_core + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] + mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] + mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] + mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] + notifier_call_chain+0x33/0xa0 + blocking_notifier_call_chain+0x3b/0x50 + mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] + mlx5_eswitch_disable+0x63/0x90 [mlx5_core] + mlx5_unload+0x1d/0x170 [mlx5_core] + mlx5_uninit_one+0xa2/0x130 [mlx5_core] + remove_one+0x78/0xd0 [mlx5_core] + pci_device_remove+0x39/0xa0 + device_release_driver_internal+0x194/0x1f0 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x53/0x1f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects") +Signed-off-by: Shay Drory +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/rate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/devlink/rate.c b/net/devlink/rate.c +index 7139e67e93aeb..adb5267d377cf 100644 +--- a/net/devlink/rate.c ++++ b/net/devlink/rate.c +@@ -701,13 +701,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink) + if (!devlink_rate->parent) + continue; + +- refcount_dec(&devlink_rate->parent->refcnt); + if (devlink_rate_is_leaf(devlink_rate)) + ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); + else if (devlink_rate_is_node(devlink_rate)) + ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); ++ ++ refcount_dec(&devlink_rate->parent->refcnt); ++ devlink_rate->parent = NULL; + } + list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) { + if (devlink_rate_is_node(devlink_rate)) { +-- +2.51.0 + diff --git a/queue-6.12/drm-tegra-add-call-to-put_pid.patch b/queue-6.12/drm-tegra-add-call-to-put_pid.patch new file mode 100644 index 0000000000..e75e22ffb9 --- /dev/null +++ b/queue-6.12/drm-tegra-add-call-to-put_pid.patch @@ -0,0 +1,46 @@ +From 68c820211fa6c95a11a1d50d96125d480323d5ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 13:25:40 +0900 +Subject: drm/tegra: Add call to put_pid() + +From: Prateek Agarwal + +[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ] + +Add a call to put_pid() corresponding to get_task_pid(). +host1x_memory_context_alloc() does not take ownership of the PID so we +need to free it here to avoid leaking. + +Signed-off-by: Prateek Agarwal +Fixes: e09db97889ec ("drm/tegra: Support context isolation") +[mperttunen@nvidia.com: reword commit message] +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/uapi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c +index 5adab6b229164..d0b6a1fa6efad 100644 +--- a/drivers/gpu/drm/tegra/uapi.c ++++ b/drivers/gpu/drm/tegra/uapi.c +@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_ + if (err) + goto put_channel; + +- if (supported) ++ if (supported) { ++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID); + context->memory_context = host1x_memory_context_alloc( +- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID)); ++ host, client->base.dev, pid); ++ put_pid(pid); ++ } + + if (IS_ERR(context->memory_context)) { + if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) { +-- +2.51.0 + diff --git a/queue-6.12/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch b/queue-6.12/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch new file mode 100644 index 0000000000..d05ab9d971 --- /dev/null +++ b/queue-6.12/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch @@ -0,0 +1,122 @@ +From f7b95cc2d030f380f0bb8922b9362ceb64d8d288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:02:16 +0200 +Subject: ice: fix PTP cleanup on driver removal in error path + +From: Grzegorz Nitka + +[ Upstream commit 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 ] + +Improve the cleanup on releasing PTP resources in error path. +The error case might happen either at the driver probe and PTP +feature initialization or on PTP restart (errors in reset handling, NVM +update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf +function) and 'ps_lock' mutex deinitialization were missed. +Additionally, ptp clock was not unregistered in the latter case. + +Keep PTP state as 'uninitialized' on init to distinguish between error +scenarios and to avoid resource release duplication at driver removal. + +The consequence of missing ice_ptp_cleanup_pf call is the following call +trace dumped when ice_adapter object is freed (port list is not empty, +as it is required at this stage): + +[ T93022] ------------[ cut here ]------------ +[ T93022] WARNING: CPU: 10 PID: 93022 at +ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice] +... +[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice] +... +[ T93022] Call Trace: +[ T93022] +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] ? __warn.cold+0xb0/0x10e +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] ? report_bug+0xd8/0x150 +[ T93022] ? handle_bug+0xe9/0x110 +[ T93022] ? exc_invalid_op+0x17/0x70 +[ T93022] ? asm_exc_invalid_op+0x1a/0x20 +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] pci_device_remove+0x42/0xb0 +[ T93022] device_release_driver_internal+0x19f/0x200 +[ T93022] driver_detach+0x48/0x90 +[ T93022] bus_remove_driver+0x70/0xf0 +[ T93022] pci_unregister_driver+0x42/0xb0 +[ T93022] ice_module_exit+0x10/0xdb0 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +... +[ T93022] ---[ end trace 0000000000000000 ]--- +[ T93022] ice: module unloaded + +Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev") +Signed-off-by: Grzegorz Nitka +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index 369c968a0117d..4e6006991e8fd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -3409,7 +3409,7 @@ void ice_ptp_init(struct ice_pf *pf) + + err = ice_ptp_init_port(pf, &ptp->port); + if (err) +- goto err_exit; ++ goto err_clean_pf; + + /* Start the PHY timestamping block */ + ice_ptp_reset_phy_timestamping(pf); +@@ -3426,13 +3426,19 @@ void ice_ptp_init(struct ice_pf *pf) + dev_info(ice_pf_to_dev(pf), "PTP init successful\n"); + return; + ++err_clean_pf: ++ mutex_destroy(&ptp->port.ps_lock); ++ ice_ptp_cleanup_pf(pf); + err_exit: + /* If we registered a PTP clock, release it */ + if (pf->ptp.clock) { + ptp_clock_unregister(ptp->clock); + pf->ptp.clock = NULL; + } +- ptp->state = ICE_PTP_ERROR; ++ /* Keep ICE_PTP_UNINIT state to avoid ambiguity at driver unload ++ * and to avoid duplicated resources release. ++ */ ++ ptp->state = ICE_PTP_UNINIT; + dev_err(ice_pf_to_dev(pf), "PTP failed %d\n", err); + } + +@@ -3445,9 +3451,19 @@ void ice_ptp_init(struct ice_pf *pf) + */ + void ice_ptp_release(struct ice_pf *pf) + { +- if (pf->ptp.state != ICE_PTP_READY) ++ if (pf->ptp.state == ICE_PTP_UNINIT) + return; + ++ if (pf->ptp.state != ICE_PTP_READY) { ++ mutex_destroy(&pf->ptp.port.ps_lock); ++ ice_ptp_cleanup_pf(pf); ++ if (pf->ptp.clock) { ++ ptp_clock_unregister(pf->ptp.clock); ++ pf->ptp.clock = NULL; ++ } ++ return; ++ } ++ + pf->ptp.state = ICE_PTP_UNINIT; + + /* Disable timestamping for both Tx and Rx */ +-- +2.51.0 + diff --git a/queue-6.12/idpf-fix-possible-vport_config-null-pointer-deref-in.patch b/queue-6.12/idpf-fix-possible-vport_config-null-pointer-deref-in.patch new file mode 100644 index 0000000000..1b57127d2e --- /dev/null +++ b/queue-6.12/idpf-fix-possible-vport_config-null-pointer-deref-in.patch @@ -0,0 +1,60 @@ +From 7c5f586e87ace38146c48a5a830efe7e196d4221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Oct 2025 08:08:24 -0700 +Subject: idpf: fix possible vport_config NULL pointer deref in remove + +From: Emil Tantilov + +[ Upstream commit 118082368c2b6ddefe6cb607efc312285148f044 ] + +Attempting to remove the driver will cause a crash in cases where +the vport failed to initialize. Following trace is from an instance where +the driver failed during an attempt to create a VF: +[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated +[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms) +[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028 +... +[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf] +... +[ 1723.364973] Call Trace: +[ 1723.365475] +[ 1723.365972] pci_device_remove+0x42/0xb0 +[ 1723.366481] device_release_driver_internal+0x1a9/0x210 +[ 1723.366987] pci_stop_bus_device+0x6d/0x90 +[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20 +[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120 +[ 1723.368309] sriov_disable+0x34/0xe0 +[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf] +[ 1723.368982] sriov_numvfs_store+0xda/0x1c0 + +Avoid the NULL pointer dereference by adding NULL pointer check for +vport_config[i], before freeing user_config.q_coalesce. + +Fixes: e1e3fec3e34b ("idpf: preserve coalescing settings across resets") +Signed-off-by: Emil Tantilov +Reviewed-by: Chittim Madhu +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c +index 4c48a1a6aab0d..d7a7b0c5f1b8d 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_main.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c +@@ -62,6 +62,8 @@ static void idpf_remove(struct pci_dev *pdev) + destroy_workqueue(adapter->vc_event_wq); + + for (i = 0; i < adapter->max_vports; i++) { ++ if (!adapter->vport_config[i]) ++ continue; + kfree(adapter->vport_config[i]->user_config.q_coalesce); + kfree(adapter->vport_config[i]); + adapter->vport_config[i] = NULL; +-- +2.51.0 + diff --git a/queue-6.12/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-6.12/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..5197f8e7cf --- /dev/null +++ b/queue-6.12/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 1c9c7c9c15fcf0ce051c471f2996a4507b7787f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 84ea9215c0a7e..b8b7bba84a651 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -931,6 +932,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-6.12/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-6.12/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..897153d68c --- /dev/null +++ b/queue-6.12/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 9c762fb091faa592058ef7b65511397ee7deda4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 5f484422278e1..cfe66aaf8bfe9 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1478,6 +1479,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-6.12/loongarch-use-uapi-types-in-ptrace-uapi-header.patch b/queue-6.12/loongarch-use-uapi-types-in-ptrace-uapi-header.patch new file mode 100644 index 0000000000..68c74f7b4b --- /dev/null +++ b/queue-6.12/loongarch-use-uapi-types-in-ptrace-uapi-header.patch @@ -0,0 +1,107 @@ +From a60adaf4a5b2aaacc56ccba9a26bdb82b8012611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: Use UAPI types in ptrace UAPI header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ] + +The kernel UAPI headers already contain fixed-width integer types, there +is no need to rely on the libc types. There may not be a libc available +or the libc may not provides the , like for example on nolibc. + +This also aligns the header with the rest of the LoongArch UAPI headers. + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h +index aafb3cd9e943e..215e0f9e8aa32 100644 +--- a/arch/loongarch/include/uapi/asm/ptrace.h ++++ b/arch/loongarch/include/uapi/asm/ptrace.h +@@ -10,10 +10,6 @@ + + #include + +-#ifndef __KERNEL__ +-#include +-#endif +- + /* + * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs, + * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR. +@@ -41,44 +37,44 @@ struct user_pt_regs { + } __attribute__((aligned(8))); + + struct user_fp_state { +- uint64_t fpr[32]; +- uint64_t fcc; +- uint32_t fcsr; ++ __u64 fpr[32]; ++ __u64 fcc; ++ __u32 fcsr; + }; + + struct user_lsx_state { + /* 32 registers, 128 bits width per register. */ +- uint64_t vregs[32*2]; ++ __u64 vregs[32*2]; + }; + + struct user_lasx_state { + /* 32 registers, 256 bits width per register. */ +- uint64_t vregs[32*4]; ++ __u64 vregs[32*4]; + }; + + struct user_lbt_state { +- uint64_t scr[4]; +- uint32_t eflags; +- uint32_t ftop; ++ __u64 scr[4]; ++ __u32 eflags; ++ __u32 ftop; + }; + + struct user_watch_state { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[8]; + }; + + struct user_watch_state_v2 { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[14]; + }; + +-- +2.51.0 + diff --git a/queue-6.12/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-6.12/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..2d39ad72d7 --- /dev/null +++ b/queue-6.12/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From ac1f4812e5a7c7213b58fb02468b0449f3d4f77d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index f07955b5439f6..a8d4cf8b92998 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -820,8 +820,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch b/queue-6.12/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch new file mode 100644 index 0000000000..d6184ca933 --- /dev/null +++ b/queue-6.12/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch @@ -0,0 +1,57 @@ +From 1522ff9ba8af7b0c997cd1c5a14a36cbaba40b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:57:44 +0300 +Subject: net: dsa: hellcreek: fix missing error handling in LED registration + +From: Pavel Zhigulin + +[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ] + +The LED setup routine registered both led_sync_good +and led_is_gm devices without checking the return +values of led_classdev_register(). If either registration +failed, the function continued silently, leaving the +driver in a partially-initialized state and leaking +a registered LED classdev. + +Add proper error handling + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Andrew Lunn +Acked-by: Kurt Kanzenbach +Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +index bfe21f9f7dcd3..cb23bea9c21b8 100644 +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -376,8 +376,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek) + hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1); + + /* Register both leds */ +- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); +- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n"); ++ goto out; ++ } ++ ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n"); ++ led_classdev_unregister(&hellcreek->led_sync_good); ++ goto out; ++ } + + ret = 0; + +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch b/queue-6.12/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch new file mode 100644 index 0000000000..7ca361fc4f --- /dev/null +++ b/queue-6.12/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch @@ -0,0 +1,161 @@ +From efe20ffae60c94dded386d4cbd7869a035c57cf7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:16:08 +0200 +Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure + +From: Pradyumn Rahar + +[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ] + +The mlx5_irq_alloc() function can inadvertently free the entire rmap +and end up in a crash[1] when the other threads tries to access this, +when request_irq() fails due to exhausted IRQ vectors. This commit +modifies the cleanup to remove only the specific IRQ mapping that was +just added. + +This prevents removal of other valid mappings and ensures precise +cleanup of the failed IRQ allocation's associated glue object. + +Note: This error is observed when both fwctl and rds configs are enabled. + +[1] +mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +general protection fault, probably for non-canonical address +0xe277a58fde16f291: 0000 [#1] SMP NOPTI + +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Call Trace: + + ? show_trace_log_lvl+0x1d6/0x2f9 + ? show_trace_log_lvl+0x1d6/0x2f9 + ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + ? __die_body.cold+0x8/0xa + ? die_addr+0x39/0x53 + ? exc_general_protection+0x1c4/0x3e9 + ? dev_vprintk_emit+0x5f/0x90 + ? asm_exc_general_protection+0x22/0x27 + ? free_irq_cpu_rmap+0x23/0x7d + mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + irq_pool_request_vector+0x7d/0x90 [mlx5_core] + mlx5_irq_request+0x2e/0xe0 [mlx5_core] + mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] + comp_irq_request_pci+0x64/0xf0 [mlx5_core] + create_comp_eq+0x71/0x385 [mlx5_core] + ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] + mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] + ? xas_load+0x8/0x91 + mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] + mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] + mlx5e_open_channels+0xad/0x250 [mlx5_core] + mlx5e_open_locked+0x3e/0x110 [mlx5_core] + mlx5e_open+0x23/0x70 [mlx5_core] + __dev_open+0xf1/0x1a5 + __dev_change_flags+0x1e1/0x249 + dev_change_flags+0x21/0x5c + do_setlink+0x28b/0xcc4 + ? __nla_parse+0x22/0x3d + ? inet6_validate_link_af+0x6b/0x108 + ? cpumask_next+0x1f/0x35 + ? __snmp6_fill_stats64.constprop.0+0x66/0x107 + ? __nla_validate_parse+0x48/0x1e6 + __rtnl_newlink+0x5ff/0xa57 + ? kmem_cache_alloc_trace+0x164/0x2ce + rtnl_newlink+0x44/0x6e + rtnetlink_rcv_msg+0x2bb/0x362 + ? __netlink_sendskb+0x4c/0x6c + ? netlink_unicast+0x28f/0x2ce + ? rtnl_calcit.isra.0+0x150/0x146 + netlink_rcv_skb+0x5f/0x112 + netlink_unicast+0x213/0x2ce + netlink_sendmsg+0x24f/0x4d9 + __sock_sendmsg+0x65/0x6a + ____sys_sendmsg+0x28f/0x2c9 + ? import_iovec+0x17/0x2b + ___sys_sendmsg+0x97/0xe0 + __sys_sendmsg+0x81/0xd8 + do_syscall_64+0x35/0x87 + entry_SYSCALL_64_after_hwframe+0x6e/0x0 +RIP: 0033:0x7fc328603727 +Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed +ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 +f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 +RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 +RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d +RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc + +---[ end trace f43ce73c3c2b13a2 ]--- +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00 +74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31 +f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff +RSP: 0018:ff384881640eaca0 EFLAGS: 00010282 +RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400 +RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88 +R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8 +FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception +Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range: +0xffffffff80000000-0xffffffffbfffffff) +kvm-guest: disable async PF for cpu 0 + +Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation") +Signed-off-by: Mohith Kumar Thummaluru +Tested-by: Mohith Kumar Thummaluru +Reviewed-by: Moshe Shemesh +Reviewed-by: Shay Drori +Signed-off-by: Pradyumn Rahar +Reviewed-by: Jacob Keller +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +index 2c5f850c31f68..0c6b5103a57c0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +@@ -324,10 +324,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i, + free_irq(irq->map.virq, &irq->nh); + err_req_irq: + #ifdef CONFIG_RFS_ACCEL +- if (i && rmap && *rmap) { +- free_irq_cpu_rmap(*rmap); +- *rmap = NULL; +- } ++ if (i && rmap && *rmap) ++ irq_cpu_rmap_remove(*rmap, irq->map.virq); + err_irq_rmap: + #endif + if (i && pci_msix_can_alloc_dyn(dev->pdev)) +-- +2.51.0 + diff --git a/queue-6.12/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch b/queue-6.12/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch new file mode 100644 index 0000000000..6ae71ac5a5 --- /dev/null +++ b/queue-6.12/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch @@ -0,0 +1,42 @@ +From 90d1b6d72738edf93a9922fd182fd7a303e6a910 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 19:19:21 +0300 +Subject: net: mlxsw: linecards: fix missing error check in + mlxsw_linecard_devlink_info_get() + +From: Pavel Zhigulin + +[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ] + +The call to devlink_info_version_fixed_put() in +mlxsw_linecard_devlink_info_get() did not check for errors, +although it is checked everywhere in the code. + +Add missed 'err' check to the mlxsw_linecard_devlink_info_get() + +Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +index b032d5a4b3b84..10f5bc4892fc7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard, + err = devlink_info_version_fixed_put(req, + DEVLINK_INFO_VERSION_GENERIC_FW_PSID, + info->psid); ++ if (err) ++ goto unlock; + + sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor, + info->fw_sub_minor); +-- +2.51.0 + diff --git a/queue-6.12/net-openvswitch-remove-never-working-support-for-set.patch b/queue-6.12/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..ab78e201f6 --- /dev/null +++ b/queue-6.12/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From 734e64f3b36b5030d55c22d42c96fc3130fbdfa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 2f22ca59586f2..dad8e6eefe680 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -613,69 +613,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1169,10 +1106,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1209,6 +1142,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 305daf57a4f9d..e3359e15aa2e4 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1305,6 +1305,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1314,8 +1319,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1359,46 +1362,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2839,17 +2802,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2997,13 +2956,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3436,7 +3388,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-6.12/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch b/queue-6.12/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch new file mode 100644 index 0000000000..62258c981e --- /dev/null +++ b/queue-6.12/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch @@ -0,0 +1,62 @@ +From 49982d3ec2e0a2e416cf9119c116d3787ecd9b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 14:27:56 +0300 +Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() + and qede_tpa_end() + +From: Pavel Zhigulin + +[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ] + +The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate +over 'cqe->len_list[]' using only a zero-length terminator as +the stopping condition. If the terminator was missing or +malformed, the loop could run past the end of the fixed-size array. + +Add an explicit bound check using ARRAY_SIZE() in both loops to prevent +a potential out-of-bounds access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO") +Signed-off-by: Pavel Zhigulin +Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index 847fa62c80df8..e338bfc8b7b2f 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2019-2020 Marvell International Ltd. + */ + ++#include + #include + #include + #include +@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, + { + int i; + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + +@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev, + dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, + PAGE_SIZE, rxq->data_direction); + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + if (unlikely(i > 1)) +-- +2.51.0 + diff --git a/queue-6.12/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-6.12/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..974b817e07 --- /dev/null +++ b/queue-6.12/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From 2a4e9079f013a4a69fbd400d6ffce61c0711db5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 181173e62a068..3f4235cc0207c 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -464,6 +464,12 @@ tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_ + atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index dc063c2c7950e..0af7b3c529678 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -721,8 +721,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-6.12/net-tls-change-async-resync-helpers-argument.patch b/queue-6.12/net-tls-change-async-resync-helpers-argument.patch new file mode 100644 index 0000000000..68582781d4 --- /dev/null +++ b/queue-6.12/net-tls-change-async-resync-helpers-argument.patch @@ -0,0 +1,117 @@ +From 7ee7e39be1e7ba7e40b8a2276608f06066bb2710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:01 +0200 +Subject: net: tls: Change async resync helpers argument + +From: Shahar Shitrit + +[ Upstream commit 34892cfec0c2d96787c4be7bda0d5f18d7dacf85 ] + +Update tls_offload_rx_resync_async_request_start() and +tls_offload_rx_resync_async_request_end() to get a struct +tls_offload_resync_async parameter directly, rather than +extracting it from struct sock. + +This change aligns the function signatures with the upcoming +tls_offload_rx_resync_async_request_cancel() helper, which +will be introduced in a subsequent patch. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ktls_rx.c | 9 ++++++-- + include/net/tls.h | 21 +++++++------------ + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c +index 65ccb33edafb7..c0089c704c0cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c +@@ -425,12 +425,14 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi, + { + struct mlx5e_ktls_rx_resync_buf *buf = wi->tls_get_params.buf; + struct mlx5e_ktls_offload_context_rx *priv_rx; ++ struct tls_offload_context_rx *rx_ctx; + u8 tracker_state, auth_state, *ctx; + struct device *dev; + u32 hw_seq; + + priv_rx = buf->priv_rx; + dev = mlx5_core_dma_dev(sq->channel->mdev); ++ rx_ctx = tls_offload_ctx_rx(tls_get_ctx(priv_rx->sk)); + if (unlikely(test_bit(MLX5E_PRIV_RX_FLAG_DELETING, priv_rx->flags))) + goto out; + +@@ -447,7 +449,8 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi, + } + + hw_seq = MLX5_GET(tls_progress_params, ctx, hw_resync_tcp_sn); +- tls_offload_rx_resync_async_request_end(priv_rx->sk, cpu_to_be32(hw_seq)); ++ tls_offload_rx_resync_async_request_end(rx_ctx->resync_async, ++ cpu_to_be32(hw_seq)); + priv_rx->rq_stats->tls_resync_req_end++; + out: + mlx5e_ktls_priv_rx_put(priv_rx); +@@ -482,6 +485,7 @@ static bool resync_queue_get_psv(struct sock *sk) + static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb) + { + struct ethhdr *eth = (struct ethhdr *)(skb->data); ++ struct tls_offload_resync_async *resync_async; + struct net_device *netdev = rq->netdev; + struct net *net = dev_net(netdev); + struct sock *sk = NULL; +@@ -528,7 +532,8 @@ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb) + + seq = th->seq; + datalen = skb->len - depth; +- tls_offload_rx_resync_async_request_start(sk, seq, datalen); ++ resync_async = tls_offload_ctx_rx(tls_get_ctx(sk))->resync_async; ++ tls_offload_rx_resync_async_request_start(resync_async, seq, datalen); + rq->stats->tls_resync_req_start++; + + unref: +diff --git a/include/net/tls.h b/include/net/tls.h +index 61fef28801140..181173e62a068 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -448,25 +448,20 @@ static inline void tls_offload_rx_resync_request(struct sock *sk, __be32 seq) + + /* Log all TLS record header TCP sequences in [seq, seq+len] */ + static inline void +-tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len) ++tls_offload_rx_resync_async_request_start(struct tls_offload_resync_async *resync_async, ++ __be32 seq, u16 len) + { +- struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx); +- +- atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) | ++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | + ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC); +- rx_ctx->resync_async->loglen = 0; +- rx_ctx->resync_async->rcd_delta = 0; ++ resync_async->loglen = 0; ++ resync_async->rcd_delta = 0; + } + + static inline void +-tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) ++tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_async, ++ __be32 seq) + { +- struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx); +- +- atomic64_set(&rx_ctx->resync_async->req, +- ((u64)ntohl(seq) << 32) | RESYNC_REQ); ++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + + static inline void +-- +2.51.0 + diff --git a/queue-6.12/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch b/queue-6.12/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch new file mode 100644 index 0000000000..9fb5cfe1b7 --- /dev/null +++ b/queue-6.12/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch @@ -0,0 +1,47 @@ +From af2de824bae4db082cb2f0b0028130ff58496c74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:23:39 +0900 +Subject: nvme-multipath: fix lockdep WARN due to partition scan work + +From: Shin'ichiro Kawasaki + +[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ] + +Blktests test cases nvme/014, 057 and 058 fail occasionally due to a +lockdep WARN. As reported in the Closes tag URL, the WARN indicates that +a deadlock can happen due to the dependency among disk->open_mutex, +kblockd workqueue completion and partition_scan_work completion. + +To avoid the lockdep WARN and the potential deadlock, cut the dependency +by running the partition_scan_work not by kblockd workqueue but by +nvme_wq. + +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/ +Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/ +Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning") +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 24cff8b044923..4ec4a1b11bb2e 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -687,7 +687,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + return; + } + nvme_add_ns_head_cdev(head); +- kblockd_schedule_work(&head->partition_scan_work); ++ queue_work(nvme_wq, &head->partition_scan_work); + } + + mutex_lock(&head->lock); +-- +2.51.0 + diff --git a/queue-6.12/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch b/queue-6.12/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch new file mode 100644 index 0000000000..5763d0edce --- /dev/null +++ b/queue-6.12/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch @@ -0,0 +1,68 @@ +From f42f2e1c5ece900f6abd54c99da09e93d57ab76d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 11:05:09 +0800 +Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() + +From: Haotian Zhang + +[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ] + +The driver calls fwnode_get_named_child_node() which takes a reference +on the child node, but never releases it, which causes a reference leak. + +Fix by using devm_add_action_or_reset() to automatically release the +reference when the device is removed. + +Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43") +Suggested-by: Charles Keepax +Signed-off-by: Haotian Zhang +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +index 628b60ccc2b07..8b3f3b945e206 100644 +--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c ++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +@@ -527,6 +527,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip) + return ret; + } + ++static void cs42l43_fwnode_put(void *data) ++{ ++ fwnode_handle_put(data); ++} ++ + static int cs42l43_pin_probe(struct platform_device *pdev) + { + struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent); +@@ -558,10 +563,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev) + priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS; + + if (is_of_node(fwnode)) { +- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl"); +- +- if (fwnode && !fwnode->dev) +- fwnode->dev = priv->dev; ++ struct fwnode_handle *child; ++ ++ child = fwnode_get_named_child_node(fwnode, "pinctrl"); ++ if (child) { ++ ret = devm_add_action_or_reset(&pdev->dev, ++ cs42l43_fwnode_put, child); ++ if (ret) { ++ fwnode_handle_put(child); ++ return ret; ++ } ++ if (!child->dev) ++ child->dev = priv->dev; ++ fwnode = child; ++ } + } + + priv->gpio_chip.fwnode = fwnode; +-- +2.51.0 + diff --git a/queue-6.12/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch b/queue-6.12/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch new file mode 100644 index 0000000000..00380e30d7 --- /dev/null +++ b/queue-6.12/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch @@ -0,0 +1,42 @@ +From b74a81e378d9d3ee22efe14e18d62be6bef00461 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 15:55:29 +0800 +Subject: pinctrl: realtek: Select REGMAP_MMIO for RTD driver + +From: Yu-Chun Lin + +[ Upstream commit 369f772299821f93f872bf1b4d7d7ed2fc50243b ] + +The pinctrl-rtd driver uses 'devm_regmap_init_mmio', which requires +'REGMAP_MMIO' to be enabled. + +Without this selection, the build fails with an undefined reference: +aarch64-none-linux-gnu-ld: drivers/pinctrl/realtek/pinctrl-rtd.o: in +function rtd_pinctrl_probe': pinctrl-rtd.c:(.text+0x5a0): undefined +reference to __devm_regmap_init_mmio_clk' + +Fix this by selecting 'REGMAP_MMIO' in the Kconfig. + +Fixes: e99ce78030db ("pinctrl: realtek: Add common pinctrl driver for Realtek DHC RTD SoCs") +Signed-off-by: Yu-Chun Lin +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/realtek/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/realtek/Kconfig b/drivers/pinctrl/realtek/Kconfig +index 0fc6bd4fcb7ec..400c9e5b16ada 100644 +--- a/drivers/pinctrl/realtek/Kconfig ++++ b/drivers/pinctrl/realtek/Kconfig +@@ -6,6 +6,7 @@ config PINCTRL_RTD + default y + select PINMUX + select GENERIC_PINCONF ++ select REGMAP_MMIO + + config PINCTRL_RTD1619B + tristate "Realtek DHC 1619B pin controller driver" +-- +2.51.0 + diff --git a/queue-6.12/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch b/queue-6.12/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch new file mode 100644 index 0000000000..2106fcb2ed --- /dev/null +++ b/queue-6.12/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch @@ -0,0 +1,81 @@ +From e5318ea32ff27620f90c44098bf3e7ec22a5a499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:11 -0800 +Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc + +From: Jared Kangas + +[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ] + +s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its +fields are initialized. Notably, num_custom_params is used in +pinconf_generic_parse_dt_config(), resulting in intermittent allocation +errors, such as the following splat when probing i2c-imx: + + WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 + [...] + Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) + [...] + Call trace: + __alloc_pages_noprof+0x290/0x300 (P) + ___kmalloc_large_node+0x84/0x168 + __kmalloc_large_node_noprof+0x34/0x120 + __kmalloc_noprof+0x2ac/0x378 + pinconf_generic_parse_dt_config+0x68/0x1a0 + s32_dt_node_to_map+0x104/0x248 + dt_to_map_one_config+0x154/0x1d8 + pinctrl_dt_to_map+0x12c/0x280 + create_pinctrl+0x6c/0x270 + pinctrl_get+0xc0/0x170 + devm_pinctrl_get+0x50/0xa0 + pinctrl_bind_pins+0x60/0x2a0 + really_probe+0x60/0x3a0 + [...] + __platform_driver_register+0x2c/0x40 + i2c_adap_imx_init+0x28/0xff8 [i2c_imx] + [...] + +This results in later parse failures that can cause issues in dependent +drivers: + + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + [...] + pca953x 0-0022: failed writing register: -6 + i2c i2c-0: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + i2c i2c-1: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + i2c i2c-2: IMX I2C adapter registered + +Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of +devm_kmalloc() in s32_pinctrl_probe(), which sets the previously +uninitialized fields to zero. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Tested-by: Jan Petrous (OSS) +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 501eb296c7605..51ecb8d0fb7e8 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -951,7 +951,7 @@ int s32_pinctrl_probe(struct platform_device *pdev, + spin_lock_init(&ipctl->gpio_configs_lock); + + s32_pinctrl_desc = +- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); ++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); + if (!s32_pinctrl_desc) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.12/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch b/queue-6.12/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch new file mode 100644 index 0000000000..aa3decd8c5 --- /dev/null +++ b/queue-6.12/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch @@ -0,0 +1,38 @@ +From e6a9218556130ff9fa8eed82ea08136352046c13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:12 -0800 +Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() + +From: Jared Kangas + +[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ] + +s32_pmx_gpio_request_enable() does not initialize the newly-allocated +gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs. +This could result in a linked list corruption. + +Initialize the new list_head with INIT_LIST_HEAD() to fix this. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 51ecb8d0fb7e8..35511f83d0560 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev, + + gpio_pin->pin_id = offset; + gpio_pin->config = config; ++ INIT_LIST_HEAD(&gpio_pin->list); + + spin_lock_irqsave(&ipctl->gpio_configs_lock, flags); + list_add(&gpio_pin->list, &ipctl->gpio_configs); +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-intel-speed_select_if-convert-pcibios_-.patch b/queue-6.12/platform-x86-intel-speed_select_if-convert-pcibios_-.patch new file mode 100644 index 0000000000..7b32ef17c1 --- /dev/null +++ b/queue-6.12/platform-x86-intel-speed_select_if-convert-pcibios_-.patch @@ -0,0 +1,53 @@ +From f8255018d535990af2a6c4269277e9f56df0a3d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:33:54 +0800 +Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to + errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haotian Zhang + +[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ] + +isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The return code is returned from the probe function as is but +probe functions should return normal errnos. A proper implementation +can be found in drivers/leds/leds-ss4200.c. + +Convert PCIBIOS_* return codes using pcibios_err_to_errno() into +normal errno before returning. + +Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface") +Signed-off-by: Haotian Zhang +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +index 3f4343147dadb..950ede5eab769 100644 +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +@@ -108,11 +108,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + ret = pci_read_config_dword(pdev, 0xD0, &mmio_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + ret = pci_read_config_dword(pdev, 0xFC, &pcu_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + pcu_base &= GENMASK(10, 0); + base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12; +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch b/queue-6.12/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch new file mode 100644 index 0000000000..dd2410eb4f --- /dev/null +++ b/queue-6.12/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch @@ -0,0 +1,63 @@ +From 34be04a84c55ad8ba16147b7a204aa06bfb94479 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 12:12:53 +0100 +Subject: platform/x86: msi-wmi-platform: Fix typo in WMI GUID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 97b726eb1dc2b4a2532544eb3da72bb6acbd39a3 ] + +The WMI driver core only supports GUID strings containing only +uppercase characters, however the GUID string used by the +msi-wmi-platform driver contains a single lowercase character. +This prevents the WMI driver core from matching said driver to +its WMI device. + +Fix this by turning the lowercase character into a uppercase +character. Also update the WMI driver development guide to warn +about this. + +Reported-by: Antheas Kapenekakis +Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver") +Tested-by: Antheas Kapenekakis +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251110111253.16204-3-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + Documentation/wmi/driver-development-guide.rst | 1 + + drivers/platform/x86/msi-wmi-platform.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/wmi/driver-development-guide.rst b/Documentation/wmi/driver-development-guide.rst +index 429137b2f6323..4c10159d5f6cd 100644 +--- a/Documentation/wmi/driver-development-guide.rst ++++ b/Documentation/wmi/driver-development-guide.rst +@@ -50,6 +50,7 @@ to matching WMI devices using a struct wmi_device_id table: + :: + + static const struct wmi_device_id foo_id_table[] = { ++ /* Only use uppercase letters! */ + { "936DA01F-9ABD-4D9D-80C7-02AF85C822A8", NULL }, + { } + }; +diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c +index bd2687828a2e6..e912fcc12d124 100644 +--- a/drivers/platform/x86/msi-wmi-platform.c ++++ b/drivers/platform/x86/msi-wmi-platform.c +@@ -29,7 +29,7 @@ + + #define DRIVER_NAME "msi-wmi-platform" + +-#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11d1-00A0-C90629100000" ++#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11D1-00A0-C90629100000" + + #define MSI_WMI_PLATFORM_INTERFACE_VERSION 2 + +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch b/queue-6.12/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch new file mode 100644 index 0000000000..1f253b453a --- /dev/null +++ b/queue-6.12/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch @@ -0,0 +1,108 @@ +From 875c4d0fff99f4c708d6962763c721a376ef967d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 12:12:52 +0100 +Subject: platform/x86: msi-wmi-platform: Only load on MSI devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c93433fd4e2bbbe7caa67b53d808b4a084852ff3 ] + +It turns out that the GUID used by the msi-wmi-platform driver +(ABBC0F60-8EA1-11D1-00A0-C90629100000) is not unique, but was instead +copied from the WIndows Driver Samples. This means that this driver +could load on devices from other manufacturers that also copied this +GUID, potentially causing hardware errors. + +Prevent this by only loading on devices whitelisted via DMI. The DMI +matches where taken from the msi-ec driver. + +Reported-by: Antheas Kapenekakis +Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver") +Tested-by: Antheas Kapenekakis +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251110111253.16204-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + drivers/platform/x86/msi-wmi-platform.c | 41 ++++++++++++++++++++++++- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 3875abba5a790..902b50510d8d6 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -726,6 +726,7 @@ config MSI_WMI + config MSI_WMI_PLATFORM + tristate "MSI WMI Platform features" + depends on ACPI_WMI ++ depends on DMI + depends on HWMON + help + Say Y here if you want to have support for WMI-based platform features +diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c +index dc5e9878cb682..bd2687828a2e6 100644 +--- a/drivers/platform/x86/msi-wmi-platform.c ++++ b/drivers/platform/x86/msi-wmi-platform.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -448,7 +449,45 @@ static struct wmi_driver msi_wmi_platform_driver = { + .probe = msi_wmi_platform_probe, + .no_singleton = true, + }; +-module_wmi_driver(msi_wmi_platform_driver); ++ ++/* ++ * MSI reused the WMI GUID from the WMI-ACPI sample code provided by Microsoft, ++ * so other manufacturers might use it as well for their WMI-ACPI implementations. ++ */ ++static const struct dmi_system_id msi_wmi_platform_whitelist[] __initconst = { ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"), ++ }, ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Micro-Star International"), ++ }, ++ }, ++ { } ++}; ++ ++static int __init msi_wmi_platform_module_init(void) ++{ ++ if (!dmi_check_system(msi_wmi_platform_whitelist)) { ++ if (!force) ++ return -ENODEV; ++ ++ pr_warn("Ignoring DMI whitelist\n"); ++ } ++ ++ return wmi_driver_register(&msi_wmi_platform_driver); ++} ++ ++static void __exit msi_wmi_platform_module_exit(void) ++{ ++ wmi_driver_unregister(&msi_wmi_platform_driver); ++} ++ ++module_init(msi_wmi_platform_module_init); ++module_exit(msi_wmi_platform_module_exit); ++ + + MODULE_AUTHOR("Armin Wolf "); + MODULE_DESCRIPTION("MSI WMI platform features"); +-- +2.51.0 + diff --git a/queue-6.12/s390-ctcm-fix-double-kfree.patch b/queue-6.12/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..54350c9c05 --- /dev/null +++ b/queue-6.12/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From 425dc28b0345081d9d528cb4901937a0ca75b3c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 9e580ef69bdaa..48ea517ff567a 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -700,7 +700,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-6.12/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-6.12/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..5ffcb30769 --- /dev/null +++ b/queue-6.12/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From bee13d64b2cf52aea4eced7532a3e57623bc4623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index e021f1106beab..5cf13d019a15e 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -607,8 +607,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-lib-do-not-overwrite-error-messages.patch b/queue-6.12/selftests-net-lib-do-not-overwrite-error-messages.patch new file mode 100644 index 0000000000..9202a98c42 --- /dev/null +++ b/queue-6.12/selftests-net-lib-do-not-overwrite-error-messages.patch @@ -0,0 +1,97 @@ +From e1651b909c728bf5542e55aadbedfb6c5702a47a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Nov 2025 10:10:29 +0200 +Subject: selftests: net: lib: Do not overwrite error messages + +From: Ido Schimmel + +[ Upstream commit bed22c7b90af732978715a1789bca1c3cfa245a6 ] + +ret_set_ksft_status() calls ksft_status_merge() with the current return +status and the last one. It treats a non-zero return code from +ksft_status_merge() as an indication that the return status was +overwritten by the last one and therefore overwrites the return message +with the last one. + +Currently, ksft_status_merge() returns a non-zero return code even if +the current return status and the last one are equal. This results in +return messages being overwritten which is counter-productive since we +are more interested in the first failure message and not the last one. + +Fix by changing ksft_status_merge() to only return a non-zero return +code if the current return status was actually changed. + +Add a test case which checks that the first error message is not +overwritten. + +Before: + + # ./lib_sh_test.sh + [...] + TEST: RET tfail2 tfail -> fail [FAIL] + retmsg=tfail expected tfail2 + [...] + # echo $? + 1 + +After: + + # ./lib_sh_test.sh + [...] + TEST: RET tfail2 tfail -> fail [ OK ] + [...] + # echo $? + 0 + +Fixes: 596c8819cb78 ("selftests: forwarding: Have RET track kselftest framework constants") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20251116081029.69112-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 +++++++ + tools/testing/selftests/net/lib.sh | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/forwarding/lib_sh_test.sh b/tools/testing/selftests/net/forwarding/lib_sh_test.sh +index ff2accccaf4d4..b4eda6c6199ed 100755 +--- a/tools/testing/selftests/net/forwarding/lib_sh_test.sh ++++ b/tools/testing/selftests/net/forwarding/lib_sh_test.sh +@@ -30,6 +30,11 @@ tfail() + do_test "tfail" false + } + ++tfail2() ++{ ++ do_test "tfail2" false ++} ++ + txfail() + { + FAIL_TO_XFAIL=yes do_test "txfail" false +@@ -132,6 +137,8 @@ test_ret() + ret_subtest $ksft_fail "tfail" txfail tfail + + ret_subtest $ksft_xfail "txfail" txfail txfail ++ ++ ret_subtest $ksft_fail "tfail2" tfail2 tfail + } + + exit_status_tests_run() +diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh +index bb4d2f8d50d67..501615d285300 100644 +--- a/tools/testing/selftests/net/lib.sh ++++ b/tools/testing/selftests/net/lib.sh +@@ -40,7 +40,7 @@ __ksft_status_merge() + weights[$i]=$((weight++)) + done + +- if [[ ${weights[$a]} > ${weights[$b]} ]]; then ++ if [[ ${weights[$a]} -ge ${weights[$b]} ]]; then + echo "$a" + return 0 + else +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-use-bash-for-bareudp-testing.patch b/queue-6.12/selftests-net-use-bash-for-bareudp-testing.patch new file mode 100644 index 0000000000..44c49b0631 --- /dev/null +++ b/queue-6.12/selftests-net-use-bash-for-bareudp-testing.patch @@ -0,0 +1,46 @@ +From f4d04565859630f67e78a7f2f25d1ba0c3e229fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 17:57:10 +0800 +Subject: selftests: net: use BASH for bareudp testing + +From: Po-Hsu Lin + +[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ] + +In bareudp.sh, this script uses /bin/sh and it will load another lib.sh +BASH script at the very beginning. + +But on some operating systems like Ubuntu, /bin/sh is actually pointed to +DASH, thus it will try to run BASH commands with DASH and consequently +leads to syntax issues: + # ./bareudp.sh: 4: ./lib.sh: Bad substitution + # ./bareudp.sh: 5: ./lib.sh: source: not found + # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected + +Fix this by explicitly using BASH for bareudp.sh. This fixes test +execution failures on systems where /bin/sh is not BASH. + +Reported-by: Edoardo Canepa +Link: https://bugs.launchpad.net/bugs/2129812 +Signed-off-by: Po-Hsu Lin +Reviewed-by: Przemek Kitszel +Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bareudp.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh +index f366cadbc5e86..ff4308b48e65d 100755 +--- a/tools/testing/selftests/net/bareudp.sh ++++ b/tools/testing/selftests/net/bareudp.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Test various bareudp tunnel configurations. +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index e5868fa302..f3c08c7c56 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -50,3 +50,43 @@ drm-amd-display-increase-dpcd-read-retries.patch drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch drm-amd-display-fix-pbn-to-kbps-conversion.patch drm-amd-display-clear-the-cur_enable-register-on-dcn20-on-dpp5.patch +xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch +xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch +pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch +xfrm-determine-inner-gso-type-from-packet-inner-prot.patch +xfrm-prevent-locally-generated-packets-from-direct-o.patch +pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch +platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch +platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +drm-tegra-add-call-to-put_pid.patch +net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch +net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch +net-openvswitch-remove-never-working-support-for-set.patch +tools-riscv-fixed-misalignment-of-csr-related-defini.patch +nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch +s390-ctcm-fix-double-kfree.patch +selftests-net-lib-do-not-overwrite-error-messages.patch +platform-x86-intel-speed_select_if-convert-pcibios_-.patch +net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch +idpf-fix-possible-vport_config-null-pointer-deref-in.patch +ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch +pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch +pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch +devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch +net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch +af_unix-cache-state-msg-in-unix_stream_read_generic.patch +af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch +loongarch-use-uapi-types-in-ptrace-uapi-header.patch +cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +bcma-don-t-register-devices-disabled-in-of.patch +cifs-fix-typo-in-enable_gcm_256-module-parameter.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +x86-microcode-amd-limit-entrysign-signature-checking.patch +selftests-net-use-bash-for-bareudp-testing.patch +net-tls-change-async-resync-helpers-argument.patch +blk-crypto-use-blk_sts_inval-for-alignment-errors.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-6.12/tools-riscv-fixed-misalignment-of-csr-related-defini.patch b/queue-6.12/tools-riscv-fixed-misalignment-of-csr-related-defini.patch new file mode 100644 index 0000000000..b6a6aa5d4e --- /dev/null +++ b/queue-6.12/tools-riscv-fixed-misalignment-of-csr-related-defini.patch @@ -0,0 +1,62 @@ +From fe75c6d12f2beb8334d198a0df363d50e7743666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 15:12:15 +0800 +Subject: tools: riscv: Fixed misalignment of CSR related definitions + +From: Chen Pei + +[ Upstream commit e2cb69263e797c0aa6676bcef23e9e27e44c83b0 ] + +The file tools/arch/riscv/include/asm/csr.h borrows from +arch/riscv/include/asm/csr.h, and subsequent modifications +related to CSR should maintain consistency. + +Signed-off-by: Chen Pei +Link: https://patch.msgid.link/20251114071215.816-1-cp0613@linux.alibaba.com +[pjw@kernel.org: dropped Fixes: lines for patches that weren't broken; removed superfluous blank line] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/perf/riscv_pmu_sbi.c | 2 +- + tools/arch/riscv/include/asm/csr.h | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c +index da3651d329069..6df8b260f0702 100644 +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -1016,7 +1016,7 @@ static irqreturn_t pmu_sbi_ovf_handler(int irq, void *dev) + /* compute hardware counter index */ + hidx = info->csr - CSR_CYCLE; + +- /* check if the corresponding bit is set in sscountovf or overflow mask in shmem */ ++ /* check if the corresponding bit is set in scountovf or overflow mask in shmem */ + if (!(overflow & BIT(hidx))) + continue; + +diff --git a/tools/arch/riscv/include/asm/csr.h b/tools/arch/riscv/include/asm/csr.h +index 0dfc09254f99a..1cd824aaa3ba2 100644 +--- a/tools/arch/riscv/include/asm/csr.h ++++ b/tools/arch/riscv/include/asm/csr.h +@@ -167,7 +167,8 @@ + #define VSIP_TO_HVIP_SHIFT (IRQ_VS_SOFT - IRQ_S_SOFT) + #define VSIP_VALID_MASK ((_AC(1, UL) << IRQ_S_SOFT) | \ + (_AC(1, UL) << IRQ_S_TIMER) | \ +- (_AC(1, UL) << IRQ_S_EXT)) ++ (_AC(1, UL) << IRQ_S_EXT) | \ ++ (_AC(1, UL) << IRQ_PMU_OVF)) + + /* AIA CSR bits */ + #define TOPI_IID_SHIFT 16 +@@ -280,7 +281,7 @@ + #define CSR_HPMCOUNTER30H 0xc9e + #define CSR_HPMCOUNTER31H 0xc9f + +-#define CSR_SSCOUNTOVF 0xda0 ++#define CSR_SCOUNTOVF 0xda0 + + #define CSR_SSTATUS 0x100 + #define CSR_SIE 0x104 +-- +2.51.0 + diff --git a/queue-6.12/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-6.12/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..c86ba1ca62 --- /dev/null +++ b/queue-6.12/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From 9a650d808d2fa40c4cd2c6b55df8eff50bf58e2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 68a9d4214584f..621be9be64f67 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1616,18 +1616,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-6.12/x86-microcode-amd-limit-entrysign-signature-checking.patch b/queue-6.12/x86-microcode-amd-limit-entrysign-signature-checking.patch new file mode 100644 index 0000000000..09038170ac --- /dev/null +++ b/queue-6.12/x86-microcode-amd-limit-entrysign-signature-checking.patch @@ -0,0 +1,63 @@ +From 172066aea2e12be6fa3b8cdf7233c027b8e5e4fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 14:46:29 +0200 +Subject: x86/microcode/AMD: Limit Entrysign signature checking to known + generations + +From: Borislav Petkov (AMD) + +[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ] + +Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5. + +X86_BUG cannot be used here because the loading on the BSP happens way +too early, before the cpufeatures machinery has been set up. + +Signed-off-by: Borislav Petkov (AMD) +Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index 93cbf05b83a56..7e997360223b2 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -224,6 +224,24 @@ static bool need_sha_check(u32 cur_rev) + return true; + } + ++static bool cpu_has_entrysign(void) ++{ ++ unsigned int fam = x86_family(bsp_cpuid_1_eax); ++ unsigned int model = x86_model(bsp_cpuid_1_eax); ++ ++ if (fam == 0x17 || fam == 0x19) ++ return true; ++ ++ if (fam == 0x1a) { ++ if (model <= 0x2f || ++ (0x40 <= model && model <= 0x4f) || ++ (0x60 <= model && model <= 0x6f)) ++ return true; ++ } ++ ++ return false; ++} ++ + static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len) + { + struct patch_digest *pd = NULL; +@@ -231,7 +249,7 @@ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsi + struct sha256_state s; + int i; + +- if (x86_family(bsp_cpuid_1_eax) < 0x17) ++ if (!cpu_has_entrysign()) + return true; + + if (!need_sha_check(cur_rev)) +-- +2.51.0 + diff --git a/queue-6.12/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch b/queue-6.12/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch new file mode 100644 index 0000000000..3101b2a3ee --- /dev/null +++ b/queue-6.12/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch @@ -0,0 +1,96 @@ +From ec380dc3515271fdca298dc8c8930b2e2dfd26cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 04:22:48 +0200 +Subject: xfrm: Determine inner GSO type from packet inner protocol + +From: Jianbo Liu + +[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ] + +The GSO segmentation functions for ESP tunnel mode +(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were +determining the inner packet's L2 protocol type by checking the static +x->inner_mode.family field from the xfrm state. + +This is unreliable. In tunnel mode, the state's actual inner family +could be defined by x->inner_mode.family or by +x->inner_mode_iaf.family. Checking only the former can lead to a +mismatch with the actual packet being processed, causing GSO to create +segments with the wrong L2 header type. + +This patch fixes the bug by deriving the inner mode directly from the +packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol. + +Instead of replicating the code, this patch modifies the +xfrm_ip2inner_mode helper function. It now correctly returns +&x->inner_mode if the selector family (x->sel.family) is already +specified, thereby handling both specific and AF_UNSPEC cases +appropriately. + +With this change, ESP GSO can use xfrm_ip2inner_mode to get the +correct inner mode. It doesn't affect existing callers, as the updated +logic now mirrors the checks they were already performing externally. + +Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 3 ++- + net/ipv4/esp4_offload.c | 6 ++++-- + net/ipv6/esp6_offload.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index 1484dd15a3694..caaff61601a07 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -472,7 +472,8 @@ static inline int xfrm_af2proto(unsigned int family) + + static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) + { +- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || ++ if ((x->sel.family != AF_UNSPEC) || ++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || + (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) + return &x->inner_mode; + else +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index e0d94270da28a..05828d4cb6cdb 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -122,8 +122,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6) +- : htons(ETH_P_IP); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) ++ : htons(ETH_P_IP); + + return skb_eth_gso_segment(skb, features, type); + } +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index 7b41fb4f00b58..22410243ebe88 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -158,8 +158,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP) +- : htons(ETH_P_IPV6); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) ++ : htons(ETH_P_IPV6); + + return skb_eth_gso_segment(skb, features, type); + } +-- +2.51.0 + diff --git a/queue-6.12/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch b/queue-6.12/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch new file mode 100644 index 0000000000..6d9074ee77 --- /dev/null +++ b/queue-6.12/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch @@ -0,0 +1,47 @@ +From 45063117417619a4f66efc36b573ee65f2db361a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:12 +0200 +Subject: xfrm: drop SA reference in xfrm_state_update if dir doesn't match + +From: Sabrina Dubroca + +[ Upstream commit 8d2a2a49c30f67a480fa9ed25e08436a446f057e ] + +We're not updating x1, but we still need to put() it. + +Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 1e2f5ecd63248..f8cb033f102ed 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2117,14 +2117,18 @@ int xfrm_state_update(struct xfrm_state *x) + } + + if (x1->km.state == XFRM_STATE_ACQ) { +- if (x->dir && x1->dir != x->dir) ++ if (x->dir && x1->dir != x->dir) { ++ to_put = x1; + goto out; ++ } + + __xfrm_state_insert(x); + x = NULL; + } else { +- if (x1->dir != x->dir) ++ if (x1->dir != x->dir) { ++ to_put = x1; + goto out; ++ } + } + err = 0; + +-- +2.51.0 + diff --git a/queue-6.12/xfrm-prevent-locally-generated-packets-from-direct-o.patch b/queue-6.12/xfrm-prevent-locally-generated-packets-from-direct-o.patch new file mode 100644 index 0000000000..9a4966ed40 --- /dev/null +++ b/queue-6.12/xfrm-prevent-locally-generated-packets-from-direct-o.patch @@ -0,0 +1,44 @@ +From 0c31e08f1b7ea748ffb8aaf1e01ab5382c7d3bc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 11:50:25 +0200 +Subject: xfrm: Prevent locally generated packets from direct output in tunnel + mode + +From: Jianbo Liu + +[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ] + +Add a check to ensure locally generated packets (skb->sk != NULL) do +not use direct output in tunnel mode, as these packets require proper +L2 header setup that is handled by the normal XFRM processing path. + +Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_output.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index a30538a980cc7..9277dd4ed541a 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -766,8 +766,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) + /* Exclusive direct xmit for tunnel mode, as + * some filtering or matching rules may apply + * in transport mode. ++ * Locally generated packets also require ++ * the normal XFRM path for L2 header setup, ++ * as the hardware needs the L2 header to match ++ * for encryption, so skip direct output as well. + */ +- if (x->props.mode == XFRM_MODE_TUNNEL) ++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk) + return xfrm_dev_direct_output(sk, x, skb); + + return xfrm_output_resume(sk, skb, 0); +-- +2.51.0 + diff --git a/queue-6.12/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch b/queue-6.12/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch new file mode 100644 index 0000000000..4be03d017a --- /dev/null +++ b/queue-6.12/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch @@ -0,0 +1,41 @@ +From d8c21464ec4c3f677c62d3e05154ffe758cfadfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:16 +0200 +Subject: xfrm: set err and extack on failure to create pcpu SA + +From: Sabrina Dubroca + +[ Upstream commit 1dcf617bec5cb85f68ca19969e7537ef6f6931d3 ] + +xfrm_state_construct can fail without setting an error if the +requested pcpu_num value is too big. Set err and add an extack message +to avoid confusing userspace. + +Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index d41e5642625e3..3d0fdeebaf3c8 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -893,8 +893,11 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + + if (attrs[XFRMA_SA_PCPU]) { + x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); +- if (x->pcpu_num >= num_possible_cpus()) ++ if (x->pcpu_num >= num_possible_cpus()) { ++ err = -ERANGE; ++ NL_SET_ERR_MSG(extack, "pCPU number too big"); + goto error; ++ } + } + + err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV], extack); +-- +2.51.0 + diff --git a/queue-6.17/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch b/queue-6.17/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch new file mode 100644 index 0000000000..10a08d5d27 --- /dev/null +++ b/queue-6.17/af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch @@ -0,0 +1,109 @@ +From 0f012048e33f3d90e9637b82a6df1c8afe92e252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 17:47:10 +0000 +Subject: af_unix: Read sk_peek_offset() again after sleeping in + unix_stream_read_generic(). + +From: Kuniyuki Iwashima + +[ Upstream commit 7bf3a476ce43833c49fceddbe94ff3472e04e9bc ] + +Miao Wang reported a bug of SO_PEEK_OFF on AF_UNIX SOCK_STREAM +socket. + +The unexpected behaviour is triggered when the peek offset is +larger than the recv queue and the thread is unblocked by new +data. + +Let's assume a socket which has "aaaa" in the recv queue and +the peek offset is 4. + +First, unix_stream_read_generic() reads the offset 4 and skips +the skb(s) of "aaaa" with the code below: + + skip = max(sk_peek_offset(sk, flags), 0); /* @skip is 4. */ + + do { + ... + while (skip >= unix_skb_len(skb)) { + skip -= unix_skb_len(skb); + ... + skb = skb_peek_next(skb, &sk->sk_receive_queue); + if (!skb) + goto again; /* @skip is 0. */ + } + +The thread jumps to the 'again' label and goes to sleep since +new data has not arrived yet. + +Later, new data "bbbb" unblocks the thread, and the thread jumps +to the 'redo:' label to restart the entire process from the first +skb in the recv queue. + + do { + ... +redo: + ... + last = skb = skb_peek(&sk->sk_receive_queue); + ... +again: + if (skb == NULL) { + ... + timeo = unix_stream_data_wait(sk, timeo, last, + last_len, freezable); + ... + goto redo; /* @skip is 0 !! */ + +However, the peek offset is not reset in the path. + +If the buffer size is 8, recv() will return "aaaabbbb" without +skipping any data, and the final offset will be 12 (the original +offset 4 + peeked skbs' length 8). + +After sleeping in unix_stream_read_generic(), we have to fetch the +peek offset again. + +Let's move the redo label before mutex_lock(&u->iolock). + +Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag") +Reported-by: Miao Wang +Closes: https://lore.kernel.org/netdev/3B969F90-F51F-4B9D-AB1A-994D9A54D460@gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20251117174740.3684604-2-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 6d7c110814ffa..0f288a80e0acd 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2954,6 +2954,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + + u = unix_sk(sk); + ++redo: + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +@@ -2965,7 +2966,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + struct sk_buff *skb, *last; + int chunk; + +-redo: + unix_state_lock(sk); + if (sock_flag(sk, SOCK_DEAD)) { + err = -ECONNRESET; +@@ -3015,7 +3015,6 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state, + goto out; + } + +- mutex_lock(&u->iolock); + goto redo; + unlock: + unix_state_unlock(sk); +-- +2.51.0 + diff --git a/queue-6.17/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch b/queue-6.17/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch new file mode 100644 index 0000000000..7520432994 --- /dev/null +++ b/queue-6.17/alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch @@ -0,0 +1,38 @@ +From 9936ba7e9a7bb05f3a056cba8ba6a9c7d3027c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Oct 2025 15:52:26 +0100 +Subject: ALSA: hda/realtek: Add quirk for Lenovo Yoga 7 2-in-1 14AKP10 + +From: J-Donald Tournier + +[ Upstream commit 1386d16761c0b569efedb998f56c1ae048a086e2 ] + +This laptop requires the same quirk as Lenovo Yoga9 14IAP7 for +fixing the bass speaker problems. + +Use HDA_CODEC_QUIRK to match on the codec SSID to avoid conflict with +the Lenovo Legion Slim 7 16IRH8, which has the same PCI SSID. + +Signed-off-by: J-Donald Tournier +Link: https://patch.msgid.link/20251018145322.39119-1-jdournier@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 19604352317dd..20f0ad43953f4 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -7082,6 +7082,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x17aa, 0x38a9, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), + SND_PCI_QUIRK(0x17aa, 0x38ab, "Thinkbook 16P", ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD), + SND_PCI_QUIRK(0x17aa, 0x38b4, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), ++ HDA_CODEC_QUIRK(0x17aa, 0x391c, "Lenovo Yoga 7 2-in-1 14AKP10", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN), + SND_PCI_QUIRK(0x17aa, 0x38b5, "Legion Slim 7 16IRH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b6, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x17aa, 0x38b7, "Legion Slim 7 16APH8", ALC287_FIXUP_CS35L41_I2C_2), +-- +2.51.0 + diff --git a/queue-6.17/alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch b/queue-6.17/alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch new file mode 100644 index 0000000000..9d46a60b8b --- /dev/null +++ b/queue-6.17/alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch @@ -0,0 +1,36 @@ +From 3b3cd5df8100b7f22b675ef745bfca1ce9c7f66d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 13:58:10 +0300 +Subject: ALSA: hda/realtek: Fix mute led for HP Victus 15-fa1xxx (MB 8C2D) + +From: Eren Demir + +[ Upstream commit 28935ee5e4789ad86c08ba9f2426edd6203d13fa ] + +The quirk for Victus 15-fa1xxx wasn't working on Victus 15-fa1031nt due to a different board id. This patch enables the existing quirk for the board id 8BC8. + +Tested on HP Victus 15-fa1031nt (MB 8C2D). The LED behaviour works as intended. + +Signed-off-by: Eren Demir +Link: https://patch.msgid.link/20251027110208.6481-1-eren.demir2479090@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/realtek/alc269.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c +index 20f0ad43953f4..796f555dd381d 100644 +--- a/sound/hda/codecs/realtek/alc269.c ++++ b/sound/hda/codecs/realtek/alc269.c +@@ -6580,6 +6580,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = { + SND_PCI_QUIRK(0x103c, 0x8c16, "HP Spectre x360 2-in-1 Laptop 16-aa0xxx", ALC245_FIXUP_HP_SPECTRE_X360_16_AA0XXX), + SND_PCI_QUIRK(0x103c, 0x8c17, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8c21, "HP Pavilion Plus Laptop 14-ey0XXX", ALC245_FIXUP_HP_X360_MUTE_LEDS), ++ SND_PCI_QUIRK(0x103c, 0x8c2d, "HP Victus 15-fa1xxx (MB 8C2D)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8c30, "HP Victus 15-fb1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8c46, "HP EliteBook 830 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8c47, "HP EliteBook 840 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), +-- +2.51.0 + diff --git a/queue-6.17/asoc-rt721-fix-prepare-clock-stop-failed.patch b/queue-6.17/asoc-rt721-fix-prepare-clock-stop-failed.patch new file mode 100644 index 0000000000..7b06017d9e --- /dev/null +++ b/queue-6.17/asoc-rt721-fix-prepare-clock-stop-failed.patch @@ -0,0 +1,50 @@ +From 38056358953efd70f7ef5cccb2b4a9d28e1d7325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 18:33:33 +0800 +Subject: ASoC: rt721: fix prepare clock stop failed + +From: Shuming Fan + +[ Upstream commit d914ec6f07548f7c13a231a4f526e043e736e82e ] + +This patch adds settings to prevent the 'prepare clock stop failed' error. + +Signed-off-by: Shuming Fan +Link: https://patch.msgid.link/20251027103333.38353-1-shumingf@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt721-sdca.c | 4 ++++ + sound/soc/codecs/rt721-sdca.h | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/sound/soc/codecs/rt721-sdca.c b/sound/soc/codecs/rt721-sdca.c +index a4bd29d7220b8..5f7b505d54147 100644 +--- a/sound/soc/codecs/rt721-sdca.c ++++ b/sound/soc/codecs/rt721-sdca.c +@@ -281,6 +281,10 @@ static void rt721_sdca_jack_preset(struct rt721_sdca_priv *rt721) + rt_sdca_index_write(rt721->mbq_regmap, RT721_BOOST_CTRL, + RT721_BST_4CH_TOP_GATING_CTRL1, 0x002a); + regmap_write(rt721->regmap, 0x2f58, 0x07); ++ ++ regmap_write(rt721->regmap, 0x2f51, 0x00); ++ rt_sdca_index_write(rt721->mbq_regmap, RT721_HDA_SDCA_FLOAT, ++ RT721_MISC_CTL, 0x0004); + } + + static void rt721_sdca_jack_init(struct rt721_sdca_priv *rt721) +diff --git a/sound/soc/codecs/rt721-sdca.h b/sound/soc/codecs/rt721-sdca.h +index 71fac9cd87394..24ce188562baf 100644 +--- a/sound/soc/codecs/rt721-sdca.h ++++ b/sound/soc/codecs/rt721-sdca.h +@@ -137,6 +137,7 @@ struct rt721_sdca_dmic_kctrl_priv { + #define RT721_HDA_LEGACY_UAJ_CTL 0x02 + #define RT721_HDA_LEGACY_CTL1 0x05 + #define RT721_HDA_LEGACY_RESET_CTL 0x06 ++#define RT721_MISC_CTL 0x07 + #define RT721_XU_REL_CTRL 0x0c + #define RT721_GE_REL_CTRL1 0x0d + #define RT721_HDA_LEGACY_GPIO_WAKE_EN_CTL 0x0e +-- +2.51.0 + diff --git a/queue-6.17/bcma-don-t-register-devices-disabled-in-of.patch b/queue-6.17/bcma-don-t-register-devices-disabled-in-of.patch new file mode 100644 index 0000000000..e0beafb4c3 --- /dev/null +++ b/queue-6.17/bcma-don-t-register-devices-disabled-in-of.patch @@ -0,0 +1,51 @@ +From 4a9d79aa3fba19433606d32b00976f7b0ac07ea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 14:51:26 +0200 +Subject: bcma: don't register devices disabled in OF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ] + +Some bus devices can be marked as disabled for specific SoCs or models. +Those should not be registered to avoid probing them. + +Signed-off-by: Rafał Miłecki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 6ecfc821cf833..72f045e6ed513 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus) + int err; + + list_for_each_entry(core, &bus->cores, list) { ++ struct device_node *np; ++ + /* We support that core ourselves */ + switch (core->id.id) { + case BCMA_CORE_4706_CHIPCOMMON: +@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus) + if (bcma_is_core_needed_early(core->id.id)) + continue; + ++ np = core->dev.of_node; ++ if (np && !of_device_is_available(np)) ++ continue; ++ + /* Only first GMAC core on BCM4706 is connected and working */ + if (core->id.id == BCMA_CORE_4706_MAC_GBIT && + core->core_unit > 0) +-- +2.51.0 + diff --git a/queue-6.17/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch b/queue-6.17/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch new file mode 100644 index 0000000000..303ec5e240 --- /dev/null +++ b/queue-6.17/blk-crypto-use-blk_sts_inval-for-alignment-errors.patch @@ -0,0 +1,42 @@ +From ca6137099df179c26c3b0f7a8055dac065f882e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Oct 2025 04:39:18 +0000 +Subject: blk-crypto: use BLK_STS_INVAL for alignment errors + +From: Carlos Llamas + +[ Upstream commit 0b39ca457241aeca07a613002512573e8804f93a ] + +Make __blk_crypto_bio_prep() propagate BLK_STS_INVAL when IO segments +fail the data unit alignment check. + +This was flagged by an LTP test that expects EINVAL when performing an +O_DIRECT read with a misaligned buffer [1]. + +Cc: Eric Biggers +Cc: Christoph Hellwig +Link: https://lore.kernel.org/all/aP-c5gPjrpsn0vJA@google.com/ [1] +Signed-off-by: Carlos Llamas +Reviewed-by: Eric Biggers +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-crypto.c b/block/blk-crypto.c +index 4b1ad84d1b5ab..3e7bf1974cbd8 100644 +--- a/block/blk-crypto.c ++++ b/block/blk-crypto.c +@@ -292,7 +292,7 @@ bool __blk_crypto_bio_prep(struct bio **bio_ptr) + } + + if (!bio_crypt_check_alignment(bio)) { +- bio->bi_status = BLK_STS_IOERR; ++ bio->bi_status = BLK_STS_INVAL; + goto fail; + } + +-- +2.51.0 + diff --git a/queue-6.17/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch b/queue-6.17/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch new file mode 100644 index 0000000000..46dcf5898d --- /dev/null +++ b/queue-6.17/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch @@ -0,0 +1,64 @@ +From 945b2e49870f2eceed667e2f742a845f55cf7c9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Nov 2025 20:32:57 +0530 +Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path + +From: Shaurya Rane + +[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ] + +Add proper cleanup of ctx->source and fc->source to the +cifs_parse_mount_err error handler. This ensures that memory allocated +for the source strings is correctly freed on all error paths, matching +the cleanup already performed in the success path by +smb3_cleanup_fs_context_contents(). +Pointers are also set to NULL after freeing to prevent potential +double-free issues. + +This change fixes a memory leak originally detected by syzbot. The +leak occurred when processing Opt_source mount options if an error +happened after ctx->source and fc->source were successfully +allocated but before the function completed. + +The specific leak sequence was: +1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory +2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory +3. A subsequent error jumps to cifs_parse_mount_err +4. The old error handler freed passwords but not the source strings, +causing the memory to leak. + +This issue was not addressed by commit e8c73eb7db0a ("cifs: client: +fix memory leak in smb3_fs_context_parse_param"), which only fixed +leaks from repeated fsconfig() calls but not this error path. + +Patch updated with minor change suggested by kernel test robot + +Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3 +Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") +Reviewed-by: David Howells +Signed-off-by: Shaurya Rane +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index 55ea0ad894449..c9cd00b96cde1 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1829,6 +1829,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->password = NULL; + kfree_sensitive(ctx->password2); + ctx->password2 = NULL; ++ kfree(ctx->source); ++ ctx->source = NULL; ++ kfree(fc->source); ++ fc->source = NULL; + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.17/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch b/queue-6.17/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch new file mode 100644 index 0000000000..87f6a1c052 --- /dev/null +++ b/queue-6.17/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch @@ -0,0 +1,34 @@ +From feaa4bdb3708be6a386903ca6f803ec81d2123a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 21:17:01 -0500 +Subject: cifs: fix typo in enable_gcm_256 module parameter + +From: Steve French + +[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ] + +Fix typo in description of enable_gcm_256 module parameter + +Suggested-by: Thomas Spear +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c +index e1848276bab41..984545cfe30b7 100644 +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -133,7 +133,7 @@ module_param(enable_oplocks, bool, 0644); + MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); + + module_param(enable_gcm_256, bool, 0644); +-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); ++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1"); + + module_param(require_gcm_256, bool, 0644); + MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); +-- +2.51.0 + diff --git a/queue-6.17/clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch b/queue-6.17/clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch new file mode 100644 index 0000000000..d7548088c8 --- /dev/null +++ b/queue-6.17/clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch @@ -0,0 +1,41 @@ +From 661abf83efe7878793b62f4d5035cb1c6ba9cfa3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Oct 2025 17:27:04 +0200 +Subject: clk: sunxi-ng: Mark A523 bus-r-cpucfg clock as critical + +From: Jernej Skrabec + +[ Upstream commit 1dba74abf3e2fa4484b924d8ba6e54e64ebb8c82 ] + +bus-r-cpucfg clock is important for peripheral which takes care of +powering CPU cores on and off. Since this operation is done by firmware +(TF-A), mark it as critical. That way Linux won't interfere with that +clock. + +Fixes: 8cea339cfb81 ("clk: sunxi-ng: add support for the A523/T527 PRCM CCU") +Signed-off-by: Jernej Skrabec +Reviewed-by: Andre Przywara +Tested-by: Andre Przywara +Link: https://patch.msgid.link/20251020152704.4804-1-jernej.skrabec@gmail.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c +index 70ce0ca0cb7db..c5b0d4a2e397e 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c ++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c +@@ -125,7 +125,7 @@ static SUNXI_CCU_GATE_HW(bus_r_dma_clk, "bus-r-dma", + static SUNXI_CCU_GATE_HW(bus_r_rtc_clk, "bus-r-rtc", + &r_apb0_clk.common.hw, 0x20c, BIT(0), 0); + static SUNXI_CCU_GATE_HW(bus_r_cpucfg_clk, "bus-r-cpucfg", +- &r_apb0_clk.common.hw, 0x22c, BIT(0), 0); ++ &r_apb0_clk.common.hw, 0x22c, BIT(0), CLK_IS_CRITICAL); + + static struct ccu_common *sun55i_a523_r_ccu_clks[] = { + &r_ahb_clk.common, +-- +2.51.0 + diff --git a/queue-6.17/clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch b/queue-6.17/clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch new file mode 100644 index 0000000000..6b695fa0a2 --- /dev/null +++ b/queue-6.17/clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch @@ -0,0 +1,42 @@ +From d02dcdb3496ba64f238ead1ad43a6870dd6ca1e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 01:10:52 +0800 +Subject: clk: sunxi-ng: sun55i-a523-ccu: Lower audio0 pll minimum rate + +From: Chen-Yu Tsai + +[ Upstream commit 2050280a4bb660b47f8cccf75a69293ae7cbb087 ] + +While the user manual states that the PLL's rate should be between 180 +MHz and 3 GHz in the register defninition section, it also says the +actual operating frequency is 22.5792*4 MHz in the PLL features table. + +22.5792*4 MHz is one of the actual clock rates that we want and is +is available in the SDM table. Lower the minimum clock rate to 90 MHz +so that both rates in the SDM table can be used. + +Fixes: 7cae1e2b5544 ("clk: sunxi-ng: Add support for the A523/T527 CCU PLLs") +Reviewed-by: Jernej Skrabec +Link: https://patch.msgid.link/20251020171059.2786070-7-wens@kernel.org +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun55i-a523.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523.c +index 1a9a1cb869e23..9e0468fb012b6 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523.c ++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523.c +@@ -299,7 +299,7 @@ static struct ccu_nm pll_audio0_4x_clk = { + .m = _SUNXI_CCU_DIV(16, 6), + .sdm = _SUNXI_CCU_SDM(pll_audio0_sdm_table, BIT(24), + 0x178, BIT(31)), +- .min_rate = 180000000U, ++ .min_rate = 90000000U, + .max_rate = 3000000000U, + .common = { + .reg = 0x078, +-- +2.51.0 + diff --git a/queue-6.17/clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch b/queue-6.17/clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch new file mode 100644 index 0000000000..92f79c06be --- /dev/null +++ b/queue-6.17/clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch @@ -0,0 +1,44 @@ +From 753839537b471a7927b98c902e192a0a1dacd718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Oct 2025 01:10:51 +0800 +Subject: clk: sunxi-ng: sun55i-a523-r-ccu: Mark bus-r-dma as critical + +From: Chen-Yu Tsai + +[ Upstream commit 5888533c6011de319c5f23ae147f1f291ce81582 ] + +The "bus-r-dma" clock in the A523's PRCM clock controller is also +referred to as "DMA_CLKEN_SW" or "DMA ADB400 gating". It is unclear how +this ties into the DMA controller MBUS clock gate; however if the clock +is not enabled, the DMA controller in the MCU block will fail to access +DRAM, even failing to retrieve the DMA descriptors. + +Mark this clock as critical. This sort of mirrors what is done for the +main DMA controller's MBUS clock, which has a separate toggle that is +currently left out of the main clock controller driver. + +Fixes: 8cea339cfb81 ("clk: sunxi-ng: add support for the A523/T527 PRCM CCU") +Acked-by: Jernej Skrabec +Link: https://patch.msgid.link/20251020171059.2786070-6-wens@kernel.org +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c +index c5b0d4a2e397e..0339c4af0fe5b 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c ++++ b/drivers/clk/sunxi-ng/ccu-sun55i-a523-r.c +@@ -121,7 +121,7 @@ static SUNXI_CCU_GATE_HW(bus_r_ir_rx_clk, "bus-r-ir-rx", + &r_apb0_clk.common.hw, 0x1cc, BIT(0), 0); + + static SUNXI_CCU_GATE_HW(bus_r_dma_clk, "bus-r-dma", +- &r_apb0_clk.common.hw, 0x1dc, BIT(0), 0); ++ &r_apb0_clk.common.hw, 0x1dc, BIT(0), CLK_IS_CRITICAL); + static SUNXI_CCU_GATE_HW(bus_r_rtc_clk, "bus-r-rtc", + &r_apb0_clk.common.hw, 0x20c, BIT(0), 0); + static SUNXI_CCU_GATE_HW(bus_r_cpucfg_clk, "bus-r-cpucfg", +-- +2.51.0 + diff --git a/queue-6.17/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch b/queue-6.17/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch new file mode 100644 index 0000000000..bdbd350dce --- /dev/null +++ b/queue-6.17/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch @@ -0,0 +1,127 @@ +From 6121737f6e125b2aac103eb8819ea9983a267cc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:05:49 +0200 +Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy + +From: Shay Drory + +[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ] + +The function devl_rate_nodes_destroy is documented to "Unset parent for +all rate objects". However, it was only calling the driver-specific +`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing +the parent's refcount, without actually setting the +`devlink_rate->parent` pointer to NULL. + +This leaves a dangling pointer in the `devlink_rate` struct, which cause +refcount error in netdevsim[1] and mlx5[2]. In addition, this is +inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, +where the parent pointer is correctly cleared. + +This patch fixes the issue by explicitly setting `devlink_rate->parent` +to NULL after notifying the driver, thus fulfilling the function's +documented behavior for all rate objects. + +[1] +repro steps: +echo 1 > /sys/bus/netdevsim/new_device +devlink dev eswitch set netdevsim/netdevsim1 mode switchdev +echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs +devlink port function rate add netdevsim/netdevsim1/test_node +devlink port function rate set netdevsim/netdevsim1/128 parent test_node +echo 1 > /sys/bus/netdevsim/del_device + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + __nsim_dev_port_del+0x6c/0x70 [netdevsim] + nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] + nsim_drv_remove+0x2b/0xb0 [netdevsim] + device_release_driver_internal+0x194/0x1f0 + bus_remove_device+0xc6/0x130 + device_del+0x159/0x3c0 + device_unregister+0x1a/0x60 + del_device_store+0x111/0x170 [netdevsim] + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x55/0x10f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +devlink dev eswitch set pci/0000:08:00.0 mode switchdev +devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 +devlink port function rate add pci/0000:08:00.0/group1 +devlink port function rate set pci/0000:08:00.0/32768 parent group1 +modprobe -r mlx5_ib mlx5_fwctl mlx5_core + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] + mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] + mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] + mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] + notifier_call_chain+0x33/0xa0 + blocking_notifier_call_chain+0x3b/0x50 + mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] + mlx5_eswitch_disable+0x63/0x90 [mlx5_core] + mlx5_unload+0x1d/0x170 [mlx5_core] + mlx5_uninit_one+0xa2/0x130 [mlx5_core] + remove_one+0x78/0xd0 [mlx5_core] + pci_device_remove+0x39/0xa0 + device_release_driver_internal+0x194/0x1f0 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x53/0x1f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects") +Signed-off-by: Shay Drory +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/rate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/devlink/rate.c b/net/devlink/rate.c +index 264fb82cba196..d157a8419bcad 100644 +--- a/net/devlink/rate.c ++++ b/net/devlink/rate.c +@@ -828,13 +828,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink) + if (!devlink_rate->parent) + continue; + +- refcount_dec(&devlink_rate->parent->refcnt); + if (devlink_rate_is_leaf(devlink_rate)) + ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); + else if (devlink_rate_is_node(devlink_rate)) + ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); ++ ++ refcount_dec(&devlink_rate->parent->refcnt); ++ devlink_rate->parent = NULL; + } + list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) { + if (devlink_rate_is_node(devlink_rate)) { +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-display-add-definition-for-wcl-as-subplatfo.patch b/queue-6.17/drm-i915-display-add-definition-for-wcl-as-subplatfo.patch new file mode 100644 index 0000000000..9d6e63f2a9 --- /dev/null +++ b/queue-6.17/drm-i915-display-add-definition-for-wcl-as-subplatfo.patch @@ -0,0 +1,73 @@ +From de9578803067ed0b27af908b1d14890428b0aca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 20:33:16 +0530 +Subject: drm/i915/display: Add definition for wcl as subplatform + +From: Dnyaneshwar Bhadane + +[ Upstream commit 913253ed47b9925454cbb17faa3e350015b3d67a ] + +We will need to differentiate between WCL and PTL in +intel_encoder_is_c10phy(). Since WCL and PTL use the same display +architecture, let's define WCL as a subplatform of PTL to allow the +differentiation. + +v2: Update commit message and reorder wcl define (Gustavo) + +Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list") +Signed-off-by: Dnyaneshwar Bhadane +Reviewed-by: Gustavo Sousa +Signed-off-by: Suraj Kandpal +Link: https://lore.kernel.org/r/20250922150317.2334680-3-dnyaneshwar.bhadane@intel.com +(cherry picked from commit 4dfaae643e59cf3ab71b88689dce1b874f036f00) +Signed-off-by: Rodrigo Vivi +[Rodrigo added Fixes tag when porting it to fixes] +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_display_device.c | 12 ++++++++++++ + drivers/gpu/drm/i915/display/intel_display_device.h | 4 +++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_display_device.c b/drivers/gpu/drm/i915/display/intel_display_device.c +index 9023c15f3645d..f7ea4ed2b176b 100644 +--- a/drivers/gpu/drm/i915/display/intel_display_device.c ++++ b/drivers/gpu/drm/i915/display/intel_display_device.c +@@ -1391,8 +1391,20 @@ static const struct platform_desc bmg_desc = { + PLATFORM_GROUP(dgfx), + }; + ++static const u16 wcl_ids[] = { ++ INTEL_WCL_IDS(ID), ++ 0 ++}; ++ + static const struct platform_desc ptl_desc = { + PLATFORM(pantherlake), ++ .subplatforms = (const struct subplatform_desc[]) { ++ { ++ SUBPLATFORM(pantherlake, wildcatlake), ++ .pciidlist = wcl_ids, ++ }, ++ {}, ++ } + }; + + __diag_pop(); +diff --git a/drivers/gpu/drm/i915/display/intel_display_device.h b/drivers/gpu/drm/i915/display/intel_display_device.h +index 4308822f0415d..dddafb54188a6 100644 +--- a/drivers/gpu/drm/i915/display/intel_display_device.h ++++ b/drivers/gpu/drm/i915/display/intel_display_device.h +@@ -102,7 +102,9 @@ struct pci_dev; + /* Display ver 14.1 (based on GMD ID) */ \ + func(battlemage) \ + /* Display ver 30 (based on GMD ID) */ \ +- func(pantherlake) ++ func(pantherlake) \ ++ func(pantherlake_wildcatlake) ++ + + #define __MEMBER(name) unsigned long name:1; + #define __COUNT(x) 1 + +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch b/queue-6.17/drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch new file mode 100644 index 0000000000..277f6a3cc0 --- /dev/null +++ b/queue-6.17/drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch @@ -0,0 +1,65 @@ +From edc825bbdfcc229900df90174d7e5c9c856fe508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 20:33:17 +0530 +Subject: drm/i915/xe3: Restrict PTL intel_encoder_is_c10phy() to only PHY A + +From: Dnyaneshwar Bhadane + +[ Upstream commit 5474560381775bc70cc90ed2acefad48ffd6ee07 ] + +On PTL, no combo PHY is connected to PORT B. However, PORT B can +still be used for Type-C and will utilize the C20 PHY for eDP +over Type-C. In such configurations, VBTs also enumerate PORT B. + +This leads to issues where PORT B is incorrectly identified as using the +C10 PHY, due to the assumption that returning true for PORT B in +intel_encoder_is_c10phy() would not cause problems. + +From PTL's perspective, only PORT A/PHY A uses the C10 PHY. + +Update the helper intel_encoder_is_c10phy() to return true only for +PORT A/PHY on PTL. + +v2: Change the condition code style for ptl/wcl + +Bspec: 72571,73944 +Fixes: 9d10de78a37f ("drm/i915/wcl: C10 phy connected to port A and B") +Signed-off-by: Dnyaneshwar Bhadane +Reviewed-by: Gustavo Sousa +Signed-off-by: Suraj Kandpal +Link: https://lore.kernel.org/r/20250922150317.2334680-4-dnyaneshwar.bhadane@intel.com +(cherry picked from commit 8147f7a1c083fd565fb958824f7c552de3b2dc46) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_cx0_phy.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_cx0_phy.c b/drivers/gpu/drm/i915/display/intel_cx0_phy.c +index 801235a5bc0a3..a2d2cecf71217 100644 +--- a/drivers/gpu/drm/i915/display/intel_cx0_phy.c ++++ b/drivers/gpu/drm/i915/display/intel_cx0_phy.c +@@ -39,14 +39,12 @@ bool intel_encoder_is_c10phy(struct intel_encoder *encoder) + struct intel_display *display = to_intel_display(encoder); + enum phy phy = intel_encoder_to_phy(encoder); + +- /* PTL doesn't have a PHY connected to PORT B; as such, +- * there will never be a case where PTL uses PHY B. +- * WCL uses PORT A and B with the C10 PHY. +- * Reusing the condition for WCL and extending it for PORT B +- * should not cause any issues for PTL. +- */ +- if (display->platform.pantherlake && phy < PHY_C) +- return true; ++ if (display->platform.pantherlake) { ++ if (display->platform.pantherlake_wildcatlake) ++ return phy <= PHY_B; ++ else ++ return phy == PHY_A; ++ } + + if ((display->platform.lunarlake || display->platform.meteorlake) && phy < PHY_C) + return true; +-- +2.51.0 + diff --git a/queue-6.17/drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch b/queue-6.17/drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch new file mode 100644 index 0000000000..7477a46a5d --- /dev/null +++ b/queue-6.17/drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch @@ -0,0 +1,56 @@ +From e859338c20c359a50c33dc96bda061a7edeb89c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 18:45:17 +0530 +Subject: drm/i915/xe3lpd: Load DMC for Xe3_LPD version 30.02 + +From: Dnyaneshwar Bhadane + +[ Upstream commit fa766e759ff7b128ab77323d9d9c232434621bb6 ] + +Load the DMC for Xe3_LPD version 30.02. + +Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list") +Signed-off-by: Dnyaneshwar Bhadane +Reviewed-by: Gustavo Sousa +Reviewed-by: Chaitanya Kumar Borah +Link: https://lore.kernel.org/r/20251016131517.2032684-1-dnyaneshwar.bhadane@intel.com +Signed-off-by: Gustavo Sousa +(cherry picked from commit a63db39a578b543f5e5719b9f14dd82d3b8648d1) +Signed-off-by: Rodrigo Vivi +[Rodrigo added the Fixes tag while cherry-picking to fixes] +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_dmc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c +index 4aa2aa6379787..8ec06a734d8e3 100644 +--- a/drivers/gpu/drm/i915/display/intel_dmc.c ++++ b/drivers/gpu/drm/i915/display/intel_dmc.c +@@ -127,6 +127,9 @@ static bool dmc_firmware_param_disabled(struct intel_display *display) + #define DISPLAY_VER13_DMC_MAX_FW_SIZE 0x20000 + #define DISPLAY_VER12_DMC_MAX_FW_SIZE ICL_DMC_MAX_FW_SIZE + ++#define XE3LPD_3002_DMC_PATH DMC_PATH(xe3lpd_3002) ++MODULE_FIRMWARE(XE3LPD_3002_DMC_PATH); ++ + #define XE3LPD_DMC_PATH DMC_PATH(xe3lpd) + MODULE_FIRMWARE(XE3LPD_DMC_PATH); + +@@ -183,9 +186,10 @@ static const char *dmc_firmware_default(struct intel_display *display, u32 *size + { + const char *fw_path = NULL; + u32 max_fw_size = 0; +- +- if (DISPLAY_VERx100(display) == 3002 || +- DISPLAY_VERx100(display) == 3000) { ++ if (DISPLAY_VERx100(display) == 3002) { ++ fw_path = XE3LPD_3002_DMC_PATH; ++ max_fw_size = XE2LPD_DMC_MAX_FW_SIZE; ++ } else if (DISPLAY_VERx100(display) == 3000) { + fw_path = XE3LPD_DMC_PATH; + max_fw_size = XE2LPD_DMC_MAX_FW_SIZE; + } else if (DISPLAY_VERx100(display) == 2000) { +-- +2.51.0 + diff --git a/queue-6.17/drm-msm-fix-pgtable-prealloc-error-path.patch b/queue-6.17/drm-msm-fix-pgtable-prealloc-error-path.patch new file mode 100644 index 0000000000..1a089a2c3f --- /dev/null +++ b/queue-6.17/drm-msm-fix-pgtable-prealloc-error-path.patch @@ -0,0 +1,101 @@ +From 49cf9b5956c805e8e95142e023de5156c40edf70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Oct 2025 08:35:41 -0700 +Subject: drm/msm: Fix pgtable prealloc error path + +From: Rob Clark + +[ Upstream commit 830d68f2cb8ab6fb798bb9555016709a9e012af0 ] + +The following splat was reported: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000 + [0000000000000010] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 0000000096000004 [#1] SMP + CPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S 6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT + Tainted: [S]=CPU_OUT_OF_SPEC + Hardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT) + pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) + pc : build_detached_freelist+0x28/0x224 + lr : kmem_cache_free_bulk.part.0+0x38/0x244 + sp : ffff000a508c7a20 + x29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350 + x26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000 + x23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000 + x20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8 + x17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640 + x14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30 + x11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940 + x8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000 + x5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8 + x2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00 + Call trace: + build_detached_freelist+0x28/0x224 (P) + kmem_cache_free_bulk.part.0+0x38/0x244 + kmem_cache_free_bulk+0x10/0x1c + msm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0 + msm_vma_job_free+0x30/0x240 + msm_ioctl_vm_bind+0x1d0/0x9a0 + drm_ioctl_kernel+0x84/0x104 + drm_ioctl+0x358/0x4d4 + __arm64_sys_ioctl+0x8c/0xe0 + invoke_syscall+0x44/0x100 + el0_svc_common.constprop.0+0x3c/0xe0 + do_el0_svc+0x18/0x20 + el0_svc+0x30/0x100 + el0t_64_sync_handler+0x104/0x130 + el0t_64_sync+0x170/0x174 + Code: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6) + ---[ end trace 0000000000000000 ]--- + +Since msm_vma_job_free() is called directly from the ioctl, this looks +like an error path cleanup issue. Which I think results from +prealloc_cleanup() called without a preceding successful +prealloc_allocate() call. So handle that case better. + +Reported-by: Connor Abbott +Signed-off-by: Rob Clark +Patchwork: https://patchwork.freedesktop.org/patch/678677/ +Message-ID: <20251006153542.419998-1-robin.clark@oss.qualcomm.com> +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_iommu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c +index 76cdd5ea06a02..10ef47ffb787a 100644 +--- a/drivers/gpu/drm/msm/msm_iommu.c ++++ b/drivers/gpu/drm/msm/msm_iommu.c +@@ -338,6 +338,8 @@ msm_iommu_pagetable_prealloc_allocate(struct msm_mmu *mmu, struct msm_mmu_preall + + ret = kmem_cache_alloc_bulk(pt_cache, GFP_KERNEL, p->count, p->pages); + if (ret != p->count) { ++ kfree(p->pages); ++ p->pages = NULL; + p->count = ret; + return -ENOMEM; + } +@@ -351,6 +353,9 @@ msm_iommu_pagetable_prealloc_cleanup(struct msm_mmu *mmu, struct msm_mmu_preallo + struct kmem_cache *pt_cache = get_pt_cache(mmu); + uint32_t remaining_pt_count = p->count - p->ptr; + ++ if (!p->pages) ++ return; ++ + if (p->count > 0) + trace_msm_mmu_prealloc_cleanup(p->count, remaining_pt_count); + +-- +2.51.0 + diff --git a/queue-6.17/drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch b/queue-6.17/drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch new file mode 100644 index 0000000000..d998395832 --- /dev/null +++ b/queue-6.17/drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch @@ -0,0 +1,74 @@ +From c2fba8452ea6a98af5477e63fb7d69d21d27df2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 20:33:15 +0530 +Subject: drm/pcids: Split PTL pciids group to make wcl subplatform + +From: Dnyaneshwar Bhadane + +[ Upstream commit 6eb2e056b0e418718fc5a3cfe79bdb41d9a2851d ] + +To form the WCL platform as a subplatform of PTL in definition, +WCL pci ids are splited into saparate group from PTL. +So update the pciidlist struct to cover all the pci ids. + +v2: +- Squash wcl description in single patch for display and xe.(jani,gustavo) + +Fixes: 3c0f211bc8fc ("drm/xe: Add Wildcat Lake device IDs to PTL list") +Signed-off-by: Dnyaneshwar Bhadane +Reviewed-by: Gustavo Sousa +Signed-off-by: Suraj Kandpal +Link: https://lore.kernel.org/r/20250922150317.2334680-2-dnyaneshwar.bhadane@intel.com +(cherry picked from commit 32620e176443bf23ec81bfe8f177c6721a904864) +Signed-off-by: Rodrigo Vivi +[Rodrigo added the Fixes tag when porting it to fixes] +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_display_device.c | 1 + + drivers/gpu/drm/xe/xe_pci.c | 1 + + include/drm/intel/pciids.h | 5 ++++- + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_display_device.c b/drivers/gpu/drm/i915/display/intel_display_device.c +index 089cffabbad57..9023c15f3645d 100644 +--- a/drivers/gpu/drm/i915/display/intel_display_device.c ++++ b/drivers/gpu/drm/i915/display/intel_display_device.c +@@ -1469,6 +1469,7 @@ static const struct { + INTEL_LNL_IDS(INTEL_DISPLAY_DEVICE, &lnl_desc), + INTEL_BMG_IDS(INTEL_DISPLAY_DEVICE, &bmg_desc), + INTEL_PTL_IDS(INTEL_DISPLAY_DEVICE, &ptl_desc), ++ INTEL_WCL_IDS(INTEL_DISPLAY_DEVICE, &ptl_desc), + }; + + static const struct { +diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c +index 6c2637fc8f1ab..47236457e6a3b 100644 +--- a/drivers/gpu/drm/xe/xe_pci.c ++++ b/drivers/gpu/drm/xe/xe_pci.c +@@ -367,6 +367,7 @@ static const struct pci_device_id pciidlist[] = { + INTEL_LNL_IDS(INTEL_VGA_DEVICE, &lnl_desc), + INTEL_BMG_IDS(INTEL_VGA_DEVICE, &bmg_desc), + INTEL_PTL_IDS(INTEL_VGA_DEVICE, &ptl_desc), ++ INTEL_WCL_IDS(INTEL_VGA_DEVICE, &ptl_desc), + { } + }; + MODULE_DEVICE_TABLE(pci, pciidlist); +diff --git a/include/drm/intel/pciids.h b/include/drm/intel/pciids.h +index 76f8d26f9cc9d..97fde8356fb23 100644 +--- a/include/drm/intel/pciids.h ++++ b/include/drm/intel/pciids.h +@@ -872,7 +872,10 @@ + MACRO__(0xB08F, ## __VA_ARGS__), \ + MACRO__(0xB090, ## __VA_ARGS__), \ + MACRO__(0xB0A0, ## __VA_ARGS__), \ +- MACRO__(0xB0B0, ## __VA_ARGS__), \ ++ MACRO__(0xB0B0, ## __VA_ARGS__) ++ ++/* WCL */ ++#define INTEL_WCL_IDS(MACRO__, ...) \ + MACRO__(0xFD80, ## __VA_ARGS__), \ + MACRO__(0xFD81, ## __VA_ARGS__) + +-- +2.51.0 + diff --git a/queue-6.17/drm-tegra-add-call-to-put_pid.patch b/queue-6.17/drm-tegra-add-call-to-put_pid.patch new file mode 100644 index 0000000000..71c11e6bd5 --- /dev/null +++ b/queue-6.17/drm-tegra-add-call-to-put_pid.patch @@ -0,0 +1,46 @@ +From c1b62307f45c4478c627a698fd21cdae1a8105eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 13:25:40 +0900 +Subject: drm/tegra: Add call to put_pid() + +From: Prateek Agarwal + +[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ] + +Add a call to put_pid() corresponding to get_task_pid(). +host1x_memory_context_alloc() does not take ownership of the PID so we +need to free it here to avoid leaking. + +Signed-off-by: Prateek Agarwal +Fixes: e09db97889ec ("drm/tegra: Support context isolation") +[mperttunen@nvidia.com: reword commit message] +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/uapi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c +index 5adab6b229164..d0b6a1fa6efad 100644 +--- a/drivers/gpu/drm/tegra/uapi.c ++++ b/drivers/gpu/drm/tegra/uapi.c +@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_ + if (err) + goto put_channel; + +- if (supported) ++ if (supported) { ++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID); + context->memory_context = host1x_memory_context_alloc( +- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID)); ++ host, client->base.dev, pid); ++ put_pid(pid); ++ } + + if (IS_ERR(context->memory_context)) { + if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) { +-- +2.51.0 + diff --git a/queue-6.17/drm-xe-irq-handle-msix-vector0-interrupt.patch b/queue-6.17/drm-xe-irq-handle-msix-vector0-interrupt.patch new file mode 100644 index 0000000000..dddecc1991 --- /dev/null +++ b/queue-6.17/drm-xe-irq-handle-msix-vector0-interrupt.patch @@ -0,0 +1,68 @@ +From 02056001cea7199271f18bceffb7b084e5a94ae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 14:01:41 +0530 +Subject: drm/xe/irq: Handle msix vector0 interrupt + +From: Venkata Ramana Nayana + +[ Upstream commit 5b38c22687d9287d85dd3bef2fa708bf62cf3895 ] + +Current gu2host handler registered as MSI-X vector 0 and as per bspec for +a msix vector 0 interrupt, the driver must check the legacy registers +190008(TILE_INT_REG), 190060h (GT INTR Identity Reg 0) and other registers +mentioned in "Interrupt Service Routine Pseudocode" otherwise it will block +the next interrupts. To overcome this issue replacing guc2host handler +with legacy xe_irq_handler. + +Fixes: da889070be7b2 ("drm/xe/irq: Separate MSI and MSI-X flows") +Bspec: 62357 +Signed-off-by: Venkata Ramana Nayana +Reviewed-by: Balasubramani Vivekanandan +Link: https://patch.msgid.link/20251107083141.2080189-1-venkata.ramana.nayana@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit c34a14bce7090862ebe5a64abe8d85df75e62737) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_irq.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_irq.c b/drivers/gpu/drm/xe/xe_irq.c +index 5df5b8c2a3e4d..da22f083e86a7 100644 +--- a/drivers/gpu/drm/xe/xe_irq.c ++++ b/drivers/gpu/drm/xe/xe_irq.c +@@ -843,22 +843,6 @@ static int xe_irq_msix_init(struct xe_device *xe) + return 0; + } + +-static irqreturn_t guc2host_irq_handler(int irq, void *arg) +-{ +- struct xe_device *xe = arg; +- struct xe_tile *tile; +- u8 id; +- +- if (!atomic_read(&xe->irq.enabled)) +- return IRQ_NONE; +- +- for_each_tile(tile, xe, id) +- xe_guc_irq_handler(&tile->primary_gt->uc.guc, +- GUC_INTR_GUC2HOST); +- +- return IRQ_HANDLED; +-} +- + static irqreturn_t xe_irq_msix_default_hwe_handler(int irq, void *arg) + { + unsigned int tile_id, gt_id; +@@ -975,7 +959,7 @@ int xe_irq_msix_request_irqs(struct xe_device *xe) + u16 msix; + + msix = GUC2HOST_MSIX; +- err = xe_irq_msix_request_irq(xe, guc2host_irq_handler, xe, ++ err = xe_irq_msix_request_irq(xe, xe_irq_handler(xe), xe, + DRIVER_NAME "-guc2host", false, &msix); + if (err) + return err; +-- +2.51.0 + diff --git a/queue-6.17/drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch b/queue-6.17/drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch new file mode 100644 index 0000000000..275b1e965a --- /dev/null +++ b/queue-6.17/drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch @@ -0,0 +1,44 @@ +From cc5db707831b2bbfd1af185df5bb2edf3781debd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 15:40:39 -0800 +Subject: drm/xe/kunit: Fix forcewake assertion in mocs test + +From: Matt Roper + +[ Upstream commit 905a3468ec679293949438393de7e61310432662 ] + +The MOCS kunit test calls KUNIT_ASSERT_TRUE_MSG() with a condition of +'true;' this prevents the assertion from ever failing. Replace +KUNIT_ASSERT_TRUE_MSG with KUNIT_FAIL_AND_ABORT to get the intended +failure behavior in cases where forcewake was not acquired successfully. + +Fixes: 51c0ee84e4dc ("drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs") +Cc: Tejas Upadhyay +Cc: Gustavo Sousa +Reviewed-by: Lucas De Marchi +Reviewed-by: Gustavo Sousa +Link: https://patch.msgid.link/20251113234038.2256106-2-matthew.d.roper@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit 9be4f0f687048ba77428ceca11994676736507b7) +Signed-off-by: Lucas De Marchi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/tests/xe_mocs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/tests/xe_mocs.c b/drivers/gpu/drm/xe/tests/xe_mocs.c +index 0e502feaca818..6bb278167aaf6 100644 +--- a/drivers/gpu/drm/xe/tests/xe_mocs.c ++++ b/drivers/gpu/drm/xe/tests/xe_mocs.c +@@ -49,7 +49,7 @@ static void read_l3cc_table(struct xe_gt *gt, + fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FORCEWAKE_ALL); + if (!xe_force_wake_ref_has_domain(fw_ref, XE_FORCEWAKE_ALL)) { + xe_force_wake_put(gt_to_fw(gt), fw_ref); +- KUNIT_ASSERT_TRUE_MSG(test, true, "Forcewake Failed.\n"); ++ KUNIT_FAIL_AND_ABORT(test, "Forcewake Failed.\n"); + } + + for (i = 0; i < info->num_mocs_regs; i++) { +-- +2.51.0 + diff --git a/queue-6.17/gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch b/queue-6.17/gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch new file mode 100644 index 0000000000..b24c9e065c --- /dev/null +++ b/queue-6.17/gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch @@ -0,0 +1,72 @@ +From 00187ba251ed7635118e92d4a36c92dfb290ec84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 16:08:42 +0100 +Subject: gpio: cdev: make sure the cdev fd is still active before emitting + events + +From: Bartosz Golaszewski + +[ Upstream commit d4cd0902c156b2ca60fdda8cd8b5bcb4b0e9ed64 ] + +With the final call to fput() on a file descriptor, the release action +may be deferred and scheduled on a work queue. The reference count of +that descriptor is still zero and it must not be used. It's possible +that a GPIO change, we want to notify the user-space about, happens +AFTER the reference count on the file descriptor associated with the +character device went down to zero but BEFORE the .release() callback +was called from the workqueue and so BEFORE we unregistered from the +notifier. + +Using the regular get_file() routine in this situation triggers the +following warning: + + struct file::f_count incremented from zero; use-after-free condition present! + +So use the get_file_active() variant that will return NULL on file +descriptors that have been or are being released. + +Fixes: 40b7c49950bd ("gpio: cdev: put emitting the line state events on a workqueue") +Reported-by: Alexander Sverdlin +Closes: https://lore.kernel.org/all/5d605f7fc99456804911403102a4fe999a14cc85.camel@siemens.com/ +Tested-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20251117-gpio-cdev-get-file-v1-1-28a16b5985b8@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-cdev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c +index e6a289fa0f8fd..6a52d812e4e7c 100644 +--- a/drivers/gpio/gpiolib-cdev.c ++++ b/drivers/gpio/gpiolib-cdev.c +@@ -2548,10 +2548,17 @@ static int lineinfo_changed_notify(struct notifier_block *nb, + container_of(nb, struct gpio_chardev_data, lineinfo_changed_nb); + struct lineinfo_changed_ctx *ctx; + struct gpio_desc *desc = data; ++ struct file *fp; + + if (!test_bit(gpio_chip_hwgpio(desc), cdev->watched_lines)) + return NOTIFY_DONE; + ++ /* Keep the file descriptor alive for the duration of the notification. */ ++ fp = get_file_active(&cdev->fp); ++ if (!fp) ++ /* Chardev file descriptor was or is being released. */ ++ return NOTIFY_DONE; ++ + /* + * If this is called from atomic context (for instance: with a spinlock + * taken by the atomic notifier chain), any sleeping calls must be done +@@ -2575,8 +2582,6 @@ static int lineinfo_changed_notify(struct notifier_block *nb, + /* Keep the GPIO device alive until we emit the event. */ + ctx->gdev = gpio_device_get(desc->gdev); + ctx->cdev = cdev; +- /* Keep the file descriptor alive too. */ +- get_file(ctx->cdev->fp); + + INIT_WORK(&ctx->work, lineinfo_changed_func); + queue_work(ctx->gdev->line_state_wq, &ctx->work); +-- +2.51.0 + diff --git a/queue-6.17/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch b/queue-6.17/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch new file mode 100644 index 0000000000..7616e8e713 --- /dev/null +++ b/queue-6.17/ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch @@ -0,0 +1,122 @@ +From 4853411bc03c623b435f8ca06cb7dcd76dbd37db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Oct 2025 12:02:16 +0200 +Subject: ice: fix PTP cleanup on driver removal in error path + +From: Grzegorz Nitka + +[ Upstream commit 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 ] + +Improve the cleanup on releasing PTP resources in error path. +The error case might happen either at the driver probe and PTP +feature initialization or on PTP restart (errors in reset handling, NVM +update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf +function) and 'ps_lock' mutex deinitialization were missed. +Additionally, ptp clock was not unregistered in the latter case. + +Keep PTP state as 'uninitialized' on init to distinguish between error +scenarios and to avoid resource release duplication at driver removal. + +The consequence of missing ice_ptp_cleanup_pf call is the following call +trace dumped when ice_adapter object is freed (port list is not empty, +as it is required at this stage): + +[ T93022] ------------[ cut here ]------------ +[ T93022] WARNING: CPU: 10 PID: 93022 at +ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice] +... +[ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice] +... +[ T93022] Call Trace: +[ T93022] +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] ? __warn.cold+0xb0/0x10e +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] ? report_bug+0xd8/0x150 +[ T93022] ? handle_bug+0xe9/0x110 +[ T93022] ? exc_invalid_op+0x17/0x70 +[ T93022] ? asm_exc_invalid_op+0x1a/0x20 +[ T93022] ? ice_adapter_put+0xef/0x100 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +[ T93022] pci_device_remove+0x42/0xb0 +[ T93022] device_release_driver_internal+0x19f/0x200 +[ T93022] driver_detach+0x48/0x90 +[ T93022] bus_remove_driver+0x70/0xf0 +[ T93022] pci_unregister_driver+0x42/0xb0 +[ T93022] ice_module_exit+0x10/0xdb0 [ice +33d2647ad4f6d866d41eefff1806df37c68aef0c] +... +[ T93022] ---[ end trace 0000000000000000 ]--- +[ T93022] ice: module unloaded + +Fixes: e800654e85b5 ("ice: Use ice_adapter for PTP shared data instead of auxdev") +Signed-off-by: Grzegorz Nitka +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ptp.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c +index fb0f6365a6d6f..8ec0f7d0fcebd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ptp.c ++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c +@@ -3246,7 +3246,7 @@ void ice_ptp_init(struct ice_pf *pf) + + err = ice_ptp_init_port(pf, &ptp->port); + if (err) +- goto err_exit; ++ goto err_clean_pf; + + /* Start the PHY timestamping block */ + ice_ptp_reset_phy_timestamping(pf); +@@ -3263,13 +3263,19 @@ void ice_ptp_init(struct ice_pf *pf) + dev_info(ice_pf_to_dev(pf), "PTP init successful\n"); + return; + ++err_clean_pf: ++ mutex_destroy(&ptp->port.ps_lock); ++ ice_ptp_cleanup_pf(pf); + err_exit: + /* If we registered a PTP clock, release it */ + if (pf->ptp.clock) { + ptp_clock_unregister(ptp->clock); + pf->ptp.clock = NULL; + } +- ptp->state = ICE_PTP_ERROR; ++ /* Keep ICE_PTP_UNINIT state to avoid ambiguity at driver unload ++ * and to avoid duplicated resources release. ++ */ ++ ptp->state = ICE_PTP_UNINIT; + dev_err(ice_pf_to_dev(pf), "PTP failed %d\n", err); + } + +@@ -3282,9 +3288,19 @@ void ice_ptp_init(struct ice_pf *pf) + */ + void ice_ptp_release(struct ice_pf *pf) + { +- if (pf->ptp.state != ICE_PTP_READY) ++ if (pf->ptp.state == ICE_PTP_UNINIT) + return; + ++ if (pf->ptp.state != ICE_PTP_READY) { ++ mutex_destroy(&pf->ptp.port.ps_lock); ++ ice_ptp_cleanup_pf(pf); ++ if (pf->ptp.clock) { ++ ptp_clock_unregister(pf->ptp.clock); ++ pf->ptp.clock = NULL; ++ } ++ return; ++ } ++ + pf->ptp.state = ICE_PTP_UNINIT; + + /* Disable timestamping for both Tx and Rx */ +-- +2.51.0 + diff --git a/queue-6.17/idpf-fix-possible-vport_config-null-pointer-deref-in.patch b/queue-6.17/idpf-fix-possible-vport_config-null-pointer-deref-in.patch new file mode 100644 index 0000000000..a4f7dc81f7 --- /dev/null +++ b/queue-6.17/idpf-fix-possible-vport_config-null-pointer-deref-in.patch @@ -0,0 +1,60 @@ +From d5b113f54c6374a910161f8853e2eed47ab729a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Oct 2025 08:08:24 -0700 +Subject: idpf: fix possible vport_config NULL pointer deref in remove + +From: Emil Tantilov + +[ Upstream commit 118082368c2b6ddefe6cb607efc312285148f044 ] + +Attempting to remove the driver will cause a crash in cases where +the vport failed to initialize. Following trace is from an instance where +the driver failed during an attempt to create a VF: +[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated +[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms) +[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028 +... +[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf] +... +[ 1723.364973] Call Trace: +[ 1723.365475] +[ 1723.365972] pci_device_remove+0x42/0xb0 +[ 1723.366481] device_release_driver_internal+0x1a9/0x210 +[ 1723.366987] pci_stop_bus_device+0x6d/0x90 +[ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20 +[ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120 +[ 1723.368309] sriov_disable+0x34/0xe0 +[ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf] +[ 1723.368982] sriov_numvfs_store+0xda/0x1c0 + +Avoid the NULL pointer dereference by adding NULL pointer check for +vport_config[i], before freeing user_config.q_coalesce. + +Fixes: e1e3fec3e34b ("idpf: preserve coalescing settings across resets") +Signed-off-by: Emil Tantilov +Reviewed-by: Chittim Madhu +Reviewed-by: Simon Horman +Tested-by: Samuel Salin +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_main.c b/drivers/net/ethernet/intel/idpf/idpf_main.c +index dfe9126f1f4ab..1088cbbcf9487 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_main.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_main.c +@@ -62,6 +62,8 @@ static void idpf_remove(struct pci_dev *pdev) + destroy_workqueue(adapter->vc_event_wq); + + for (i = 0; i < adapter->max_vports; i++) { ++ if (!adapter->vport_config[i]) ++ continue; + kfree(adapter->vport_config[i]->user_config.q_coalesce); + kfree(adapter->vport_config[i]); + adapter->vport_config[i] = NULL; +-- +2.51.0 + diff --git a/queue-6.17/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-6.17/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..b9c9bac4aa --- /dev/null +++ b/queue-6.17/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 4a45cc97f97ab54274c532541c4f8d332a3a352a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 84ea9215c0a7e..b8b7bba84a651 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -931,6 +932,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-6.17/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-6.17/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..9f69a5b2ea --- /dev/null +++ b/queue-6.17/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 1f3a20c760336b05f7526e9f956b459aea4c9b0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index ae1fe5f603270..521700ed71524 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1478,6 +1479,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-6.17/loongarch-use-uapi-types-in-ptrace-uapi-header.patch b/queue-6.17/loongarch-use-uapi-types-in-ptrace-uapi-header.patch new file mode 100644 index 0000000000..86585f4866 --- /dev/null +++ b/queue-6.17/loongarch-use-uapi-types-in-ptrace-uapi-header.patch @@ -0,0 +1,107 @@ +From b24890369836616da4a3c51c780063a7d18836e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: Use UAPI types in ptrace UAPI header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ] + +The kernel UAPI headers already contain fixed-width integer types, there +is no need to rely on the libc types. There may not be a libc available +or the libc may not provides the , like for example on nolibc. + +This also aligns the header with the rest of the LoongArch UAPI headers. + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h +index aafb3cd9e943e..215e0f9e8aa32 100644 +--- a/arch/loongarch/include/uapi/asm/ptrace.h ++++ b/arch/loongarch/include/uapi/asm/ptrace.h +@@ -10,10 +10,6 @@ + + #include + +-#ifndef __KERNEL__ +-#include +-#endif +- + /* + * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs, + * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR. +@@ -41,44 +37,44 @@ struct user_pt_regs { + } __attribute__((aligned(8))); + + struct user_fp_state { +- uint64_t fpr[32]; +- uint64_t fcc; +- uint32_t fcsr; ++ __u64 fpr[32]; ++ __u64 fcc; ++ __u32 fcsr; + }; + + struct user_lsx_state { + /* 32 registers, 128 bits width per register. */ +- uint64_t vregs[32*2]; ++ __u64 vregs[32*2]; + }; + + struct user_lasx_state { + /* 32 registers, 256 bits width per register. */ +- uint64_t vregs[32*4]; ++ __u64 vregs[32*4]; + }; + + struct user_lbt_state { +- uint64_t scr[4]; +- uint32_t eflags; +- uint32_t ftop; ++ __u64 scr[4]; ++ __u32 eflags; ++ __u32 ftop; + }; + + struct user_watch_state { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[8]; + }; + + struct user_watch_state_v2 { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[14]; + }; + +-- +2.51.0 + diff --git a/queue-6.17/mips-dts-econet-fix-en751221-core-type.patch b/queue-6.17/mips-dts-econet-fix-en751221-core-type.patch new file mode 100644 index 0000000000..87f4fbcfb6 --- /dev/null +++ b/queue-6.17/mips-dts-econet-fix-en751221-core-type.patch @@ -0,0 +1,35 @@ +From 4206ce0bf35624169609c8f8a092b05cc943e4ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Oct 2025 20:01:19 +0200 +Subject: mips: dts: econet: fix EN751221 core type + +From: Aleksander Jan Bajkowski + +[ Upstream commit 09782e72eec451fa14d327595f86cdc338ebe53c ] + +In fact, it is a multi-threaded MIPS34Kc, not a single-threaded MIPS24Kc. + +Fixes: 0ec488700972 ("mips: dts: Add EcoNet DTS with EN751221 and SmartFiber XP8421-B board") +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/econet/en751221.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/boot/dts/econet/en751221.dtsi b/arch/mips/boot/dts/econet/en751221.dtsi +index 66197e73d4f04..2abeef5b744a8 100644 +--- a/arch/mips/boot/dts/econet/en751221.dtsi ++++ b/arch/mips/boot/dts/econet/en751221.dtsi +@@ -18,7 +18,7 @@ + + cpu@0 { + device_type = "cpu"; +- compatible = "mips,mips24KEc"; ++ compatible = "mips,mips34Kc"; + reg = <0>; + }; + }; +-- +2.51.0 + diff --git a/queue-6.17/mips-kernel-fix-random-segmentation-faults.patch b/queue-6.17/mips-kernel-fix-random-segmentation-faults.patch new file mode 100644 index 0000000000..ff2c834b49 --- /dev/null +++ b/queue-6.17/mips-kernel-fix-random-segmentation-faults.patch @@ -0,0 +1,45 @@ +From d3388354bcfcbcc0767cacac577a90611dcaf90a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:10:29 +0100 +Subject: MIPS: kernel: Fix random segmentation faults +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Bogendoerfer + +[ Upstream commit 14b46ba92bf547508b4a49370c99aba76cb53b53 ] + +Commit 69896119dc9d ("MIPS: vdso: Switch to generic storage +implementation") switches to a generic vdso storage, which increases +the number of data pages from 1 to 4. But there is only one page +reserved, which causes segementation faults depending where the VDSO +area is randomized to. To fix this use the same size of reservation +and allocation of the VDSO data pages. + +Fixes: 69896119dc9d ("MIPS: vdso: Switch to generic storage implementation") +Reviewed-by: Thomas Weißschuh +Reviewed-by: Huacai Chen +Reviewed-by: Thomas Gleixner +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 29191fa1801e2..a3101f2268c6c 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -692,7 +692,7 @@ unsigned long mips_stack_top(void) + /* Space for the VDSO, data page & GIC user page */ + if (current->thread.abi) { + top -= PAGE_ALIGN(current->thread.abi->vdso->size); +- top -= PAGE_SIZE; ++ top -= VDSO_NR_PAGES * PAGE_SIZE; + top -= mips_gic_present() ? PAGE_SIZE : 0; + + /* Space to randomize the VDSO base */ +-- +2.51.0 + diff --git a/queue-6.17/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-6.17/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..92bb65c235 --- /dev/null +++ b/queue-6.17/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From b446c15661bb725c613dc3fa84cf76ee2b4cdd2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index 6a4a81c63451c..353fd9ca89a68 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -830,8 +830,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-6.17/net-airoha-add-wlan-flowtable-tx-offload.patch b/queue-6.17/net-airoha-add-wlan-flowtable-tx-offload.patch new file mode 100644 index 0000000000..85a2f82e34 --- /dev/null +++ b/queue-6.17/net-airoha-add-wlan-flowtable-tx-offload.patch @@ -0,0 +1,213 @@ +From cad813bb9e53780910b86166fa308d58d0f1972a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 09:51:16 +0200 +Subject: net: airoha: Add wlan flowtable TX offload + +From: Lorenzo Bianconi + +[ Upstream commit a8bdd935d1ddb7186358fb60ffe84253e85340c8 ] + +Introduce support to offload the traffic received on the ethernet NIC +and forwarded to the wireless one using HW Packet Processor Engine (PPE) +capabilities. + +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20250814-airoha-en7581-wlan-tx-offload-v1-1-72e0a312003e@kernel.org +Signed-off-by: Paolo Abeni +Stable-dep-of: 8e0a754b0836 ("net: airoha: Do not loopback traffic to GDM2 if it is available on the device") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.h | 11 +++ + drivers/net/ethernet/airoha/airoha_ppe.c | 103 ++++++++++++++++------- + 2 files changed, 85 insertions(+), 29 deletions(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.h b/drivers/net/ethernet/airoha/airoha_eth.h +index a970b789cf232..9f721e2b972f0 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.h ++++ b/drivers/net/ethernet/airoha/airoha_eth.h +@@ -252,6 +252,10 @@ enum { + #define AIROHA_FOE_MAC_SMAC_ID GENMASK(20, 16) + #define AIROHA_FOE_MAC_PPPOE_ID GENMASK(15, 0) + ++#define AIROHA_FOE_MAC_WDMA_QOS GENMASK(15, 12) ++#define AIROHA_FOE_MAC_WDMA_BAND BIT(11) ++#define AIROHA_FOE_MAC_WDMA_WCID GENMASK(10, 0) ++ + struct airoha_foe_mac_info_common { + u16 vlan1; + u16 etype; +@@ -481,6 +485,13 @@ struct airoha_flow_table_entry { + unsigned long cookie; + }; + ++struct airoha_wdma_info { ++ u8 idx; ++ u8 queue; ++ u16 wcid; ++ u8 bss; ++}; ++ + /* RX queue to IRQ mapping: BIT(q) in IRQ(n) */ + #define RX_IRQ0_BANK_PIN_MASK 0x839f + #define RX_IRQ1_BANK_PIN_MASK 0x7fe00000 +diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c +index 88694b08afa1c..62e46a8d7e3c8 100644 +--- a/drivers/net/ethernet/airoha/airoha_ppe.c ++++ b/drivers/net/ethernet/airoha/airoha_ppe.c +@@ -190,6 +190,31 @@ static int airoha_ppe_flow_mangle_ipv4(const struct flow_action_entry *act, + return 0; + } + ++static int airoha_ppe_get_wdma_info(struct net_device *dev, const u8 *addr, ++ struct airoha_wdma_info *info) ++{ ++ struct net_device_path_stack stack; ++ struct net_device_path *path; ++ int err; ++ ++ if (!dev) ++ return -ENODEV; ++ ++ err = dev_fill_forward_path(dev, addr, &stack); ++ if (err) ++ return err; ++ ++ path = &stack.path[stack.num_paths - 1]; ++ if (path->type != DEV_PATH_MTK_WDMA) ++ return -1; ++ ++ info->idx = path->mtk_wdma.wdma_idx; ++ info->bss = path->mtk_wdma.bss; ++ info->wcid = path->mtk_wdma.wcid; ++ ++ return 0; ++} ++ + static int airoha_get_dsa_port(struct net_device **dev) + { + #if IS_ENABLED(CONFIG_NET_DSA) +@@ -220,9 +245,9 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth, + struct airoha_flow_data *data, + int l4proto) + { +- int dsa_port = airoha_get_dsa_port(&dev); ++ u32 qdata = FIELD_PREP(AIROHA_FOE_SHAPER_ID, 0x7f), ports_pad, val; ++ int wlan_etype = -EINVAL, dsa_port = airoha_get_dsa_port(&dev); + struct airoha_foe_mac_info_common *l2; +- u32 qdata, ports_pad, val; + u8 smac_id = 0xf; + + memset(hwe, 0, sizeof(*hwe)); +@@ -236,31 +261,47 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth, + AIROHA_FOE_IB1_BIND_TTL; + hwe->ib1 = val; + +- val = FIELD_PREP(AIROHA_FOE_IB2_PORT_AG, 0x1f) | +- AIROHA_FOE_IB2_PSE_QOS; +- if (dsa_port >= 0) +- val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ, dsa_port); +- ++ val = FIELD_PREP(AIROHA_FOE_IB2_PORT_AG, 0x1f); + if (dev) { +- struct airoha_gdm_port *port = netdev_priv(dev); +- u8 pse_port; +- +- if (!airoha_is_valid_gdm_port(eth, port)) +- return -EINVAL; +- +- if (dsa_port >= 0) +- pse_port = port->id == 4 ? FE_PSE_PORT_GDM4 : port->id; +- else +- pse_port = 2; /* uplink relies on GDM2 loopback */ +- val |= FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT, pse_port); +- +- /* For downlink traffic consume SRAM memory for hw forwarding +- * descriptors queue. +- */ +- if (airhoa_is_lan_gdm_port(port)) +- val |= AIROHA_FOE_IB2_FAST_PATH; +- +- smac_id = port->id; ++ struct airoha_wdma_info info = {}; ++ ++ if (!airoha_ppe_get_wdma_info(dev, data->eth.h_dest, &info)) { ++ val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ, info.idx) | ++ FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT, ++ FE_PSE_PORT_CDM4); ++ qdata |= FIELD_PREP(AIROHA_FOE_ACTDP, info.bss); ++ wlan_etype = FIELD_PREP(AIROHA_FOE_MAC_WDMA_BAND, ++ info.idx) | ++ FIELD_PREP(AIROHA_FOE_MAC_WDMA_WCID, ++ info.wcid); ++ } else { ++ struct airoha_gdm_port *port = netdev_priv(dev); ++ u8 pse_port; ++ ++ if (!airoha_is_valid_gdm_port(eth, port)) ++ return -EINVAL; ++ ++ if (dsa_port >= 0) ++ pse_port = port->id == 4 ? FE_PSE_PORT_GDM4 ++ : port->id; ++ else ++ pse_port = 2; /* uplink relies on GDM2 ++ * loopback ++ */ ++ ++ val |= FIELD_PREP(AIROHA_FOE_IB2_PSE_PORT, pse_port) | ++ AIROHA_FOE_IB2_PSE_QOS; ++ /* For downlink traffic consume SRAM memory for hw ++ * forwarding descriptors queue. ++ */ ++ if (airhoa_is_lan_gdm_port(port)) ++ val |= AIROHA_FOE_IB2_FAST_PATH; ++ if (dsa_port >= 0) ++ val |= FIELD_PREP(AIROHA_FOE_IB2_NBQ, ++ dsa_port); ++ ++ smac_id = port->id; ++ } + } + + if (is_multicast_ether_addr(data->eth.h_dest)) +@@ -272,7 +313,6 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth, + if (type == PPE_PKT_TYPE_IPV6_ROUTE_3T) + hwe->ipv6.ports = ports_pad; + +- qdata = FIELD_PREP(AIROHA_FOE_SHAPER_ID, 0x7f); + if (type == PPE_PKT_TYPE_BRIDGE) { + airoha_ppe_foe_set_bridge_addrs(&hwe->bridge, &data->eth); + hwe->bridge.data = qdata; +@@ -313,7 +353,9 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth, + l2->vlan2 = data->vlan.hdr[1].id; + } + +- if (dsa_port >= 0) { ++ if (wlan_etype >= 0) { ++ l2->etype = wlan_etype; ++ } else if (dsa_port >= 0) { + l2->etype = BIT(dsa_port); + l2->etype |= !data->vlan.num ? BIT(15) : 0; + } else if (data->pppoe.num) { +@@ -490,6 +532,10 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe, + meter = &hwe->ipv4.l2.meter; + } + ++ pse_port = FIELD_GET(AIROHA_FOE_IB2_PSE_PORT, *ib2); ++ if (pse_port == FE_PSE_PORT_CDM4) ++ return; ++ + airoha_ppe_foe_flow_stat_entry_reset(ppe, npu, index); + + val = FIELD_GET(AIROHA_FOE_CHANNEL | AIROHA_FOE_QID, *data); +@@ -500,7 +546,6 @@ static void airoha_ppe_foe_flow_stats_update(struct airoha_ppe *ppe, + AIROHA_FOE_IB2_PSE_QOS | AIROHA_FOE_IB2_FAST_PATH); + *meter |= FIELD_PREP(AIROHA_FOE_TUNNEL_MTU, val); + +- pse_port = FIELD_GET(AIROHA_FOE_IB2_PSE_PORT, *ib2); + nbq = pse_port == 1 ? 6 : 5; + *ib2 &= ~(AIROHA_FOE_IB2_NBQ | AIROHA_FOE_IB2_PSE_PORT | + AIROHA_FOE_IB2_PSE_QOS); +-- +2.51.0 + diff --git a/queue-6.17/net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch b/queue-6.17/net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch new file mode 100644 index 0000000000..994a41378b --- /dev/null +++ b/queue-6.17/net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch @@ -0,0 +1,41 @@ +From 3997a505440827bfc0ca5078ff78b26753076b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 18:19:38 +0100 +Subject: net: airoha: Do not loopback traffic to GDM2 if it is available on + the device + +From: Lorenzo Bianconi + +[ Upstream commit 8e0a754b0836d996802713bbebc87bc1cc17925c ] + +Airoha_eth driver forwards offloaded uplink traffic (packets received +on GDM1 and forwarded to GDM{3,4}) to GDM2 in order to apply hw QoS. +This is correct if the device does not support a dedicated GDM2 port. +In this case, in order to enable hw offloading for uplink traffic, +the packets should be sent to GDM{3,4} directly. + +Fixes: 9cd451d414f6 ("net: airoha: Add loopback support for GDM2") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20251113-airoha-hw-offload-gdm2-fix-v1-1-7e4ca300872f@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_ppe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c +index 62e46a8d7e3c8..20e77cdb86d0c 100644 +--- a/drivers/net/ethernet/airoha/airoha_ppe.c ++++ b/drivers/net/ethernet/airoha/airoha_ppe.c +@@ -281,7 +281,7 @@ static int airoha_ppe_foe_entry_prepare(struct airoha_eth *eth, + if (!airoha_is_valid_gdm_port(eth, port)) + return -EINVAL; + +- if (dsa_port >= 0) ++ if (dsa_port >= 0 || eth->ports[1]) + pse_port = port->id == 4 ? FE_PSE_PORT_GDM4 + : port->id; + else +-- +2.51.0 + diff --git a/queue-6.17/net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch b/queue-6.17/net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch new file mode 100644 index 0000000000..0bd01c1019 --- /dev/null +++ b/queue-6.17/net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch @@ -0,0 +1,55 @@ +From 8c55e701b132ef42f1ea24dcbf5abaf9ef629e91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 01:36:52 +0800 +Subject: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() + +From: Jiaming Zhang + +[ Upstream commit f796a8dec9beafcc0f6f0d3478ed685a15c5e062 ] + +The ethtool tsconfig Netlink path can trigger a null pointer +dereference. A call chain such as: + + tsconfig_prepare_data() -> + dev_get_hwtstamp_phylib() -> + vlan_hwtstamp_get() -> + generic_hwtstamp_get_lower() -> + generic_hwtstamp_ioctl_lower() + +results in generic_hwtstamp_ioctl_lower() being called with +kernel_cfg->ifr as NULL. + +The generic_hwtstamp_ioctl_lower() function does not expect +a NULL ifr and dereferences it, leading to a system crash. + +Fix this by adding a NULL check for kernel_cfg->ifr in +generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL. + +Fixes: 6e9e2eed4f39 ("net: ethtool: Add support for tsconfig command to get/set hwtstamp config") +Closes: https://lore.kernel.org/cd6a7056-fa6d-43f8-b78a-f5e811247ba8@linux.dev +Signed-off-by: Jiaming Zhang +Reviewed-by: Kory Maincent +Link: https://patch.msgid.link/20251111173652.749159-2-r772577952@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev_ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c +index ad54b12d4b4c8..8bb71a10dba09 100644 +--- a/net/core/dev_ioctl.c ++++ b/net/core/dev_ioctl.c +@@ -443,6 +443,9 @@ static int generic_hwtstamp_ioctl_lower(struct net_device *dev, int cmd, + struct ifreq ifrr; + int err; + ++ if (!kernel_cfg->ifr) ++ return -EINVAL; ++ + strscpy_pad(ifrr.ifr_name, dev->name, IFNAMSIZ); + ifrr.ifr_ifru = kernel_cfg->ifr->ifr_ifru; + +-- +2.51.0 + diff --git a/queue-6.17/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch b/queue-6.17/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch new file mode 100644 index 0000000000..dbc15ec04b --- /dev/null +++ b/queue-6.17/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch @@ -0,0 +1,57 @@ +From edad189a993fd1897a6d50d69e8821c921564e54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:57:44 +0300 +Subject: net: dsa: hellcreek: fix missing error handling in LED registration + +From: Pavel Zhigulin + +[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ] + +The LED setup routine registered both led_sync_good +and led_is_gm devices without checking the return +values of led_classdev_register(). If either registration +failed, the function continued silently, leaving the +driver in a partially-initialized state and leaking +a registered LED classdev. + +Add proper error handling + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Andrew Lunn +Acked-by: Kurt Kanzenbach +Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +index bfe21f9f7dcd3..cb23bea9c21b8 100644 +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -376,8 +376,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek) + hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1); + + /* Register both leds */ +- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); +- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n"); ++ goto out; ++ } ++ ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n"); ++ led_classdev_unregister(&hellcreek->led_sync_good); ++ goto out; ++ } + + ret = 0; + +-- +2.51.0 + diff --git a/queue-6.17/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch b/queue-6.17/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch new file mode 100644 index 0000000000..543b9d159b --- /dev/null +++ b/queue-6.17/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch @@ -0,0 +1,161 @@ +From 38cd643123e6c4882b3eea9086092fdb081e8b55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:16:08 +0200 +Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure + +From: Pradyumn Rahar + +[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ] + +The mlx5_irq_alloc() function can inadvertently free the entire rmap +and end up in a crash[1] when the other threads tries to access this, +when request_irq() fails due to exhausted IRQ vectors. This commit +modifies the cleanup to remove only the specific IRQ mapping that was +just added. + +This prevents removal of other valid mappings and ensures precise +cleanup of the failed IRQ allocation's associated glue object. + +Note: This error is observed when both fwctl and rds configs are enabled. + +[1] +mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +general protection fault, probably for non-canonical address +0xe277a58fde16f291: 0000 [#1] SMP NOPTI + +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Call Trace: + + ? show_trace_log_lvl+0x1d6/0x2f9 + ? show_trace_log_lvl+0x1d6/0x2f9 + ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + ? __die_body.cold+0x8/0xa + ? die_addr+0x39/0x53 + ? exc_general_protection+0x1c4/0x3e9 + ? dev_vprintk_emit+0x5f/0x90 + ? asm_exc_general_protection+0x22/0x27 + ? free_irq_cpu_rmap+0x23/0x7d + mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + irq_pool_request_vector+0x7d/0x90 [mlx5_core] + mlx5_irq_request+0x2e/0xe0 [mlx5_core] + mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] + comp_irq_request_pci+0x64/0xf0 [mlx5_core] + create_comp_eq+0x71/0x385 [mlx5_core] + ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] + mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] + ? xas_load+0x8/0x91 + mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] + mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] + mlx5e_open_channels+0xad/0x250 [mlx5_core] + mlx5e_open_locked+0x3e/0x110 [mlx5_core] + mlx5e_open+0x23/0x70 [mlx5_core] + __dev_open+0xf1/0x1a5 + __dev_change_flags+0x1e1/0x249 + dev_change_flags+0x21/0x5c + do_setlink+0x28b/0xcc4 + ? __nla_parse+0x22/0x3d + ? inet6_validate_link_af+0x6b/0x108 + ? cpumask_next+0x1f/0x35 + ? __snmp6_fill_stats64.constprop.0+0x66/0x107 + ? __nla_validate_parse+0x48/0x1e6 + __rtnl_newlink+0x5ff/0xa57 + ? kmem_cache_alloc_trace+0x164/0x2ce + rtnl_newlink+0x44/0x6e + rtnetlink_rcv_msg+0x2bb/0x362 + ? __netlink_sendskb+0x4c/0x6c + ? netlink_unicast+0x28f/0x2ce + ? rtnl_calcit.isra.0+0x150/0x146 + netlink_rcv_skb+0x5f/0x112 + netlink_unicast+0x213/0x2ce + netlink_sendmsg+0x24f/0x4d9 + __sock_sendmsg+0x65/0x6a + ____sys_sendmsg+0x28f/0x2c9 + ? import_iovec+0x17/0x2b + ___sys_sendmsg+0x97/0xe0 + __sys_sendmsg+0x81/0xd8 + do_syscall_64+0x35/0x87 + entry_SYSCALL_64_after_hwframe+0x6e/0x0 +RIP: 0033:0x7fc328603727 +Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed +ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 +f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 +RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 +RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d +RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc + +---[ end trace f43ce73c3c2b13a2 ]--- +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00 +74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31 +f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff +RSP: 0018:ff384881640eaca0 EFLAGS: 00010282 +RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400 +RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88 +R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8 +FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception +Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range: +0xffffffff80000000-0xffffffffbfffffff) +kvm-guest: disable async PF for cpu 0 + +Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation") +Signed-off-by: Mohith Kumar Thummaluru +Tested-by: Mohith Kumar Thummaluru +Reviewed-by: Moshe Shemesh +Reviewed-by: Shay Drori +Signed-off-by: Pradyumn Rahar +Reviewed-by: Jacob Keller +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +index 692ef9c2f7293..82ada674f8e27 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +@@ -324,10 +324,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i, + free_irq(irq->map.virq, &irq->nh); + err_req_irq: + #ifdef CONFIG_RFS_ACCEL +- if (i && rmap && *rmap) { +- free_irq_cpu_rmap(*rmap); +- *rmap = NULL; +- } ++ if (i && rmap && *rmap) ++ irq_cpu_rmap_remove(*rmap, irq->map.virq); + err_irq_rmap: + #endif + if (i && pci_msix_can_alloc_dyn(dev->pdev)) +-- +2.51.0 + diff --git a/queue-6.17/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch b/queue-6.17/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch new file mode 100644 index 0000000000..eee05c030c --- /dev/null +++ b/queue-6.17/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch @@ -0,0 +1,42 @@ +From 4417c1b76d5791e5e920e884c6caf2f3d92723b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 19:19:21 +0300 +Subject: net: mlxsw: linecards: fix missing error check in + mlxsw_linecard_devlink_info_get() + +From: Pavel Zhigulin + +[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ] + +The call to devlink_info_version_fixed_put() in +mlxsw_linecard_devlink_info_get() did not check for errors, +although it is checked everywhere in the code. + +Add missed 'err' check to the mlxsw_linecard_devlink_info_get() + +Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +index b032d5a4b3b84..10f5bc4892fc7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard, + err = devlink_info_version_fixed_put(req, + DEVLINK_INFO_VERSION_GENERIC_FW_PSID, + info->psid); ++ if (err) ++ goto unlock; + + sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor, + info->fw_sub_minor); +-- +2.51.0 + diff --git a/queue-6.17/net-openvswitch-remove-never-working-support-for-set.patch b/queue-6.17/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..2189cbab69 --- /dev/null +++ b/queue-6.17/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From 4ab1746529388cbe70878f166f6e84fce5d02e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 2832e07941971..792ca44a461da 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -572,69 +572,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1130,10 +1067,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1170,6 +1103,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index ad64bb9ab5e25..1cb4f97335d87 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1305,6 +1305,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1314,8 +1319,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1359,46 +1362,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2839,17 +2802,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2997,13 +2956,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3437,7 +3389,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-6.17/net-phylink-add-missing-supported-link-modes-for-the.patch b/queue-6.17/net-phylink-add-missing-supported-link-modes-for-the.patch new file mode 100644 index 0000000000..fd59e5750f --- /dev/null +++ b/queue-6.17/net-phylink-add-missing-supported-link-modes-for-the.patch @@ -0,0 +1,60 @@ +From bca7862cc186f7de90e28ed993f3455640294aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 18:29:43 +0800 +Subject: net: phylink: add missing supported link modes for the fixed-link + +From: Wei Fang + +[ Upstream commit e31a11be41cd134f245c01d1329e7bc89aba78fb ] + +Pause, Asym_Pause and Autoneg bits are not set when pl->supported is +initialized, so these link modes will not work for the fixed-link. This +leads to a TCP performance degradation issue observed on the i.MX943 +platform. + +The switch CPU port of i.MX943 is connected to an ENETC MAC, this link +is a fixed link and the link speed is 2.5Gbps. And one of the switch +user ports is the RGMII interface, and its link speed is 1Gbps. If the +flow-control of the fixed link is not enabled, we can easily observe +the iperf performance of TCP packets is very low. Because the inbound +rate on the CPU port is greater than the outbound rate on the user port, +the switch is prone to congestion, leading to the loss of some TCP +packets and requiring multiple retransmissions. + +Solving this problem should be as simple as setting the Asym_Pause and +Pause bits. The reason why the Autoneg bit needs to be set, Russell +has gave a very good explanation in the thread [1], see below. + +"As the advertising and lp_advertising bitmasks have to be non-empty, +and the swphy reports aneg capable, aneg complete, and AN enabled, then +for consistency with that state, Autoneg should be set. This is how it +was prior to the blamed commit." + +Fixes: de7d3f87be3c ("net: phylink: Use phy_caps_lookup for fixed-link configuration") +Link: https://lore.kernel.org/aRjqLN8eQDIQfBjS@shell.armlinux.org.uk # [1] +Signed-off-by: Wei Fang +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20251117102943.1862680-1-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 1988b7d2089a6..928a1186f0d9a 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -637,6 +637,9 @@ static int phylink_validate(struct phylink *pl, unsigned long *supported, + + static void phylink_fill_fixedlink_supported(unsigned long *supported) + { ++ linkmode_set_bit(ETHTOOL_LINK_MODE_Pause_BIT, supported); ++ linkmode_set_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT, supported); ++ linkmode_set_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, supported); + linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Half_BIT, supported); + linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Full_BIT, supported); + linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, supported); +-- +2.51.0 + diff --git a/queue-6.17/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch b/queue-6.17/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch new file mode 100644 index 0000000000..f9a0623940 --- /dev/null +++ b/queue-6.17/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch @@ -0,0 +1,62 @@ +From 885dccd2d9e01292686d9e8bb1e2f7cc9f8918a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 14:27:56 +0300 +Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() + and qede_tpa_end() + +From: Pavel Zhigulin + +[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ] + +The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate +over 'cqe->len_list[]' using only a zero-length terminator as +the stopping condition. If the terminator was missing or +malformed, the loop could run past the end of the fixed-size array. + +Add an explicit bound check using ARRAY_SIZE() in both loops to prevent +a potential out-of-bounds access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO") +Signed-off-by: Pavel Zhigulin +Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index 847fa62c80df8..e338bfc8b7b2f 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2019-2020 Marvell International Ltd. + */ + ++#include + #include + #include + #include +@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, + { + int i; + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + +@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev, + dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, + PAGE_SIZE, rxq->data_direction); + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + if (unlikely(i > 1)) +-- +2.51.0 + diff --git a/queue-6.17/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-6.17/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..37aa89bf51 --- /dev/null +++ b/queue-6.17/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From 95e74d899dc322699020b00e4b23b9ac8b0ed13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index b90f3b675c3c4..c7bcdb3afad75 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -467,6 +467,12 @@ tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_ + atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index a82fdcf199690..bb14d9b467f28 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -723,8 +723,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-6.17/net-tls-change-async-resync-helpers-argument.patch b/queue-6.17/net-tls-change-async-resync-helpers-argument.patch new file mode 100644 index 0000000000..8f9121a46f --- /dev/null +++ b/queue-6.17/net-tls-change-async-resync-helpers-argument.patch @@ -0,0 +1,117 @@ +From 8b106e05aefdf3a71e865e10967197ccc15481b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:01 +0200 +Subject: net: tls: Change async resync helpers argument + +From: Shahar Shitrit + +[ Upstream commit 34892cfec0c2d96787c4be7bda0d5f18d7dacf85 ] + +Update tls_offload_rx_resync_async_request_start() and +tls_offload_rx_resync_async_request_end() to get a struct +tls_offload_resync_async parameter directly, rather than +extracting it from struct sock. + +This change aligns the function signatures with the upcoming +tls_offload_rx_resync_async_request_cancel() helper, which +will be introduced in a subsequent patch. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/en_accel/ktls_rx.c | 9 ++++++-- + include/net/tls.h | 21 +++++++------------ + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c +index 65ccb33edafb7..c0089c704c0cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c +@@ -425,12 +425,14 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi, + { + struct mlx5e_ktls_rx_resync_buf *buf = wi->tls_get_params.buf; + struct mlx5e_ktls_offload_context_rx *priv_rx; ++ struct tls_offload_context_rx *rx_ctx; + u8 tracker_state, auth_state, *ctx; + struct device *dev; + u32 hw_seq; + + priv_rx = buf->priv_rx; + dev = mlx5_core_dma_dev(sq->channel->mdev); ++ rx_ctx = tls_offload_ctx_rx(tls_get_ctx(priv_rx->sk)); + if (unlikely(test_bit(MLX5E_PRIV_RX_FLAG_DELETING, priv_rx->flags))) + goto out; + +@@ -447,7 +449,8 @@ void mlx5e_ktls_handle_get_psv_completion(struct mlx5e_icosq_wqe_info *wi, + } + + hw_seq = MLX5_GET(tls_progress_params, ctx, hw_resync_tcp_sn); +- tls_offload_rx_resync_async_request_end(priv_rx->sk, cpu_to_be32(hw_seq)); ++ tls_offload_rx_resync_async_request_end(rx_ctx->resync_async, ++ cpu_to_be32(hw_seq)); + priv_rx->rq_stats->tls_resync_req_end++; + out: + mlx5e_ktls_priv_rx_put(priv_rx); +@@ -482,6 +485,7 @@ static bool resync_queue_get_psv(struct sock *sk) + static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb) + { + struct ethhdr *eth = (struct ethhdr *)(skb->data); ++ struct tls_offload_resync_async *resync_async; + struct net_device *netdev = rq->netdev; + struct net *net = dev_net(netdev); + struct sock *sk = NULL; +@@ -528,7 +532,8 @@ static void resync_update_sn(struct mlx5e_rq *rq, struct sk_buff *skb) + + seq = th->seq; + datalen = skb->len - depth; +- tls_offload_rx_resync_async_request_start(sk, seq, datalen); ++ resync_async = tls_offload_ctx_rx(tls_get_ctx(sk))->resync_async; ++ tls_offload_rx_resync_async_request_start(resync_async, seq, datalen); + rq->stats->tls_resync_req_start++; + + unref: +diff --git a/include/net/tls.h b/include/net/tls.h +index 857340338b694..b90f3b675c3c4 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -451,25 +451,20 @@ static inline void tls_offload_rx_resync_request(struct sock *sk, __be32 seq) + + /* Log all TLS record header TCP sequences in [seq, seq+len] */ + static inline void +-tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len) ++tls_offload_rx_resync_async_request_start(struct tls_offload_resync_async *resync_async, ++ __be32 seq, u16 len) + { +- struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx); +- +- atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) | ++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | + ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC); +- rx_ctx->resync_async->loglen = 0; +- rx_ctx->resync_async->rcd_delta = 0; ++ resync_async->loglen = 0; ++ resync_async->rcd_delta = 0; + } + + static inline void +-tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) ++tls_offload_rx_resync_async_request_end(struct tls_offload_resync_async *resync_async, ++ __be32 seq) + { +- struct tls_context *tls_ctx = tls_get_ctx(sk); +- struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx); +- +- atomic64_set(&rx_ctx->resync_async->req, +- ((u64)ntohl(seq) << 32) | RESYNC_REQ); ++ atomic64_set(&resync_async->req, ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + + static inline void +-- +2.51.0 + diff --git a/queue-6.17/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch b/queue-6.17/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch new file mode 100644 index 0000000000..b521109196 --- /dev/null +++ b/queue-6.17/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch @@ -0,0 +1,47 @@ +From db3fd7facd18cffdff7588389c5c9584a9585574 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:23:39 +0900 +Subject: nvme-multipath: fix lockdep WARN due to partition scan work + +From: Shin'ichiro Kawasaki + +[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ] + +Blktests test cases nvme/014, 057 and 058 fail occasionally due to a +lockdep WARN. As reported in the Closes tag URL, the WARN indicates that +a deadlock can happen due to the dependency among disk->open_mutex, +kblockd workqueue completion and partition_scan_work completion. + +To avoid the lockdep WARN and the potential deadlock, cut the dependency +by running the partition_scan_work not by kblockd workqueue but by +nvme_wq. + +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/ +Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/ +Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning") +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 543e17aead12b..e35eccacee8c8 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -793,7 +793,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + return; + } + nvme_add_ns_head_cdev(head); +- kblockd_schedule_work(&head->partition_scan_work); ++ queue_work(nvme_wq, &head->partition_scan_work); + } + + nvme_mpath_add_sysfs_link(ns->head); +-- +2.51.0 + diff --git a/queue-6.17/nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch b/queue-6.17/nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch new file mode 100644 index 0000000000..fa8e2d85e6 --- /dev/null +++ b/queue-6.17/nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch @@ -0,0 +1,81 @@ +From 7ac4fcebd9f993037d058fb8f27cbd8da2bbbee0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Nov 2025 09:17:11 +1000 +Subject: nvmet-auth: update sc_c in target host hash calculation + +From: Alistair Francis + +[ Upstream commit 159de7a825aea4242d3f8d32de5853d269dbe72f ] + +Commit 7e091add9c43 "nvme-auth: update sc_c in host response" added +the sc_c variable to the dhchap queue context structure which is +appropriately set during negotiate and then used in the host response. + +This breaks secure concat connections with a Linux target as the target +code wasn't updated at the same time. This patch fixes this by adding a +new sc_c variable to the host hash calculations. + +Fixes: 7e091add9c43 ("nvme-auth: update sc_c in host response") +Tested-by: Shin'ichiro Kawasaki +Tested-by: Yi Zhang +Reviewed-by: Martin George +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Alistair Francis +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/auth.c | 4 ++-- + drivers/nvme/target/fabrics-cmd-auth.c | 1 + + drivers/nvme/target/nvmet.h | 1 + + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c +index ceba21684e82c..300d5e032f6d4 100644 +--- a/drivers/nvme/target/auth.c ++++ b/drivers/nvme/target/auth.c +@@ -298,7 +298,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, + const char *hash_name; + u8 *challenge = req->sq->dhchap_c1; + struct nvme_dhchap_key *transformed_key; +- u8 buf[4], sc_c = ctrl->concat ? 1 : 0; ++ u8 buf[4]; + int ret; + + hash_name = nvme_auth_hmac_name(ctrl->shash_id); +@@ -367,7 +367,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, + ret = crypto_shash_update(shash, buf, 2); + if (ret) + goto out; +- *buf = sc_c; ++ *buf = req->sq->sc_c; + ret = crypto_shash_update(shash, buf, 1); + if (ret) + goto out; +diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c +index bf01ec414c55f..5946681cb0e32 100644 +--- a/drivers/nvme/target/fabrics-cmd-auth.c ++++ b/drivers/nvme/target/fabrics-cmd-auth.c +@@ -43,6 +43,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d) + data->auth_protocol[0].dhchap.halen, + data->auth_protocol[0].dhchap.dhlen); + req->sq->dhchap_tid = le16_to_cpu(data->t_id); ++ req->sq->sc_c = data->sc_c; + if (data->sc_c != NVME_AUTH_SECP_NOSC) { + if (!IS_ENABLED(CONFIG_NVME_TARGET_TCP_TLS)) + return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH; +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index 51df72f5e89b7..f3b09f4099f08 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -159,6 +159,7 @@ struct nvmet_sq { + bool authenticated; + struct delayed_work auth_expired_work; + u16 dhchap_tid; ++ u8 sc_c; + u8 dhchap_status; + u8 dhchap_step; + u8 *dhchap_c1; +-- +2.51.0 + diff --git a/queue-6.17/perf-fix-0-count-issue-of-cpu-clock.patch b/queue-6.17/perf-fix-0-count-issue-of-cpu-clock.patch new file mode 100644 index 0000000000..e816f525a3 --- /dev/null +++ b/queue-6.17/perf-fix-0-count-issue-of-cpu-clock.patch @@ -0,0 +1,55 @@ +From bd0935649fe873e44e26ceac70cf609632ddb7b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 16:05:26 +0800 +Subject: perf: Fix 0 count issue of cpu-clock + +From: Dapeng Mi + +[ Upstream commit f1f96511b1c4c33e53f05909dd267878e0643a9a ] + +Currently cpu-clock event always returns 0 count, e.g., + +perf stat -e cpu-clock -- sleep 1 + + Performance counter stats for 'sleep 1': + 0 cpu-clock # 0.000 CPUs utilized + 1.002308394 seconds time elapsed + +The root cause is the commit 'bc4394e5e79c ("perf: Fix the throttle + error of some clock events")' adds PERF_EF_UPDATE flag check before +calling cpu_clock_event_update() to update the count, however the +PERF_EF_UPDATE flag is never set when the cpu-clock event is stopped in +counting mode (pmu->dev() -> cpu_clock_event_del() -> +cpu_clock_event_stop()). This leads to the cpu-clock event count is +never updated. + +To fix this issue, force to set PERF_EF_UPDATE flag for cpu-clock event +just like what task-clock does. + +Fixes: bc4394e5e79c ("perf: Fix the throttle error of some clock events") +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Ian Rogers +Acked-by: Namhyung Kim +Link: https://patch.msgid.link/20251112080526.3971392-1-dapeng1.mi@linux.intel.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index f13565d0eb699..970c4a5ab763b 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -11885,7 +11885,7 @@ static int cpu_clock_event_add(struct perf_event *event, int flags) + + static void cpu_clock_event_del(struct perf_event *event, int flags) + { +- cpu_clock_event_stop(event, flags); ++ cpu_clock_event_stop(event, PERF_EF_UPDATE); + } + + static void cpu_clock_event_read(struct perf_event *event) +-- +2.51.0 + diff --git a/queue-6.17/perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch b/queue-6.17/perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch new file mode 100644 index 0000000000..24dbe0fae5 --- /dev/null +++ b/queue-6.17/perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch @@ -0,0 +1,37 @@ +From 42c532e8326568224b5ba130f90593b82d837f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 14:16:39 +0800 +Subject: perf/x86/intel/uncore: Add uncore PMU support for Wildcat Lake + +From: dongsheng + +[ Upstream commit f4c12e5cefc8ec2eda93bc17ea734407228449ab ] + +WildcatLake (WCL) is a variant of PantherLake (PTL) and shares the same +uncore PMU features with PTL. Therefore, directly reuse Pantherlake's +uncore PMU enabling code for WildcatLake. + +Signed-off-by: dongsheng +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Link: https://patch.msgid.link/20250908061639.938105-2-dapeng1.mi@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c +index a762f7f5b1616..d6c945cc5d07c 100644 +--- a/arch/x86/events/intel/uncore.c ++++ b/arch/x86/events/intel/uncore.c +@@ -1895,6 +1895,7 @@ static const struct x86_cpu_id intel_uncore_match[] __initconst = { + X86_MATCH_VFM(INTEL_ARROWLAKE_H, &mtl_uncore_init), + X86_MATCH_VFM(INTEL_LUNARLAKE_M, &lnl_uncore_init), + X86_MATCH_VFM(INTEL_PANTHERLAKE_L, &ptl_uncore_init), ++ X86_MATCH_VFM(INTEL_WILDCATLAKE_L, &ptl_uncore_init), + X86_MATCH_VFM(INTEL_SAPPHIRERAPIDS_X, &spr_uncore_init), + X86_MATCH_VFM(INTEL_EMERALDRAPIDS_X, &spr_uncore_init), + X86_MATCH_VFM(INTEL_GRANITERAPIDS_X, &gnr_uncore_init), +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch b/queue-6.17/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch new file mode 100644 index 0000000000..6cb9827e9c --- /dev/null +++ b/queue-6.17/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch @@ -0,0 +1,68 @@ +From f9199dd49551032ec32f60112c7432709ac9dea0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 11:05:09 +0800 +Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() + +From: Haotian Zhang + +[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ] + +The driver calls fwnode_get_named_child_node() which takes a reference +on the child node, but never releases it, which causes a reference leak. + +Fix by using devm_add_action_or_reset() to automatically release the +reference when the device is removed. + +Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43") +Suggested-by: Charles Keepax +Signed-off-by: Haotian Zhang +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +index 68abb6d6cecd8..a8f82104a3842 100644 +--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c ++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +@@ -532,6 +532,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip) + return ret; + } + ++static void cs42l43_fwnode_put(void *data) ++{ ++ fwnode_handle_put(data); ++} ++ + static int cs42l43_pin_probe(struct platform_device *pdev) + { + struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent); +@@ -563,10 +568,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev) + priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS; + + if (is_of_node(fwnode)) { +- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl"); +- +- if (fwnode && !fwnode->dev) +- fwnode->dev = priv->dev; ++ struct fwnode_handle *child; ++ ++ child = fwnode_get_named_child_node(fwnode, "pinctrl"); ++ if (child) { ++ ret = devm_add_action_or_reset(&pdev->dev, ++ cs42l43_fwnode_put, child); ++ if (ret) { ++ fwnode_handle_put(child); ++ return ret; ++ } ++ if (!child->dev) ++ child->dev = priv->dev; ++ fwnode = child; ++ } + } + + priv->gpio_chip.fwnode = fwnode; +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-mediatek-mt8189-align-register-base-names-to.patch b/queue-6.17/pinctrl-mediatek-mt8189-align-register-base-names-to.patch new file mode 100644 index 0000000000..242c5dd8b8 --- /dev/null +++ b/queue-6.17/pinctrl-mediatek-mt8189-align-register-base-names-to.patch @@ -0,0 +1,46 @@ +From 4821043c7399a0891922fb1728ab4a6e88e0d1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 15:48:49 +0200 +Subject: pinctrl: mediatek: mt8189: align register base names to dt-bindings + ones + +From: Louis-Alexis Eyraud + +[ Upstream commit 518919276c4119e34e24334003af70ab12477f00 ] + +The mt8189-pinctrl driver requires to probe that a device tree uses +in the device node the same names than mt8189_pinctrl_register_base_names +array. But they are not matching the required ones in the +"mediatek,mt8189-pinctrl" dt-bindings, leading to possible dtbs check +issues. The mt8189_pinctrl_register_base_names entry order is also +different. +So, align all mt8189_pinctrl_register_base_names entry names and order +on dt-bindings. + +Fixes: a3fe1324c3c5 ("pinctrl: mediatek: Add pinctrl driver for mt8189") +Signed-off-by: Louis-Alexis Eyraud +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mt8189.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8189.c b/drivers/pinctrl/mediatek/pinctrl-mt8189.c +index 7028aff55ae58..f6a3e584588b0 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mt8189.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mt8189.c +@@ -1642,9 +1642,7 @@ static const struct mtk_pin_reg_calc mt8189_reg_cals[PINCTRL_PIN_REG_MAX] = { + }; + + static const char * const mt8189_pinctrl_register_base_names[] = { +- "gpio_base", "iocfg_bm0_base", "iocfg_bm1_base", "iocfg_bm2_base", "iocfg_lm_base", +- "iocfg_lt0_base", "iocfg_lt1_base", "iocfg_rb0_base", "iocfg_rb1_base", +- "iocfg_rt_base" ++ "base", "lm", "rb0", "rb1", "bm0", "bm1", "bm2", "lt0", "lt1", "rt", + }; + + static const struct mtk_eint_hw mt8189_eint_hw = { +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-mediatek-mt8196-align-register-base-names-to.patch b/queue-6.17/pinctrl-mediatek-mt8196-align-register-base-names-to.patch new file mode 100644 index 0000000000..026ffedbae --- /dev/null +++ b/queue-6.17/pinctrl-mediatek-mt8196-align-register-base-names-to.patch @@ -0,0 +1,47 @@ +From 524226ac7b6b32732bd9e389629a1dfc2c909975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 16:00:28 +0200 +Subject: pinctrl: mediatek: mt8196: align register base names to dt-bindings + ones + +From: Louis-Alexis Eyraud + +[ Upstream commit 404ee89b4008cf2130554dac2c64cd8412601356 ] + +The mt8196-pinctrl driver requires to probe that a device tree uses +in the device node the same names than mt8196_pinctrl_register_base_names +array. But they are not matching the required ones in the +"mediatek,mt8196-pinctrl" dt-bindings, leading to possible dtbs check +issues. +So, align all mt8196_pinctrl_register_base_names entries on dt-bindings +ones. + +Fixes: f7a29377c253 ("pinctrl: mediatek: Add pinctrl driver on mt8196") +Signed-off-by: Louis-Alexis Eyraud +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mediatek/pinctrl-mt8196.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8196.c b/drivers/pinctrl/mediatek/pinctrl-mt8196.c +index 82a73929c7a0f..dec957c1724b0 100644 +--- a/drivers/pinctrl/mediatek/pinctrl-mt8196.c ++++ b/drivers/pinctrl/mediatek/pinctrl-mt8196.c +@@ -1801,10 +1801,8 @@ static const struct mtk_pin_reg_calc mt8196_reg_cals[PINCTRL_PIN_REG_MAX] = { + }; + + static const char * const mt8196_pinctrl_register_base_names[] = { +- "iocfg0", "iocfg_rt", "iocfg_rm1", "iocfg_rm2", +- "iocfg_rb", "iocfg_bm1", "iocfg_bm2", "iocfg_bm3", +- "iocfg_lt", "iocfg_lm1", "iocfg_lm2", "iocfg_lb1", +- "iocfg_lb2", "iocfg_tm1", "iocfg_tm2", "iocfg_tm3", ++ "base", "rt", "rm1", "rm2", "rb", "bm1", "bm2", "bm3", ++ "lt", "lm1", "lm2", "lb1", "lb2", "tm1", "tm2", "tm3", + }; + + static const struct mtk_eint_hw mt8196_eint_hw = { +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch b/queue-6.17/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch new file mode 100644 index 0000000000..0e50c6b992 --- /dev/null +++ b/queue-6.17/pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch @@ -0,0 +1,42 @@ +From 81101a429928e2f63ce2a9d56e99913f661dae93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 15:55:29 +0800 +Subject: pinctrl: realtek: Select REGMAP_MMIO for RTD driver + +From: Yu-Chun Lin + +[ Upstream commit 369f772299821f93f872bf1b4d7d7ed2fc50243b ] + +The pinctrl-rtd driver uses 'devm_regmap_init_mmio', which requires +'REGMAP_MMIO' to be enabled. + +Without this selection, the build fails with an undefined reference: +aarch64-none-linux-gnu-ld: drivers/pinctrl/realtek/pinctrl-rtd.o: in +function rtd_pinctrl_probe': pinctrl-rtd.c:(.text+0x5a0): undefined +reference to __devm_regmap_init_mmio_clk' + +Fix this by selecting 'REGMAP_MMIO' in the Kconfig. + +Fixes: e99ce78030db ("pinctrl: realtek: Add common pinctrl driver for Realtek DHC RTD SoCs") +Signed-off-by: Yu-Chun Lin +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/realtek/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/realtek/Kconfig b/drivers/pinctrl/realtek/Kconfig +index 0fc6bd4fcb7ec..400c9e5b16ada 100644 +--- a/drivers/pinctrl/realtek/Kconfig ++++ b/drivers/pinctrl/realtek/Kconfig +@@ -6,6 +6,7 @@ config PINCTRL_RTD + default y + select PINMUX + select GENERIC_PINCONF ++ select REGMAP_MMIO + + config PINCTRL_RTD1619B + tristate "Realtek DHC 1619B pin controller driver" +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch b/queue-6.17/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch new file mode 100644 index 0000000000..bfd08b69dd --- /dev/null +++ b/queue-6.17/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch @@ -0,0 +1,81 @@ +From 745ddeba5305f20aad6ea18ed6cd0b044e1f27d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:11 -0800 +Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc + +From: Jared Kangas + +[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ] + +s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its +fields are initialized. Notably, num_custom_params is used in +pinconf_generic_parse_dt_config(), resulting in intermittent allocation +errors, such as the following splat when probing i2c-imx: + + WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 + [...] + Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) + [...] + Call trace: + __alloc_pages_noprof+0x290/0x300 (P) + ___kmalloc_large_node+0x84/0x168 + __kmalloc_large_node_noprof+0x34/0x120 + __kmalloc_noprof+0x2ac/0x378 + pinconf_generic_parse_dt_config+0x68/0x1a0 + s32_dt_node_to_map+0x104/0x248 + dt_to_map_one_config+0x154/0x1d8 + pinctrl_dt_to_map+0x12c/0x280 + create_pinctrl+0x6c/0x270 + pinctrl_get+0xc0/0x170 + devm_pinctrl_get+0x50/0xa0 + pinctrl_bind_pins+0x60/0x2a0 + really_probe+0x60/0x3a0 + [...] + __platform_driver_register+0x2c/0x40 + i2c_adap_imx_init+0x28/0xff8 [i2c_imx] + [...] + +This results in later parse failures that can cause issues in dependent +drivers: + + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + [...] + pca953x 0-0022: failed writing register: -6 + i2c i2c-0: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + i2c i2c-1: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + i2c i2c-2: IMX I2C adapter registered + +Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of +devm_kmalloc() in s32_pinctrl_probe(), which sets the previously +uninitialized fields to zero. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Tested-by: Jan Petrous (OSS) +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 501eb296c7605..51ecb8d0fb7e8 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -951,7 +951,7 @@ int s32_pinctrl_probe(struct platform_device *pdev, + spin_lock_init(&ipctl->gpio_configs_lock); + + s32_pinctrl_desc = +- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); ++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); + if (!s32_pinctrl_desc) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.17/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch b/queue-6.17/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch new file mode 100644 index 0000000000..857c5dc617 --- /dev/null +++ b/queue-6.17/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch @@ -0,0 +1,38 @@ +From b97852ba42c8f9856cfc7adbc3c932ea66a3c326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:12 -0800 +Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() + +From: Jared Kangas + +[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ] + +s32_pmx_gpio_request_enable() does not initialize the newly-allocated +gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs. +This could result in a linked list corruption. + +Initialize the new list_head with INIT_LIST_HEAD() to fix this. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 51ecb8d0fb7e8..35511f83d0560 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev, + + gpio_pin->pin_id = offset; + gpio_pin->config = config; ++ INIT_LIST_HEAD(&gpio_pin->list); + + spin_lock_irqsave(&ipctl->gpio_configs_lock, flags); + list_add(&gpio_pin->list, &ipctl->gpio_configs); +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-intel-speed_select_if-convert-pcibios_-.patch b/queue-6.17/platform-x86-intel-speed_select_if-convert-pcibios_-.patch new file mode 100644 index 0000000000..9e2900562b --- /dev/null +++ b/queue-6.17/platform-x86-intel-speed_select_if-convert-pcibios_-.patch @@ -0,0 +1,53 @@ +From 31df8f7456b2dadfcef3c98c888698c648159542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:33:54 +0800 +Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to + errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haotian Zhang + +[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ] + +isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The return code is returned from the probe function as is but +probe functions should return normal errnos. A proper implementation +can be found in drivers/leds/leds-ss4200.c. + +Convert PCIBIOS_* return codes using pcibios_err_to_errno() into +normal errno before returning. + +Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface") +Signed-off-by: Haotian Zhang +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +index 3f4343147dadb..950ede5eab769 100644 +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +@@ -108,11 +108,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + ret = pci_read_config_dword(pdev, 0xD0, &mmio_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + ret = pci_read_config_dword(pdev, 0xFC, &pcu_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + pcu_base &= GENMASK(10, 0); + base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12; +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-intel-uncore-freq-fix-all-header-kernel.patch b/queue-6.17/platform-x86-intel-uncore-freq-fix-all-header-kernel.patch new file mode 100644 index 0000000000..7aba51294a --- /dev/null +++ b/queue-6.17/platform-x86-intel-uncore-freq-fix-all-header-kernel.patch @@ -0,0 +1,73 @@ +From 7578753349324607ce3857cecb3143059060c719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 22:09:34 -0800 +Subject: platform/x86: intel-uncore-freq: fix all header kernel-doc warnings +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit db30233361f94e1a84450c607989bdb671100fb6 ] + +In file uncore-frequency/uncore-frequency-common.h, +correct all kernel-doc warnings by adding missing leading " *" to some +lines, adding a missing kernel-doc entry, and fixing a name typo. + +Warning: uncore-frequency-common.h:50 bad line: + Storage for kobject attribute elc_low_threshold_percent +Warning: uncore-frequency-common.h:52 bad line: + Storage for kobject attribute elc_high_threshold_percent +Warning: uncore-frequency-common.h:54 bad line: + Storage for kobject attribute elc_high_threshold_enable +Warning: uncore-frequency-common.h:92 struct member + 'min_freq_khz_kobj_attr' not described in 'uncore_data' +Warning: uncore-frequency-common.h:92 struct member + 'die_id_kobj_attr' not described in 'uncore_data' + +Fixes: 24b6616355f7 ("platform/x86/intel-uncore-freq: Add efficiency latency control to sysfs interface") +Fixes: 416de0246f35 ("platform/x86: intel-uncore-freq: Fix types in sysfs callbacks") +Fixes: 247b43fcd872 ("platform/x86/intel-uncore-freq: Add attributes to show die_id") +Signed-off-by: Randy Dunlap +Link: https://patch.msgid.link/20251111060938.1998542-1-rdunlap@infradead.org +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + .../x86/intel/uncore-frequency/uncore-frequency-common.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h +index 70ae11519837e..0abe850ef54ea 100644 +--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h ++++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.h +@@ -40,7 +40,7 @@ + * @agent_type_mask: Bit mask of all hardware agents for this domain + * @uncore_attr_group: Attribute group storage + * @max_freq_khz_kobj_attr: Storage for kobject attribute max_freq_khz +- * @mix_freq_khz_kobj_attr: Storage for kobject attribute min_freq_khz ++ * @min_freq_khz_kobj_attr: Storage for kobject attribute min_freq_khz + * @initial_max_freq_khz_kobj_attr: Storage for kobject attribute initial_max_freq_khz + * @initial_min_freq_khz_kobj_attr: Storage for kobject attribute initial_min_freq_khz + * @current_freq_khz_kobj_attr: Storage for kobject attribute current_freq_khz +@@ -48,13 +48,14 @@ + * @fabric_cluster_id_kobj_attr: Storage for kobject attribute fabric_cluster_id + * @package_id_kobj_attr: Storage for kobject attribute package_id + * @elc_low_threshold_percent_kobj_attr: +- Storage for kobject attribute elc_low_threshold_percent ++ * Storage for kobject attribute elc_low_threshold_percent + * @elc_high_threshold_percent_kobj_attr: +- Storage for kobject attribute elc_high_threshold_percent ++ * Storage for kobject attribute elc_high_threshold_percent + * @elc_high_threshold_enable_kobj_attr: +- Storage for kobject attribute elc_high_threshold_enable ++ * Storage for kobject attribute elc_high_threshold_enable + * @elc_floor_freq_khz_kobj_attr: Storage for kobject attribute elc_floor_freq_khz + * @agent_types_kobj_attr: Storage for kobject attribute agent_type ++ * @die_id_kobj_attr: Attribute storage for die_id information + * @uncore_attrs: Attribute storage for group creation + * + * This structure is used to encapsulate all data related to uncore sysfs +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch b/queue-6.17/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch new file mode 100644 index 0000000000..5e96d689e6 --- /dev/null +++ b/queue-6.17/platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch @@ -0,0 +1,63 @@ +From 9787d8618f4f9d260ed45c060cf0fcb9971b70a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 12:12:53 +0100 +Subject: platform/x86: msi-wmi-platform: Fix typo in WMI GUID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit 97b726eb1dc2b4a2532544eb3da72bb6acbd39a3 ] + +The WMI driver core only supports GUID strings containing only +uppercase characters, however the GUID string used by the +msi-wmi-platform driver contains a single lowercase character. +This prevents the WMI driver core from matching said driver to +its WMI device. + +Fix this by turning the lowercase character into a uppercase +character. Also update the WMI driver development guide to warn +about this. + +Reported-by: Antheas Kapenekakis +Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver") +Tested-by: Antheas Kapenekakis +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251110111253.16204-3-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + Documentation/wmi/driver-development-guide.rst | 1 + + drivers/platform/x86/msi-wmi-platform.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/wmi/driver-development-guide.rst b/Documentation/wmi/driver-development-guide.rst +index 99ef21fc1c1ed..5680303ae314e 100644 +--- a/Documentation/wmi/driver-development-guide.rst ++++ b/Documentation/wmi/driver-development-guide.rst +@@ -54,6 +54,7 @@ to matching WMI devices using a struct wmi_device_id table: + :: + + static const struct wmi_device_id foo_id_table[] = { ++ /* Only use uppercase letters! */ + { "936DA01F-9ABD-4D9D-80C7-02AF85C822A8", NULL }, + { } + }; +diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c +index bd2687828a2e6..e912fcc12d124 100644 +--- a/drivers/platform/x86/msi-wmi-platform.c ++++ b/drivers/platform/x86/msi-wmi-platform.c +@@ -29,7 +29,7 @@ + + #define DRIVER_NAME "msi-wmi-platform" + +-#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11d1-00A0-C90629100000" ++#define MSI_PLATFORM_GUID "ABBC0F6E-8EA1-11D1-00A0-C90629100000" + + #define MSI_WMI_PLATFORM_INTERFACE_VERSION 2 + +-- +2.51.0 + diff --git a/queue-6.17/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch b/queue-6.17/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch new file mode 100644 index 0000000000..56864d1d30 --- /dev/null +++ b/queue-6.17/platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch @@ -0,0 +1,108 @@ +From 1892ca0afb4e38858b5d19eab64609de0280985b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 12:12:52 +0100 +Subject: platform/x86: msi-wmi-platform: Only load on MSI devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit c93433fd4e2bbbe7caa67b53d808b4a084852ff3 ] + +It turns out that the GUID used by the msi-wmi-platform driver +(ABBC0F60-8EA1-11D1-00A0-C90629100000) is not unique, but was instead +copied from the WIndows Driver Samples. This means that this driver +could load on devices from other manufacturers that also copied this +GUID, potentially causing hardware errors. + +Prevent this by only loading on devices whitelisted via DMI. The DMI +matches where taken from the msi-ec driver. + +Reported-by: Antheas Kapenekakis +Fixes: 9c0beb6b29e7 ("platform/x86: wmi: Add MSI WMI Platform driver") +Tested-by: Antheas Kapenekakis +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251110111253.16204-2-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/Kconfig | 1 + + drivers/platform/x86/msi-wmi-platform.c | 41 ++++++++++++++++++++++++- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig +index 6d238e120dce7..98252cc19aab7 100644 +--- a/drivers/platform/x86/Kconfig ++++ b/drivers/platform/x86/Kconfig +@@ -533,6 +533,7 @@ config MSI_WMI + config MSI_WMI_PLATFORM + tristate "MSI WMI Platform features" + depends on ACPI_WMI ++ depends on DMI + depends on HWMON + help + Say Y here if you want to have support for WMI-based platform features +diff --git a/drivers/platform/x86/msi-wmi-platform.c b/drivers/platform/x86/msi-wmi-platform.c +index dc5e9878cb682..bd2687828a2e6 100644 +--- a/drivers/platform/x86/msi-wmi-platform.c ++++ b/drivers/platform/x86/msi-wmi-platform.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -448,7 +449,45 @@ static struct wmi_driver msi_wmi_platform_driver = { + .probe = msi_wmi_platform_probe, + .no_singleton = true, + }; +-module_wmi_driver(msi_wmi_platform_driver); ++ ++/* ++ * MSI reused the WMI GUID from the WMI-ACPI sample code provided by Microsoft, ++ * so other manufacturers might use it as well for their WMI-ACPI implementations. ++ */ ++static const struct dmi_system_id msi_wmi_platform_whitelist[] __initconst = { ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"), ++ }, ++ }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Micro-Star International"), ++ }, ++ }, ++ { } ++}; ++ ++static int __init msi_wmi_platform_module_init(void) ++{ ++ if (!dmi_check_system(msi_wmi_platform_whitelist)) { ++ if (!force) ++ return -ENODEV; ++ ++ pr_warn("Ignoring DMI whitelist\n"); ++ } ++ ++ return wmi_driver_register(&msi_wmi_platform_driver); ++} ++ ++static void __exit msi_wmi_platform_module_exit(void) ++{ ++ wmi_driver_unregister(&msi_wmi_platform_driver); ++} ++ ++module_init(msi_wmi_platform_module_init); ++module_exit(msi_wmi_platform_module_exit); ++ + + MODULE_AUTHOR("Armin Wolf "); + MODULE_DESCRIPTION("MSI WMI platform features"); +-- +2.51.0 + diff --git a/queue-6.17/s390-ctcm-fix-double-kfree.patch b/queue-6.17/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..b8fb603ed6 --- /dev/null +++ b/queue-6.17/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From 927a848a5243e28bebfa8657942466303af3560d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 0aeafa772fb1e..407b7c5166585 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -701,7 +701,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-6.17/sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch b/queue-6.17/sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch new file mode 100644 index 0000000000..721264e995 --- /dev/null +++ b/queue-6.17/sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch @@ -0,0 +1,202 @@ +From 73b76f56d89fe8284f8a47d5a1434b641ca27849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Oct 2025 13:43:26 -1000 +Subject: sched_ext: Allocate scx_kick_cpus_pnt_seqs lazily using kvzalloc() + +From: Tejun Heo + +[ Upstream commit 14c1da3895a116f4e32c20487046655f26d3999b ] + +On systems with >4096 CPUs, scx_kick_cpus_pnt_seqs allocation fails during +boot because it exceeds the 32,768 byte percpu allocator limit. + +Restructure to use DEFINE_PER_CPU() for the per-CPU pointers, with each CPU +pointing to its own kvzalloc'd array. Move allocation from boot time to +scx_enable() and free in scx_disable(), so the O(nr_cpu_ids^2) memory is only +consumed when sched_ext is active. + +Use RCU to guard against racing with free. Arrays are freed via call_rcu() +and kick_cpus_irq_workfn() uses rcu_dereference_bh() with a NULL check. + +While at it, rename to scx_kick_pseqs for brevity and update comments to +clarify these are pick_task sequence numbers. + +v2: RCU protect scx_kick_seqs to manage kick_cpus_irq_workfn() racing + against disable as per Andrea. + +v3: Fix bugs notcied by Andrea. + +Reported-by: Phil Auld +Link: http://lkml.kernel.org/r/20251007133523.GA93086@pauld.westford.csb +Cc: Andrea Righi +Reviewed-by: Emil Tsalapatis +Reviewed-by: Phil Auld +Reviewed-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 89 ++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 79 insertions(+), 10 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 77eec6f16a5ed..b454206100ce5 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -67,8 +67,19 @@ static unsigned long scx_watchdog_timestamp = INITIAL_JIFFIES; + + static struct delayed_work scx_watchdog_work; + +-/* for %SCX_KICK_WAIT */ +-static unsigned long __percpu *scx_kick_cpus_pnt_seqs; ++/* ++ * For %SCX_KICK_WAIT: Each CPU has a pointer to an array of pick_task sequence ++ * numbers. The arrays are allocated with kvzalloc() as size can exceed percpu ++ * allocator limits on large machines. O(nr_cpu_ids^2) allocation, allocated ++ * lazily when enabling and freed when disabling to avoid waste when sched_ext ++ * isn't active. ++ */ ++struct scx_kick_pseqs { ++ struct rcu_head rcu; ++ unsigned long seqs[]; ++}; ++ ++static DEFINE_PER_CPU(struct scx_kick_pseqs __rcu *, scx_kick_pseqs); + + /* + * Direct dispatch marker. +@@ -3905,6 +3916,27 @@ static const char *scx_exit_reason(enum scx_exit_kind kind) + } + } + ++static void free_kick_pseqs_rcu(struct rcu_head *rcu) ++{ ++ struct scx_kick_pseqs *pseqs = container_of(rcu, struct scx_kick_pseqs, rcu); ++ ++ kvfree(pseqs); ++} ++ ++static void free_kick_pseqs(void) ++{ ++ int cpu; ++ ++ for_each_possible_cpu(cpu) { ++ struct scx_kick_pseqs **pseqs = per_cpu_ptr(&scx_kick_pseqs, cpu); ++ struct scx_kick_pseqs *to_free; ++ ++ to_free = rcu_replace_pointer(*pseqs, NULL, true); ++ if (to_free) ++ call_rcu(&to_free->rcu, free_kick_pseqs_rcu); ++ } ++} ++ + static void scx_disable_workfn(struct kthread_work *work) + { + struct scx_sched *sch = container_of(work, struct scx_sched, disable_work); +@@ -4041,6 +4073,7 @@ static void scx_disable_workfn(struct kthread_work *work) + free_percpu(scx_dsp_ctx); + scx_dsp_ctx = NULL; + scx_dsp_max_batch = 0; ++ free_kick_pseqs(); + + mutex_unlock(&scx_enable_mutex); + +@@ -4402,6 +4435,33 @@ static void scx_vexit(struct scx_sched *sch, + irq_work_queue(&sch->error_irq_work); + } + ++static int alloc_kick_pseqs(void) ++{ ++ int cpu; ++ ++ /* ++ * Allocate per-CPU arrays sized by nr_cpu_ids. Use kvzalloc as size ++ * can exceed percpu allocator limits on large machines. ++ */ ++ for_each_possible_cpu(cpu) { ++ struct scx_kick_pseqs **pseqs = per_cpu_ptr(&scx_kick_pseqs, cpu); ++ struct scx_kick_pseqs *new_pseqs; ++ ++ WARN_ON_ONCE(rcu_access_pointer(*pseqs)); ++ ++ new_pseqs = kvzalloc_node(struct_size(new_pseqs, seqs, nr_cpu_ids), ++ GFP_KERNEL, cpu_to_node(cpu)); ++ if (!new_pseqs) { ++ free_kick_pseqs(); ++ return -ENOMEM; ++ } ++ ++ rcu_assign_pointer(*pseqs, new_pseqs); ++ } ++ ++ return 0; ++} ++ + static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops) + { + struct scx_sched *sch; +@@ -4547,15 +4607,19 @@ static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link) + + mutex_lock(&scx_enable_mutex); + ++ ret = alloc_kick_pseqs(); ++ if (ret) ++ goto err_unlock; ++ + if (scx_enable_state() != SCX_DISABLED) { + ret = -EBUSY; +- goto err_unlock; ++ goto err_free_pseqs; + } + + sch = scx_alloc_and_add_sched(ops); + if (IS_ERR(sch)) { + ret = PTR_ERR(sch); +- goto err_unlock; ++ goto err_free_pseqs; + } + + /* +@@ -4759,6 +4823,8 @@ static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link) + + return 0; + ++err_free_pseqs: ++ free_kick_pseqs(); + err_unlock: + mutex_unlock(&scx_enable_mutex); + return ret; +@@ -5140,10 +5206,18 @@ static void kick_cpus_irq_workfn(struct irq_work *irq_work) + { + struct rq *this_rq = this_rq(); + struct scx_rq *this_scx = &this_rq->scx; +- unsigned long *pseqs = this_cpu_ptr(scx_kick_cpus_pnt_seqs); ++ struct scx_kick_pseqs __rcu *pseqs_pcpu = __this_cpu_read(scx_kick_pseqs); + bool should_wait = false; ++ unsigned long *pseqs; + s32 cpu; + ++ if (unlikely(!pseqs_pcpu)) { ++ pr_warn_once("kick_cpus_irq_workfn() called with NULL scx_kick_pseqs"); ++ return; ++ } ++ ++ pseqs = rcu_dereference_bh(pseqs_pcpu)->seqs; ++ + for_each_cpu(cpu, this_scx->cpus_to_kick) { + should_wait |= kick_one_cpu(cpu, this_rq, pseqs); + cpumask_clear_cpu(cpu, this_scx->cpus_to_kick); +@@ -5266,11 +5340,6 @@ void __init init_sched_ext_class(void) + + scx_idle_init_masks(); + +- scx_kick_cpus_pnt_seqs = +- __alloc_percpu(sizeof(scx_kick_cpus_pnt_seqs[0]) * nr_cpu_ids, +- __alignof__(scx_kick_cpus_pnt_seqs[0])); +- BUG_ON(!scx_kick_cpus_pnt_seqs); +- + for_each_possible_cpu(cpu) { + struct rq *rq = cpu_rq(cpu); + int n = cpu_to_node(cpu); +-- +2.51.0 + diff --git a/queue-6.17/sched_ext-defer-queue_balance_callback-until-after-o.patch b/queue-6.17/sched_ext-defer-queue_balance_callback-until-after-o.patch new file mode 100644 index 0000000000..573d0cf0fc --- /dev/null +++ b/queue-6.17/sched_ext-defer-queue_balance_callback-until-after-o.patch @@ -0,0 +1,128 @@ +From 4b1b455d3fae1451c370e5a23cb38905eeedd91d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Oct 2025 12:12:50 -0700 +Subject: sched_ext: defer queue_balance_callback() until after ops.dispatch + +From: Emil Tsalapatis + +[ Upstream commit a8ad873113d3fe01f9b5d737d4b0570fa36826b0 ] + +The sched_ext code calls queue_balance_callback() during enqueue_task() +to defer operations that drop multiple locks until we can unpin them. +The call assumes that the rq lock is held until the callbacks are +invoked, and the pending callbacks will not be visible to any other +threads. This is enforced by a WARN_ON_ONCE() in rq_pin_lock(). + +However, balance_one() may actually drop the lock during a BPF dispatch +call. Another thread may win the race to get the rq lock and see the +pending callback. To avoid this, sched_ext must only queue the callback +after the dispatch calls have completed. + +CPU 0 CPU 1 CPU 2 + +scx_balance() + rq_unpin_lock() + scx_balance_one() + |= IN_BALANCE scx_enqueue() + ops.dispatch() + rq_unlock() + rq_lock() + queue_balance_callback() + rq_unlock() + [WARN] rq_pin_lock() + rq_lock() + &= ~IN_BALANCE +rq_repin_lock() + +Changelog + +v2-> v1 (https://lore.kernel.org/sched-ext/aOgOxtHCeyRT_7jn@gpd4) + +- Fixed explanation in patch description (Andrea) +- Fixed scx_rq mask state updates (Andrea) +- Added Reviewed-by tag from Andrea + +Reported-by: Jakub Kicinski +Signed-off-by: Emil Tsalapatis (Meta) +Reviewed-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 29 +++++++++++++++++++++++++++-- + kernel/sched/sched.h | 1 + + 2 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index b454206100ce5..d6d2eea9d1483 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -820,13 +820,23 @@ static void schedule_deferred(struct rq *rq) + if (rq->scx.flags & SCX_RQ_IN_WAKEUP) + return; + ++ /* Don't do anything if there already is a deferred operation. */ ++ if (rq->scx.flags & SCX_RQ_BAL_PENDING) ++ return; ++ + /* + * If in balance, the balance callbacks will be called before rq lock is + * released. Schedule one. ++ * ++ * ++ * We can't directly insert the callback into the ++ * rq's list: The call can drop its lock and make the pending balance ++ * callback visible to unrelated code paths that call rq_pin_lock(). ++ * ++ * Just let balance_one() know that it must do it itself. + */ + if (rq->scx.flags & SCX_RQ_IN_BALANCE) { +- queue_balance_callback(rq, &rq->scx.deferred_bal_cb, +- deferred_bal_cb_workfn); ++ rq->scx.flags |= SCX_RQ_BAL_CB_PENDING; + return; + } + +@@ -2043,6 +2053,19 @@ static void flush_dispatch_buf(struct scx_sched *sch, struct rq *rq) + dspc->cursor = 0; + } + ++static inline void maybe_queue_balance_callback(struct rq *rq) ++{ ++ lockdep_assert_rq_held(rq); ++ ++ if (!(rq->scx.flags & SCX_RQ_BAL_CB_PENDING)) ++ return; ++ ++ queue_balance_callback(rq, &rq->scx.deferred_bal_cb, ++ deferred_bal_cb_workfn); ++ ++ rq->scx.flags &= ~SCX_RQ_BAL_CB_PENDING; ++} ++ + static int balance_one(struct rq *rq, struct task_struct *prev) + { + struct scx_sched *sch = scx_root; +@@ -2190,6 +2213,8 @@ static int balance_scx(struct rq *rq, struct task_struct *prev, + #endif + rq_repin_lock(rq, rf); + ++ maybe_queue_balance_callback(rq); ++ + return ret; + } + +diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h +index 72fb9129afb6a..c7f67f54d4e3e 100644 +--- a/kernel/sched/sched.h ++++ b/kernel/sched/sched.h +@@ -782,6 +782,7 @@ enum scx_rq_flags { + SCX_RQ_BAL_KEEP = 1 << 3, /* balance decided to keep current */ + SCX_RQ_BYPASSING = 1 << 4, + SCX_RQ_CLK_VALID = 1 << 5, /* RQ clock is fresh and valid */ ++ SCX_RQ_BAL_CB_PENDING = 1 << 6, /* must queue a cb after dispatching */ + + SCX_RQ_IN_WAKEUP = 1 << 16, + SCX_RQ_IN_BALANCE = 1 << 17, +-- +2.51.0 + diff --git a/queue-6.17/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-6.17/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..e20921bf72 --- /dev/null +++ b/queue-6.17/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From 124fb533b20fd495f3e08c4363c0ce5913c431ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index cc5d05dc395c4..17173239301e6 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -611,8 +611,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-6.17/selftests-cachestat-fix-warning-on-declaration-under.patch b/queue-6.17/selftests-cachestat-fix-warning-on-declaration-under.patch new file mode 100644 index 0000000000..e1d4baf653 --- /dev/null +++ b/queue-6.17/selftests-cachestat-fix-warning-on-declaration-under.patch @@ -0,0 +1,55 @@ +From 1e024dd0161e836241cd9a170141d7ff30078bce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 17:24:06 +0530 +Subject: selftests: cachestat: Fix warning on declaration under label + +From: Sidharth Seela + +[ Upstream commit 920aa3a7705a061cb3004572d8b7932b54463dbf ] + +Fix warning caused from declaration under a case label. The proper way +is to declare variable at the beginning of the function. The warning +came from running clang using LLVM=1; and is as follows: + +-test_cachestat.c:260:3: warning: label followed by a declaration is a C23 extension [-Wc23-extensions] + 260 | char *map = mmap(NULL, filesize, PROT_READ | PROT_WRITE, + | + +Link: https://lore.kernel.org/r/20250929115405.25695-2-sidharthseela@gmail.com +Signed-off-by: Sidharth Seela +Reviewed-by: SeongJae Park +Reviewed-by: wang lian +Reviewed-by: Dev Jain +Acked-by: Shuah Khan +Acked-by: Nhat Pham +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/cachestat/test_cachestat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/cachestat/test_cachestat.c b/tools/testing/selftests/cachestat/test_cachestat.c +index c952640f163b5..ab838bcb9ec55 100644 +--- a/tools/testing/selftests/cachestat/test_cachestat.c ++++ b/tools/testing/selftests/cachestat/test_cachestat.c +@@ -226,7 +226,7 @@ bool run_cachestat_test(enum file_type type) + int syscall_ret; + size_t compute_len = PS * 512; + struct cachestat_range cs_range = { PS, compute_len }; +- char *filename = "tmpshmcstat"; ++ char *filename = "tmpshmcstat", *map; + struct cachestat cs; + bool ret = true; + int fd; +@@ -257,7 +257,7 @@ bool run_cachestat_test(enum file_type type) + } + break; + case FILE_MMAP: +- char *map = mmap(NULL, filesize, PROT_READ | PROT_WRITE, ++ map = mmap(NULL, filesize, PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0); + + if (map == MAP_FAILED) { +-- +2.51.0 + diff --git a/queue-6.17/selftests-net-lib-do-not-overwrite-error-messages.patch b/queue-6.17/selftests-net-lib-do-not-overwrite-error-messages.patch new file mode 100644 index 0000000000..b829b3e60d --- /dev/null +++ b/queue-6.17/selftests-net-lib-do-not-overwrite-error-messages.patch @@ -0,0 +1,97 @@ +From 86c17397677554999cbd8c63740f3a2351548d3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Nov 2025 10:10:29 +0200 +Subject: selftests: net: lib: Do not overwrite error messages + +From: Ido Schimmel + +[ Upstream commit bed22c7b90af732978715a1789bca1c3cfa245a6 ] + +ret_set_ksft_status() calls ksft_status_merge() with the current return +status and the last one. It treats a non-zero return code from +ksft_status_merge() as an indication that the return status was +overwritten by the last one and therefore overwrites the return message +with the last one. + +Currently, ksft_status_merge() returns a non-zero return code even if +the current return status and the last one are equal. This results in +return messages being overwritten which is counter-productive since we +are more interested in the first failure message and not the last one. + +Fix by changing ksft_status_merge() to only return a non-zero return +code if the current return status was actually changed. + +Add a test case which checks that the first error message is not +overwritten. + +Before: + + # ./lib_sh_test.sh + [...] + TEST: RET tfail2 tfail -> fail [FAIL] + retmsg=tfail expected tfail2 + [...] + # echo $? + 1 + +After: + + # ./lib_sh_test.sh + [...] + TEST: RET tfail2 tfail -> fail [ OK ] + [...] + # echo $? + 0 + +Fixes: 596c8819cb78 ("selftests: forwarding: Have RET track kselftest framework constants") +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20251116081029.69112-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/forwarding/lib_sh_test.sh | 7 +++++++ + tools/testing/selftests/net/lib.sh | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/forwarding/lib_sh_test.sh b/tools/testing/selftests/net/forwarding/lib_sh_test.sh +index ff2accccaf4d4..b4eda6c6199ed 100755 +--- a/tools/testing/selftests/net/forwarding/lib_sh_test.sh ++++ b/tools/testing/selftests/net/forwarding/lib_sh_test.sh +@@ -30,6 +30,11 @@ tfail() + do_test "tfail" false + } + ++tfail2() ++{ ++ do_test "tfail2" false ++} ++ + txfail() + { + FAIL_TO_XFAIL=yes do_test "txfail" false +@@ -132,6 +137,8 @@ test_ret() + ret_subtest $ksft_fail "tfail" txfail tfail + + ret_subtest $ksft_xfail "txfail" txfail txfail ++ ++ ret_subtest $ksft_fail "tfail2" tfail2 tfail + } + + exit_status_tests_run() +diff --git a/tools/testing/selftests/net/lib.sh b/tools/testing/selftests/net/lib.sh +index 80cf1a75136cf..bc332ab3f7b88 100644 +--- a/tools/testing/selftests/net/lib.sh ++++ b/tools/testing/selftests/net/lib.sh +@@ -43,7 +43,7 @@ __ksft_status_merge() + weights[$i]=$((weight++)) + done + +- if [[ ${weights[$a]} > ${weights[$b]} ]]; then ++ if [[ ${weights[$a]} -ge ${weights[$b]} ]]; then + echo "$a" + return 0 + else +-- +2.51.0 + diff --git a/queue-6.17/selftests-net-use-bash-for-bareudp-testing.patch b/queue-6.17/selftests-net-use-bash-for-bareudp-testing.patch new file mode 100644 index 0000000000..c1edb9af82 --- /dev/null +++ b/queue-6.17/selftests-net-use-bash-for-bareudp-testing.patch @@ -0,0 +1,46 @@ +From eaa556a401fb50893561ee3235a3365c8bc9b2de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 17:57:10 +0800 +Subject: selftests: net: use BASH for bareudp testing + +From: Po-Hsu Lin + +[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ] + +In bareudp.sh, this script uses /bin/sh and it will load another lib.sh +BASH script at the very beginning. + +But on some operating systems like Ubuntu, /bin/sh is actually pointed to +DASH, thus it will try to run BASH commands with DASH and consequently +leads to syntax issues: + # ./bareudp.sh: 4: ./lib.sh: Bad substitution + # ./bareudp.sh: 5: ./lib.sh: source: not found + # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected + +Fix this by explicitly using BASH for bareudp.sh. This fixes test +execution failures on systems where /bin/sh is not BASH. + +Reported-by: Edoardo Canepa +Link: https://bugs.launchpad.net/bugs/2129812 +Signed-off-by: Po-Hsu Lin +Reviewed-by: Przemek Kitszel +Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bareudp.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh +index 4046131e78882..d9e5b967f8151 100755 +--- a/tools/testing/selftests/net/bareudp.sh ++++ b/tools/testing/selftests/net/bareudp.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Test various bareudp tunnel configurations. +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index 2c5f9ea76b..12d7401065 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -74,3 +74,79 @@ drm-amd-display-increase-dpcd-read-retries.patch drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch drm-amd-display-fix-pbn-to-kbps-conversion.patch drm-amd-display-clear-the-cur_enable-register-on-dcn20-on-dpp5.patch +pinctrl-mediatek-mt8196-align-register-base-names-to.patch +pinctrl-mediatek-mt8189-align-register-base-names-to.patch +xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch +xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch +xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch +xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch +clk-sunxi-ng-mark-a523-bus-r-cpucfg-clock-as-critica.patch +clk-sunxi-ng-sun55i-a523-r-ccu-mark-bus-r-dma-as-cri.patch +clk-sunxi-ng-sun55i-a523-ccu-lower-audio0-pll-minimu.patch +pinctrl-realtek-select-regmap_mmio-for-rtd-driver.patch +xfrm-check-inner-packet-family-directly-from-skb_dst.patch +xfrm-determine-inner-gso-type-from-packet-inner-prot.patch +xfrm-prevent-locally-generated-packets-from-direct-o.patch +pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch +platform-x86-msi-wmi-platform-only-load-on-msi-devic.patch +platform-x86-msi-wmi-platform-fix-typo-in-wmi-guid.patch +mips-dts-econet-fix-en751221-core-type.patch +net-core-prevent-null-deref-in-generic_hwtstamp_ioct.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +drm-tegra-add-call-to-put_pid.patch +net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch +net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch +net-openvswitch-remove-never-working-support-for-set.patch +veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch +tools-riscv-fixed-misalignment-of-csr-related-defini.patch +nvmet-auth-update-sc_c-in-target-host-hash-calculati.patch +nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch +drm-i915-xe3lpd-load-dmc-for-xe3_lpd-version-30.02.patch +s390-ctcm-fix-double-kfree.patch +selftests-net-lib-do-not-overwrite-error-messages.patch +net-airoha-add-wlan-flowtable-tx-offload.patch +net-airoha-do-not-loopback-traffic-to-gdm2-if-it-is-.patch +platform-x86-intel-speed_select_if-convert-pcibios_-.patch +platform-x86-intel-uncore-freq-fix-all-header-kernel.patch +net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch +drm-pcids-split-ptl-pciids-group-to-make-wcl-subplat.patch +drm-i915-display-add-definition-for-wcl-as-subplatfo.patch +drm-i915-xe3-restrict-ptl-intel_encoder_is_c10phy-to.patch +drm-xe-kunit-fix-forcewake-assertion-in-mocs-test.patch +drm-xe-irq-handle-msix-vector0-interrupt.patch +idpf-fix-possible-vport_config-null-pointer-deref-in.patch +ice-fix-ptp-cleanup-on-driver-removal-in-error-path.patch +pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch +pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch +devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch +net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch +af_unix-read-sk_peek_offset-again-after-sleeping-in-.patch +gpio-cdev-make-sure-the-cdev-fd-is-still-active-befo.patch +net-phylink-add-missing-supported-link-modes-for-the.patch +tick-sched-fix-bogus-condition-in-report_idle_softir.patch +loongarch-use-uapi-types-in-ptrace-uapi-header.patch +cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch +perf-fix-0-count-issue-of-cpu-clock.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch +mips-kernel-fix-random-segmentation-faults.patch +alsa-hda-realtek-add-quirk-for-lenovo-yoga-7-2-in-1-.patch +sched_ext-allocate-scx_kick_cpus_pnt_seqs-lazily-usi.patch +bcma-don-t-register-devices-disabled-in-of.patch +sched_ext-defer-queue_balance_callback-until-after-o.patch +drm-msm-fix-pgtable-prealloc-error-path.patch +asoc-rt721-fix-prepare-clock-stop-failed.patch +cifs-fix-typo-in-enable_gcm_256-module-parameter.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +alsa-hda-realtek-fix-mute-led-for-hp-victus-15-fa1xx.patch +perf-x86-intel-uncore-add-uncore-pmu-support-for-wil.patch +x86-microcode-amd-limit-entrysign-signature-checking.patch +selftests-cachestat-fix-warning-on-declaration-under.patch +smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch +selftests-net-use-bash-for-bareudp-testing.patch +net-tls-change-async-resync-helpers-argument.patch +blk-crypto-use-blk_sts_inval-for-alignment-errors.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +x86-cpu-amd-extend-zen6-model-range.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-6.17/smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch b/queue-6.17/smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch new file mode 100644 index 0000000000..399605a2f4 --- /dev/null +++ b/queue-6.17/smb-client-handle-lack-of-ipc-in-dfs_cache_refresh.patch @@ -0,0 +1,246 @@ +From 44207b06e5cd3f68615b2786cd4db6a80160e9db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 18:59:47 -0300 +Subject: smb: client: handle lack of IPC in dfs_cache_refresh() + +From: Paulo Alcantara + +[ Upstream commit fac56c4651ae95f3f2b468c2cf1884cf0e6d18c1 ] + +In very rare cases, DFS mounts could end up with SMB sessions without +any IPC connections. These mounts are only possible when having +unexpired cached DFS referrals, hence not requiring any IPC +connections during the mount process. + +Try to establish those missing IPC connections when refreshing DFS +referrals. If the server is still rejecting it, then simply ignore +and leave expired cached DFS referral for any potential DFS failovers. + +Reported-by: Jay Shin +Signed-off-by: Paulo Alcantara (Red Hat) +Cc: David Howells +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsproto.h | 2 ++ + fs/smb/client/connect.c | 38 ++++++++++++--------------- + fs/smb/client/dfs_cache.c | 55 +++++++++++++++++++++++++++++++++------ + 3 files changed, 66 insertions(+), 29 deletions(-) + +diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h +index e8fba98690ce3..8c00ff52a12a6 100644 +--- a/fs/smb/client/cifsproto.h ++++ b/fs/smb/client/cifsproto.h +@@ -615,6 +615,8 @@ extern int E_md4hash(const unsigned char *passwd, unsigned char *p16, + extern struct TCP_Server_Info * + cifs_find_tcp_session(struct smb3_fs_context *ctx); + ++struct cifs_tcon *cifs_setup_ipc(struct cifs_ses *ses, bool seal); ++ + void __cifs_put_smb_ses(struct cifs_ses *ses); + + extern struct cifs_ses * +diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c +index dd12f3eb61dcb..d65ab7e4b1c26 100644 +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -2015,39 +2015,31 @@ static int match_session(struct cifs_ses *ses, + /** + * cifs_setup_ipc - helper to setup the IPC tcon for the session + * @ses: smb session to issue the request on +- * @ctx: the superblock configuration context to use for building the +- * new tree connection for the IPC (interprocess communication RPC) ++ * @seal: if encryption is requested + * + * A new IPC connection is made and stored in the session + * tcon_ipc. The IPC tcon has the same lifetime as the session. + */ +-static int +-cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx) ++struct cifs_tcon *cifs_setup_ipc(struct cifs_ses *ses, bool seal) + { + int rc = 0, xid; + struct cifs_tcon *tcon; + char unc[SERVER_NAME_LENGTH + sizeof("//x/IPC$")] = {0}; +- bool seal = false; + struct TCP_Server_Info *server = ses->server; + + /* + * If the mount request that resulted in the creation of the + * session requires encryption, force IPC to be encrypted too. + */ +- if (ctx->seal) { +- if (server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION) +- seal = true; +- else { +- cifs_server_dbg(VFS, +- "IPC: server doesn't support encryption\n"); +- return -EOPNOTSUPP; +- } ++ if (seal && !(server->capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)) { ++ cifs_server_dbg(VFS, "IPC: server doesn't support encryption\n"); ++ return ERR_PTR(-EOPNOTSUPP); + } + + /* no need to setup directory caching on IPC share, so pass in false */ + tcon = tcon_info_alloc(false, netfs_trace_tcon_ref_new_ipc); + if (tcon == NULL) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + spin_lock(&server->srv_lock); + scnprintf(unc, sizeof(unc), "\\\\%s\\IPC$", server->hostname); +@@ -2057,13 +2049,13 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx) + tcon->ses = ses; + tcon->ipc = true; + tcon->seal = seal; +- rc = server->ops->tree_connect(xid, ses, unc, tcon, ctx->local_nls); ++ rc = server->ops->tree_connect(xid, ses, unc, tcon, ses->local_nls); + free_xid(xid); + + if (rc) { +- cifs_server_dbg(VFS, "failed to connect to IPC (rc=%d)\n", rc); ++ cifs_server_dbg(VFS | ONCE, "failed to connect to IPC (rc=%d)\n", rc); + tconInfoFree(tcon, netfs_trace_tcon_ref_free_ipc_fail); +- goto out; ++ return ERR_PTR(rc); + } + + cifs_dbg(FYI, "IPC tcon rc=%d ipc tid=0x%x\n", rc, tcon->tid); +@@ -2071,9 +2063,7 @@ cifs_setup_ipc(struct cifs_ses *ses, struct smb3_fs_context *ctx) + spin_lock(&tcon->tc_lock); + tcon->status = TID_GOOD; + spin_unlock(&tcon->tc_lock); +- ses->tcon_ipc = tcon; +-out: +- return rc; ++ return tcon; + } + + static struct cifs_ses * +@@ -2347,6 +2337,7 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx) + { + struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)&server->dstaddr; + struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr; ++ struct cifs_tcon *ipc; + struct cifs_ses *ses; + unsigned int xid; + int retries = 0; +@@ -2525,7 +2516,12 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx) + list_add(&ses->smb_ses_list, &server->smb_ses_list); + spin_unlock(&cifs_tcp_ses_lock); + +- cifs_setup_ipc(ses, ctx); ++ ipc = cifs_setup_ipc(ses, ctx->seal); ++ spin_lock(&cifs_tcp_ses_lock); ++ spin_lock(&ses->ses_lock); ++ ses->tcon_ipc = !IS_ERR(ipc) ? ipc : NULL; ++ spin_unlock(&ses->ses_lock); ++ spin_unlock(&cifs_tcp_ses_lock); + + free_xid(xid); + +diff --git a/fs/smb/client/dfs_cache.c b/fs/smb/client/dfs_cache.c +index 4dada26d56b5f..f2ad0ccd08a77 100644 +--- a/fs/smb/client/dfs_cache.c ++++ b/fs/smb/client/dfs_cache.c +@@ -1120,24 +1120,63 @@ static bool target_share_equal(struct cifs_tcon *tcon, const char *s1) + return match; + } + +-static bool is_ses_good(struct cifs_ses *ses) ++static bool is_ses_good(struct cifs_tcon *tcon, struct cifs_ses *ses) + { + struct TCP_Server_Info *server = ses->server; +- struct cifs_tcon *tcon = ses->tcon_ipc; ++ struct cifs_tcon *ipc = NULL; + bool ret; + ++ spin_lock(&cifs_tcp_ses_lock); + spin_lock(&ses->ses_lock); + spin_lock(&ses->chan_lock); ++ + ret = !cifs_chan_needs_reconnect(ses, server) && +- ses->ses_status == SES_GOOD && +- !tcon->need_reconnect; ++ ses->ses_status == SES_GOOD; ++ + spin_unlock(&ses->chan_lock); ++ ++ if (!ret) ++ goto out; ++ ++ if (likely(ses->tcon_ipc)) { ++ if (ses->tcon_ipc->need_reconnect) { ++ ret = false; ++ goto out; ++ } ++ } else { ++ spin_unlock(&ses->ses_lock); ++ spin_unlock(&cifs_tcp_ses_lock); ++ ++ ipc = cifs_setup_ipc(ses, tcon->seal); ++ ++ spin_lock(&cifs_tcp_ses_lock); ++ spin_lock(&ses->ses_lock); ++ if (!IS_ERR(ipc)) { ++ if (!ses->tcon_ipc) { ++ ses->tcon_ipc = ipc; ++ ipc = NULL; ++ } ++ } else { ++ ret = false; ++ ipc = NULL; ++ } ++ } ++ ++out: + spin_unlock(&ses->ses_lock); ++ spin_unlock(&cifs_tcp_ses_lock); ++ if (ipc && server->ops->tree_disconnect) { ++ unsigned int xid = get_xid(); ++ ++ (void)server->ops->tree_disconnect(xid, ipc); ++ _free_xid(xid); ++ } ++ tconInfoFree(ipc, netfs_trace_tcon_ref_free_ipc); + return ret; + } + + /* Refresh dfs referral of @ses */ +-static void refresh_ses_referral(struct cifs_ses *ses) ++static void refresh_ses_referral(struct cifs_tcon *tcon, struct cifs_ses *ses) + { + struct cache_entry *ce; + unsigned int xid; +@@ -1153,7 +1192,7 @@ static void refresh_ses_referral(struct cifs_ses *ses) + } + + ses = CIFS_DFS_ROOT_SES(ses); +- if (!is_ses_good(ses)) { ++ if (!is_ses_good(tcon, ses)) { + cifs_dbg(FYI, "%s: skip cache refresh due to disconnected ipc\n", + __func__); + goto out; +@@ -1241,7 +1280,7 @@ static void refresh_tcon_referral(struct cifs_tcon *tcon, bool force_refresh) + up_read(&htable_rw_lock); + + ses = CIFS_DFS_ROOT_SES(ses); +- if (!is_ses_good(ses)) { ++ if (!is_ses_good(tcon, ses)) { + cifs_dbg(FYI, "%s: skip cache refresh due to disconnected ipc\n", + __func__); + goto out; +@@ -1309,7 +1348,7 @@ void dfs_cache_refresh(struct work_struct *work) + tcon = container_of(work, struct cifs_tcon, dfs_cache_work.work); + + list_for_each_entry(ses, &tcon->dfs_ses_list, dlist) +- refresh_ses_referral(ses); ++ refresh_ses_referral(tcon, ses); + refresh_tcon_referral(tcon, false); + + queue_delayed_work(dfscache_wq, &tcon->dfs_cache_work, +-- +2.51.0 + diff --git a/queue-6.17/tick-sched-fix-bogus-condition-in-report_idle_softir.patch b/queue-6.17/tick-sched-fix-bogus-condition-in-report_idle_softir.patch new file mode 100644 index 0000000000..724d676b2e --- /dev/null +++ b/queue-6.17/tick-sched-fix-bogus-condition-in-report_idle_softir.patch @@ -0,0 +1,99 @@ +From f5421a384ca06c9a6c7d71fc5d9f838f87a310a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 01:45:25 +0800 +Subject: tick/sched: Fix bogus condition in report_idle_softirq() + +From: Wen Yang + +[ Upstream commit 807e0d187da4c0b22036b5e34000f7a8c52f6e50 ] + +In commit 0345691b24c0 ("tick/rcu: Stop allowing RCU_SOFTIRQ in idle") the +new function report_idle_softirq() was created by breaking code out of the +existing can_stop_idle_tick() for kernels v5.18 and newer. + +In doing so, the code essentially went from this form: + + if (A) { + static int ratelimit; + if (ratelimit < 10 && !C && A&D) { + pr_warn("NOHZ tick-stop error: ..."); + ratelimit++; + } + return false; + } + +to a new function: + +static bool report_idle_softirq(void) +{ + static int ratelimit; + + if (likely(!A)) + return false; + + if (ratelimit < 10) + return false; +... + pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n", + pending); + ratelimit++; + + return true; +} + +commit a7e282c77785 ("tick/rcu: Fix bogus ratelimit condition") realized +ratelimit was essentially set to zero instead of ten, and hence *no* +softirq pending messages would ever be issued, but "fixed" it as: + +- if (ratelimit < 10) ++ if (ratelimit >= 10) + return false; + +However, this fix introduced another issue: + +When ratelimit is greater than or equal 10, even if A is true, it will +directly return false. While ratelimit in the original code was only used +to control printing and will not affect the return value. + +Restore the original logic and restrict ratelimit to control the printk and +not the return value. + +Fixes: 0345691b24c0 ("tick/rcu: Stop allowing RCU_SOFTIRQ in idle") +Fixes: a7e282c77785 ("tick/rcu: Fix bogus ratelimit condition") +Signed-off-by: Wen Yang +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251119174525.29470-1-wen.yang@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/time/tick-sched.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c +index c527b421c8652..466e083c82721 100644 +--- a/kernel/time/tick-sched.c ++++ b/kernel/time/tick-sched.c +@@ -1152,16 +1152,15 @@ static bool report_idle_softirq(void) + return false; + } + +- if (ratelimit >= 10) +- return false; +- + /* On RT, softirq handling may be waiting on some lock */ + if (local_bh_blocked()) + return false; + +- pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n", +- pending); +- ratelimit++; ++ if (ratelimit < 10) { ++ pr_warn("NOHZ tick-stop error: local softirq work is pending, handler #%02x!!!\n", ++ pending); ++ ratelimit++; ++ } + + return true; + } +-- +2.51.0 + diff --git a/queue-6.17/timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch b/queue-6.17/timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch new file mode 100644 index 0000000000..71180ecb10 --- /dev/null +++ b/queue-6.17/timekeeping-fix-resource-leak-in-tk_aux_sysfs_init-e.patch @@ -0,0 +1,79 @@ +From b52b6d480c33c7a08d5e3d765b21faa0e61bd2f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 20:32:13 +0530 +Subject: timekeeping: Fix resource leak in tk_aux_sysfs_init() error paths + +From: Malaya Kumar Rout + +[ Upstream commit 7b5ab04f035f829ed6008e4685501ec00b3e73c9 ] + +tk_aux_sysfs_init() returns immediately on error during the auxiliary clock +initialization loop without cleaning up previously allocated kobjects and +sysfs groups. + +If kobject_create_and_add() or sysfs_create_group() fails during loop +iteration, the parent kobjects (tko and auxo) and any previously created +child kobjects are leaked. + +Fix this by adding proper error handling with goto labels to ensure all +allocated resources are cleaned up on failure. kobject_put() on the +parent kobjects will handle cleanup of their children. + +Fixes: 7b95663a3d96 ("timekeeping: Provide interface to control auxiliary clocks") +Signed-off-by: Malaya Kumar Rout +Signed-off-by: Thomas Gleixner +Link: https://patch.msgid.link/20251120150213.246777-1-mrout@redhat.com +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index 3a4d3b2e3f740..08e0943b54da6 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -3060,29 +3060,32 @@ static const struct attribute_group aux_clock_enable_attr_group = { + static int __init tk_aux_sysfs_init(void) + { + struct kobject *auxo, *tko = kobject_create_and_add("time", kernel_kobj); ++ int ret = -ENOMEM; + + if (!tko) +- return -ENOMEM; ++ return ret; + + auxo = kobject_create_and_add("aux_clocks", tko); +- if (!auxo) { +- kobject_put(tko); +- return -ENOMEM; +- } ++ if (!auxo) ++ goto err_clean; + + for (int i = 0; i < MAX_AUX_CLOCKS; i++) { + char id[2] = { [0] = '0' + i, }; + struct kobject *clk = kobject_create_and_add(id, auxo); + + if (!clk) +- return -ENOMEM; +- +- int ret = sysfs_create_group(clk, &aux_clock_enable_attr_group); ++ goto err_clean; + ++ ret = sysfs_create_group(clk, &aux_clock_enable_attr_group); + if (ret) +- return ret; ++ goto err_clean; + } + return 0; ++ ++err_clean: ++ kobject_put(auxo); ++ kobject_put(tko); ++ return ret; + } + late_initcall(tk_aux_sysfs_init); + +-- +2.51.0 + diff --git a/queue-6.17/tools-riscv-fixed-misalignment-of-csr-related-defini.patch b/queue-6.17/tools-riscv-fixed-misalignment-of-csr-related-defini.patch new file mode 100644 index 0000000000..a97a8a1eba --- /dev/null +++ b/queue-6.17/tools-riscv-fixed-misalignment-of-csr-related-defini.patch @@ -0,0 +1,62 @@ +From 560b9838100434a477392d3bca4b0de398de786d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 15:12:15 +0800 +Subject: tools: riscv: Fixed misalignment of CSR related definitions + +From: Chen Pei + +[ Upstream commit e2cb69263e797c0aa6676bcef23e9e27e44c83b0 ] + +The file tools/arch/riscv/include/asm/csr.h borrows from +arch/riscv/include/asm/csr.h, and subsequent modifications +related to CSR should maintain consistency. + +Signed-off-by: Chen Pei +Link: https://patch.msgid.link/20251114071215.816-1-cp0613@linux.alibaba.com +[pjw@kernel.org: dropped Fixes: lines for patches that weren't broken; removed superfluous blank line] +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/perf/riscv_pmu_sbi.c | 2 +- + tools/arch/riscv/include/asm/csr.h | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/perf/riscv_pmu_sbi.c b/drivers/perf/riscv_pmu_sbi.c +index 698de8ddf895b..824209f0a3641 100644 +--- a/drivers/perf/riscv_pmu_sbi.c ++++ b/drivers/perf/riscv_pmu_sbi.c +@@ -1019,7 +1019,7 @@ static irqreturn_t pmu_sbi_ovf_handler(int irq, void *dev) + /* compute hardware counter index */ + hidx = info->csr - CSR_CYCLE; + +- /* check if the corresponding bit is set in sscountovf or overflow mask in shmem */ ++ /* check if the corresponding bit is set in scountovf or overflow mask in shmem */ + if (!(overflow & BIT(hidx))) + continue; + +diff --git a/tools/arch/riscv/include/asm/csr.h b/tools/arch/riscv/include/asm/csr.h +index 0dfc09254f99a..1cd824aaa3ba2 100644 +--- a/tools/arch/riscv/include/asm/csr.h ++++ b/tools/arch/riscv/include/asm/csr.h +@@ -167,7 +167,8 @@ + #define VSIP_TO_HVIP_SHIFT (IRQ_VS_SOFT - IRQ_S_SOFT) + #define VSIP_VALID_MASK ((_AC(1, UL) << IRQ_S_SOFT) | \ + (_AC(1, UL) << IRQ_S_TIMER) | \ +- (_AC(1, UL) << IRQ_S_EXT)) ++ (_AC(1, UL) << IRQ_S_EXT) | \ ++ (_AC(1, UL) << IRQ_PMU_OVF)) + + /* AIA CSR bits */ + #define TOPI_IID_SHIFT 16 +@@ -280,7 +281,7 @@ + #define CSR_HPMCOUNTER30H 0xc9e + #define CSR_HPMCOUNTER31H 0xc9f + +-#define CSR_SSCOUNTOVF 0xda0 ++#define CSR_SCOUNTOVF 0xda0 + + #define CSR_SSTATUS 0x100 + #define CSR_SIE 0x104 +-- +2.51.0 + diff --git a/queue-6.17/veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch b/queue-6.17/veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch new file mode 100644 index 0000000000..26dafd649c --- /dev/null +++ b/queue-6.17/veth-more-robust-handing-of-race-to-avoid-txq-gettin.patch @@ -0,0 +1,151 @@ +From 64f4778b5bccd2a593bb963cd526351eeb42b6e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 14:13:52 +0100 +Subject: veth: more robust handing of race to avoid txq getting stuck + +From: Jesper Dangaard Brouer + +[ Upstream commit 5442a9da69789741bfda39f34ee7f69552bf0c56 ] + +Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to +reduce TX drops") introduced a race condition that can lead to a permanently +stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra +Max). + +The race occurs in veth_xmit(). The producer observes a full ptr_ring and +stops the queue (netif_tx_stop_queue()). The subsequent conditional logic, +intended to re-wake the queue if the consumer had just emptied it (if +(__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a +"lost wakeup" where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and +traffic halts. + +This failure is caused by an incorrect use of the __ptr_ring_empty() API +from the producer side. As noted in kernel comments, this check is not +guaranteed to be correct if a consumer is operating on another CPU. The +empty test is based on ptr_ring->consumer_head, making it reliable only for +the consumer. Using this check from the producer side is fundamentally racy. + +This patch fixes the race by adopting the more robust logic from an earlier +version V4 of the patchset, which always flushed the peer: + +(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier +are removed. Instead, after stopping the queue, we unconditionally call +__veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled, +making it solely responsible for re-waking the TXQ. + This handles the race where veth_poll() consumes all packets and completes +NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue. +The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule +NAPI. + +(2) On the consumer side, the logic for waking the peer TXQ is moved out of +veth_xdp_rcv() and placed at the end of the veth_poll() function. This +placement is part of fixing the race, as the netif_tx_queue_stopped() check +must occur after rx_notify_masked is potentially set to false during NAPI +completion. + This handles the race where veth_poll() consumes all packets, but haven't +finished (rx_notify_masked is still true). The producer veth_xmit() stops the +TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning +not starting NAPI. Then veth_poll() change rx_notify_masked to false and +stops NAPI. Before exiting veth_poll() will observe TXQ is stopped and wake +it up. + +Fixes: dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops") +Reviewed-by: Toshiaki Makita +Signed-off-by: Jesper Dangaard Brouer +Link: https://patch.msgid.link/176295323282.307447.14790015927673763094.stgit@firesoul +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/veth.c | 38 ++++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/veth.c b/drivers/net/veth.c +index a3046142cb8e2..35dd89aff4a94 100644 +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -392,14 +392,12 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev) + } + /* Restore Eth hdr pulled by dev_forward_skb/eth_type_trans */ + __skb_push(skb, ETH_HLEN); +- /* Depend on prior success packets started NAPI consumer via +- * __veth_xdp_flush(). Cancel TXQ stop if consumer stopped, +- * paired with empty check in veth_poll(). +- */ + netif_tx_stop_queue(txq); +- smp_mb__after_atomic(); +- if (unlikely(__ptr_ring_empty(&rq->xdp_ring))) +- netif_tx_wake_queue(txq); ++ /* Makes sure NAPI peer consumer runs. Consumer is responsible ++ * for starting txq again, until then ndo_start_xmit (this ++ * function) will not be invoked by the netstack again. ++ */ ++ __veth_xdp_flush(rq); + break; + case NET_RX_DROP: /* same as NET_XMIT_DROP */ + drop: +@@ -900,17 +898,9 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget, + struct veth_xdp_tx_bq *bq, + struct veth_stats *stats) + { +- struct veth_priv *priv = netdev_priv(rq->dev); +- int queue_idx = rq->xdp_rxq.queue_index; +- struct netdev_queue *peer_txq; +- struct net_device *peer_dev; + int i, done = 0, n_xdpf = 0; + void *xdpf[VETH_XDP_BATCH]; + +- /* NAPI functions as RCU section */ +- peer_dev = rcu_dereference_check(priv->peer, rcu_read_lock_bh_held()); +- peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL; +- + for (i = 0; i < budget; i++) { + void *ptr = __ptr_ring_consume(&rq->xdp_ring); + +@@ -959,9 +949,6 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget, + rq->stats.vs.xdp_packets += done; + u64_stats_update_end(&rq->stats.syncp); + +- if (peer_txq && unlikely(netif_tx_queue_stopped(peer_txq))) +- netif_tx_wake_queue(peer_txq); +- + return done; + } + +@@ -969,12 +956,20 @@ static int veth_poll(struct napi_struct *napi, int budget) + { + struct veth_rq *rq = + container_of(napi, struct veth_rq, xdp_napi); ++ struct veth_priv *priv = netdev_priv(rq->dev); ++ int queue_idx = rq->xdp_rxq.queue_index; ++ struct netdev_queue *peer_txq; + struct veth_stats stats = {}; ++ struct net_device *peer_dev; + struct veth_xdp_tx_bq bq; + int done; + + bq.count = 0; + ++ /* NAPI functions as RCU section */ ++ peer_dev = rcu_dereference_check(priv->peer, rcu_read_lock_bh_held()); ++ peer_txq = peer_dev ? netdev_get_tx_queue(peer_dev, queue_idx) : NULL; ++ + xdp_set_return_frame_no_direct(); + done = veth_xdp_rcv(rq, budget, &bq, &stats); + +@@ -996,6 +991,13 @@ static int veth_poll(struct napi_struct *napi, int budget) + veth_xdp_flush(rq, &bq); + xdp_clear_return_frame_no_direct(); + ++ /* Release backpressure per NAPI poll */ ++ smp_rmb(); /* Paired with netif_tx_stop_queue set_bit */ ++ if (peer_txq && netif_tx_queue_stopped(peer_txq)) { ++ txq_trans_cond_update(peer_txq); ++ netif_tx_wake_queue(peer_txq); ++ } ++ + return done; + } + +-- +2.51.0 + diff --git a/queue-6.17/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-6.17/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..0873ffa00d --- /dev/null +++ b/queue-6.17/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From cfe68c66df01f827da0cf3a9070479b94cfc2646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 21758f59edc13..67bd6779448a5 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1666,18 +1666,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-6.17/x86-cpu-amd-extend-zen6-model-range.patch b/queue-6.17/x86-cpu-amd-extend-zen6-model-range.patch new file mode 100644 index 0000000000..104931a332 --- /dev/null +++ b/queue-6.17/x86-cpu-amd-extend-zen6-model-range.patch @@ -0,0 +1,35 @@ +From 869cf8de0da6e7d0d38fa618b652180f4b0e56bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 12:34:31 +0100 +Subject: x86/CPU/AMD: Extend Zen6 model range + +From: Borislav Petkov (AMD) + +[ Upstream commit 847ebc4476714f81d7dea73e5ea69448d7fe9d3a ] + +Add some more Zen6 models. + +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Ingo Molnar +Link: https://patch.msgid.link/20251029123056.19987-1-bp@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/amd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 3139713e3a78f..9390312c93b6e 100644 +--- a/arch/x86/kernel/cpu/amd.c ++++ b/arch/x86/kernel/cpu/amd.c +@@ -516,7 +516,7 @@ static void bsp_init_amd(struct cpuinfo_x86 *c) + setup_force_cpu_cap(X86_FEATURE_ZEN5); + break; + case 0x50 ... 0x5f: +- case 0x90 ... 0xaf: ++ case 0x80 ... 0xaf: + case 0xc0 ... 0xcf: + setup_force_cpu_cap(X86_FEATURE_ZEN6); + break; +-- +2.51.0 + diff --git a/queue-6.17/x86-microcode-amd-limit-entrysign-signature-checking.patch b/queue-6.17/x86-microcode-amd-limit-entrysign-signature-checking.patch new file mode 100644 index 0000000000..a24d394d91 --- /dev/null +++ b/queue-6.17/x86-microcode-amd-limit-entrysign-signature-checking.patch @@ -0,0 +1,62 @@ +From caa236a481b5e071764503aa79eb1377394ac026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 14:46:29 +0200 +Subject: x86/microcode/AMD: Limit Entrysign signature checking to known + generations + +From: Borislav Petkov (AMD) + +[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ] + +Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5. + +X86_BUG cannot be used here because the loading on the BSP happens way +too early, before the cpufeatures machinery has been set up. + +Signed-off-by: Borislav Petkov (AMD) +Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index c5363e6563798..ff40fe7ef58eb 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -236,13 +236,31 @@ static bool need_sha_check(u32 cur_rev) + return true; + } + ++static bool cpu_has_entrysign(void) ++{ ++ unsigned int fam = x86_family(bsp_cpuid_1_eax); ++ unsigned int model = x86_model(bsp_cpuid_1_eax); ++ ++ if (fam == 0x17 || fam == 0x19) ++ return true; ++ ++ if (fam == 0x1a) { ++ if (model <= 0x2f || ++ (0x40 <= model && model <= 0x4f) || ++ (0x60 <= model && model <= 0x6f)) ++ return true; ++ } ++ ++ return false; ++} ++ + static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len) + { + struct patch_digest *pd = NULL; + u8 digest[SHA256_DIGEST_SIZE]; + int i; + +- if (x86_family(bsp_cpuid_1_eax) < 0x17) ++ if (!cpu_has_entrysign()) + return true; + + if (!need_sha_check(cur_rev)) +-- +2.51.0 + diff --git a/queue-6.17/xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch b/queue-6.17/xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch new file mode 100644 index 0000000000..1828e5a4f5 --- /dev/null +++ b/queue-6.17/xfrm-also-call-xfrm_state_delete_tunnel-at-destroy-t.patch @@ -0,0 +1,76 @@ +From 44830d1db5f7ee9661165c9d043e0145de1bc5f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:13 +0200 +Subject: xfrm: also call xfrm_state_delete_tunnel at destroy time for states + that were never added + +From: Sabrina Dubroca + +[ Upstream commit 10deb69864840ccf96b00ac2ab3a2055c0c04721 ] + +In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I +missed the case where state creation fails between full +initialization (->init_state has been called) and being inserted on +the lists. + +In this situation, ->init_state has been called, so for IPcomp +tunnels, the fallback tunnel has been created and added onto the +lists, but the user state never gets added, because we fail before +that. The user state doesn't go through __xfrm_state_delete, so we +don't call xfrm_state_delete_tunnel for those states, and we end up +leaking the FB tunnel. + +There are several codepaths affected by this: the add/update paths, in +both net/key and xfrm, and the migrate code (xfrm_migrate, +xfrm_state_migrate). A "proper" rollback of the init_state work would +probably be doable in the add/update code, but for migrate it gets +more complicated as multiple states may be involved. + +At some point, the new (not-inserted) state will be destroyed, so call +xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states +will have their fallback tunnel cleaned up during __xfrm_state_delete, +which solves the issue that b441cf3f8c4b (and other patches before it) +aimed at. All states (including FB tunnels) will be removed from the +lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work). + +Reported-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf +Fixes: b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index e4736d1ebb443..721ef0f409b51 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -592,6 +592,7 @@ void xfrm_state_free(struct xfrm_state *x) + } + EXPORT_SYMBOL(xfrm_state_free); + ++static void xfrm_state_delete_tunnel(struct xfrm_state *x); + static void xfrm_state_gc_destroy(struct xfrm_state *x) + { + if (x->mode_cbs && x->mode_cbs->destroy_state) +@@ -607,6 +608,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x) + kfree(x->replay_esn); + kfree(x->preplay_esn); + xfrm_unset_type_offload(x); ++ xfrm_state_delete_tunnel(x); + if (x->type) { + x->type->destructor(x); + xfrm_put_type(x->type); +@@ -806,7 +808,6 @@ void __xfrm_state_destroy(struct xfrm_state *x) + } + EXPORT_SYMBOL(__xfrm_state_destroy); + +-static void xfrm_state_delete_tunnel(struct xfrm_state *x); + int __xfrm_state_delete(struct xfrm_state *x) + { + struct net *net = xs_net(x); +-- +2.51.0 + diff --git a/queue-6.17/xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch b/queue-6.17/xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch new file mode 100644 index 0000000000..4373fb0721 --- /dev/null +++ b/queue-6.17/xfrm-call-xfrm_dev_state_delete-when-xfrm_state_migr.patch @@ -0,0 +1,49 @@ +From e0622576776a0cd64fe9861908b9d28c5e5c0f15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:15 +0200 +Subject: xfrm: call xfrm_dev_state_delete when xfrm_state_migrate fails to add + the state + +From: Sabrina Dubroca + +[ Upstream commit 7f02285764790e0ff1a731b4187fa3e389ed02c7 ] + +In case xfrm_state_migrate fails after calling xfrm_dev_state_add, we +directly release the last reference and destroy the new state, without +calling xfrm_dev_state_delete (this only happens in +__xfrm_state_delete, which we're not calling on this path, since the +state was never added). + +Call xfrm_dev_state_delete on error when an offload configuration was +provided. + +Fixes: ab244a394c7f ("xfrm: Migrate offload configuration") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index 721ef0f409b51..f8a5837457a35 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2158,10 +2158,13 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, + xfrm_state_insert(xc); + } else { + if (xfrm_state_add(xc) < 0) +- goto error; ++ goto error_add; + } + + return xc; ++error_add: ++ if (xuo) ++ xfrm_dev_state_delete(xc); + error: + xfrm_state_put(xc); + return NULL; +-- +2.51.0 + diff --git a/queue-6.17/xfrm-check-inner-packet-family-directly-from-skb_dst.patch b/queue-6.17/xfrm-check-inner-packet-family-directly-from-skb_dst.patch new file mode 100644 index 0000000000..aaf66eed67 --- /dev/null +++ b/queue-6.17/xfrm-check-inner-packet-family-directly-from-skb_dst.patch @@ -0,0 +1,71 @@ +From 702fba0f8075e89d6c256178191a70a5e8f4ae0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 04:22:47 +0200 +Subject: xfrm: Check inner packet family directly from skb_dst + +From: Jianbo Liu + +[ Upstream commit 082ef944e55da8a9a8df92e3842ca82a626d359a ] + +In the output path, xfrm_dev_offload_ok and xfrm_get_inner_ipproto +need to determine the protocol family of the inner packet (skb) before +it gets encapsulated. + +In xfrm_dev_offload_ok, the code checked x->inner_mode.family. This is +unreliable because, for states handling both IPv4 and IPv6, the +relevant inner family could be either x->inner_mode.family or +x->inner_mode_iaf.family. Checking only the former can lead to a +mismatch with the actual packet being processed. + +In xfrm_get_inner_ipproto, the code checked x->outer_mode.family. This +is also incorrect for tunnel mode, as the inner packet's family can be +different from the outer header's family. + +At both of these call sites, the skb variable holds the original inner +packet. The most direct and reliable source of truth for its protocol +family is its destination entry. This patch fixes the issue by using +skb_dst(skb)->ops->family to ensure protocol-specific headers are only +accessed for the correct packet type. + +Fixes: 91d8a53db219 ("xfrm: fix offloading of cross-family tunnels") +Fixes: 45a98ef4922d ("net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Zhu Yanjun +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_device.c | 2 +- + net/xfrm/xfrm_output.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c +index 44b9de6e4e778..52ae0e034d29e 100644 +--- a/net/xfrm/xfrm_device.c ++++ b/net/xfrm/xfrm_device.c +@@ -438,7 +438,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) + + check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET && + x->props.mode == XFRM_MODE_TUNNEL; +- switch (x->inner_mode.family) { ++ switch (skb_dst(skb)->ops->family) { + case AF_INET: + /* Check for IPv4 options */ + if (ip_hdr(skb)->ihl != 5) +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index 9077730ff7d0e..a98b5bf55ac31 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -698,7 +698,7 @@ static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x) + return; + + if (x->outer_mode.encap == XFRM_MODE_TUNNEL) { +- switch (x->outer_mode.family) { ++ switch (skb_dst(skb)->ops->family) { + case AF_INET: + xo->inner_ipproto = ip_hdr(skb)->protocol; + break; +-- +2.51.0 + diff --git a/queue-6.17/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch b/queue-6.17/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch new file mode 100644 index 0000000000..24d2443e5c --- /dev/null +++ b/queue-6.17/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch @@ -0,0 +1,96 @@ +From 2163af01c94d56c82a747c6a48ce74197ae2bf62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 04:22:48 +0200 +Subject: xfrm: Determine inner GSO type from packet inner protocol + +From: Jianbo Liu + +[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ] + +The GSO segmentation functions for ESP tunnel mode +(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were +determining the inner packet's L2 protocol type by checking the static +x->inner_mode.family field from the xfrm state. + +This is unreliable. In tunnel mode, the state's actual inner family +could be defined by x->inner_mode.family or by +x->inner_mode_iaf.family. Checking only the former can lead to a +mismatch with the actual packet being processed, causing GSO to create +segments with the wrong L2 header type. + +This patch fixes the bug by deriving the inner mode directly from the +packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol. + +Instead of replicating the code, this patch modifies the +xfrm_ip2inner_mode helper function. It now correctly returns +&x->inner_mode if the selector family (x->sel.family) is already +specified, thereby handling both specific and AF_UNSPEC cases +appropriately. + +With this change, ESP GSO can use xfrm_ip2inner_mode to get the +correct inner mode. It doesn't affect existing callers, as the updated +logic now mirrors the checks they were already performing externally. + +Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 3 ++- + net/ipv4/esp4_offload.c | 6 ++++-- + net/ipv6/esp6_offload.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index f3014e4f54fc3..0a14daaa5dd40 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -536,7 +536,8 @@ static inline int xfrm_af2proto(unsigned int family) + + static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) + { +- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || ++ if ((x->sel.family != AF_UNSPEC) || ++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || + (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) + return &x->inner_mode; + else +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index e0d94270da28a..05828d4cb6cdb 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -122,8 +122,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6) +- : htons(ETH_P_IP); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) ++ : htons(ETH_P_IP); + + return skb_eth_gso_segment(skb, features, type); + } +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index 7b41fb4f00b58..22410243ebe88 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -158,8 +158,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP) +- : htons(ETH_P_IPV6); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) ++ : htons(ETH_P_IPV6); + + return skb_eth_gso_segment(skb, features, type); + } +-- +2.51.0 + diff --git a/queue-6.17/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch b/queue-6.17/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch new file mode 100644 index 0000000000..0e573f6221 --- /dev/null +++ b/queue-6.17/xfrm-drop-sa-reference-in-xfrm_state_update-if-dir-d.patch @@ -0,0 +1,47 @@ +From 9961ac39afaa0f275878bf9942651d7b80bd4579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:12 +0200 +Subject: xfrm: drop SA reference in xfrm_state_update if dir doesn't match + +From: Sabrina Dubroca + +[ Upstream commit 8d2a2a49c30f67a480fa9ed25e08436a446f057e ] + +We're not updating x1, but we still need to put() it. + +Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index d213ca3653a8f..e4736d1ebb443 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -2191,14 +2191,18 @@ int xfrm_state_update(struct xfrm_state *x) + } + + if (x1->km.state == XFRM_STATE_ACQ) { +- if (x->dir && x1->dir != x->dir) ++ if (x->dir && x1->dir != x->dir) { ++ to_put = x1; + goto out; ++ } + + __xfrm_state_insert(x); + x = NULL; + } else { +- if (x1->dir != x->dir) ++ if (x1->dir != x->dir) { ++ to_put = x1; + goto out; ++ } + } + err = 0; + +-- +2.51.0 + diff --git a/queue-6.17/xfrm-prevent-locally-generated-packets-from-direct-o.patch b/queue-6.17/xfrm-prevent-locally-generated-packets-from-direct-o.patch new file mode 100644 index 0000000000..e381e8b3dd --- /dev/null +++ b/queue-6.17/xfrm-prevent-locally-generated-packets-from-direct-o.patch @@ -0,0 +1,44 @@ +From 934226cc6cbda62606d7dcd84677f3f81d11dd2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 11:50:25 +0200 +Subject: xfrm: Prevent locally generated packets from direct output in tunnel + mode + +From: Jianbo Liu + +[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ] + +Add a check to ensure locally generated packets (skb->sk != NULL) do +not use direct output in tunnel mode, as these packets require proper +L2 header setup that is handled by the normal XFRM processing path. + +Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_output.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index a98b5bf55ac31..54222fcbd7fd8 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -772,8 +772,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) + /* Exclusive direct xmit for tunnel mode, as + * some filtering or matching rules may apply + * in transport mode. ++ * Locally generated packets also require ++ * the normal XFRM path for L2 header setup, ++ * as the hardware needs the L2 header to match ++ * for encryption, so skip direct output as well. + */ +- if (x->props.mode == XFRM_MODE_TUNNEL) ++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk) + return xfrm_dev_direct_output(sk, x, skb); + + return xfrm_output_resume(sk, skb, 0); +-- +2.51.0 + diff --git a/queue-6.17/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch b/queue-6.17/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch new file mode 100644 index 0000000000..9da2e57df3 --- /dev/null +++ b/queue-6.17/xfrm-set-err-and-extack-on-failure-to-create-pcpu-sa.patch @@ -0,0 +1,41 @@ +From d20c8811f8dea67671c50b448cbf228156c3de81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 12:39:16 +0200 +Subject: xfrm: set err and extack on failure to create pcpu SA + +From: Sabrina Dubroca + +[ Upstream commit 1dcf617bec5cb85f68ca19969e7537ef6f6931d3 ] + +xfrm_state_construct can fail without setting an error if the +requested pcpu_num value is too big. Set err and add an extack message +to avoid confusing userspace. + +Fixes: 1ddf9916ac09 ("xfrm: Add support for per cpu xfrm state handling.") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_user.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 684239018bec4..977a03291f6a5 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -947,8 +947,11 @@ static struct xfrm_state *xfrm_state_construct(struct net *net, + + if (attrs[XFRMA_SA_PCPU]) { + x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]); +- if (x->pcpu_num >= num_possible_cpus()) ++ if (x->pcpu_num >= num_possible_cpus()) { ++ err = -ERANGE; ++ NL_SET_ERR_MSG(extack, "pCPU number too big"); + goto error; ++ } + } + + err = __xfrm_init_state(x, extack); +-- +2.51.0 + diff --git a/queue-6.6/bcma-don-t-register-devices-disabled-in-of.patch b/queue-6.6/bcma-don-t-register-devices-disabled-in-of.patch new file mode 100644 index 0000000000..c61794d9e1 --- /dev/null +++ b/queue-6.6/bcma-don-t-register-devices-disabled-in-of.patch @@ -0,0 +1,51 @@ +From 207e7bfe243841b9c985c39dc6ee7287d8ba1d9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Oct 2025 14:51:26 +0200 +Subject: bcma: don't register devices disabled in OF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit a2a69add80411dd295c9088c1bcf925b1f4e53d7 ] + +Some bus devices can be marked as disabled for specific SoCs or models. +Those should not be registered to avoid probing them. + +Signed-off-by: Rafał Miłecki +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251003125126.27950-1-zajec5@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 7061d3ee836a1..c69c05256b59f 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -294,6 +294,8 @@ static int bcma_register_devices(struct bcma_bus *bus) + int err; + + list_for_each_entry(core, &bus->cores, list) { ++ struct device_node *np; ++ + /* We support that core ourselves */ + switch (core->id.id) { + case BCMA_CORE_4706_CHIPCOMMON: +@@ -311,6 +313,10 @@ static int bcma_register_devices(struct bcma_bus *bus) + if (bcma_is_core_needed_early(core->id.id)) + continue; + ++ np = core->dev.of_node; ++ if (np && !of_device_is_available(np)) ++ continue; ++ + /* Only first GMAC core on BCM4706 is connected and working */ + if (core->id.id == BCMA_CORE_4706_MAC_GBIT && + core->core_unit > 0) +-- +2.51.0 + diff --git a/queue-6.6/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch b/queue-6.6/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch new file mode 100644 index 0000000000..faf77a1cc2 --- /dev/null +++ b/queue-6.6/cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch @@ -0,0 +1,64 @@ +From ca225e0952249d92bbbe3726b8bfb1f390720d89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Nov 2025 20:32:57 +0530 +Subject: cifs: fix memory leak in smb3_fs_context_parse_param error path + +From: Shaurya Rane + +[ Upstream commit 7e4d9120cfa413dd34f4f434befc5dbe6c38b2e5 ] + +Add proper cleanup of ctx->source and fc->source to the +cifs_parse_mount_err error handler. This ensures that memory allocated +for the source strings is correctly freed on all error paths, matching +the cleanup already performed in the success path by +smb3_cleanup_fs_context_contents(). +Pointers are also set to NULL after freeing to prevent potential +double-free issues. + +This change fixes a memory leak originally detected by syzbot. The +leak occurred when processing Opt_source mount options if an error +happened after ctx->source and fc->source were successfully +allocated but before the function completed. + +The specific leak sequence was: +1. ctx->source = smb3_fs_context_fullpath(ctx, '/') allocates memory +2. fc->source = kstrdup(ctx->source, GFP_KERNEL) allocates more memory +3. A subsequent error jumps to cifs_parse_mount_err +4. The old error handler freed passwords but not the source strings, +causing the memory to leak. + +This issue was not addressed by commit e8c73eb7db0a ("cifs: client: +fix memory leak in smb3_fs_context_parse_param"), which only fixed +leaks from repeated fsconfig() calls but not this error path. + +Patch updated with minor change suggested by kernel test robot + +Reported-by: syzbot+87be6809ed9bf6d718e3@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=87be6809ed9bf6d718e3 +Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api") +Reviewed-by: David Howells +Signed-off-by: Shaurya Rane +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/fs_context.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c +index cf233cb9c1943..a64c0b0dbec78 100644 +--- a/fs/smb/client/fs_context.c ++++ b/fs/smb/client/fs_context.c +@@ -1726,6 +1726,10 @@ static int smb3_fs_context_parse_param(struct fs_context *fc, + ctx->password = NULL; + kfree_sensitive(ctx->password2); + ctx->password2 = NULL; ++ kfree(ctx->source); ++ ctx->source = NULL; ++ kfree(fc->source); ++ fc->source = NULL; + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.6/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch b/queue-6.6/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch new file mode 100644 index 0000000000..4a3b82c819 --- /dev/null +++ b/queue-6.6/cifs-fix-typo-in-enable_gcm_256-module-parameter.patch @@ -0,0 +1,34 @@ +From 49f86c7310df03015a9fc10e98d88718c37ac5c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Oct 2025 21:17:01 -0500 +Subject: cifs: fix typo in enable_gcm_256 module parameter + +From: Steve French + +[ Upstream commit f765fdfcd8b5bce92c6aa1a517ff549529ddf590 ] + +Fix typo in description of enable_gcm_256 module parameter + +Suggested-by: Thomas Spear +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/cifsfs.c b/fs/smb/client/cifsfs.c +index 2744d5580d195..0461f89c4852e 100644 +--- a/fs/smb/client/cifsfs.c ++++ b/fs/smb/client/cifsfs.c +@@ -133,7 +133,7 @@ module_param(enable_oplocks, bool, 0644); + MODULE_PARM_DESC(enable_oplocks, "Enable or disable oplocks. Default: y/Y/1"); + + module_param(enable_gcm_256, bool, 0644); +-MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/0"); ++MODULE_PARM_DESC(enable_gcm_256, "Enable requesting strongest (256 bit) GCM encryption. Default: y/Y/1"); + + module_param(require_gcm_256, bool, 0644); + MODULE_PARM_DESC(require_gcm_256, "Require strongest (256 bit) GCM encryption. Default: n/N/0"); +-- +2.51.0 + diff --git a/queue-6.6/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch b/queue-6.6/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch new file mode 100644 index 0000000000..06a78338d4 --- /dev/null +++ b/queue-6.6/devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch @@ -0,0 +1,127 @@ +From f806cfef7f9744fc0d1944161d199766391706ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:05:49 +0200 +Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy + +From: Shay Drory + +[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ] + +The function devl_rate_nodes_destroy is documented to "Unset parent for +all rate objects". However, it was only calling the driver-specific +`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing +the parent's refcount, without actually setting the +`devlink_rate->parent` pointer to NULL. + +This leaves a dangling pointer in the `devlink_rate` struct, which cause +refcount error in netdevsim[1] and mlx5[2]. In addition, this is +inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, +where the parent pointer is correctly cleared. + +This patch fixes the issue by explicitly setting `devlink_rate->parent` +to NULL after notifying the driver, thus fulfilling the function's +documented behavior for all rate objects. + +[1] +repro steps: +echo 1 > /sys/bus/netdevsim/new_device +devlink dev eswitch set netdevsim/netdevsim1 mode switchdev +echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs +devlink port function rate add netdevsim/netdevsim1/test_node +devlink port function rate set netdevsim/netdevsim1/128 parent test_node +echo 1 > /sys/bus/netdevsim/del_device + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + __nsim_dev_port_del+0x6c/0x70 [netdevsim] + nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] + nsim_drv_remove+0x2b/0xb0 [netdevsim] + device_release_driver_internal+0x194/0x1f0 + bus_remove_device+0xc6/0x130 + device_del+0x159/0x3c0 + device_unregister+0x1a/0x60 + del_device_store+0x111/0x170 [netdevsim] + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x55/0x10f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +[2] +devlink dev eswitch set pci/0000:08:00.0 mode switchdev +devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 +devlink port function rate add pci/0000:08:00.0/group1 +devlink port function rate set pci/0000:08:00.0/32768 parent group1 +modprobe -r mlx5_ib mlx5_fwctl mlx5_core + +dmesg: +refcount_t: decrement hit 0; leaking memory. +WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 +CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x42/0xe0 +Call Trace: + + devl_rate_leaf_destroy+0x8d/0x90 + mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] + mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] + mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] + mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] + notifier_call_chain+0x33/0xa0 + blocking_notifier_call_chain+0x3b/0x50 + mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] + mlx5_eswitch_disable+0x63/0x90 [mlx5_core] + mlx5_unload+0x1d/0x170 [mlx5_core] + mlx5_uninit_one+0xa2/0x130 [mlx5_core] + remove_one+0x78/0xd0 [mlx5_core] + pci_device_remove+0x39/0xa0 + device_release_driver_internal+0x194/0x1f0 + unbind_store+0x99/0xa0 + kernfs_fop_write_iter+0x12e/0x1e0 + vfs_write+0x215/0x3d0 + ksys_write+0x5f/0xd0 + do_syscall_64+0x53/0x1f0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects") +Signed-off-by: Shay Drory +Reviewed-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/devlink/rate.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/devlink/rate.c b/net/devlink/rate.c +index dff1593b8406a..e7e80af4abaf6 100644 +--- a/net/devlink/rate.c ++++ b/net/devlink/rate.c +@@ -702,13 +702,15 @@ void devl_rate_nodes_destroy(struct devlink *devlink) + if (!devlink_rate->parent) + continue; + +- refcount_dec(&devlink_rate->parent->refcnt); + if (devlink_rate_is_leaf(devlink_rate)) + ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); + else if (devlink_rate_is_node(devlink_rate)) + ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv, + NULL, NULL); ++ ++ refcount_dec(&devlink_rate->parent->refcnt); ++ devlink_rate->parent = NULL; + } + list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) { + if (devlink_rate_is_node(devlink_rate)) { +-- +2.51.0 + diff --git a/queue-6.6/drm-tegra-add-call-to-put_pid.patch b/queue-6.6/drm-tegra-add-call-to-put_pid.patch new file mode 100644 index 0000000000..3fb8866a30 --- /dev/null +++ b/queue-6.6/drm-tegra-add-call-to-put_pid.patch @@ -0,0 +1,46 @@ +From a21b9511ab9d4e98ee32091135f175c93272a6f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 13:25:40 +0900 +Subject: drm/tegra: Add call to put_pid() + +From: Prateek Agarwal + +[ Upstream commit 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a ] + +Add a call to put_pid() corresponding to get_task_pid(). +host1x_memory_context_alloc() does not take ownership of the PID so we +need to free it here to avoid leaking. + +Signed-off-by: Prateek Agarwal +Fixes: e09db97889ec ("drm/tegra: Support context isolation") +[mperttunen@nvidia.com: reword commit message] +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Link: https://patch.msgid.link/20250919-host1x-put-pid-v1-1-19c2163dfa87@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/uapi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/uapi.c b/drivers/gpu/drm/tegra/uapi.c +index 5adab6b229164..d0b6a1fa6efad 100644 +--- a/drivers/gpu/drm/tegra/uapi.c ++++ b/drivers/gpu/drm/tegra/uapi.c +@@ -114,9 +114,12 @@ int tegra_drm_ioctl_channel_open(struct drm_device *drm, void *data, struct drm_ + if (err) + goto put_channel; + +- if (supported) ++ if (supported) { ++ struct pid *pid = get_task_pid(current, PIDTYPE_TGID); + context->memory_context = host1x_memory_context_alloc( +- host, client->base.dev, get_task_pid(current, PIDTYPE_TGID)); ++ host, client->base.dev, pid); ++ put_pid(pid); ++ } + + if (IS_ERR(context->memory_context)) { + if (PTR_ERR(context->memory_context) != -EOPNOTSUPP) { +-- +2.51.0 + diff --git a/queue-6.6/kconfig-mconf-initialize-the-default-locale-at-start.patch b/queue-6.6/kconfig-mconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..be814e4323 --- /dev/null +++ b/queue-6.6/kconfig-mconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From b3e9a26ebc63f7c2b875219349a864b3851857d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:49:32 +0200 +Subject: kconfig/mconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 3927c4a1084c48ef97f11281a0a43ecb2cb4d6f1 ] + +Fix bug where make menuconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014154933.3990990-1-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/mconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/mconf.c b/scripts/kconfig/mconf.c +index 3795c36a9181a..2364140596c5d 100644 +--- a/scripts/kconfig/mconf.c ++++ b/scripts/kconfig/mconf.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1015,6 +1016,8 @@ int main(int ac, char **av) + + signal(SIGINT, sig_handler); + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + silent = 1; + /* Silence conf_read() until the real callback is set up */ +-- +2.51.0 + diff --git a/queue-6.6/kconfig-nconf-initialize-the-default-locale-at-start.patch b/queue-6.6/kconfig-nconf-initialize-the-default-locale-at-start.patch new file mode 100644 index 0000000000..71384a933b --- /dev/null +++ b/queue-6.6/kconfig-nconf-initialize-the-default-locale-at-start.patch @@ -0,0 +1,49 @@ +From 927ead667b7ff08984f0e31f6fca1809da503038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 16:44:06 +0200 +Subject: kconfig/nconf: Initialize the default locale at startup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Horký + +[ Upstream commit 43c2931a95e6b295bfe9e3b90dbe0f7596933e91 ] + +Fix bug where make nconfig doesn't initialize the default locale, which +causes ncurses menu borders to be displayed incorrectly (lqqqqk) in +UTF-8 terminals that don't support VT100 ACS by default, such as PuTTY. + +Signed-off-by: Jakub Horký +Link: https://patch.msgid.link/20251014144405.3975275-2-jakub.git@horky.net +[nathan: Alphabetize locale.h include] +Signed-off-by: Nathan Chancellor +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 7a17c94a15941..a7cfa6813c63f 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -7,6 +7,7 @@ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #endif ++#include + #include + #include + #include +@@ -1569,6 +1570,8 @@ int main(int ac, char **av) + int lines, columns; + char *mode; + ++ setlocale(LC_ALL, ""); ++ + if (ac > 1 && strcmp(av[1], "-s") == 0) { + /* Silence conf_read() until the real callback is set up */ + conf_set_message_callback(NULL); +-- +2.51.0 + diff --git a/queue-6.6/kernel.h-move-array_size-to-a-separate-header.patch b/queue-6.6/kernel.h-move-array_size-to-a-separate-header.patch new file mode 100644 index 0000000000..d09acd6aff --- /dev/null +++ b/queue-6.6/kernel.h-move-array_size-to-a-separate-header.patch @@ -0,0 +1,89 @@ +From b7e710e6a14e60df8b9c4c9321d7382f5f5e1840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 14:59:53 +0300 +Subject: kernel.h: Move ARRAY_SIZE() to a separate header + +From: Alejandro Colomar + +[ Upstream commit 3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 ] + +Touching files so used for the kernel, +forces 'make' to recompile most of the kernel. + +Having those definitions in more granular files +helps avoid recompiling so much of the kernel. + +Signed-off-by: Alejandro Colomar +Reviewed-by: Giovanni Cabiddu +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com +[andy: reduced to cover only string.h for now] +Signed-off-by: Andy Shevchenko +Stable-dep-of: 896f1a2493b5 ("net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()") +Signed-off-by: Sasha Levin +--- + include/linux/array_size.h | 13 +++++++++++++ + include/linux/kernel.h | 7 +------ + include/linux/string.h | 1 + + 3 files changed, 15 insertions(+), 6 deletions(-) + create mode 100644 include/linux/array_size.h + +diff --git a/include/linux/array_size.h b/include/linux/array_size.h +new file mode 100644 +index 0000000000000..06d7d83196ca3 +--- /dev/null ++++ b/include/linux/array_size.h +@@ -0,0 +1,13 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#ifndef _LINUX_ARRAY_SIZE_H ++#define _LINUX_ARRAY_SIZE_H ++ ++#include ++ ++/** ++ * ARRAY_SIZE - get the number of elements in array @arr ++ * @arr: array to be sized ++ */ ++#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) ++ ++#endif /* _LINUX_ARRAY_SIZE_H */ +diff --git a/include/linux/kernel.h b/include/linux/kernel.h +index cee8fe87e9f4f..d9ad21058eed9 100644 +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -13,6 +13,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -50,12 +51,6 @@ + #define READ 0 + #define WRITE 1 + +-/** +- * ARRAY_SIZE - get the number of elements in array @arr +- * @arr: array to be sized +- */ +-#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr)) +- + #define PTR_IF(cond, ptr) ((cond) ? (ptr) : NULL) + + #define u64_to_user_ptr(x) ( \ +diff --git a/include/linux/string.h b/include/linux/string.h +index 5077776e995e0..ce137830a0b99 100644 +--- a/include/linux/string.h ++++ b/include/linux/string.h +@@ -2,6 +2,7 @@ + #ifndef _LINUX_STRING_H_ + #define _LINUX_STRING_H_ + ++#include + #include /* for inline */ + #include /* for size_t */ + #include /* for NULL */ +-- +2.51.0 + diff --git a/queue-6.6/loongarch-use-uapi-types-in-ptrace-uapi-header.patch b/queue-6.6/loongarch-use-uapi-types-in-ptrace-uapi-header.patch new file mode 100644 index 0000000000..c92a274c92 --- /dev/null +++ b/queue-6.6/loongarch-use-uapi-types-in-ptrace-uapi-header.patch @@ -0,0 +1,107 @@ +From fe4f109741ad4322c2cf52b7b40b719704f65ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 14:42:05 +0800 +Subject: LoongArch: Use UAPI types in ptrace UAPI header +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 20d7338f2d3bcb570068dd6d39b16f1a909fe976 ] + +The kernel UAPI headers already contain fixed-width integer types, there +is no need to rely on the libc types. There may not be a libc available +or the libc may not provides the , like for example on nolibc. + +This also aligns the header with the rest of the LoongArch UAPI headers. + +Fixes: 803b0fc5c3f2 ("LoongArch: Add process management") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Huacai Chen +Signed-off-by: Sasha Levin +--- + arch/loongarch/include/uapi/asm/ptrace.h | 40 +++++++++++------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h +index aafb3cd9e943e..215e0f9e8aa32 100644 +--- a/arch/loongarch/include/uapi/asm/ptrace.h ++++ b/arch/loongarch/include/uapi/asm/ptrace.h +@@ -10,10 +10,6 @@ + + #include + +-#ifndef __KERNEL__ +-#include +-#endif +- + /* + * For PTRACE_{POKE,PEEK}USR. 0 - 31 are GPRs, + * 32 is syscall's original ARG0, 33 is PC, 34 is BADVADDR. +@@ -41,44 +37,44 @@ struct user_pt_regs { + } __attribute__((aligned(8))); + + struct user_fp_state { +- uint64_t fpr[32]; +- uint64_t fcc; +- uint32_t fcsr; ++ __u64 fpr[32]; ++ __u64 fcc; ++ __u32 fcsr; + }; + + struct user_lsx_state { + /* 32 registers, 128 bits width per register. */ +- uint64_t vregs[32*2]; ++ __u64 vregs[32*2]; + }; + + struct user_lasx_state { + /* 32 registers, 256 bits width per register. */ +- uint64_t vregs[32*4]; ++ __u64 vregs[32*4]; + }; + + struct user_lbt_state { +- uint64_t scr[4]; +- uint32_t eflags; +- uint32_t ftop; ++ __u64 scr[4]; ++ __u32 eflags; ++ __u32 ftop; + }; + + struct user_watch_state { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[8]; + }; + + struct user_watch_state_v2 { +- uint64_t dbg_info; ++ __u64 dbg_info; + struct { +- uint64_t addr; +- uint64_t mask; +- uint32_t ctrl; +- uint32_t pad; ++ __u64 addr; ++ __u64 mask; ++ __u32 ctrl; ++ __u32 pad; + } dbg_regs[14]; + }; + +-- +2.51.0 + diff --git a/queue-6.6/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch b/queue-6.6/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch new file mode 100644 index 0000000000..83d3a48961 --- /dev/null +++ b/queue-6.6/mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch @@ -0,0 +1,47 @@ +From 9b8d4dd095f8876c8e23cc822a7af05b87cf395e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 05:21:14 +0000 +Subject: mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() + +From: Zilin Guan + +[ Upstream commit 407a06507c2358554958e8164dc97176feddcafc ] + +The function mlxsw_sp_flower_stats() calls mlxsw_sp_acl_ruleset_get() to +obtain a ruleset reference. If the subsequent call to +mlxsw_sp_acl_rule_lookup() fails to find a rule, the function returns +an error without releasing the ruleset reference, causing a memory leak. + +Fix this by using a goto to the existing error handling label, which +calls mlxsw_sp_acl_ruleset_put() to properly release the reference. + +Fixes: 7c1b8eb175b69 ("mlxsw: spectrum: Add support for TC flower offload statistics") +Signed-off-by: Zilin Guan +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251112052114.1591695-1-zilin@seu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +index 9fd1ca0792584..fba545938fd7d 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +@@ -816,8 +816,10 @@ int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, + return -EINVAL; + + rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); +- if (!rule) +- return -EINVAL; ++ if (!rule) { ++ err = -EINVAL; ++ goto err_rule_get_stats; ++ } + + err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, + &drops, &lastuse, &used_hw_stats); +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch b/queue-6.6/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch new file mode 100644 index 0000000000..7f11defc91 --- /dev/null +++ b/queue-6.6/net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch @@ -0,0 +1,57 @@ +From 3043eb6e1b2481a3777e7176c33772e38e406293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 16:57:44 +0300 +Subject: net: dsa: hellcreek: fix missing error handling in LED registration + +From: Pavel Zhigulin + +[ Upstream commit e6751b0b19a6baab219a62e1e302b8aa6b5a55b2 ] + +The LED setup routine registered both led_sync_good +and led_is_gm devices without checking the return +values of led_classdev_register(). If either registration +failed, the function continued silently, leaving the +driver in a partially-initialized state and leaking +a registered LED classdev. + +Add proper error handling + +Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Andrew Lunn +Acked-by: Kurt Kanzenbach +Link: https://patch.msgid.link/20251113135745.92375-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/hirschmann/hellcreek_ptp.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/hirschmann/hellcreek_ptp.c b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +index 5249a1c2a80b8..1bb994f785963 100644 +--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c ++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c +@@ -371,8 +371,18 @@ static int hellcreek_led_setup(struct hellcreek *hellcreek) + hellcreek_set_brightness(hellcreek, STATUS_OUT_IS_GM, 1); + + /* Register both leds */ +- led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); +- led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_sync_good); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register sync_good LED\n"); ++ goto out; ++ } ++ ++ ret = led_classdev_register(hellcreek->dev, &hellcreek->led_is_gm); ++ if (ret) { ++ dev_err(hellcreek->dev, "Failed to register is_gm LED\n"); ++ led_classdev_unregister(&hellcreek->led_sync_good); ++ goto out; ++ } + + ret = 0; + +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch b/queue-6.6/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch new file mode 100644 index 0000000000..8255dc672f --- /dev/null +++ b/queue-6.6/net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch @@ -0,0 +1,161 @@ +From aa7b172281273a902dda502c12bd33f892a2e7e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 14:16:08 +0200 +Subject: net/mlx5: Clean up only new IRQ glue on request_irq() failure + +From: Pradyumn Rahar + +[ Upstream commit d47515af6cccd7484d8b0870376858c9848a18ec ] + +The mlx5_irq_alloc() function can inadvertently free the entire rmap +and end up in a crash[1] when the other threads tries to access this, +when request_irq() fails due to exhausted IRQ vectors. This commit +modifies the cleanup to remove only the specific IRQ mapping that was +just added. + +This prevents removal of other valid mappings and ensures precise +cleanup of the failed IRQ allocation's associated glue object. + +Note: This error is observed when both fwctl and rds configs are enabled. + +[1] +mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 +mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to +request irq. err = -28 +infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while +trying to test write-combining support +mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 +mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to +request irq. err = -28 +general protection fault, probably for non-canonical address +0xe277a58fde16f291: 0000 [#1] SMP NOPTI + +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Call Trace: + + ? show_trace_log_lvl+0x1d6/0x2f9 + ? show_trace_log_lvl+0x1d6/0x2f9 + ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + ? __die_body.cold+0x8/0xa + ? die_addr+0x39/0x53 + ? exc_general_protection+0x1c4/0x3e9 + ? dev_vprintk_emit+0x5f/0x90 + ? asm_exc_general_protection+0x22/0x27 + ? free_irq_cpu_rmap+0x23/0x7d + mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] + irq_pool_request_vector+0x7d/0x90 [mlx5_core] + mlx5_irq_request+0x2e/0xe0 [mlx5_core] + mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] + comp_irq_request_pci+0x64/0xf0 [mlx5_core] + create_comp_eq+0x71/0x385 [mlx5_core] + ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] + mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] + ? xas_load+0x8/0x91 + mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] + mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] + mlx5e_open_channels+0xad/0x250 [mlx5_core] + mlx5e_open_locked+0x3e/0x110 [mlx5_core] + mlx5e_open+0x23/0x70 [mlx5_core] + __dev_open+0xf1/0x1a5 + __dev_change_flags+0x1e1/0x249 + dev_change_flags+0x21/0x5c + do_setlink+0x28b/0xcc4 + ? __nla_parse+0x22/0x3d + ? inet6_validate_link_af+0x6b/0x108 + ? cpumask_next+0x1f/0x35 + ? __snmp6_fill_stats64.constprop.0+0x66/0x107 + ? __nla_validate_parse+0x48/0x1e6 + __rtnl_newlink+0x5ff/0xa57 + ? kmem_cache_alloc_trace+0x164/0x2ce + rtnl_newlink+0x44/0x6e + rtnetlink_rcv_msg+0x2bb/0x362 + ? __netlink_sendskb+0x4c/0x6c + ? netlink_unicast+0x28f/0x2ce + ? rtnl_calcit.isra.0+0x150/0x146 + netlink_rcv_skb+0x5f/0x112 + netlink_unicast+0x213/0x2ce + netlink_sendmsg+0x24f/0x4d9 + __sock_sendmsg+0x65/0x6a + ____sys_sendmsg+0x28f/0x2c9 + ? import_iovec+0x17/0x2b + ___sys_sendmsg+0x97/0xe0 + __sys_sendmsg+0x81/0xd8 + do_syscall_64+0x35/0x87 + entry_SYSCALL_64_after_hwframe+0x6e/0x0 +RIP: 0033:0x7fc328603727 +Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed +ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 +f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 +RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 +RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d +RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007ffe8eb3f3c8 R15: 00007ffe8eb3f3bc + +---[ end trace f43ce73c3c2b13a2 ]--- +RIP: 0010:free_irq_cpu_rmap+0x23/0x7d +Code: 0f 1f 80 00 00 00 00 48 85 ff 74 6b 55 48 89 fd 53 66 83 7f 06 00 +74 24 31 db 48 8b 55 08 0f b7 c3 48 8b 04 c2 48 85 c0 74 09 <8b> 38 31 +f6 e8 c4 0a b8 ff 83 c3 01 66 3b 5d 06 72 de b8 ff ff ff +RSP: 0018:ff384881640eaca0 EFLAGS: 00010282 +RAX: e277a58fde16f291 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: ff2335e2e20b3600 RSI: 0000000000000000 RDI: ff2335e2e20b3400 +RBP: ff2335e2e20b3400 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000ffffffe4 R12: ff384881640ead88 +R13: ff2335c3760751e0 R14: ff2335e2e1672200 R15: ff2335c3760751f8 +FS: 00007fc32ac22480(0000) GS:ff2335e2d6e00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f651ab54000 CR3: 00000029f1206003 CR4: 0000000000771ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Kernel panic - not syncing: Fatal exception +Kernel Offset: 0x1dc00000 from 0xffffffff81000000 (relocation range: +0xffffffff80000000-0xffffffffbfffffff) +kvm-guest: disable async PF for cpu 0 + +Fixes: 3354822cde5a ("net/mlx5: Use dynamic msix vectors allocation") +Signed-off-by: Mohith Kumar Thummaluru +Tested-by: Mohith Kumar Thummaluru +Reviewed-by: Moshe Shemesh +Reviewed-by: Shay Drori +Signed-off-by: Pradyumn Rahar +Reviewed-by: Jacob Keller +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1763381768-1234998-1-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +index a8d6fd18c0f55..487d8b413a41d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c +@@ -323,10 +323,8 @@ struct mlx5_irq *mlx5_irq_alloc(struct mlx5_irq_pool *pool, int i, + free_irq(irq->map.virq, &irq->nh); + err_req_irq: + #ifdef CONFIG_RFS_ACCEL +- if (i && rmap && *rmap) { +- free_irq_cpu_rmap(*rmap); +- *rmap = NULL; +- } ++ if (i && rmap && *rmap) ++ irq_cpu_rmap_remove(*rmap, irq->map.virq); + err_irq_rmap: + #endif + if (i && pci_msix_can_alloc_dyn(dev->pdev)) +-- +2.51.0 + diff --git a/queue-6.6/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch b/queue-6.6/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch new file mode 100644 index 0000000000..1b1171e46f --- /dev/null +++ b/queue-6.6/net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch @@ -0,0 +1,42 @@ +From 7a5e31c2bddeb497aed20eadc9feb17da9ca6573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 19:19:21 +0300 +Subject: net: mlxsw: linecards: fix missing error check in + mlxsw_linecard_devlink_info_get() + +From: Pavel Zhigulin + +[ Upstream commit b0c959fec18f4595a6a6317ffc30615cfa37bf69 ] + +The call to devlink_info_version_fixed_put() in +mlxsw_linecard_devlink_info_get() did not check for errors, +although it is checked everywhere in the code. + +Add missed 'err' check to the mlxsw_linecard_devlink_info_get() + +Fixes: 3fc0c51905fb ("mlxsw: core_linecards: Expose device PSID over device info") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251113161922.813828-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +index b032d5a4b3b84..10f5bc4892fc7 100644 +--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c +@@ -601,6 +601,8 @@ int mlxsw_linecard_devlink_info_get(struct mlxsw_linecard *linecard, + err = devlink_info_version_fixed_put(req, + DEVLINK_INFO_VERSION_GENERIC_FW_PSID, + info->psid); ++ if (err) ++ goto unlock; + + sprintf(buf, "%u.%u.%u", info->fw_major, info->fw_minor, + info->fw_sub_minor); +-- +2.51.0 + diff --git a/queue-6.6/net-openvswitch-remove-never-working-support-for-set.patch b/queue-6.6/net-openvswitch-remove-never-working-support-for-set.patch new file mode 100644 index 0000000000..9edd58cdd6 --- /dev/null +++ b/queue-6.6/net-openvswitch-remove-never-working-support-for-set.patch @@ -0,0 +1,310 @@ +From 08907e2da85dcdc2843c2ba0073a6334aab8f18c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 12:14:03 +0100 +Subject: net: openvswitch: remove never-working support for setting nsh fields + +From: Ilya Maximets + +[ Upstream commit dfe28c4167a9259fc0c372d9f9473e1ac95cff67 ] + +The validation of the set(nsh(...)) action is completely wrong. +It runs through the nsh_key_put_from_nlattr() function that is the +same function that validates NSH keys for the flow match and the +push_nsh() action. However, the set(nsh(...)) has a very different +memory layout. Nested attributes in there are doubled in size in +case of the masked set(). That makes proper validation impossible. + +There is also confusion in the code between the 'masked' flag, that +says that the nested attributes are doubled in size containing both +the value and the mask, and the 'is_mask' that says that the value +we're parsing is the mask. This is causing kernel crash on trying to +write into mask part of the match with SW_FLOW_KEY_PUT() during +validation, while validate_nsh() doesn't allocate any memory for it: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) + RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] + Call Trace: + + validate_nsh+0x60/0x90 [openvswitch] + validate_set.constprop.0+0x270/0x3c0 [openvswitch] + __ovs_nla_copy_actions+0x477/0x860 [openvswitch] + ovs_nla_copy_actions+0x8d/0x100 [openvswitch] + ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] + genl_family_rcv_msg_doit+0xdb/0x130 + genl_family_rcv_msg+0x14b/0x220 + genl_rcv_msg+0x47/0xa0 + netlink_rcv_skb+0x53/0x100 + genl_rcv+0x24/0x40 + netlink_unicast+0x280/0x3b0 + netlink_sendmsg+0x1f7/0x430 + ____sys_sendmsg+0x36b/0x3a0 + ___sys_sendmsg+0x87/0xd0 + __sys_sendmsg+0x6d/0xd0 + do_syscall_64+0x7b/0x2c0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The third issue with this process is that while trying to convert +the non-masked set into masked one, validate_set() copies and doubles +the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested +attributes. It should be copying each nested attribute and doubling +them in size independently. And the process must be properly reversed +during the conversion back from masked to a non-masked variant during +the flow dump. + +In the end, the only two outcomes of trying to use this action are +either validation failure or a kernel crash. And if somehow someone +manages to install a flow with such an action, it will most definitely +not do what it is supposed to, since all the keys and the masks are +mixed up. + +Fixing all the issues is a complex task as it requires re-writing +most of the validation code. + +Given that and the fact that this functionality never worked since +introduction, let's just remove it altogether. It's better to +re-introduce it later with a proper implementation instead of trying +to fix it in stable releases. + +Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support") +Reported-by: Junvy Yang +Signed-off-by: Ilya Maximets +Acked-by: Eelco Chaudron +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20251112112246.95064-1-i.maximets@ovn.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/actions.c | 68 +--------------------------------- + net/openvswitch/flow_netlink.c | 64 ++++---------------------------- + net/openvswitch/flow_netlink.h | 2 - + 3 files changed, 9 insertions(+), 125 deletions(-) + +diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c +index 10c646b32b9d0..0ea4fc2a755bf 100644 +--- a/net/openvswitch/actions.c ++++ b/net/openvswitch/actions.c +@@ -597,69 +597,6 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key, + return 0; + } + +-static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key, +- const struct nlattr *a) +-{ +- struct nshhdr *nh; +- size_t length; +- int err; +- u8 flags; +- u8 ttl; +- int i; +- +- struct ovs_key_nsh key; +- struct ovs_key_nsh mask; +- +- err = nsh_key_from_nlattr(a, &key, &mask); +- if (err) +- return err; +- +- /* Make sure the NSH base header is there */ +- if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN)) +- return -ENOMEM; +- +- nh = nsh_hdr(skb); +- length = nsh_hdr_len(nh); +- +- /* Make sure the whole NSH header is there */ +- err = skb_ensure_writable(skb, skb_network_offset(skb) + +- length); +- if (unlikely(err)) +- return err; +- +- nh = nsh_hdr(skb); +- skb_postpull_rcsum(skb, nh, length); +- flags = nsh_get_flags(nh); +- flags = OVS_MASKED(flags, key.base.flags, mask.base.flags); +- flow_key->nsh.base.flags = flags; +- ttl = nsh_get_ttl(nh); +- ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl); +- flow_key->nsh.base.ttl = ttl; +- nsh_set_flags_and_ttl(nh, flags, ttl); +- nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr, +- mask.base.path_hdr); +- flow_key->nsh.base.path_hdr = nh->path_hdr; +- switch (nh->mdtype) { +- case NSH_M_TYPE1: +- for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) { +- nh->md1.context[i] = +- OVS_MASKED(nh->md1.context[i], key.context[i], +- mask.context[i]); +- } +- memcpy(flow_key->nsh.context, nh->md1.context, +- sizeof(nh->md1.context)); +- break; +- case NSH_M_TYPE2: +- memset(flow_key->nsh.context, 0, +- sizeof(flow_key->nsh.context)); +- break; +- default: +- return -EINVAL; +- } +- skb_postpush_rcsum(skb, nh, length); +- return 0; +-} +- + /* Must follow skb_ensure_writable() since that can move the skb data. */ + static void set_tp_port(struct sk_buff *skb, __be16 *port, + __be16 new_port, __sum16 *check) +@@ -1143,10 +1080,6 @@ static int execute_masked_set_action(struct sk_buff *skb, + get_mask(a, struct ovs_key_ethernet *)); + break; + +- case OVS_KEY_ATTR_NSH: +- err = set_nsh(skb, flow_key, a); +- break; +- + case OVS_KEY_ATTR_IPV4: + err = set_ipv4(skb, flow_key, nla_data(a), + get_mask(a, struct ovs_key_ipv4 *)); +@@ -1183,6 +1116,7 @@ static int execute_masked_set_action(struct sk_buff *skb, + case OVS_KEY_ATTR_CT_LABELS: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4: + case OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6: ++ case OVS_KEY_ATTR_NSH: + err = -EINVAL; + break; + } +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 089ab1826e1d5..836e8e705d40e 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -1292,6 +1292,11 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match, + return 0; + } + ++/* ++ * Constructs NSH header 'nh' from attributes of OVS_ACTION_ATTR_PUSH_NSH, ++ * where 'nh' points to a memory block of 'size' bytes. It's assumed that ++ * attributes were previously validated with validate_push_nsh(). ++ */ + int nsh_hdr_from_nlattr(const struct nlattr *attr, + struct nshhdr *nh, size_t size) + { +@@ -1301,8 +1306,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + u8 ttl = 0; + int mdlen = 0; + +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ + if (size < NSH_BASE_HDR_LEN) + return -ENOBUFS; + +@@ -1346,46 +1349,6 @@ int nsh_hdr_from_nlattr(const struct nlattr *attr, + return 0; + } + +-int nsh_key_from_nlattr(const struct nlattr *attr, +- struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask) +-{ +- struct nlattr *a; +- int rem; +- +- /* validate_nsh has check this, so we needn't do duplicate check here +- */ +- nla_for_each_nested(a, attr, rem) { +- int type = nla_type(a); +- +- switch (type) { +- case OVS_NSH_KEY_ATTR_BASE: { +- const struct ovs_nsh_key_base *base = nla_data(a); +- const struct ovs_nsh_key_base *base_mask = base + 1; +- +- nsh->base = *base; +- nsh_mask->base = *base_mask; +- break; +- } +- case OVS_NSH_KEY_ATTR_MD1: { +- const struct ovs_nsh_key_md1 *md1 = nla_data(a); +- const struct ovs_nsh_key_md1 *md1_mask = md1 + 1; +- +- memcpy(nsh->context, md1->context, sizeof(*md1)); +- memcpy(nsh_mask->context, md1_mask->context, +- sizeof(*md1_mask)); +- break; +- } +- case OVS_NSH_KEY_ATTR_MD2: +- /* Not supported yet */ +- return -ENOTSUPP; +- default: +- return -EINVAL; +- } +- } +- +- return 0; +-} +- + static int nsh_key_put_from_nlattr(const struct nlattr *attr, + struct sw_flow_match *match, bool is_mask, + bool is_push_nsh, bool log) +@@ -2825,17 +2788,13 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, + return err; + } + +-static bool validate_nsh(const struct nlattr *attr, bool is_mask, +- bool is_push_nsh, bool log) ++static bool validate_push_nsh(const struct nlattr *attr, bool log) + { + struct sw_flow_match match; + struct sw_flow_key key; +- int ret = 0; + + ovs_match_init(&match, &key, true, NULL); +- ret = nsh_key_put_from_nlattr(attr, &match, is_mask, +- is_push_nsh, log); +- return !ret; ++ return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + } + + /* Return false if there are any non-masked bits set. +@@ -2983,13 +2942,6 @@ static int validate_set(const struct nlattr *a, + + break; + +- case OVS_KEY_ATTR_NSH: +- if (eth_type != htons(ETH_P_NSH)) +- return -EINVAL; +- if (!validate_nsh(nla_data(a), masked, false, log)) +- return -EINVAL; +- break; +- + default: + return -EINVAL; + } +@@ -3399,7 +3351,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, + return -EINVAL; + } + mac_proto = MAC_PROTO_NONE; +- if (!validate_nsh(nla_data(a), false, true, true)) ++ if (!validate_push_nsh(nla_data(a), log)) + return -EINVAL; + break; + +diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h +index fe7f77fc5f189..ff8cdecbe3465 100644 +--- a/net/openvswitch/flow_netlink.h ++++ b/net/openvswitch/flow_netlink.h +@@ -65,8 +65,6 @@ int ovs_nla_put_actions(const struct nlattr *attr, + void ovs_nla_free_flow_actions(struct sw_flow_actions *); + void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *); + +-int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh, +- struct ovs_key_nsh *nsh_mask); + int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh, + size_t size); + +-- +2.51.0 + diff --git a/queue-6.6/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch b/queue-6.6/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch new file mode 100644 index 0000000000..81f6b2f685 --- /dev/null +++ b/queue-6.6/net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch @@ -0,0 +1,62 @@ +From 4a4c7c819827713f213fe536da0e9a92e1e9e638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Nov 2025 14:27:56 +0300 +Subject: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() + and qede_tpa_end() + +From: Pavel Zhigulin + +[ Upstream commit 896f1a2493b59beb2b5ccdf990503dbb16cb2256 ] + +The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate +over 'cqe->len_list[]' using only a zero-length terminator as +the stopping condition. If the terminator was missing or +malformed, the loop could run past the end of the fixed-size array. + +Add an explicit bound check using ARRAY_SIZE() in both loops to prevent +a potential out-of-bounds access. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 55482edc25f0 ("qede: Add slowpath/fastpath support and enable hardware GRO") +Signed-off-by: Pavel Zhigulin +Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c +index cb1746bc0e0c5..273dae622c411 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -4,6 +4,7 @@ + * Copyright (c) 2019-2020 Marvell International Ltd. + */ + ++#include + #include + #include + #include +@@ -960,7 +961,7 @@ static inline void qede_tpa_cont(struct qede_dev *edev, + { + int i; + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + +@@ -985,7 +986,7 @@ static int qede_tpa_end(struct qede_dev *edev, + dma_unmap_page(rxq->dev, tpa_info->buffer.mapping, + PAGE_SIZE, rxq->data_direction); + +- for (i = 0; cqe->len_list[i]; i++) ++ for (i = 0; cqe->len_list[i] && i < ARRAY_SIZE(cqe->len_list); i++) + qede_fill_frag_skb(edev, rxq, cqe->tpa_agg_index, + le16_to_cpu(cqe->len_list[i])); + if (unlikely(i > 1)) +-- +2.51.0 + diff --git a/queue-6.6/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch b/queue-6.6/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch new file mode 100644 index 0000000000..e6ccae7790 --- /dev/null +++ b/queue-6.6/net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch @@ -0,0 +1,77 @@ +From d06f76927c035493090d756be3746a06924adf1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 22:03:02 +0200 +Subject: net: tls: Cancel RX async resync request on rcd_delta overflow + +From: Shahar Shitrit + +[ Upstream commit c15d5c62ab313c19121f10e25d4fec852bd1c40c ] + +When a netdev issues a RX async resync request for a TLS connection, +the TLS module handles it by logging record headers and attempting to +match them to the tcp_sn provided by the device. If a match is found, +the TLS module approves the tcp_sn for resynchronization. + +While waiting for a device response, the TLS module also increments +rcd_delta each time a new TLS record is received, tracking the distance +from the original resync request. + +However, if the device response is delayed or fails (e.g due to +unstable connection and device getting out of tracking, hardware +errors, resource exhaustion etc.), the TLS module keeps logging and +incrementing, which can lead to a WARN() when rcd_delta exceeds the +threshold. + +To address this, introduce tls_offload_rx_resync_async_request_cancel() +to explicitly cancel resync requests when a device response failure is +detected. Call this helper also as a final safeguard when rcd_delta +crosses its threshold, as reaching this point implies that earlier +cancellation did not occur. + +Signed-off-by: Shahar Shitrit +Reviewed-by: Sabrina Dubroca +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1761508983-937977-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/tls.h | 6 ++++++ + net/tls/tls_device.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/include/net/tls.h b/include/net/tls.h +index 6c642ea180504..66527376ca973 100644 +--- a/include/net/tls.h ++++ b/include/net/tls.h +@@ -474,6 +474,12 @@ tls_offload_rx_resync_async_request_end(struct sock *sk, __be32 seq) + ((u64)ntohl(seq) << 32) | RESYNC_REQ); + } + ++static inline void ++tls_offload_rx_resync_async_request_cancel(struct tls_offload_resync_async *resync_async) ++{ ++ atomic64_set(&resync_async->req, 0); ++} ++ + static inline void + tls_offload_rx_resync_set_type(struct sock *sk, enum tls_offload_sync_type type) + { +diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c +index 8c94c926606ad..4f72fd26ab405 100644 +--- a/net/tls/tls_device.c ++++ b/net/tls/tls_device.c +@@ -727,8 +727,10 @@ tls_device_rx_resync_async(struct tls_offload_resync_async *resync_async, + /* shouldn't get to wraparound: + * too long in async stage, something bad happened + */ +- if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) ++ if (WARN_ON_ONCE(resync_async->rcd_delta == USHRT_MAX)) { ++ tls_offload_rx_resync_async_request_cancel(resync_async); + return false; ++ } + + /* asynchronous stage: log all headers seq such that + * req_seq <= seq <= end_seq, and wait for real resync request +-- +2.51.0 + diff --git a/queue-6.6/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch b/queue-6.6/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch new file mode 100644 index 0000000000..8bfdad9e45 --- /dev/null +++ b/queue-6.6/nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch @@ -0,0 +1,47 @@ +From 052450ca844622b17a455791d9a3e8f31752148a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:23:39 +0900 +Subject: nvme-multipath: fix lockdep WARN due to partition scan work + +From: Shin'ichiro Kawasaki + +[ Upstream commit 6d87cd5335784351280f82c47cc8a657271929c3 ] + +Blktests test cases nvme/014, 057 and 058 fail occasionally due to a +lockdep WARN. As reported in the Closes tag URL, the WARN indicates that +a deadlock can happen due to the dependency among disk->open_mutex, +kblockd workqueue completion and partition_scan_work completion. + +To avoid the lockdep WARN and the potential deadlock, cut the dependency +by running the partition_scan_work not by kblockd workqueue but by +nvme_wq. + +Reported-by: Yi Zhang +Closes: https://lore.kernel.org/linux-block/CAHj4cs8mJ+R_GmQm9R8ebResKAWUE8kF5+_WVg0v8zndmqd6BQ@mail.gmail.com/ +Link: https://lore.kernel.org/linux-block/oeyzci6ffshpukpfqgztsdeke5ost5hzsuz4rrsjfmvpqcevax@5nhnwbkzbrpa/ +Fixes: 1f021341eef4 ("nvme-multipath: defer partition scanning") +Signed-off-by: Shin'ichiro Kawasaki +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index 57416bbf9344f..578f4f29eacfe 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -686,7 +686,7 @@ static void nvme_mpath_set_live(struct nvme_ns *ns) + return; + } + nvme_add_ns_head_cdev(head); +- kblockd_schedule_work(&head->partition_scan_work); ++ queue_work(nvme_wq, &head->partition_scan_work); + } + + mutex_lock(&head->lock); +-- +2.51.0 + diff --git a/queue-6.6/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch b/queue-6.6/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch new file mode 100644 index 0000000000..7c2c2b012c --- /dev/null +++ b/queue-6.6/pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch @@ -0,0 +1,68 @@ +From 9e4c93dbe16bff7145d2e5d4b9c24c438448fd02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 11:05:09 +0800 +Subject: pinctrl: cirrus: Fix fwnode leak in cs42l43_pin_probe() + +From: Haotian Zhang + +[ Upstream commit 9b07cdf86a0b90556f5b68a6b20b35833b558df3 ] + +The driver calls fwnode_get_named_child_node() which takes a reference +on the child node, but never releases it, which causes a reference leak. + +Fix by using devm_add_action_or_reset() to automatically release the +reference when the device is removed. + +Fixes: d5282a539297 ("pinctrl: cs42l43: Add support for the cs42l43") +Suggested-by: Charles Keepax +Signed-off-by: Haotian Zhang +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/cirrus/pinctrl-cs42l43.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +index c096463184195..e1ac89be7c847 100644 +--- a/drivers/pinctrl/cirrus/pinctrl-cs42l43.c ++++ b/drivers/pinctrl/cirrus/pinctrl-cs42l43.c +@@ -532,6 +532,11 @@ static int cs42l43_gpio_add_pin_ranges(struct gpio_chip *chip) + return ret; + } + ++static void cs42l43_fwnode_put(void *data) ++{ ++ fwnode_handle_put(data); ++} ++ + static int cs42l43_pin_probe(struct platform_device *pdev) + { + struct cs42l43 *cs42l43 = dev_get_drvdata(pdev->dev.parent); +@@ -563,10 +568,20 @@ static int cs42l43_pin_probe(struct platform_device *pdev) + priv->gpio_chip.ngpio = CS42L43_NUM_GPIOS; + + if (is_of_node(fwnode)) { +- fwnode = fwnode_get_named_child_node(fwnode, "pinctrl"); +- +- if (fwnode && !fwnode->dev) +- fwnode->dev = priv->dev; ++ struct fwnode_handle *child; ++ ++ child = fwnode_get_named_child_node(fwnode, "pinctrl"); ++ if (child) { ++ ret = devm_add_action_or_reset(&pdev->dev, ++ cs42l43_fwnode_put, child); ++ if (ret) { ++ fwnode_handle_put(child); ++ return ret; ++ } ++ if (!child->dev) ++ child->dev = priv->dev; ++ fwnode = child; ++ } + } + + priv->gpio_chip.fwnode = fwnode; +-- +2.51.0 + diff --git a/queue-6.6/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch b/queue-6.6/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch new file mode 100644 index 0000000000..15223f0474 --- /dev/null +++ b/queue-6.6/pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch @@ -0,0 +1,81 @@ +From 410cac81be0ecce5353247a9a8a3b67e4c033f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:11 -0800 +Subject: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc + +From: Jared Kangas + +[ Upstream commit 97ea34defbb57bfaf71ce487b1b0865ffd186e81 ] + +s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its +fields are initialized. Notably, num_custom_params is used in +pinconf_generic_parse_dt_config(), resulting in intermittent allocation +errors, such as the following splat when probing i2c-imx: + + WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 + [...] + Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) + [...] + Call trace: + __alloc_pages_noprof+0x290/0x300 (P) + ___kmalloc_large_node+0x84/0x168 + __kmalloc_large_node_noprof+0x34/0x120 + __kmalloc_noprof+0x2ac/0x378 + pinconf_generic_parse_dt_config+0x68/0x1a0 + s32_dt_node_to_map+0x104/0x248 + dt_to_map_one_config+0x154/0x1d8 + pinctrl_dt_to_map+0x12c/0x280 + create_pinctrl+0x6c/0x270 + pinctrl_get+0xc0/0x170 + devm_pinctrl_get+0x50/0xa0 + pinctrl_bind_pins+0x60/0x2a0 + really_probe+0x60/0x3a0 + [...] + __platform_driver_register+0x2c/0x40 + i2c_adap_imx_init+0x28/0xff8 [i2c_imx] + [...] + +This results in later parse failures that can cause issues in dependent +drivers: + + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property + [...] + pca953x 0-0022: failed writing register: -6 + i2c i2c-0: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property + i2c i2c-1: IMX I2C adapter registered + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property + i2c i2c-2: IMX I2C adapter registered + +Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of +devm_kmalloc() in s32_pinctrl_probe(), which sets the previously +uninitialized fields to zero. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Tested-by: Jan Petrous (OSS) +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 08d80fb935b3a..9e97968e25fcd 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -943,7 +943,7 @@ int s32_pinctrl_probe(struct platform_device *pdev, + spin_lock_init(&ipctl->gpio_configs_lock); + + s32_pinctrl_desc = +- devm_kmalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); ++ devm_kzalloc(&pdev->dev, sizeof(*s32_pinctrl_desc), GFP_KERNEL); + if (!s32_pinctrl_desc) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.6/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch b/queue-6.6/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch new file mode 100644 index 0000000000..b54a37e822 --- /dev/null +++ b/queue-6.6/pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch @@ -0,0 +1,38 @@ +From 6af1e52fc77b68bf693796d2296bd009ea5fcb1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Nov 2025 13:54:12 -0800 +Subject: pinctrl: s32cc: initialize gpio_pin_config::list after kmalloc() + +From: Jared Kangas + +[ Upstream commit 6010d4d8b55b5d3ae1efb5502c54312e15c14f21 ] + +s32_pmx_gpio_request_enable() does not initialize the newly-allocated +gpio_pin_config::list before adding it to s32_pinctrl::gpio_configs. +This could result in a linked list corruption. + +Initialize the new list_head with INIT_LIST_HEAD() to fix this. + +Fixes: fd84aaa8173d ("pinctrl: add NXP S32 SoC family support") +Signed-off-by: Jared Kangas +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/nxp/pinctrl-s32cc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/nxp/pinctrl-s32cc.c b/drivers/pinctrl/nxp/pinctrl-s32cc.c +index 9e97968e25fcd..9c435e44abb4f 100644 +--- a/drivers/pinctrl/nxp/pinctrl-s32cc.c ++++ b/drivers/pinctrl/nxp/pinctrl-s32cc.c +@@ -392,6 +392,7 @@ static int s32_pmx_gpio_request_enable(struct pinctrl_dev *pctldev, + + gpio_pin->pin_id = offset; + gpio_pin->config = config; ++ INIT_LIST_HEAD(&gpio_pin->list); + + spin_lock_irqsave(&ipctl->gpio_configs_lock, flags); + list_add(&gpio_pin->list, &ipctl->gpio_configs); +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-intel-speed_select_if-convert-pcibios_-.patch b/queue-6.6/platform-x86-intel-speed_select_if-convert-pcibios_-.patch new file mode 100644 index 0000000000..0a8d454878 --- /dev/null +++ b/queue-6.6/platform-x86-intel-speed_select_if-convert-pcibios_-.patch @@ -0,0 +1,53 @@ +From 7853c47f4984dbd7197d24e9427343476359dd5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 11:33:54 +0800 +Subject: platform/x86/intel/speed_select_if: Convert PCIBIOS_* return codes to + errnos +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Haotian Zhang + +[ Upstream commit d8bb447efc5622577994287dc77c684fa8840b30 ] + +isst_if_probe() uses pci_read_config_dword() that returns PCIBIOS_* +codes. The return code is returned from the probe function as is but +probe functions should return normal errnos. A proper implementation +can be found in drivers/leds/leds-ss4200.c. + +Convert PCIBIOS_* return codes using pcibios_err_to_errno() into +normal errno before returning. + +Fixes: d3a23584294c ("platform/x86: ISST: Add Intel Speed Select mmio interface") +Signed-off-by: Haotian Zhang +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20251117033354.132-1-vulab@iscas.ac.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +index ff49025ec0856..bb38e5f021a80 100644 +--- a/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_mmio.c +@@ -106,11 +106,11 @@ static int isst_if_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + ret = pci_read_config_dword(pdev, 0xD0, &mmio_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + ret = pci_read_config_dword(pdev, 0xFC, &pcu_base); + if (ret) +- return ret; ++ return pcibios_err_to_errno(ret); + + pcu_base &= GENMASK(10, 0); + base_addr = (u64)mmio_base << 23 | (u64) pcu_base << 12; +-- +2.51.0 + diff --git a/queue-6.6/s390-ctcm-fix-double-kfree.patch b/queue-6.6/s390-ctcm-fix-double-kfree.patch new file mode 100644 index 0000000000..d9a7278ba4 --- /dev/null +++ b/queue-6.6/s390-ctcm-fix-double-kfree.patch @@ -0,0 +1,45 @@ +From bc64ca5b10cf4e275c8f71a91ddce9ec5d126761 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Nov 2025 19:27:24 +0100 +Subject: s390/ctcm: Fix double-kfree + +From: Aleksei Nikiforov + +[ Upstream commit da02a1824884d6c84c5e5b5ac373b0c9e3288ec2 ] + +The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally +from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. +After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' +frees it again. + +Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. + +Bug detected by the clang static analyzer. + +Fixes: 0c0b20587b9f25a2 ("s390/ctcm: fix potential memory leak") +Reviewed-by: Aswin Karuvally +Signed-off-by: Aleksei Nikiforov +Signed-off-by: Aswin Karuvally +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251112182724.1109474-1-aswin@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/s390/net/ctcm_mpc.c b/drivers/s390/net/ctcm_mpc.c +index 7a2f34a5e0e09..f8b3e3f7b8ce0 100644 +--- a/drivers/s390/net/ctcm_mpc.c ++++ b/drivers/s390/net/ctcm_mpc.c +@@ -700,7 +700,6 @@ static void mpc_rcvd_sweep_req(struct mpcg_info *mpcginfo) + + grp->sweep_req_pend_num--; + ctcmpc_send_sweep_resp(ch); +- kfree(mpcginfo); + return; + } + +-- +2.51.0 + diff --git a/queue-6.6/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch b/queue-6.6/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch new file mode 100644 index 0000000000..3a8d4b80f8 --- /dev/null +++ b/queue-6.6/scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch @@ -0,0 +1,77 @@ +From 1e2982393cb6ed5c927bf22bc5bab0886f0e373c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 14:48:00 -0700 +Subject: scsi: core: Fix a regression triggered by scsi_host_busy() + +From: Bart Van Assche + +[ Upstream commit a0b7780602b1b196f47e527fec82166a7e67c4d0 ] + +Commit 995412e23bb2 ("blk-mq: Replace tags->lock with SRCU for tag +iterators") introduced the following regression: + +Call trace: + __srcu_read_lock+0x30/0x80 (P) + blk_mq_tagset_busy_iter+0x44/0x300 + scsi_host_busy+0x38/0x70 + ufshcd_print_host_state+0x34/0x1bc + ufshcd_link_startup.constprop.0+0xe4/0x2e0 + ufshcd_init+0x944/0xf80 + ufshcd_pltfrm_init+0x504/0x820 + ufs_rockchip_probe+0x2c/0x88 + platform_probe+0x5c/0xa4 + really_probe+0xc0/0x38c + __driver_probe_device+0x7c/0x150 + driver_probe_device+0x40/0x120 + __driver_attach+0xc8/0x1e0 + bus_for_each_dev+0x7c/0xdc + driver_attach+0x24/0x30 + bus_add_driver+0x110/0x230 + driver_register+0x68/0x130 + __platform_driver_register+0x20/0x2c + ufs_rockchip_pltform_init+0x1c/0x28 + do_one_initcall+0x60/0x1e0 + kernel_init_freeable+0x248/0x2c4 + kernel_init+0x20/0x140 + ret_from_fork+0x10/0x20 + +Fix this regression by making scsi_host_busy() check whether the SCSI +host tag set has already been initialized. tag_set->ops is set by +scsi_mq_setup_tags() just before blk_mq_alloc_tag_set() is called. This +fix is based on the assumption that scsi_host_busy() and +scsi_mq_setup_tags() calls are serialized. This is the case in the UFS +driver. + +Reported-by: Sebastian Reichel +Closes: https://lore.kernel.org/linux-block/pnezafputodmqlpumwfbn644ohjybouveehcjhz2hmhtcf2rka@sdhoiivync4y/ +Cc: Ming Lei +Cc: Jens Axboe +Signed-off-by: Bart Van Assche +Reviewed-by: Ming Lei +Tested-by: Sebastian Reichel +Link: https://patch.msgid.link/20251007214800.1678255-1-bvanassche@acm.org +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c +index 445f4a220df3e..f274812aee1e8 100644 +--- a/drivers/scsi/hosts.c ++++ b/drivers/scsi/hosts.c +@@ -602,8 +602,9 @@ int scsi_host_busy(struct Scsi_Host *shost) + { + int cnt = 0; + +- blk_mq_tagset_busy_iter(&shost->tag_set, +- scsi_host_check_in_flight, &cnt); ++ if (shost->tag_set.ops) ++ blk_mq_tagset_busy_iter(&shost->tag_set, ++ scsi_host_check_in_flight, &cnt); + return cnt; + } + EXPORT_SYMBOL(scsi_host_busy); +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-use-bash-for-bareudp-testing.patch b/queue-6.6/selftests-net-use-bash-for-bareudp-testing.patch new file mode 100644 index 0000000000..ab0bf40b92 --- /dev/null +++ b/queue-6.6/selftests-net-use-bash-for-bareudp-testing.patch @@ -0,0 +1,46 @@ +From 717affa8622d07e46396a58a88e2099e1ef0d936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 17:57:10 +0800 +Subject: selftests: net: use BASH for bareudp testing + +From: Po-Hsu Lin + +[ Upstream commit 9311e9540a8b406d9f028aa87fb072a3819d4c82 ] + +In bareudp.sh, this script uses /bin/sh and it will load another lib.sh +BASH script at the very beginning. + +But on some operating systems like Ubuntu, /bin/sh is actually pointed to +DASH, thus it will try to run BASH commands with DASH and consequently +leads to syntax issues: + # ./bareudp.sh: 4: ./lib.sh: Bad substitution + # ./bareudp.sh: 5: ./lib.sh: source: not found + # ./bareudp.sh: 24: ./lib.sh: Syntax error: "(" unexpected + +Fix this by explicitly using BASH for bareudp.sh. This fixes test +execution failures on systems where /bin/sh is not BASH. + +Reported-by: Edoardo Canepa +Link: https://bugs.launchpad.net/bugs/2129812 +Signed-off-by: Po-Hsu Lin +Reviewed-by: Przemek Kitszel +Link: https://patch.msgid.link/20251027095710.2036108-2-po-hsu.lin@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/bareudp.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/bareudp.sh b/tools/testing/selftests/net/bareudp.sh +index f366cadbc5e86..ff4308b48e65d 100755 +--- a/tools/testing/selftests/net/bareudp.sh ++++ b/tools/testing/selftests/net/bareudp.sh +@@ -1,4 +1,4 @@ +-#!/bin/sh ++#!/bin/bash + # SPDX-License-Identifier: GPL-2.0 + + # Test various bareudp tunnel configurations. +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 07abb20fed..a217872cc1 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -35,3 +35,31 @@ drm-tegra-dc-fix-reference-leak-in-tegra_dc_couple.patch drm-amdgpu-skip-emit-de-meta-data-on-gfx11-with-rs64-enabled.patch drm-amd-display-increase-dpcd-read-retries.patch drm-amd-display-move-sleep-into-each-retry-for-retrieve_link_cap.patch +xfrm-determine-inner-gso-type-from-packet-inner-prot.patch +xfrm-prevent-locally-generated-packets-from-direct-o.patch +pinctrl-cirrus-fix-fwnode-leak-in-cs42l43_pin_probe.patch +mlxsw-spectrum-fix-memory-leak-in-mlxsw_sp_flower_st.patch +drm-tegra-add-call-to-put_pid.patch +net-dsa-hellcreek-fix-missing-error-handling-in-led-.patch +net-mlxsw-linecards-fix-missing-error-check-in-mlxsw.patch +net-openvswitch-remove-never-working-support-for-set.patch +nvme-multipath-fix-lockdep-warn-due-to-partition-sca.patch +s390-ctcm-fix-double-kfree.patch +platform-x86-intel-speed_select_if-convert-pcibios_-.patch +kernel.h-move-array_size-to-a-separate-header.patch +net-qlogic-qede-fix-potential-out-of-bounds-read-in-.patch +pinctrl-s32cc-fix-uninitialized-memory-in-s32_pinctr.patch +pinctrl-s32cc-initialize-gpio_pin_config-list-after-.patch +devlink-rate-unset-parent-pointer-in-devl_rate_nodes.patch +net-mlx5-clean-up-only-new-irq-glue-on-request_irq-f.patch +loongarch-use-uapi-types-in-ptrace-uapi-header.patch +cifs-fix-memory-leak-in-smb3_fs_context_parse_param-.patch +vsock-ignore-signal-timeout-on-connect-if-already-es.patch +bcma-don-t-register-devices-disabled-in-of.patch +cifs-fix-typo-in-enable_gcm_256-module-parameter.patch +scsi-core-fix-a-regression-triggered-by-scsi_host_bu.patch +x86-microcode-amd-limit-entrysign-signature-checking.patch +selftests-net-use-bash-for-bareudp-testing.patch +net-tls-cancel-rx-async-resync-request-on-rcd_delta-.patch +kconfig-mconf-initialize-the-default-locale-at-start.patch +kconfig-nconf-initialize-the-default-locale-at-start.patch diff --git a/queue-6.6/vsock-ignore-signal-timeout-on-connect-if-already-es.patch b/queue-6.6/vsock-ignore-signal-timeout-on-connect-if-already-es.patch new file mode 100644 index 0000000000..050860188a --- /dev/null +++ b/queue-6.6/vsock-ignore-signal-timeout-on-connect-if-already-es.patch @@ -0,0 +1,101 @@ +From c667c46df8bc45a4cc4efde5b0a0419476488ce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Nov 2025 15:02:59 +0100 +Subject: vsock: Ignore signal/timeout on connect() if already established + +From: Michal Luczaj + +[ Upstream commit 002541ef650b742a198e4be363881439bb9d86b4 ] + +During connect(), acting on a signal/timeout by disconnecting an already +established socket leads to several issues: + +1. connect() invoking vsock_transport_cancel_pkt() -> + virtio_transport_purge_skbs() may race with sendmsg() invoking + virtio_transport_get_credit(). This results in a permanently elevated + `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. + +2. connect() resetting a connected socket's state may race with socket + being placed in a sockmap. A disconnected socket remaining in a sockmap + breaks sockmap's assumptions. And gives rise to WARNs. + +3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a + transport change/drop after TCP_ESTABLISHED. Which poses a problem for + any simultaneous sendmsg() or connect() and may result in a + use-after-free/null-ptr-deref. + +Do not disconnect socket on signal/timeout. Keep the logic for unconnected +sockets: they don't linger, can't be placed in a sockmap, are rejected by +sendmsg(). + +[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ +[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ +[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20251119-vsock-interrupted-connect-v2-1-70734cf1233f@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 64790062cfa2e..ca1289e64bcc8 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1550,18 +1550,40 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + timeout = schedule_timeout(timeout); + lock_sock(sk); + +- if (signal_pending(current)) { +- err = sock_intr_errno(timeout); +- sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE; +- sock->state = SS_UNCONNECTED; +- vsock_transport_cancel_pkt(vsk); +- vsock_remove_connected(vsk); +- goto out_wait; +- } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) { +- err = -ETIMEDOUT; ++ /* Connection established. Whatever happens to socket once we ++ * release it, that's not connect()'s concern. No need to go ++ * into signal and timeout handling. Call it a day. ++ * ++ * Note that allowing to "reset" an already established socket ++ * here is racy and insecure. ++ */ ++ if (sk->sk_state == TCP_ESTABLISHED) ++ break; ++ ++ /* If connection was _not_ established and a signal/timeout came ++ * to be, we want the socket's state reset. User space may want ++ * to retry. ++ * ++ * sk_state != TCP_ESTABLISHED implies that socket is not on ++ * vsock_connected_table. We keep the binding and the transport ++ * assigned. ++ */ ++ if (signal_pending(current) || timeout == 0) { ++ err = timeout == 0 ? -ETIMEDOUT : sock_intr_errno(timeout); ++ ++ /* Listener might have already responded with ++ * VIRTIO_VSOCK_OP_RESPONSE. Its handling expects our ++ * sk_state == TCP_SYN_SENT, which hereby we break. ++ * In such case VIRTIO_VSOCK_OP_RST will follow. ++ */ + sk->sk_state = TCP_CLOSE; + sock->state = SS_UNCONNECTED; ++ ++ /* Try to cancel VIRTIO_VSOCK_OP_REQUEST skb sent out by ++ * transport->connect(). ++ */ + vsock_transport_cancel_pkt(vsk); ++ + goto out_wait; + } + +-- +2.51.0 + diff --git a/queue-6.6/x86-microcode-amd-limit-entrysign-signature-checking.patch b/queue-6.6/x86-microcode-amd-limit-entrysign-signature-checking.patch new file mode 100644 index 0000000000..bb2494b3f8 --- /dev/null +++ b/queue-6.6/x86-microcode-amd-limit-entrysign-signature-checking.patch @@ -0,0 +1,63 @@ +From a641232abaf0d4758b3e2c5f4ed420c6d86d9a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 14:46:29 +0200 +Subject: x86/microcode/AMD: Limit Entrysign signature checking to known + generations + +From: Borislav Petkov (AMD) + +[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ] + +Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5. + +X86_BUG cannot be used here because the loading on the BSP happens way +too early, before the cpufeatures machinery has been set up. + +Signed-off-by: Borislav Petkov (AMD) +Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index f9b6e2043e6b2..9952c774eaa69 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -226,6 +226,24 @@ static bool need_sha_check(u32 cur_rev) + return true; + } + ++static bool cpu_has_entrysign(void) ++{ ++ unsigned int fam = x86_family(bsp_cpuid_1_eax); ++ unsigned int model = x86_model(bsp_cpuid_1_eax); ++ ++ if (fam == 0x17 || fam == 0x19) ++ return true; ++ ++ if (fam == 0x1a) { ++ if (model <= 0x2f || ++ (0x40 <= model && model <= 0x4f) || ++ (0x60 <= model && model <= 0x6f)) ++ return true; ++ } ++ ++ return false; ++} ++ + static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len) + { + struct patch_digest *pd = NULL; +@@ -233,7 +251,7 @@ static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsi + struct sha256_state s; + int i; + +- if (x86_family(bsp_cpuid_1_eax) < 0x17) ++ if (!cpu_has_entrysign()) + return true; + + if (!need_sha_check(cur_rev)) +-- +2.51.0 + diff --git a/queue-6.6/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch b/queue-6.6/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch new file mode 100644 index 0000000000..576f8d8774 --- /dev/null +++ b/queue-6.6/xfrm-determine-inner-gso-type-from-packet-inner-prot.patch @@ -0,0 +1,96 @@ +From 0b1a52a49ffbf5a2de3762e39cd94e9274e200d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Oct 2025 04:22:48 +0200 +Subject: xfrm: Determine inner GSO type from packet inner protocol + +From: Jianbo Liu + +[ Upstream commit 61fafbee6cfed283c02a320896089f658fa67e56 ] + +The GSO segmentation functions for ESP tunnel mode +(xfrm4_tunnel_gso_segment and xfrm6_tunnel_gso_segment) were +determining the inner packet's L2 protocol type by checking the static +x->inner_mode.family field from the xfrm state. + +This is unreliable. In tunnel mode, the state's actual inner family +could be defined by x->inner_mode.family or by +x->inner_mode_iaf.family. Checking only the former can lead to a +mismatch with the actual packet being processed, causing GSO to create +segments with the wrong L2 header type. + +This patch fixes the bug by deriving the inner mode directly from the +packet's inner protocol stored in XFRM_MODE_SKB_CB(skb)->protocol. + +Instead of replicating the code, this patch modifies the +xfrm_ip2inner_mode helper function. It now correctly returns +&x->inner_mode if the selector family (x->sel.family) is already +specified, thereby handling both specific and AF_UNSPEC cases +appropriately. + +With this change, ESP GSO can use xfrm_ip2inner_mode to get the +correct inner mode. It doesn't affect existing callers, as the updated +logic now mirrors the checks they were already performing externally. + +Fixes: 26dbd66eab80 ("esp: choose the correct inner protocol for GSO on inter address family tunnels") +Signed-off-by: Jianbo Liu +Reviewed-by: Cosmin Ratiu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/xfrm.h | 3 ++- + net/ipv4/esp4_offload.c | 6 ++++-- + net/ipv6/esp6_offload.c | 6 ++++-- + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/net/xfrm.h b/include/net/xfrm.h +index fd550c0b56345..84a1c8c861d29 100644 +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -462,7 +462,8 @@ static inline int xfrm_af2proto(unsigned int family) + + static inline const struct xfrm_mode *xfrm_ip2inner_mode(struct xfrm_state *x, int ipproto) + { +- if ((ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || ++ if ((x->sel.family != AF_UNSPEC) || ++ (ipproto == IPPROTO_IPIP && x->props.family == AF_INET) || + (ipproto == IPPROTO_IPV6 && x->props.family == AF_INET6)) + return &x->inner_mode; + else +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 10e96ed6c9e39..11e33a4312674 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -111,8 +111,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6) +- : htons(ETH_P_IP); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) ++ : htons(ETH_P_IP); + + return skb_eth_gso_segment(skb, features, type); + } +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index a189e08370a5e..438f9cbdca299 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -145,8 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP) +- : htons(ETH_P_IPV6); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, ++ XFRM_MODE_SKB_CB(skb)->protocol); ++ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) ++ : htons(ETH_P_IPV6); + + return skb_eth_gso_segment(skb, features, type); + } +-- +2.51.0 + diff --git a/queue-6.6/xfrm-prevent-locally-generated-packets-from-direct-o.patch b/queue-6.6/xfrm-prevent-locally-generated-packets-from-direct-o.patch new file mode 100644 index 0000000000..ddc0223d25 --- /dev/null +++ b/queue-6.6/xfrm-prevent-locally-generated-packets-from-direct-o.patch @@ -0,0 +1,44 @@ +From 6cd5eceb711f96b6321804451a2b2fe40022f7f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 11:50:25 +0200 +Subject: xfrm: Prevent locally generated packets from direct output in tunnel + mode + +From: Jianbo Liu + +[ Upstream commit 59630e2ccd728703cc826e3a3515d70f8c7a766c ] + +Add a check to ensure locally generated packets (skb->sk != NULL) do +not use direct output in tunnel mode, as these packets require proper +L2 header setup that is handled by the normal XFRM processing path. + +Fixes: 5eddd76ec2fd ("xfrm: fix tunnel mode TX datapath in packet offload mode") +Signed-off-by: Jianbo Liu +Reviewed-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_output.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c +index a30538a980cc7..9277dd4ed541a 100644 +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -766,8 +766,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) + /* Exclusive direct xmit for tunnel mode, as + * some filtering or matching rules may apply + * in transport mode. ++ * Locally generated packets also require ++ * the normal XFRM path for L2 header setup, ++ * as the hardware needs the L2 header to match ++ * for encryption, so skip direct output as well. + */ +- if (x->props.mode == XFRM_MODE_TUNNEL) ++ if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk) + return xfrm_dev_direct_output(sk, x, skb); + + return xfrm_output_resume(sk, skb, 0); +-- +2.51.0 + -- 2.47.3