Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Sat, 31 Jan 2026 22:12:24 +0000 (17:12 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 31 Jan 2026 22:12:24 +0000 (17:12 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
123 files changed:
queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-5.10/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch [new file with mode: 0644]
queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch [new file with mode: 0644]
queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-5.10/series
queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch [new file with mode: 0644]
queue-5.15/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch [new file with mode: 0644]
queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch [new file with mode: 0644]
queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch [new file with mode: 0644]
queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch [new file with mode: 0644]
queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-5.15/series
queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch [new file with mode: 0644]
queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch [new file with mode: 0644]
queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch [new file with mode: 0644]
queue-6.1/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch [new file with mode: 0644]
queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch [new file with mode: 0644]
queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch [new file with mode: 0644]
queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-6.1/series
queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch [new file with mode: 0644]
queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch [new file with mode: 0644]
queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch [new file with mode: 0644]
queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch [new file with mode: 0644]
queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch [new file with mode: 0644]
queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch [new file with mode: 0644]
queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch [new file with mode: 0644]
queue-6.12/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch [new file with mode: 0644]
queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch [new file with mode: 0644]
queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch [new file with mode: 0644]
queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch [new file with mode: 0644]
queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch [new file with mode: 0644]
queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch [new file with mode: 0644]
queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch [new file with mode: 0644]
queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch [new file with mode: 0644]
queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-6.12/series [new file with mode: 0644]
queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch [new file with mode: 0644]
queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch [new file with mode: 0644]
queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch [new file with mode: 0644]
queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch [new file with mode: 0644]
queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch [new file with mode: 0644]
queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch [new file with mode: 0644]
queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch [new file with mode: 0644]
queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch [new file with mode: 0644]
queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch [new file with mode: 0644]
queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch [new file with mode: 0644]
queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch [new file with mode: 0644]
queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch [new file with mode: 0644]
queue-6.18/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch [new file with mode: 0644]
queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch [new file with mode: 0644]
queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch [new file with mode: 0644]
queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch [new file with mode: 0644]
queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch [new file with mode: 0644]
queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch [new file with mode: 0644]
queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch [new file with mode: 0644]
queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch [new file with mode: 0644]
queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch [new file with mode: 0644]
queue-6.18/readdir-require-opt-in-for-d_type-flags.patch [new file with mode: 0644]
queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-6.18/series [new file with mode: 0644]
queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch [new file with mode: 0644]
queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch [new file with mode: 0644]
queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch [new file with mode: 0644]
queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch [new file with mode: 0644]
queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch [new file with mode: 0644]
queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch [new file with mode: 0644]
queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch [new file with mode: 0644]
queue-6.6/net-bridge-fix-static-key-check.patch [new file with mode: 0644]
queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch [new file with mode: 0644]
queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch [new file with mode: 0644]
queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch [new file with mode: 0644]
queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch [new file with mode: 0644]
queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch [new file with mode: 0644]
queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch [new file with mode: 0644]
queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch [new file with mode: 0644]
queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch [new file with mode: 0644]
queue-6.6/series [new file with mode: 0644]

diff --git a/queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-5.10/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..a4ad2e6
--- /dev/null
@@ -0,0 +1,73 @@
+From 529bb1727646a10de2a6a67ba7350a5b6bb698d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 93bb58971dbe6..436d82a7f5871 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -684,6 +684,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -711,8 +713,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
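Review bot: The `set_bit(HCI_UART_PROTO_INIT, &hu->flags)` added in hci_uart_register_dev() has no comment and no explicit ordering against the `hu->priv` initialisation it is meant to follow. set_bit() is an unordered atomic, so on weakly ordered CPUs the flag could in principle become visible before the stores made by proto->open(); whether the wakeup path gets the needed ordering from elsewhere is not visible in this hunk. I would add `smp_mb__before_atomic();` ahead of the set_bit, or at least a comment such as `/* PROTO_INIT may only become visible after proto->open() has set hu->priv; write_work dereferences it */`. The function continues outside the hunk, so it should also be confirmed that every later failure path in the 5.10 tree clears the flag again before hu->priv is torn down.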
diff --git a/queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-5.10/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..d55b7d3
--- /dev/null
@@ -0,0 +1,62 @@
+From c55a51f3a18dc8ff03d8f9111014cd403d59c02f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index a337a6826a845..b3ae457b4db6b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5441,7 +5441,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_len_errors +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-bridge-fix-static-key-check.patch b/queue-5.10/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..f669c46
--- /dev/null
@@ -0,0 +1,40 @@
+From 62b7dec27b692abf005ae97f9d0bc98da59e36af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 52dd0708fd143..f9d4b86e3186d 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -218,7 +218,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch b/queue-5.10/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
new file mode 100644 (file)
index 0000000..4e8a0e4
--- /dev/null
@@ -0,0 +1,93 @@
+From 0f72403452a108e2fd573d233f8320172afb51bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jun 2022 13:04:48 -0700
+Subject: net/mlx5: Add HW definitions of vport debug counters
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 3e94e61bd44d90070dcda53b647fdc826097ef26 ]
+
+total_q_under_processor_handle - number of queues in error state due to an
+async error or errored command.
+
+send_queue_priority_update_flow - number of QP/SQ priority/SL update
+events.
+
+cq_overrun - number of times CQ entered an error state due to an
+overflow.
+
+async_eq_overrun -number of time an EQ mapped to async events was
+overrun.
+
+comp_eq_overrun - number of time an EQ mapped to completion events was
+overrun.
+
+quota_exceeded_command - number of commands issued and failed due to quota
+exceeded.
+
+invalid_command - number of commands issued and failed dues to any reason
+other than quota exceeded.
+
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mlx5/mlx5_ifc.h | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 88dbb20090805..303cbf0355a2e 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1282,7 +1282,8 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         reserved_at_120[0xa];
+       u8         log_max_ra_req_dc[0x6];
+-      u8         reserved_at_130[0xa];
++      u8         reserved_at_130[0x9];
++      u8         vnic_env_cq_overrun[0x1];
+       u8         log_max_ra_res_dc[0x6];
+       u8         reserved_at_140[0x6];
+@@ -1472,7 +1473,11 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         nic_receive_steering_discard[0x1];
+       u8         receive_discard_vport_down[0x1];
+       u8         transmit_discard_vport_down[0x1];
+-      u8         reserved_at_343[0x5];
++      u8         eq_overrun_count[0x1];
++      u8         reserved_at_344[0x1];
++      u8         invalid_command_count[0x1];
++      u8         quota_exceeded_count[0x1];
++      u8         reserved_at_347[0x1];
+       u8         log_max_flow_counter_bulk[0x8];
+       u8         max_flow_counter_15_0[0x10];
+@@ -3128,11 +3133,21 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {
+       u8         transmit_discard_vport_down[0x40];
+-      u8         reserved_at_140[0xa0];
++      u8         async_eq_overrun[0x20];
++
++      u8         comp_eq_overrun[0x20];
++
++      u8         reserved_at_180[0x20];
++
++      u8         invalid_command[0x20];
++
++      u8         quota_exceeded_command[0x20];
+       u8         internal_rq_out_of_buffer[0x20];
+-      u8         reserved_at_200[0xe00];
++      u8         cq_overrun[0x20];
++
++      u8         reserved_at_220[0xde0];
+ };
+ struct mlx5_ifc_traffic_counter_bits {
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-5.10/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..8790581
--- /dev/null
@@ -0,0 +1,46 @@
+From 9db8193d3f9a756b7f38a2e357528f8a1bf27b36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 45570d0a58d2f..02b2ab7958543 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -185,7 +185,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
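Review bot: The new `goto out` in esw_acl_ingress_lgcy_setup() is taken right after `vport->ingress.acl = NULL`, so whatever cleanup sits behind the `out` label runs with a NULL table pointer. The label and its cleanup are outside this hunk; for the 5.10 backport it is worth confirming that the cleanup skips table teardown when `vport->ingress.acl` is NULL and still releases the counter. The commit message says the change was compile tested only, so a short comment at the jump, e.g. `/* out: releases the drop counter; acl is NULL here */`, would record that assumption.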
diff --git a/queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-5.10/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644 (file)
index 0000000..5c008ce
--- /dev/null
@@ -0,0 +1,75 @@
+From 4d08288e9cd4d8782fb7d5685d1960f758a2deb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 36f5d5e449209..9c5ccbaa160b1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3679,6 +3679,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_queue_update_stats(priv);
+       }
++      netdev_stats_to_stats64(stats, &dev->stats);
++
+       if (mlx5e_is_uplink_rep(priv)) {
+               struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+@@ -3695,21 +3697,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_fold_sw_stats64(priv, stats);
+       }
+-      stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+-      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++      stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+-      stats->rx_length_errors =
++      stats->rx_length_errors +=
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+               PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+               VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+-      stats->rx_crc_errors =
++      stats->rx_crc_errors +=
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+-      stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+-      stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+-      stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+-                         stats->rx_frame_errors;
+-      stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++      stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++      stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++      stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++                          stats->rx_frame_errors;
++      stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+ static void mlx5e_set_rx_mode(struct net_device *dev)
+-- 
+2.51.0
+
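Review bot: `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` now sums fields that already contain the netdev values copied in by `netdev_stats_to_stats64()`, and adds them on top of the copied `dev->stats.rx_errors`. If any path increments both `dev->stats.rx_errors` and one of those sub-counters for the same event, that event is counted twice in rx_errors; the same applies to `tx_errors` with `tx_carrier_errors`. Operators who alert on rx_errors would then see inflated values, so either accumulate the hardware-only sums in locals before adding them to the totals, or document the assumption with `/* sub-counters include dev->stats; assumes no event is counted in both rx_errors and a sub-counter */`. The uplink-rep branch and mlx5e_fold_sw_stats64() are outside the hunk, so whether they assign or accumulate after the new call cannot be checked from here.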
diff --git a/queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch b/queue-5.10/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
new file mode 100644 (file)
index 0000000..00b1cfc
--- /dev/null
@@ -0,0 +1,142 @@
+From 51e11b92cbf62b5b03c103f0fe915c6a1e5d1e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 21:56:27 -0700
+Subject: net/mlx5e: Expose rx_oversize_pkts_buffer counter
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 16ab85e78439bab1201ff26ba430231d1574b4ae ]
+
+Add the rx_oversize_pkts_buffer counter to ethtool statistics.
+This counter exposes the number of dropped received packets due to
+length which arrived to RQ and exceed software buffer size allocated by
+the device for incoming traffic. It might imply that the device MTU is
+larger than the software buffers size.
+
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c |  3 ++-
+ .../ethernet/mellanox/mlx5/core/en_stats.c    | 21 ++++++++++++++++++-
+ .../ethernet/mellanox/mlx5/core/en_stats.h    |  4 ++++
+ include/linux/mlx5/mlx5_ifc.h                 |  8 +++++--
+ 4 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index c3ff1fc577a7c..af98d9e59626d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3700,7 +3700,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+-              PPORT_802_3_GET(pstats, a_frame_too_long_errors);
++              PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
++              VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+       stats->rx_crc_errors =
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+       stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+index ff4f10d0f090b..96d537bc0b8fc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+@@ -489,17 +489,26 @@ static const struct counter_desc vnic_env_stats_dev_oob_desc[] = {
+               VNIC_ENV_OFF(vport_env.internal_rq_out_of_buffer) },
+ };
++static const struct counter_desc vnic_env_stats_drop_desc[] = {
++      { "rx_oversize_pkts_buffer",
++              VNIC_ENV_OFF(vport_env.eth_wqe_too_small) },
++};
++
+ #define NUM_VNIC_ENV_STEER_COUNTERS(dev) \
+       (MLX5_CAP_GEN(dev, nic_receive_steering_discard) ? \
+        ARRAY_SIZE(vnic_env_stats_steer_desc) : 0)
+ #define NUM_VNIC_ENV_DEV_OOB_COUNTERS(dev) \
+       (MLX5_CAP_GEN(dev, vnic_env_int_rq_oob) ? \
+        ARRAY_SIZE(vnic_env_stats_dev_oob_desc) : 0)
++#define NUM_VNIC_ENV_DROP_COUNTERS(dev) \
++      (MLX5_CAP_GEN(dev, eth_wqe_too_small) ? \
++       ARRAY_SIZE(vnic_env_stats_drop_desc) : 0)
+ static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(vnic_env)
+ {
+       return NUM_VNIC_ENV_STEER_COUNTERS(priv->mdev) +
+-              NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev);
++             NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev) +
++             NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev);
+ }
+ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env)
+@@ -513,6 +522,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env)
+       for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++)
+               strcpy(data + (idx++) * ETH_GSTRING_LEN,
+                      vnic_env_stats_dev_oob_desc[i].format);
++
++      for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++)
++              strcpy(data + (idx++) * ETH_GSTRING_LEN,
++                     vnic_env_stats_drop_desc[i].format);
++
+       return idx;
+ }
+@@ -527,6 +541,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(vnic_env)
+       for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++)
+               data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out,
+                                                 vnic_env_stats_dev_oob_desc, i);
++
++      for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++)
++              data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out,
++                                                vnic_env_stats_drop_desc, i);
++
+       return idx;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+index 162daaadb0d8a..8813989f3f109 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+@@ -239,6 +239,10 @@ struct mlx5e_qcounter_stats {
+       u32 rx_if_down_packets;
+ };
++#define VNIC_ENV_GET(vnic_env_stats, c) \
++      MLX5_GET(query_vnic_env_out, (vnic_env_stats)->query_vnic_env_out, \
++               vport_env.c)
++
+ struct mlx5e_vnic_env_stats {
+       __be64 query_vnic_env_out[MLX5_ST_SZ_QW(query_vnic_env_out)];
+ };
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 303cbf0355a2e..705d8798bed5f 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1282,7 +1282,9 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         reserved_at_120[0xa];
+       u8         log_max_ra_req_dc[0x6];
+-      u8         reserved_at_130[0x9];
++      u8         reserved_at_130[0x2];
++      u8         eth_wqe_too_small[0x1];
++      u8         reserved_at_133[0x6];
+       u8         vnic_env_cq_overrun[0x1];
+       u8         log_max_ra_res_dc[0x6];
+@@ -3147,7 +3149,9 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {
+       u8         cq_overrun[0x20];
+-      u8         reserved_at_220[0xde0];
++      u8         eth_wqe_too_small[0x20];
++
++      u8         reserved_at_220[0xdc0];
+ };
+ struct mlx5_ifc_traffic_counter_bits {
+-- 
+2.51.0
+
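Review bot: In the en_main.c hunk, `VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small)` is added to `rx_length_errors` unconditionally, while the en_stats.c hunks expose the same field only when `MLX5_CAP_GEN(dev, eth_wqe_too_small)` is set (`NUM_VNIC_ENV_DROP_COUNTERS`). On a device that does not report the capability, the read lands on bits that the mlx5_ifc.h hunk shows were previously part of `reserved_at_220`; they are presumably zero, but nothing in the visible lines guarantees it. Either gate the term on the same capability or, once that is confirmed, add a comment above it such as `/* eth_wqe_too_small reads as 0 when the cap is not reported */`. mlx5e_get_stats() starts and ends outside the hunk.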
diff --git a/queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-5.10/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
new file mode 100644 (file)
index 0000000..5096a66
--- /dev/null
@@ -0,0 +1,50 @@
+From b55a17e169396a16eba016b9b19eb01c9be08029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao <laoar.shao@gmail.com>
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index af98d9e59626d..36f5d5e449209 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3696,6 +3696,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       }
+       stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-5.10/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..6f0cbf0
--- /dev/null
@@ -0,0 +1,48 @@
+From 411d82cc33bb0842428fdb280057d7638e73fdb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index 3ad1327395877..821cc5aa4a7b4 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1383,7 +1383,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-5.10/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..d739bc5
--- /dev/null
@@ -0,0 +1,167 @@
+From 9ced466bb99ca5196d7b6b83fcbf3a0f8c5b139d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 5b8754ae7d3af..706da71c5f298 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -786,8 +786,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index da3cb0d29b972..504245aeb4e2a 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
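Review bot: The new `list_empty(&local->list)` test in nfc_llcp_send_ui_frame() depends on an invariant that is only visible in the other file: nfc_llcp_remove_local() has to unlink with `list_del_init()` while holding `local->tx_queue.lock`, and neither site says so. A comment at the check, e.g. `/* local->list is emptied under tx_queue.lock by nfc_llcp_remove_local(); once unlinked, local_cleanup() may already have purged tx_queue */`, would keep a later change back to `list_del()` from silently reopening the leak. The same change nests tx_queue.lock inside llcp_devices_lock and replaces `skb_queue_tail()` with a plain `spin_lock()` plus `__skb_queue_tail()`. It is worth confirming that tx_queue.lock is never taken from interrupt context and that no path takes the two locks in the opposite order. Both functions start and end outside their hunks.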
diff --git a/queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-5.10/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..9cdbff2
--- /dev/null
@@ -0,0 +1,197 @@
+From 67d20a761920405c09dbc88d742cd58741170c4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 32890e43f06cc..91f153d0bbb08 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 00cb55e2528d1..2e32af33df7db 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1139,14 +1139,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1167,7 +1167,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               del_timer_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1180,6 +1189,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 3182b4228cfa4..3514686eb53f9 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1281,6 +1281,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info    *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1298,7 +1300,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
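Review bot: nfc_remove_device() is exported in the net/nfc/core.c hunk, but its kerneldoc does not state the ordering contract that the split relies on. As far as the visible lines show, `rfkill_unregister()` and `rfkill_destroy()` now live only in nfc_unregister_rfkill(), so a caller that uses nfc_remove_device() alone would leave the rfkill interface registered for a device that is being torn down. Adding a line to the kerneldoc such as ` * Must be called after nfc_unregister_rfkill(); use nfc_unregister_device() unless work has to run between the two steps.` would document that. The nfc_unregister_rfkill() comment could likewise say that it is meant to run before nci_close_device(), as nci_unregister_device() now does. Parts of both function bodies lie outside the hunks.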
diff --git a/queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-5.10/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..58670ba
--- /dev/null
@@ -0,0 +1,56 @@
+From aafc87719839b2385e05a4dd793a2b7599ab0e0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index ec90f75289dbe..4073e3852adb5 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
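Review bot: After this change `kfree(rocker_port->wpriv)` runs on every path through rocker_world_port_post_fini(), but the pointer is left holding the freed address. If any teardown code that runs later still looks at `wpriv` (the callers are not visible here), it would be a use-after-free or double free rather than a clean NULL check. Following the free with `rocker_port->wpriv = NULL;` would make that failure mode harmless.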
index b0635d07559cca18361ed47496e9599f81aff7a1..ede948d7339b9f934f2da8af48897adb7e5b33ef 100644 (file)
@@ -118,3 +118,15 @@ bpf-reject-narrower-access-to-pointer-ctx-fields.patch
 fbdev-fbcon-properly-revert-changes-when-vc_resize-failed.patch
 fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
 fbcon-always-restore-the-old-font-data-in-fbcon_do_set_font.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
+net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
diff --git a/queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-5.15/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..ef25201
--- /dev/null
@@ -0,0 +1,73 @@
+From 0e2d51550cd29bd22bd8394af3c0632a4b50723f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 4692b9bec4692..46b37d825d185 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -684,6 +684,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -711,8 +713,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
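Review bot: Nothing visible clears HCI_UART_PROTO_INIT again if hci_uart_register_dev() fails after the added `set_bit`, and the caller's error path in hci_uart_set_proto() is a bare `return err;`. The rest of hci_uart_register_dev() is outside the hunk, so this needs confirming, but if a later failure path there tears the protocol down, the flag would stay set while hu->priv is gone, which is the state this patch is meant to rule out. A `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` on that path would close it. A short comment above the new line, e.g. `/* advertise PROTO_INIT only once open() has set up hu->priv */`, would also keep the ordering from being moved back later.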
diff --git a/queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-5.15/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..de94a8e
--- /dev/null
@@ -0,0 +1,62 @@
+From 63bdbd01e03ac70196b853ddfa0162b20a7e3efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 04e3f6c424c0c..db5319a8eb241 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5841,7 +5841,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_len_errors +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-5.15/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644 (file)
index 0000000..4b8c4f7
--- /dev/null
@@ -0,0 +1,52 @@
+From 2b6d383cd9cd60888679cdc029562141b3e0d0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 71a69166a6bd2..8601c76f3cc93 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -761,7 +761,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
+       fl6.daddr = ipv6_hdr(skb)->saddr;
+       if (saddr)
+               fl6.saddr = *saddr;
+-      fl6.flowi6_oif = icmp6_iif(skb);
++      fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++                       skb->dev->ifindex :
++                       icmp6_iif(skb);
+       fl6.fl6_icmp_type = type;
+       fl6.flowi6_mark = mark;
+       fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
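Review bot: The new ternary in icmpv6_echo_reply() carries no comment explaining why a loopback destination takes `skb->dev->ifindex` while every other reply keeps `icmp6_iif(skb)`; the reason exists only in the commit message. I would add `/* a reply to ::1 must leave via the receiving device (lo), not the rt6i_idev device */` above the assignment. The expression also dereferences `skb->dev` directly, and the function starts outside the hunk, so it should be confirmed against the rest of the body that `skb->dev` cannot be NULL at this point.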
diff --git a/queue-5.15/net-bridge-fix-static-key-check.patch b/queue-5.15/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..bdcbe8a
--- /dev/null
@@ -0,0 +1,40 @@
+From bce9c601c203f1a4ebb6b4a9d307cf2fae2aed78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f3d49343f7dbe..14423132a3df5 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -225,7 +225,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch b/queue-5.15/net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
new file mode 100644 (file)
index 0000000..ad3180f
--- /dev/null
@@ -0,0 +1,93 @@
+From a27e723165b201183853b660d43b09474636b849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jun 2022 13:04:48 -0700
+Subject: net/mlx5: Add HW definitions of vport debug counters
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+[ Upstream commit 3e94e61bd44d90070dcda53b647fdc826097ef26 ]
+
+total_q_under_processor_handle - number of queues in error state due to an
+async error or errored command.
+
+send_queue_priority_update_flow - number of QP/SQ priority/SL update
+events.
+
+cq_overrun - number of times CQ entered an error state due to an
+overflow.
+
+async_eq_overrun -number of time an EQ mapped to async events was
+overrun.
+
+comp_eq_overrun - number of time an EQ mapped to completion events was
+overrun.
+
+quota_exceeded_command - number of commands issued and failed due to quota
+exceeded.
+
+invalid_command - number of commands issued and failed dues to any reason
+other than quota exceeded.
+
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mlx5/mlx5_ifc.h | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index d974c235ad8ee..c8489aeb74f7e 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1384,7 +1384,8 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         reserved_at_120[0xa];
+       u8         log_max_ra_req_dc[0x6];
+-      u8         reserved_at_130[0xa];
++      u8         reserved_at_130[0x9];
++      u8         vnic_env_cq_overrun[0x1];
+       u8         log_max_ra_res_dc[0x6];
+       u8         reserved_at_140[0x6];
+@@ -1579,7 +1580,11 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         nic_receive_steering_discard[0x1];
+       u8         receive_discard_vport_down[0x1];
+       u8         transmit_discard_vport_down[0x1];
+-      u8         reserved_at_343[0x5];
++      u8         eq_overrun_count[0x1];
++      u8         reserved_at_344[0x1];
++      u8         invalid_command_count[0x1];
++      u8         quota_exceeded_count[0x1];
++      u8         reserved_at_347[0x1];
+       u8         log_max_flow_counter_bulk[0x8];
+       u8         max_flow_counter_15_0[0x10];
+@@ -3318,11 +3323,21 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {
+       u8         transmit_discard_vport_down[0x40];
+-      u8         reserved_at_140[0xa0];
++      u8         async_eq_overrun[0x20];
++
++      u8         comp_eq_overrun[0x20];
++
++      u8         reserved_at_180[0x20];
++
++      u8         invalid_command[0x20];
++
++      u8         quota_exceeded_command[0x20];
+       u8         internal_rq_out_of_buffer[0x20];
+-      u8         reserved_at_200[0xe00];
++      u8         cq_overrun[0x20];
++
++      u8         reserved_at_220[0xde0];
+ };
+ struct mlx5_ifc_traffic_counter_bits {
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-5.15/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..9ed7e3a
--- /dev/null
@@ -0,0 +1,46 @@
+From 959997f8106618f7f23ffe45f50ed309325059f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 093ed86a0acd8..db51c500ed359 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
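Review bot: The added `goto out` is reached with `vport->ingress.acl` already reset to NULL two lines earlier, so the counter is only released if the code behind `out:` still frees it when the ACL table pointer is NULL. The label and the cleanup it runs are outside the hunk, and this is a backport to 5.15, so it is worth checking in that tree that the cleanup does not return early on a NULL or error table before it reaches the counter. The commit message states the change was compile tested only, which makes that check more important for a stable queue.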
diff --git a/queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-5.15/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644 (file)
index 0000000..77ef05b
--- /dev/null
@@ -0,0 +1,75 @@
+From 77d2e538c02729c196571d6629cf7dd20befa0ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 5504b7b3b3f90..130e54562a6bc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3169,6 +3169,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_queue_update_stats(priv);
+       }
++      netdev_stats_to_stats64(stats, &dev->stats);
++
+       if (mlx5e_is_uplink_rep(priv)) {
+               struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+@@ -3185,21 +3187,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_fold_sw_stats64(priv, stats);
+       }
+-      stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+-      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++      stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+-      stats->rx_length_errors =
++      stats->rx_length_errors +=
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+               PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+               VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+-      stats->rx_crc_errors =
++      stats->rx_crc_errors +=
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+-      stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+-      stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+-      stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+-                         stats->rx_frame_errors;
+-      stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++      stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++      stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++      stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++                          stats->rx_frame_errors;
++      stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+ static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv)
+-- 
+2.51.0
+
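Review bot: `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` can count one event twice. After `netdev_stats_to_stats64()` the aggregate and the three component fields all carry the netdev values, and the components are then added on top of an `rx_errors` that may already include them; the `tx_errors` line has the same shape with `tx_aborted_errors` and `tx_carrier_errors`. Whether the stack ever bumps both a component and the aggregate in `dev->stats` for a single event is not visible here, so this needs confirming. If it does, keeping the hardware terms in locals and adding only those to the aggregates avoids inflated error counters that monitoring alerts on. mlx5e_get_stats() starts outside the hunk.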
diff --git a/queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch b/queue-5.15/net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
new file mode 100644 (file)
index 0000000..ca926f5
--- /dev/null
@@ -0,0 +1,142 @@
+From 13d844748c1dce28cfbe9850a1668c61766e8c50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 21:56:27 -0700
+Subject: net/mlx5e: Expose rx_oversize_pkts_buffer counter
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 16ab85e78439bab1201ff26ba430231d1574b4ae ]
+
+Add the rx_oversize_pkts_buffer counter to ethtool statistics.
+This counter exposes the number of dropped received packets due to
+length which arrived to RQ and exceed software buffer size allocated by
+the device for incoming traffic. It might imply that the device MTU is
+larger than the software buffers size.
+
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c |  3 ++-
+ .../ethernet/mellanox/mlx5/core/en_stats.c    | 21 ++++++++++++++++++-
+ .../ethernet/mellanox/mlx5/core/en_stats.h    |  4 ++++
+ include/linux/mlx5/mlx5_ifc.h                 |  8 +++++--
+ 4 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index ba36e500c1ff1..b4e6a467409be 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3190,7 +3190,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+-              PPORT_802_3_GET(pstats, a_frame_too_long_errors);
++              PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
++              VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+       stats->rx_crc_errors =
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+       stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+index 5a5c6eda29d28..75c3b2ac7e24e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+@@ -567,17 +567,26 @@ static const struct counter_desc vnic_env_stats_dev_oob_desc[] = {
+               VNIC_ENV_OFF(vport_env.internal_rq_out_of_buffer) },
+ };
++static const struct counter_desc vnic_env_stats_drop_desc[] = {
++      { "rx_oversize_pkts_buffer",
++              VNIC_ENV_OFF(vport_env.eth_wqe_too_small) },
++};
++
+ #define NUM_VNIC_ENV_STEER_COUNTERS(dev) \
+       (MLX5_CAP_GEN(dev, nic_receive_steering_discard) ? \
+        ARRAY_SIZE(vnic_env_stats_steer_desc) : 0)
+ #define NUM_VNIC_ENV_DEV_OOB_COUNTERS(dev) \
+       (MLX5_CAP_GEN(dev, vnic_env_int_rq_oob) ? \
+        ARRAY_SIZE(vnic_env_stats_dev_oob_desc) : 0)
++#define NUM_VNIC_ENV_DROP_COUNTERS(dev) \
++      (MLX5_CAP_GEN(dev, eth_wqe_too_small) ? \
++       ARRAY_SIZE(vnic_env_stats_drop_desc) : 0)
+ static MLX5E_DECLARE_STATS_GRP_OP_NUM_STATS(vnic_env)
+ {
+       return NUM_VNIC_ENV_STEER_COUNTERS(priv->mdev) +
+-              NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev);
++             NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev) +
++             NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev);
+ }
+ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env)
+@@ -591,6 +600,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STRS(vnic_env)
+       for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++)
+               strcpy(data + (idx++) * ETH_GSTRING_LEN,
+                      vnic_env_stats_dev_oob_desc[i].format);
++
++      for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++)
++              strcpy(data + (idx++) * ETH_GSTRING_LEN,
++                     vnic_env_stats_drop_desc[i].format);
++
+       return idx;
+ }
+@@ -605,6 +619,11 @@ static MLX5E_DECLARE_STATS_GRP_OP_FILL_STATS(vnic_env)
+       for (i = 0; i < NUM_VNIC_ENV_DEV_OOB_COUNTERS(priv->mdev); i++)
+               data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out,
+                                                 vnic_env_stats_dev_oob_desc, i);
++
++      for (i = 0; i < NUM_VNIC_ENV_DROP_COUNTERS(priv->mdev); i++)
++              data[idx++] = MLX5E_READ_CTR32_BE(priv->stats.vnic.query_vnic_env_out,
++                                                vnic_env_stats_drop_desc, i);
++
+       return idx;
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+index 139e59f30db00..f31da3699c7b5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+@@ -256,6 +256,10 @@ struct mlx5e_qcounter_stats {
+       u32 rx_if_down_packets;
+ };
++#define VNIC_ENV_GET(vnic_env_stats, c) \
++      MLX5_GET(query_vnic_env_out, (vnic_env_stats)->query_vnic_env_out, \
++               vport_env.c)
++
+ struct mlx5e_vnic_env_stats {
+       __be64 query_vnic_env_out[MLX5_ST_SZ_QW(query_vnic_env_out)];
+ };
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index c8489aeb74f7e..30251dfbe040c 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1384,7 +1384,9 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+       u8         reserved_at_120[0xa];
+       u8         log_max_ra_req_dc[0x6];
+-      u8         reserved_at_130[0x9];
++      u8         reserved_at_130[0x2];
++      u8         eth_wqe_too_small[0x1];
++      u8         reserved_at_133[0x6];
+       u8         vnic_env_cq_overrun[0x1];
+       u8         log_max_ra_res_dc[0x6];
+@@ -3337,7 +3339,9 @@ struct mlx5_ifc_vnic_diagnostic_statistics_bits {
+       u8         cq_overrun[0x20];
+-      u8         reserved_at_220[0xde0];
++      u8         eth_wqe_too_small[0x20];
++
++      u8         reserved_at_220[0xdc0];
+ };
+ struct mlx5_ifc_traffic_counter_bits {
+-- 
+2.51.0
+
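Review bot: In the en_main.c hunk, `VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small)` is added to `rx_length_errors` without the `MLX5_CAP_GEN(dev, eth_wqe_too_small)` check that the ethtool path applies through `NUM_VNIC_ENV_DROP_COUNTERS`. On a device without the capability that field is a reserved part of the query output; it is presumably zero, but that is an assumption about firmware, and gating the term as `MLX5_CAP_GEN(priv->mdev, eth_wqe_too_small) ? VNIC_ENV_GET(...) : 0` would make the two paths agree. Separately, in the last mlx5_ifc.h hunk the trailing field keeps the name `reserved_at_220` although `eth_wqe_too_small[0x20]` now occupies that offset. The size `0xdc0` is right, but the name should be `reserved_at_240`.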
diff --git a/queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-5.15/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
new file mode 100644 (file)
index 0000000..c1e1d83
--- /dev/null
@@ -0,0 +1,50 @@
+From cf2aee6fe4a9f0f3863b38b670e5da73c88c6620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao <laoar.shao@gmail.com>
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index b4e6a467409be..5504b7b3b3f90 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3186,6 +3186,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       }
+       stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-5.15/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..f2b47a2
--- /dev/null
@@ -0,0 +1,48 @@
+From c01817881edf5cd4ec103593720eb146cc8bad14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-5.15/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..3354342
--- /dev/null
@@ -0,0 +1,167 @@
+From f134c0d0f22330dbbbd2d79443e58b0bf53f4fce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index 5b8754ae7d3af..706da71c5f298 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -786,8 +786,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index da3cb0d29b972..504245aeb4e2a 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
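Review bot: In the nfc_llcp_send_ui_frame() hunk of net/nfc/llcp_commands.c, the new `spin_lock(&local->tx_queue.lock)` leaves interrupts and bottom halves enabled, whereas the `skb_queue_tail()` it replaces takes that lock with interrupts disabled. If the lock is ever acquired from softirq or interrupt context (not visible here), the plain variant can deadlock, so either use `spin_lock_bh()`/`spin_lock_irqsave()` or add a comment stating that every taker runs in process context. The `list_empty(&local->list)` test also depends on the `list_del_init()` in the nfc_llcp_remove_local() hunk of llcp_core.c, and on the nesting order `llcp_devices_lock` then `tx_queue.lock`. A comment above the check such as `/* local was unlinked by nfc_llcp_remove_local(); tx_queue is being purged, so drop the PDU */` would record that dependency. Both functions continue outside their hunks.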
diff --git a/queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-5.15/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..bcb19f5
--- /dev/null
@@ -0,0 +1,197 @@
+From c73490fa6d6400c22bdf0192355c1a2eef449112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 5dee575fbe86a..b82f4f2a27fb8 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index c2dab6e2c283e..99f7300497c80 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               del_timer_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 905452006d2d1..c26914ca40aff 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1295,6 +1295,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1312,7 +1314,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
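Review bot: The kernel-doc added for nfc_unregister_rfkill() and nfc_remove_device() in net/nfc/core.c does not state the ordering contract that the split creates. As far as the hunks show, nfc_remove_device() no longer touches rfkill, so a caller that uses it without a prior nfc_unregister_rfkill() would leave the rfkill interface registered for a removed device. Both symbols are exported, so I would add to the nfc_remove_device() comment a line such as ` * Must be called after nfc_unregister_rfkill(); most drivers should use nfc_unregister_device().`. In nci_unregister_device() the new first call has no why-comment, unlike the set_bit() below it; `/* Remove rfkill first so nfc_rfkill_set_block() cannot reach nci_close_device() once cmd_wq is destroyed. */` would keep the reasoning from the commit message next to the code. The bodies of nfc_unregister_rfkill() and nci_unregister_device() are only partly visible in these hunks.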
diff --git a/queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-5.15/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..570ab2c
--- /dev/null
@@ -0,0 +1,56 @@
+From ba27d1024e6602a2b4cf629f35d6b887e91dd6e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index e1509becb7536..a7495a46d0943 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
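Review bot: In rocker_world_port_post_fini(), `kfree(rocker_port->wpriv);` now runs on every teardown but leaves `wpriv` pointing at freed memory. Whether rocker_port is used again after this call is not visible in the hunk. If it can be, adding `rocker_port->wpriv = NULL;` right after the kfree() turns a later stale access into a NULL dereference instead of a use-after-free and makes a repeated call harmless.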
index c21e59c9d25c7bb23bfcd61c84c1add9f60f0927..4d5974b92b17aae418084619f508c949feb5173d 100644 (file)
@@ -132,3 +132,16 @@ can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
 migrate-correct-lock-ordering-for-hugetlb-file-folios.patch
 bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch
 bpf-reject-narrower-access-to-pointer-ctx-fields.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5-add-hw-definitions-of-vport-debug-counters.patch
+net-mlx5e-expose-rx_oversize_pkts_buffer-counter.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
diff --git a/queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.1/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..682355c
--- /dev/null
@@ -0,0 +1,73 @@
+From 006b9d69e6c47aad5cd36d1d59315688bf280451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 6a90fc69ef444..2752857dbccf3 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -687,6 +687,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -714,8 +716,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
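Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` in hci_uart_register_dev() has no comment saying why it must follow proto->open(), which is the whole point of the fix and easy to undo in a later cleanup. I would add `/* Set PROTO_INIT only after proto->open() has initialised hu->priv: write_work can be scheduled as soon as the bit is visible. */` above it. set_bit() on its own gives no ordering guarantee, so if readers of the bit are not otherwise serialised against this path (not visible here), the stores made in open() may need an `smp_mb__before_atomic()` before the set_bit(). The failure path later in hci_uart_register_dev() lies outside the hunk and should be checked to clear the bit before proto->close() runs.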
diff --git a/queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.1/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644 (file)
index 0000000..ea4517d
--- /dev/null
@@ -0,0 +1,178 @@
+From 2c8853c0ecadfa15e44d6806b87b74ab2896798c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:29:14 +0000
+Subject: bonding: annotate data-races around slave->last_rx
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
+
+slave->last_rx and slave->target_last_arp_rx[...] can be read and written
+locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+...
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+  br_netif_receive_skb net/bridge/br_input.c:30 [inline]
+  NF_HOOK include/linux/netfilter.h:318 [inline]
+...
+
+value changed: 0x0000000100005365 -> 0x0000000100005366
+
+Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c    | 18 ++++++++++--------
+ drivers/net/bonding/bond_options.c |  8 ++++----
+ include/net/bonding.h              | 13 +++++++------
+ 3 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b0bc811aaab91..71912ddfa7149 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3082,8 +3082,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32
+                          __func__, &sip);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3302,8 +3302,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave,
+                         __func__, saddr);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3373,7 +3373,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
+                   (slave_do_arp_validate_only(bond) && is_ipv6) ||
+ #endif
+                   !slave_do_arp_validate_only(bond))
+-                      slave->last_rx = jiffies;
++                      WRITE_ONCE(slave->last_rx, jiffies);
+               return RX_HANDLER_ANOTHER;
+       } else if (is_arp) {
+               return bond_arp_rcv(skb, bond, slave);
+@@ -3441,7 +3441,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, last_tx, 1) &&
+-                          bond_time_in_interval(bond, slave->last_rx, 1)) {
++                          bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) {
+                               bond_propose_link_state(slave, BOND_LINK_UP);
+                               slave_state_changed = 1;
+@@ -3465,8 +3465,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+                        * when the source ip is 0, so don't take the link down
+                        * if we don't know our ip yet
+                        */
+-                      if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) ||
+-                          !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) {
++                      if (!bond_time_in_interval(bond, last_tx,
++                                                 bond->params.missed_max) ||
++                          !bond_time_in_interval(bond, READ_ONCE(slave->last_rx),
++                                                 bond->params.missed_max)) {
+                               bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               slave_state_changed = 1;
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index 1235878d87159..9473e76c6dc9d 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1133,7 +1133,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) {
+               bond_for_each_slave(bond, slave, iter)
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+               targets[slot] = target;
+       }
+ }
+@@ -1202,8 +1202,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target)
+       bond_for_each_slave(bond, slave, iter) {
+               targets_rx = slave->target_last_arp_rx;
+               for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+-                      targets_rx[i] = targets_rx[i+1];
+-              targets_rx[i] = 0;
++                      WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]));
++              WRITE_ONCE(targets_rx[i], 0);
+       }
+       for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+               targets[i] = targets[i+1];
+@@ -1358,7 +1358,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_NS_TARGETS) {
+               bond_for_each_slave(bond, slave, iter) {
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+                       slave_set_ns_maddr(bond, slave, target, &targets[slot]);
+               }
+               targets[slot] = *target;
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index bfd3e4e58f861..bdfbe77c18420 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -525,13 +525,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr)
+ static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond,
+                                                      struct slave *slave)
+ {
++      unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]);
+       int i = 1;
+-      unsigned long ret = slave->target_last_arp_rx[0];
+-
+-      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++)
+-              if (time_before(slave->target_last_arp_rx[i], ret))
+-                      ret = slave->target_last_arp_rx[i];
++      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) {
++              tmp = READ_ONCE(slave->target_last_arp_rx[i]);
++              if (time_before(tmp, ret))
++                      ret = tmp;
++      }
+       return ret;
+ }
+@@ -541,7 +542,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond,
+       if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL)
+               return slave_oldest_target_arp_rx(bond, slave);
+-      return slave->last_rx;
++      return READ_ONCE(slave->last_rx);
+ }
+ static inline void slave_update_last_tx(struct slave *slave)
+-- 
+2.51.0
+
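Review bot: In slave_oldest_target_arp_rx() (include/net/bonding.h) the loop condition still reads `bond->params.arp_targets[i]` with a plain load while the timestamps next to it are now read with READ_ONCE(). The bond_options.c hunks show that array being written with plain stores (`targets[slot] = target;`, `targets[i] = targets[i+1];`) in the same functions that now use WRITE_ONCE() for target_last_arp_rx. If the monitor path can run concurrently with option updates, which the hunks do not show, the same kind of KCSAN report can recur on arp_targets; either annotate those accesses too or add a comment naming the lock that makes them safe. In bond_option_arp_ip_target_rem() the shift `WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]));` is still not atomic across slots, so a lockless reader may briefly pair a timestamp with the wrong target during removal; a short comment that this is tolerated would help.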
diff --git a/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.1/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644 (file)
index 0000000..d8cdc78
--- /dev/null
@@ -0,0 +1,52 @@
+From 2ecab70218a048a4aebaf8ff2d1f503b6ca64369 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index f782c3aa179e0..8859e65d4470b 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -526,7 +526,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+       struct gs_usb *parent = urb->context;
+       struct gs_can *dev;
+-      struct net_device *netdev;
++      struct net_device *netdev = NULL;
+       int rc;
+       struct net_device_stats *stats;
+       struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -674,7 +674,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+               }
+       } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+               netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+-                          ERR_PTR(urb->status));
++                          ERR_PTR(rc));
+       }
+ }
+-- 
+2.51.0
+
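Review bot: With `netdev` now initialised to NULL, the `netdev_info()` call in the second hunk can be reached with a NULL device on the path the commit message describes (a short read before a channel has been assigned), so that log line will not name an interface. A one-line comment at the declaration would record that this is deliberate, for example `/* may still be NULL on the resubmit error path; netdev_info() tolerates that */`. The code between the two hunks is not shown, so where `netdev` is assigned cannot be checked from here.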
diff --git a/queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.1/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..d80992f
--- /dev/null
@@ -0,0 +1,62 @@
+From 5d80f523e702d13056f7cf65839a05c9d62a501f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 9a540b85756f4..2737050aae218 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -6546,7 +6546,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_len_errors +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.1/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644 (file)
index 0000000..2705d7b
--- /dev/null
@@ -0,0 +1,52 @@
+From 8de5e2c1dcc5085f0b47a154fb5387b1674f8bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 7d88fd314c390..7ba3c642ab3c3 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -765,7 +765,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
+       fl6.daddr = ipv6_hdr(skb)->saddr;
+       if (saddr)
+               fl6.saddr = *saddr;
+-      fl6.flowi6_oif = icmp6_iif(skb);
++      fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++                       skb->dev->ifindex :
++                       icmp6_iif(skb);
+       fl6.fl6_icmp_type = type;
+       fl6.flowi6_mark = mark;
+       fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
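Review bot: The new three-line conditional assigned to `fl6.flowi6_oif` has no comment saying why a loopback destination takes `skb->dev->ifindex` instead of `icmp6_iif(skb)`; that reasoning lives only in the commit message. A short comment above the assignment would keep it with the code, for example `/* reply to a loopback source leaves via the receiving device (lo), not the rt6i_idev device */`. The body of icmpv6_echo_reply() starts and ends outside the hunk.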
diff --git a/queue-6.1/net-bridge-fix-static-key-check.patch b/queue-6.1/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..28bc010
--- /dev/null
@@ -0,0 +1,40 @@
+From 4c86977dc78555c0ff9bf83763092edf6b398ba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index f11345720c275..e33500771b30f 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -243,7 +243,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.1/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..280cbe5
--- /dev/null
@@ -0,0 +1,46 @@
+From c2b4483c00aeee0f3dfb68af3aca180dd16b2330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 093ed86a0acd8..db51c500ed359 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.1/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644 (file)
index 0000000..d7db954
--- /dev/null
@@ -0,0 +1,75 @@
+From 528efe665d38a4fe5e430773a40548db2eb98041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 1d7fe4ffdd734..2d0b57583ea35 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3650,6 +3650,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_queue_update_stats(priv);
+       }
++      netdev_stats_to_stats64(stats, &dev->stats);
++
+       if (mlx5e_is_uplink_rep(priv)) {
+               struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+@@ -3666,21 +3668,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_fold_sw_stats64(priv, stats);
+       }
+-      stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+-      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++      stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+-      stats->rx_length_errors =
++      stats->rx_length_errors +=
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+               PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+               VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+-      stats->rx_crc_errors =
++      stats->rx_crc_errors +=
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+-      stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+-      stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+-      stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+-                         stats->rx_frame_errors;
+-      stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++      stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++      stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++      stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++                          stats->rx_frame_errors;
++      stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+ static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv)
+-- 
+2.51.0
+
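Review bot: In the last hunk, `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` sums fields that, after the added `netdev_stats_to_stats64()` call, already hold the `dev->stats` baseline plus the hardware counters. If the stack ever records one event in both `dev->stats.rx_errors` and one of those per-cause counters, that event is added to the aggregate twice; the same applies to `tx_errors` with `tx_carrier_errors`. Whether the core does so is not visible here, so at minimum the assumption deserves a comment such as `/* dev->stats.rx_errors is assumed not to overlap the per-cause counters summed below */`. This matters because `rx_errors` is commonly used as an alerting metric. mlx5e_get_stats() starts outside the hunk.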
diff --git a/queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-6.1/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
new file mode 100644 (file)
index 0000000..6c2df66
--- /dev/null
@@ -0,0 +1,50 @@
+From c1a15d07e011dab1aa14356f125cf6a756957969 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao <laoar.shao@gmail.com>
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 73011870e5ff6..1d7fe4ffdd734 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3667,6 +3667,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       }
+       stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.1/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..a2d6946
--- /dev/null
@@ -0,0 +1,48 @@
+From 41dbbba9bb0d4f14af83b3a9354ed45d8eb4bbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.1/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644 (file)
index 0000000..9e161e9
--- /dev/null
@@ -0,0 +1,83 @@
+From b18a77d10d1d2014860cbd37177e3dc908e5fbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 01:04:01 +0800
+Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
+
+When receiving data in the DPMAIF RX path,
+the t7xx_dpmaif_set_frag_to_skb() function adds
+page fragments to an skb without checking if the number of
+fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
+in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
+potentially causing kernel crashes or other undefined behavior.
+
+This issue was identified through static code analysis by comparing with a
+similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
+fix array overflow on receiving too many fragments for a packet").
+
+The vulnerability could be triggered if the modem firmware sends packets
+with excessive fragments. While under normal protocol conditions (MTU 3080
+bytes, BAT buffer 3584 bytes),
+a single packet should not require additional
+fragments, the kernel should not blindly trust firmware behavior.
+Malicious, buggy, or compromised firmware could potentially craft packets
+with more fragments than the kernel expects.
+
+Fix this by adding a bounds check before calling skb_add_rx_frag() to
+ensure nr_frags does not exceed MAX_SKB_FRAGS.
+
+The check must be performed before unmapping to avoid a page leak
+and double DMA unmap during device teardown.
+
+Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+index f4f924d75103a..bdf1451fbc87d 100644
+--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+@@ -430,6 +430,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+                                      struct sk_buff *skb)
+ {
+       unsigned long long data_bus_addr, data_base_addr;
++      struct skb_shared_info *shinfo = skb_shinfo(skb);
+       struct device *dev = rxq->dpmaif_ctrl->dev;
+       struct dpmaif_bat_page *page_info;
+       unsigned int data_len;
+@@ -437,18 +438,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+       page_info = rxq->bat_frag->bat_skb;
+       page_info += t7xx_normal_pit_bid(pkt_info);
+-      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
+       if (!page_info->page)
+               return -EINVAL;
++      if (shinfo->nr_frags >= MAX_SKB_FRAGS)
++              return -EINVAL;
++
++      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
++
+       data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
+       data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
+       data_base_addr = page_info->data_bus_addr;
+       data_offset = data_bus_addr - data_base_addr;
+       data_offset += page_info->offset;
+       data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
+-      skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page,
++      skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page,
+                       data_offset, data_len, page_info->data_len);
+       page_info->page = NULL;
+-- 
+2.51.0
+
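Review bot: The offset and length handed to `skb_add_rx_frag()` still come straight from the device-written descriptor: `data_offset` is derived from `pkt_info->pd.data_addr_h`/`data_addr_l` and `data_len` from `pkt_info->header`, and neither is compared with `page_info->data_len` anywhere in this hunk. The commit message's own premise is that firmware values are not to be trusted, so these fields seem to warrant the same treatment as the new `nr_frags` check, rejecting a descriptor whose address lies below `page_info->data_bus_addr` or whose length exceeds what remains of the buffer. Such a check would have to sit before `dma_unmap_page()`, next to the `MAX_SKB_FRAGS` test, for the error-path reason the commit message gives. The rest of t7xx_dpmaif_set_frag_to_skb() and the caller's handling of `-EINVAL` are outside the hunk, so an earlier layer may already validate these fields.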
diff --git a/queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.1/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..61b9352
--- /dev/null
@@ -0,0 +1,167 @@
+From 0d1fb8662bd9935d54fc2140929e2a669a3cb226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index e2680a3bef799..b652323bc2c12 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 18be13fb9b75a..ced99d2a90cc1 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
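Review bot: The new critical section in nfc_llcp_send_ui_frame() takes `local->tx_queue.lock` with plain `spin_lock()`, while the `skb_queue_tail()` it replaces takes the same lock with interrupts disabled. If any other user of `tx_queue` can run in softirq or interrupt context, this could self-deadlock, so either confirm that every user is process context or use `spin_lock_bh()` or `spin_lock_irqsave()` here and in nfc_llcp_remove_local(). The llcp_core.c hunk also nests `tx_queue.lock` inside `llcp_devices_lock`, which is worth recording with a comment such as `/* lock order: llcp_devices_lock -> local->tx_queue.lock */`. Both function bodies extend beyond their hunks, so the other lock users are not visible here.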
diff --git a/queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.1/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..9da678e
--- /dev/null
@@ -0,0 +1,197 @@
+From 41808a335347e255d0e262ebc6b19be015b7390d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 5dee575fbe86a..b82f4f2a27fb8 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 5352571b62148..a02ede8b067bd 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               del_timer_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 6196bb512dfc1..2ffdbbf90eb70 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1291,6 +1291,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1308,7 +1310,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
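Review bot: The kernel-doc added in net/nfc/core.c for nfc_unregister_rfkill() and nfc_remove_device() does not say that the two exported functions are halves of one teardown and must run in that order. nci_unregister_device() now depends on exactly that: it calls the first at the top of the function and the second at the end. I would add ` * Must be followed by nfc_remove_device(); callers that do not need the split use nfc_unregister_device().` to the first comment and ` * Call only after nfc_unregister_rfkill() has returned.` to the second. The part of nfc_unregister_rfkill() between the two core.c hunks is not shown, and the retained `int rc;` suggests it does more than the rfkill calls, so its full effect cannot be checked from here.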
diff --git a/queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.1/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..576bdd4
--- /dev/null
@@ -0,0 +1,56 @@
+From 17592778d5c2b445d488476051be037e2fef913f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 2e2826c901fcc..b741d335b1dc4 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
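Review bot: Nothing in rocker_world_port_post_fini() records why the free is now unconditional while the callback stays optional. A one-line comment above `kfree(rocker_port->wpriv);` would stop a later cleanup from coupling the two again: `/* wpriv is allocated in rocker_world_port_pre_init() for every world, callback or not */`. The allocation site is taken from the commit message; it is not part of this hunk.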
index 11c0a12a4c6ea8c0dfea147e61d625c6010835e5..8b7b51860238c5697afecb334c42dfd34db325fe 100644 (file)
@@ -185,3 +185,17 @@ bpf-do-not-let-bpf-test-infra-emit-invalid-gso-types-to-stack.patch
 bpf-reject-narrower-access-to-pointer-ctx-fields.patch
 mm-damon-sysfs-scheme-cleanup-quotas-subdirs-on-scheme-dir-setup-failure.patch
 mm-damon-sysfs-scheme-cleanup-access_pattern-subdirs-on-scheme-dir-setup-failure.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
diff --git a/queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.12/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..b37c080
--- /dev/null
@@ -0,0 +1,73 @@
+From 433ae9a94bbb8b432f17f76a93f2e8a41d073c02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 2f322f890b81f..436ee77d4bf2f 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -685,6 +685,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -712,8 +714,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
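Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags);` in hci_uart_register_dev() is not ordered against the stores proto->open() makes to hu->priv, because set_bit() is an unordered atomic. On a weakly ordered CPU, a wakeup path that tests the flag could in principle still see the flag before hu->priv, which is the NULL dereference this patch is meant to close. Unless a lock or barrier outside the hunk already orders the two, I would put `smp_mb__before_atomic();` in front of the set_bit() and name the pairing reader-side barrier in a comment. Both functions continue outside the hunks, so the failure paths after the new set_bit() are not visible. The `return err;` in hci_uart_set_proto() does not clear the flag, so it is worth confirming that a late failure in hci_uart_register_dev() cannot leave it set.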
diff --git a/queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch b/queue-6.12/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
new file mode 100644 (file)
index 0000000..5f00825
--- /dev/null
@@ -0,0 +1,63 @@
+From 1b2b6a0c5d1fe3991d2e6488f05d51ba57779744 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 13:29:26 +0800
+Subject: Bluetooth: MGMT: Fix memory leak in set_ssp_complete
+
+From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+
+[ Upstream commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 ]
+
+Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
+are not freed after being removed from the pending list.
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
+mgmt_pending_foreach() calls with individual command handling but missed
+adding mgmt_pending_free() calls in both error and success paths of
+set_ssp_complete(). Other completion functions like set_le_complete()
+were fixed correctly in the same commit.
+
+This causes a memory leak of the mgmt_pending_cmd structure and its
+associated parameter data for each SSP command that completes.
+
+Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
+the memory leak. Also fix the same issue in set_advertising_complete().
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 6d21b641b0d14..4894e6444900a 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1943,6 +1943,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
+               }
+               mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
++              mgmt_pending_free(cmd);
+               return;
+       }
+@@ -1961,6 +1962,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
+               sock_put(match.sk);
+       hci_update_eir_sync(hdev);
++      mgmt_pending_free(cmd);
+ }
+ static int set_ssp_sync(struct hci_dev *hdev, void *data)
+@@ -6455,6 +6457,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
+               hci_dev_clear_flag(hdev, HCI_ADVERTISING);
+       settings_rsp(cmd, &match);
++      mgmt_pending_free(cmd);
+       new_settings(hdev, match.sk);
+-- 
+2.51.0
+
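Review bot: In the set_advertising_complete() hunk, `mgmt_pending_free(cmd);` sits mid-function, ahead of `new_settings(hdev, match.sk);` and of whatever follows outside the hunk, whereas the second set_ssp_complete() hunk frees as the last statement. Nothing visible uses cmd after the free, but the early placement leaves a dangling pointer in scope for the rest of the function. I would either move the call to the end of the function or mark the line with `/* cmd must not be used past this point */`. The remainder of set_advertising_complete() is outside the hunk, so this needs checking against the full body.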
diff --git a/queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.12/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644 (file)
index 0000000..4cb4a6a
--- /dev/null
@@ -0,0 +1,178 @@
+From 1832825bd8923117561fb06520ce093899d30692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:29:14 +0000
+Subject: bonding: annotate data-races around slave->last_rx
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
+
+slave->last_rx and slave->target_last_arp_rx[...] can be read and written
+locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+...
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+  br_netif_receive_skb net/bridge/br_input.c:30 [inline]
+  NF_HOOK include/linux/netfilter.h:318 [inline]
+...
+
+value changed: 0x0000000100005365 -> 0x0000000100005366
+
+Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c    | 18 ++++++++++--------
+ drivers/net/bonding/bond_options.c |  8 ++++----
+ include/net/bonding.h              | 13 +++++++------
+ 3 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b52f5f64e3abb..209cab75ac0a5 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3214,8 +3214,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32
+                          __func__, &sip);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3434,8 +3434,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave,
+                         __func__, saddr);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3505,7 +3505,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
+                   (slave_do_arp_validate_only(bond) && is_ipv6) ||
+ #endif
+                   !slave_do_arp_validate_only(bond))
+-                      slave->last_rx = jiffies;
++                      WRITE_ONCE(slave->last_rx, jiffies);
+               return RX_HANDLER_ANOTHER;
+       } else if (is_arp) {
+               return bond_arp_rcv(skb, bond, slave);
+@@ -3573,7 +3573,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, last_tx, 1) &&
+-                          bond_time_in_interval(bond, slave->last_rx, 1)) {
++                          bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) {
+                               bond_propose_link_state(slave, BOND_LINK_UP);
+                               slave_state_changed = 1;
+@@ -3597,8 +3597,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+                        * when the source ip is 0, so don't take the link down
+                        * if we don't know our ip yet
+                        */
+-                      if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) ||
+-                          !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) {
++                      if (!bond_time_in_interval(bond, last_tx,
++                                                 bond->params.missed_max) ||
++                          !bond_time_in_interval(bond, READ_ONCE(slave->last_rx),
++                                                 bond->params.missed_max)) {
+                               bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               slave_state_changed = 1;
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index 28c53f1b13826..a37b47b8ea8ed 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1124,7 +1124,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) {
+               bond_for_each_slave(bond, slave, iter)
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+               targets[slot] = target;
+       }
+ }
+@@ -1193,8 +1193,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target)
+       bond_for_each_slave(bond, slave, iter) {
+               targets_rx = slave->target_last_arp_rx;
+               for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+-                      targets_rx[i] = targets_rx[i+1];
+-              targets_rx[i] = 0;
++                      WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]));
++              WRITE_ONCE(targets_rx[i], 0);
+       }
+       for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+               targets[i] = targets[i+1];
+@@ -1349,7 +1349,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_NS_TARGETS) {
+               bond_for_each_slave(bond, slave, iter) {
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+                       slave_set_ns_maddr(bond, slave, target, &targets[slot]);
+               }
+               targets[slot] = *target;
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 95f67b308c19a..9fb40a5920209 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -519,13 +519,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr)
+ static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond,
+                                                      struct slave *slave)
+ {
++      unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]);
+       int i = 1;
+-      unsigned long ret = slave->target_last_arp_rx[0];
+-
+-      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++)
+-              if (time_before(slave->target_last_arp_rx[i], ret))
+-                      ret = slave->target_last_arp_rx[i];
++      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) {
++              tmp = READ_ONCE(slave->target_last_arp_rx[i]);
++              if (time_before(tmp, ret))
++                      ret = tmp;
++      }
+       return ret;
+ }
+@@ -535,7 +536,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond,
+       if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL)
+               return slave_oldest_target_arp_rx(bond, slave);
+-      return slave->last_rx;
++      return READ_ONCE(slave->last_rx);
+ }
+ static inline void slave_update_last_tx(struct slave *slave)
+-- 
+2.51.0
+
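Review bot: The loop condition in slave_oldest_target_arp_rx() still reads `bond->params.arp_targets[i]` with a plain load, while the timestamps it guards are now read with READ_ONCE(). The bond_options.c hunks in the same patch also keep plain stores such as `targets[slot] = target;` and the `targets[i] = targets[i+1];` shift. If `targets` there is the same array (its definition is outside the hunks), these are the same kind of lockless access the patch annotates elsewhere. The annotations also do not make the multi-element shift in bond_option_arp_ip_target_rem() atomic, so a reader running concurrently could pair a target with a neighbour's timestamp. A comment above the shift would record that: `/* lockless readers may briefly see a shifted timestamp; WRITE_ONCE only prevents tearing */`.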
diff --git a/queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch b/queue-6.12/can-at91_can-fix-memory-leak-in-at91_can_probe.patch
new file mode 100644 (file)
index 0000000..0a6a700
--- /dev/null
@@ -0,0 +1,45 @@
+From 45bc603a8c1124fa5be71535995ec89ef44ad9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 11:41:28 +0000
+Subject: can: at91_can: Fix memory leak in at91_can_probe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0baa4d3170d72a2a8dc93bf729d6d04ad113dc72 ]
+
+In at91_can_probe(), the dev structure is allocated via alloc_candev().
+However, if the subsequent call to devm_phy_optional_get() fails, the
+code jumps directly to exit_iounmap, missing the call to free_candev().
+This results in a memory leak of the allocated net_device structure.
+
+Fix this by jumping to the exit_free label instead, which ensures that
+free_candev() is called to properly release the memory.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 3ecc09856afb ("can: at91_can: add CAN transceiver support")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20260122114128.643752-1-zilin@seu.edu.cn
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/at91_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
+index 191707d7e3dac..d6dcb2be56342 100644
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -1100,7 +1100,7 @@ static int at91_can_probe(struct platform_device *pdev)
+       if (IS_ERR(transceiver)) {
+               err = PTR_ERR(transceiver);
+               dev_err_probe(&pdev->dev, err, "failed to get phy\n");
+-              goto exit_iounmap;
++              goto exit_free;
+       }
+       dev->netdev_ops = &at91_netdev_ops;
+-- 
+2.51.0
+
diff --git a/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.12/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644 (file)
index 0000000..b9cb3c8
--- /dev/null
@@ -0,0 +1,52 @@
+From 79e6794e51f0755738752480b7c2189be7b55703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index e63e77f21801c..d1d1412c65659 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -607,7 +607,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+       struct gs_usb *parent = urb->context;
+       struct gs_can *dev;
+-      struct net_device *netdev;
++      struct net_device *netdev = NULL;
+       int rc;
+       struct net_device_stats *stats;
+       struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -765,7 +765,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+               }
+       } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+               netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+-                          ERR_PTR(urb->status));
++                          ERR_PTR(rc));
+       }
+ }
+-- 
+2.51.0
+
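Review bot: With `struct net_device *netdev = NULL;`, the `netdev_info(netdev, ...)` at the end of gs_usb_receive_bulk_callback() is now deliberately reached with a NULL device on the short-read path the commit message describes. netdev_info() accepts NULL and prints a "(NULL net_device)" prefix, so the call is safe, but the log line no longer identifies which adapter failed to resubmit. A comment at the declaration would make the intent explicit: `/* stays NULL until the channel is known; netdev_info() handles NULL */`. The function body between the two hunks is outside the view.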
diff --git a/queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch b/queue-6.12/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
new file mode 100644 (file)
index 0000000..5617820
--- /dev/null
@@ -0,0 +1,96 @@
+From b2cdbcb792e6648c640f1af631ad57f7d1c62101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 14:21:21 +0800
+Subject: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ]
+
+Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
+during resume from suspend when rings[q_idx]->q_vector is NULL.
+
+Tested adaptor:
+60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
+        Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
+
+SR-IOV state: both disabled and enabled can reproduce this issue.
+
+kernel version: v6.18
+
+Reproduce steps:
+Boot up and execute suspend like systemctl suspend or rtcwake.
+
+Log:
+<1>[  231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
+<1>[  231.444052] #PF: supervisor read access in kernel mode
+<1>[  231.444484] #PF: error_code(0x0000) - not-present page
+<6>[  231.444913] PGD 0 P4D 0
+<4>[  231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
+<4>[  231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
+<4>[  231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
+<4>[  231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
+<4>[  231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
+<4>[  231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
+<4>[  231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
+<4>[  231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+<4>[  231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
+<4>[  231.450265] FS:  00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
+<4>[  231.450715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[  231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
+<4>[  231.451629] PKRU: 55555554
+<4>[  231.452076] Call Trace:
+<4>[  231.452549]  <TASK>
+<4>[  231.452996]  ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
+<4>[  231.453482]  ice_resume+0xfd/0x220 [ice]
+<4>[  231.453977]  ? __pfx_pci_pm_resume+0x10/0x10
+<4>[  231.454425]  pci_pm_resume+0x8c/0x140
+<4>[  231.454872]  ? __pfx_pci_pm_resume+0x10/0x10
+<4>[  231.455347]  dpm_run_callback+0x5f/0x160
+<4>[  231.455796]  ? dpm_wait_for_superior+0x107/0x170
+<4>[  231.456244]  device_resume+0x177/0x270
+<4>[  231.456708]  dpm_resume+0x209/0x2f0
+<4>[  231.457151]  dpm_resume_end+0x15/0x30
+<4>[  231.457596]  suspend_devices_and_enter+0x1da/0x2b0
+<4>[  231.458054]  enter_state+0x10e/0x570
+
+Add defensive checks for both the ring pointer and its q_vector
+before dereferencing, allowing the system to resume successfully even when
+q_vectors are unmapped.
+
+Fixes: 2a5dc090b92cf ("ice: move netif_queue_set_napi to rtnl-protected sections")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 4e022de9e4bbd..4ad21c21c5c57 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2731,12 +2731,14 @@ void ice_vsi_set_napi_queues(struct ice_vsi *vsi)
+               return;
+       ice_for_each_rxq(vsi, q_idx)
+-              netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
+-                                   &vsi->rx_rings[q_idx]->q_vector->napi);
++              if (vsi->rx_rings[q_idx] && vsi->rx_rings[q_idx]->q_vector)
++                      netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
++                                           &vsi->rx_rings[q_idx]->q_vector->napi);
+       ice_for_each_txq(vsi, q_idx)
+-              netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
+-                                   &vsi->tx_rings[q_idx]->q_vector->napi);
++              if (vsi->tx_rings[q_idx] && vsi->tx_rings[q_idx]->q_vector)
++                      netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
++                                           &vsi->tx_rings[q_idx]->q_vector->napi);
+       /* Also set the interrupt number for the NAPI */
+       ice_for_each_q_vector(vsi, v_idx) {
+               struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
+-- 
+2.51.0
+
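Review bot: In ice_vsi_set_napi_queues() the new `if (ring && ring->q_vector)` guards in the Rx and Tx loops skip a queue silently, so a ring that comes back from resume without a q_vector presumably keeps whatever NAPI link it had, and nothing records that it was skipped. A comment would explain why a ring may legitimately lack a q_vector here, e.g. `/* q_vectors may be unmapped on resume; leave such queues unlinked */`. The loop bodies should also be braced, since each `ice_for_each_rxq` / `ice_for_each_txq` now holds a multi-line `if`. The `ice_for_each_q_vector` loop that follows reads `vsi->q_vectors[v_idx]` and continues outside the hunk, so whether it needs a similar guard cannot be judged from here.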
diff --git a/queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.12/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..00a49ee
--- /dev/null
@@ -0,0 +1,62 @@
+From b42256ca44dfc9f1cbb600cdc875462f5bbfe382 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index d024e71722de3..8e0f180ec38e1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -6974,7 +6974,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+               cur_ns->rx_errors = pf->stats.crc_errors +
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.12/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644 (file)
index 0000000..2bb62e9
--- /dev/null
@@ -0,0 +1,52 @@
+From 80a487164202758f2f4874f9af3a3fb93e0654f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 8117c17845967..13a796bfc2f93 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -770,7 +770,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
+       fl6.daddr = ipv6_hdr(skb)->saddr;
+       if (saddr)
+               fl6.saddr = *saddr;
+-      fl6.flowi6_oif = icmp6_iif(skb);
++      fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++                       skb->dev->ifindex :
++                       icmp6_iif(skb);
+       fl6.fl6_icmp_type = type;
+       fl6.flowi6_mark = mark;
+       fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
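Review bot: The new ternary that assigns `fl6.flowi6_oif` in icmpv6_echo_reply() has no comment saying why a loopback destination switches from `icmp6_iif(skb)` to `skb->dev->ifindex`; the reason is given only in the commit message. I would add above it `/* reply to ::1 must go out the receiving device (lo), not the rt6i_idev device */`. `fl6.daddr` is copied from the request's source address a few lines earlier, so the branch is keyed on a header field of the received packet. It therefore relies on loopback-sourced packets only ever arriving on the loopback device, and that check, if present, is outside this hunk. The function body starts and ends outside the hunk.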
diff --git a/queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.12/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
new file mode 100644 (file)
index 0000000..6809359
--- /dev/null
@@ -0,0 +1,48 @@
+From a56387803fd71db84e1ca4f1408552a70648c733 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 11:40:01 -0800
+Subject: net: bcmasp: fix early exit leak with fixed phy
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
+
+We are not deregistering the fixed phy link when hitting the early
+exit condition. Add the correct early exit sequence.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index 9ea16ef4139d3..79185bafaf4b3 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1253,7 +1253,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+               netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n",
+                          phy_modes(intf->phy_interface), intf->port);
+               ret = -EINVAL;
+-              goto err_free_netdev;
++              goto err_deregister_fixed_link;
+       }
+       ret = of_get_ethdev_address(ndev_dn, ndev);
+@@ -1276,6 +1276,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+       return intf;
++err_deregister_fixed_link:
++      if (of_phy_is_fixed_link(ndev_dn))
++              of_phy_deregister_fixed_link(ndev_dn);
+ err_free_netdev:
+       free_netdev(ndev);
+ err:
+-- 
+2.51.0
+
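Review bot: Only the invalid-PHY-mode exit in bcmasp_interface_create() is switched to the new `err_deregister_fixed_link` label. The code between the two hunks, from `of_get_ethdev_address()` to `return intf;`, is not shown, and any failure there that still does `goto err_free_netdev;` would leak the fixed link in the same way. If such a path exists it should become `goto err_deregister_fixed_link;`. The label re-tests `of_phy_is_fixed_link(ndev_dn)` instead of recording that registration happened, which holds only while every jump to it comes after the registration call, and that call is outside the hunk.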
diff --git a/queue-6.12/net-bridge-fix-static-key-check.patch b/queue-6.12/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..ec8ea90
--- /dev/null
@@ -0,0 +1,40 @@
+From d95e9ba9c734521051a18e2557cff8486155f2b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 8c26605c4cc1e..44459c9d2ce77 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -260,7 +260,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.12/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..f1a7aea
--- /dev/null
@@ -0,0 +1,46 @@
+From 9cbb3ad47cb0d608fee2eebc00f9de94f7617993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 093ed86a0acd8..db51c500ed359 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
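Review bot: After `vport->ingress.acl = NULL;` the new `goto out;` in esw_acl_ingress_lgcy_setup() enters the function's common error path with a NULL table pointer. The `out` label is outside the hunk, so whether its cleanup tolerates that state cannot be confirmed here. The commit message says the change was compile tested only, so this path should be exercised or at least documented at the jump, e.g. `/* acl is NULL here; cleanup at out must cope and still release the counter */`.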
diff --git a/queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch b/queue-6.12/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
new file mode 100644 (file)
index 0000000..023e5ad
--- /dev/null
@@ -0,0 +1,158 @@
+From cc1712e9c5f04624992ec0ff0799b256405831f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:40 +0200
+Subject: net/mlx5: Fix vhca_id access call trace use before alloc
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit a8f930b7be7be3f18f14446df461e17137400407 ]
+
+HCA CAP structure is allocated in mlx5_hca_caps_alloc().
+mlx5_mdev_init()
+  mlx5_hca_caps_alloc()
+
+And HCA CAP is read from the device in mlx5_init_one().
+
+The vhca_id's debugfs file is published even before above two
+operations are done.
+Due to this when user reads the vhca id before the initialization,
+following call trace is observed.
+
+Fix this by deferring debugfs publication until the HCA CAP is
+allocated and read from the device.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000004
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 23 UID: 0 PID: 6605 Comm: cat Kdump: loaded Not tainted 6.18.0-rc7-sf+ #110 PREEMPT(full)
+Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016
+RIP: 0010:vhca_id_show+0x17/0x30 [mlx5_core]
+Code: cb 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 47 70 48 c7 c6 45 f0 12 c1 48 8b 80 70 03 00 00 <8b> 50 04 0f ca 0f b7 d2 e8 8c 82 47 cb 31 c0 c3 cc cc cc cc 0f 1f
+RSP: 0018:ffffd37f4f337d40 EFLAGS: 00010203
+RAX: 0000000000000000 RBX: ffff8f18445c9b40 RCX: 0000000000000001
+RDX: ffff8f1109825180 RSI: ffffffffc112f045 RDI: ffff8f18445c9b40
+RBP: 0000000000000000 R08: 0000645eac0d2928 R09: 0000000000000006
+R10: ffffd37f4f337d48 R11: 0000000000000000 R12: ffffd37f4f337dd8
+R13: ffffd37f4f337db0 R14: ffff8f18445c9b68 R15: 0000000000000001
+FS:  00007f3eea099580(0000) GS:ffff8f2090f1f000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000004 CR3: 00000008b64e4006 CR4: 00000000003726f0
+Call Trace:
+ <TASK>
+ seq_read_iter+0x11f/0x4f0
+ ? _raw_spin_unlock+0x15/0x30
+ ? do_anonymous_page+0x104/0x810
+ seq_read+0xf6/0x120
+ ? srso_alias_untrain_ret+0x1/0x10
+ full_proxy_read+0x5c/0x90
+ vfs_read+0xad/0x320
+ ? handle_mm_fault+0x1ab/0x290
+ ksys_read+0x52/0xd0
+ do_syscall_64+0x61/0x11e0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: dd3dd7263cde ("net/mlx5: Expose vhca_id to debugfs")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/debugfs.c    | 16 ++++++++++++++++
+ drivers/net/ethernet/mellanox/mlx5/core/main.c   | 14 +++-----------
+ .../net/ethernet/mellanox/mlx5/core/mlx5_core.h  |  1 +
+ .../ethernet/mellanox/mlx5/core/sf/dev/driver.c  |  1 +
+ 4 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+index 36806e813c33c..1301c56e20d65 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+@@ -613,3 +613,19 @@ void mlx5_debug_cq_remove(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq)
+               cq->dbg = NULL;
+       }
+ }
++
++static int vhca_id_show(struct seq_file *file, void *priv)
++{
++      struct mlx5_core_dev *dev = file->private;
++
++      seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id));
++      return 0;
++}
++
++DEFINE_SHOW_ATTRIBUTE(vhca_id);
++
++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev)
++{
++      debugfs_create_file("vhca_id", 0400, dev->priv.dbg.dbg_root, dev,
++                          &vhca_id_fops);
++}
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 4ed23d19c0eca..8bfa95cda0063 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1810,16 +1810,6 @@ static int mlx5_hca_caps_alloc(struct mlx5_core_dev *dev)
+       return -ENOMEM;
+ }
+-static int vhca_id_show(struct seq_file *file, void *priv)
+-{
+-      struct mlx5_core_dev *dev = file->private;
+-
+-      seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id));
+-      return 0;
+-}
+-
+-DEFINE_SHOW_ATTRIBUTE(vhca_id);
+-
+ static int mlx5_notifiers_init(struct mlx5_core_dev *dev)
+ {
+       int err;
+@@ -1862,7 +1852,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+       priv->numa_node = dev_to_node(mlx5_core_dma_dev(dev));
+       priv->dbg.dbg_root = debugfs_create_dir(dev_name(dev->device),
+                                               mlx5_debugfs_root);
+-      debugfs_create_file("vhca_id", 0400, priv->dbg.dbg_root, dev, &vhca_id_fops);
++
+       INIT_LIST_HEAD(&priv->traps);
+       err = mlx5_cmd_init(dev);
+@@ -2000,6 +1990,8 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+               goto err_init_one;
+       }
++      mlx5_vhca_debugfs_init(dev);
++
+       pci_save_state(pdev);
+       return 0;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+index dc6965f6746ec..6b82a494bd323 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+@@ -251,6 +251,7 @@ int mlx5_wait_for_pages(struct mlx5_core_dev *dev, int *pages);
+ void mlx5_cmd_flush(struct mlx5_core_dev *dev);
+ void mlx5_cq_debugfs_init(struct mlx5_core_dev *dev);
+ void mlx5_cq_debugfs_cleanup(struct mlx5_core_dev *dev);
++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev);
+ int mlx5_query_pcam_reg(struct mlx5_core_dev *dev, u32 *pcam, u8 feature_group,
+                       u8 access_reg_group);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+index b706f1486504a..c45540fe7d9d9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+@@ -76,6 +76,7 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia
+               goto init_one_err;
+       }
++      mlx5_vhca_debugfs_init(mdev);
+       return 0;
+ init_one_err:
+-- 
+2.51.0
+
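Review bot: mlx5_vhca_debugfs_init() in debugfs.c carries an ordering requirement that is not written down: vhca_id_show() reads `MLX5_CAP_GEN(dev, vhca_id)` with no check, so the file may only be created once the HCA caps are allocated and queried. A comment above the function would keep a later caller from reintroducing the NULL dereference, e.g. `/* Call only after mlx5_init_one() succeeded; vhca_id_show() reads HCA caps unchecked. */`. Both call sites added here, in probe_one() and mlx5_sf_dev_probe(), sit after the init error check. No matching removal is added, so teardown presumably relies on removal of `dbg_root`, which is outside the hunks.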
diff --git a/queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch b/queue-6.12/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch
new file mode 100644 (file)
index 0000000..c71b04c
--- /dev/null
@@ -0,0 +1,44 @@
+From d719b31c6525821e88c886c1326b2dfe20097eae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:38 +0200
+Subject: net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 2610a3d65691a1301ab10c92ff6ebab0bedf9199 ]
+
+The capability check for reset_root_to_default was inverted, causing
+the function to return -EOPNOTSUPP when the capability IS supported,
+rather than when it is NOT supported.
+
+Fix the capability check condition.
+
+Fixes: 3c9c34c32bc6 ("net/mlx5: fs, Command to control TX flow table root")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+index 676005854dad4..c115270936774 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+@@ -1166,7 +1166,8 @@ int mlx5_fs_cmd_set_tx_flow_table_root(struct mlx5_core_dev *dev, u32 ft_id, boo
+       u32 out[MLX5_ST_SZ_DW(set_flow_table_root_out)] = {};
+       u32 in[MLX5_ST_SZ_DW(set_flow_table_root_in)] = {};
+-      if (disconnect && MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
++      if (disconnect &&
++          !MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
+               return -EOPNOTSUPP;
+       MLX5_SET(set_flow_table_root_in, in, opcode,
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch b/queue-6.12/net-mlx5-initialize-events-outside-devlink-lock.patch
new file mode 100644 (file)
index 0000000..99b3112
--- /dev/null
@@ -0,0 +1,115 @@
+From be6973a07f0ffd333d37f8a827bd3d2dc121a254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Nov 2025 22:45:35 +0200
+Subject: net/mlx5: Initialize events outside devlink lock
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b6b03097f9826db72aeb3f751774c5e9edd9a5b3 ]
+
+Move event init/cleanup outside of mlx5_init_one() / mlx5_uninit_one()
+and into the mlx5_mdev_init() / mlx5_mdev_uninit() functions.
+
+By doing this, we avoid the events being reinitialized on devlink reload
+and, more importantly, the events->sw_nh notifier chain becomes
+available earlier in the init procedure, which will be used in
+subsequent patches. This makes sense because the events struct is pure
+software, independent of any HW details.
+
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763325940-1231508-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a8f930b7be7b ("net/mlx5: Fix vhca_id access call trace use before alloc")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/main.c    | 34 +++++++++++++------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index e97b3494b9161..4ed23d19c0eca 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1016,16 +1016,10 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+               goto err_irq_cleanup;
+       }
+-      err = mlx5_events_init(dev);
+-      if (err) {
+-              mlx5_core_err(dev, "failed to initialize events\n");
+-              goto err_eq_cleanup;
+-      }
+-
+       err = mlx5_fw_reset_init(dev);
+       if (err) {
+               mlx5_core_err(dev, "failed to initialize fw reset events\n");
+-              goto err_events_cleanup;
++              goto err_eq_cleanup;
+       }
+       mlx5_cq_debugfs_init(dev);
+@@ -1121,8 +1115,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+       mlx5_cleanup_reserved_gids(dev);
+       mlx5_cq_debugfs_cleanup(dev);
+       mlx5_fw_reset_cleanup(dev);
+-err_events_cleanup:
+-      mlx5_events_cleanup(dev);
+ err_eq_cleanup:
+       mlx5_eq_table_cleanup(dev);
+ err_irq_cleanup:
+@@ -1155,7 +1147,6 @@ static void mlx5_cleanup_once(struct mlx5_core_dev *dev)
+       mlx5_cleanup_reserved_gids(dev);
+       mlx5_cq_debugfs_cleanup(dev);
+       mlx5_fw_reset_cleanup(dev);
+-      mlx5_events_cleanup(dev);
+       mlx5_eq_table_cleanup(dev);
+       mlx5_irq_table_cleanup(dev);
+       mlx5_unregister_hca_devcom_comp(dev);
+@@ -1829,6 +1820,24 @@ static int vhca_id_show(struct seq_file *file, void *priv)
+ DEFINE_SHOW_ATTRIBUTE(vhca_id);
++static int mlx5_notifiers_init(struct mlx5_core_dev *dev)
++{
++      int err;
++
++      err = mlx5_events_init(dev);
++      if (err) {
++              mlx5_core_err(dev, "failed to initialize events\n");
++              return err;
++      }
++
++      return 0;
++}
++
++static void mlx5_notifiers_cleanup(struct mlx5_core_dev *dev)
++{
++      mlx5_events_cleanup(dev);
++}
++
+ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+ {
+       struct mlx5_priv *priv = &dev->priv;
+@@ -1884,6 +1893,10 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+       if (err)
+               goto err_hca_caps;
++      err = mlx5_notifiers_init(dev);
++      if (err)
++              goto err_hca_caps;
++
+       /* The conjunction of sw_vhca_id with sw_owner_id will be a global
+        * unique id per function which uses mlx5_core.
+        * Those values are supplied to FW as part of the init HCA command to
+@@ -1926,6 +1939,7 @@ void mlx5_mdev_uninit(struct mlx5_core_dev *dev)
+       if (priv->sw_vhca_id > 0)
+               ida_free(&sw_vhca_ida, dev->priv.sw_vhca_id);
++      mlx5_notifiers_cleanup(dev);
+       mlx5_hca_caps_free(dev);
+       mlx5_adev_cleanup(dev);
+       mlx5_pagealloc_cleanup(dev);
+-- 
+2.51.0
+
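Review bot: In mlx5_mdev_init() a failing mlx5_notifiers_init() jumps to `err_hca_caps`, the same label used by the check immediately above it. If that earlier check is the mlx5_hca_caps_alloc() failure, as the label name suggests, the label cannot be freeing the caps, so this new error path would leak them. mlx5_mdev_uninit() in the last hunk does call `mlx5_hca_caps_free(dev)` right after `mlx5_notifiers_cleanup(dev)`. A dedicated label would mirror that order: use `goto err_notifiers_init;` and place `err_notifiers_init:` followed by `mlx5_hca_caps_free(dev);` ahead of `err_hca_caps:`. The label bodies are outside the hunk, so this needs confirming against the full function.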
diff --git a/queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.12/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
new file mode 100644 (file)
index 0000000..075a8d2
--- /dev/null
@@ -0,0 +1,50 @@
+From de3b4becccf598c84d9d30e82e6bb4bda1da0365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:41 +0200
+Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ]
+
+Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay
+window size") introduced logic to setup the ESN replay window size.
+This logic is only valid for packet offload.
+
+However, the check to skip this block only covered outbound offloads.
+It was not skipped for crypto offload, causing it to fall through to
+the new switch statement and trigger its WARN_ON default case (for
+instance, if a window larger than 256 bits was configured).
+
+Fix this by amending the condition to also skip the replay window
+setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET.
+
+Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index 39dcbf863421a..7e24f3f0b4dd3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -347,7 +347,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
+               attrs->replay_esn.esn = sa_entry->esn_state.esn;
+               attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb;
+               attrs->replay_esn.overlap = sa_entry->esn_state.overlap;
+-              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT)
++              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT ||
++                  x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
+                       goto skip_replay_window;
+               switch (x->replay_esn->replay_window) {
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.12/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
new file mode 100644 (file)
index 0000000..aff88ce
--- /dev/null
@@ -0,0 +1,132 @@
+From 9343aaadff6cd32d4305a4a338f44f70645e7c43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:54 +0200
+Subject: net/mlx5e: TC, delete flows only for existing peers
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ]
+
+When deleting TC steering flows, iterate only over actual devcom
+peers instead of assuming all possible ports exist. This avoids
+touching non-existent peers and ensures cleanup is limited to
+devices the driver is currently connected to.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 133c8a067 P4D 0
+ Oops: Oops: 0002 [#1] SMP
+ CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
+ Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
+ RSP: 0018:ff11000143867528 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
+ RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
+ RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
+ R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
+ R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
+ FS:  00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
+ Call Trace:
+  <TASK>
+  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
+  mlx5e_flow_put+0x25/0x50 [mlx5_core]
+  mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
+  tc_setup_cb_reoffload+0x20/0x80
+  fl_reoffload+0x26f/0x2f0 [cls_flower]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  tcf_block_playback_offloads+0x9e/0x1c0
+  tcf_block_unbind+0x7b/0xd0
+  tcf_block_setup+0x186/0x1d0
+  tcf_block_offload_cmd.isra.0+0xef/0x130
+  tcf_block_offload_unbind+0x43/0x70
+  __tcf_block_put+0x85/0x160
+  ingress_destroy+0x32/0x110 [sch_ingress]
+  __qdisc_destroy+0x44/0x100
+  qdisc_graft+0x22b/0x610
+  tc_get_qdisc+0x183/0x4d0
+  rtnetlink_rcv_msg+0x2d7/0x3d0
+  ? rtnl_calcit.isra.0+0x100/0x100
+  netlink_rcv_skb+0x53/0x100
+  netlink_unicast+0x249/0x320
+  ? __alloc_skb+0x102/0x1f0
+  netlink_sendmsg+0x1e3/0x420
+  __sock_sendmsg+0x38/0x60
+  ____sys_sendmsg+0x1ef/0x230
+  ? copy_msghdr_from_user+0x6c/0xa0
+  ___sys_sendmsg+0x7f/0xc0
+  ? ___sys_recvmsg+0x8a/0xc0
+  ? __sys_sendto+0x119/0x180
+  __sys_sendmsg+0x61/0xb0
+  do_syscall_64+0x55/0x640
+  entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ RIP: 0033:0x7f35238bb764
+ Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
+ RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
+ RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
+ RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
+ R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
+ R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
+
+Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer")
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c   | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 4d766eea32a37..8878990254f46 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2143,11 +2143,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow,
+ static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(flow->priv->mdev))
+-                      continue;
++      devcom = flow->priv->mdev->priv.eswitch->devcom;
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               mlx5e_tc_del_fdb_peer_flow(flow, i);
+       }
+ }
+@@ -5504,12 +5507,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags)
+ void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
+       struct mlx5e_tc_flow *flow, *tmp;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(esw->dev))
+-                      continue;
++      devcom = esw->devcom;
++
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i])
+                       mlx5e_tc_del_fdb_peers_flow(flow);
+       }
+-- 
+2.51.0
+
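Review bot: In both rewritten loops in en_tc.c the index `i` now comes from `mlx5_get_dev_index(peer_esw->dev)` and is used unchecked, in mlx5e_tc_clean_fdb_peer_flows() directly as `esw->offloads.peer_flows[i]` and `peer[i]`, whereas the removed loops bounded it with `i < MLX5_MAX_PORTS`. If those arrays are sized by MLX5_MAX_PORTS (their declarations are not visible here), a guard such as `if (WARN_ON_ONCE(i < 0 || i >= MLX5_MAX_PORTS)) continue;` would keep the old bound explicit. The hunks also show no locking around `mlx5_devcom_for_each_peer_entry()`, so a short comment naming what callers must hold while the peers are walked would help.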
diff --git a/queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.12/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..8db908f
--- /dev/null
@@ -0,0 +1,48 @@
+From 3eb9d176e8914bb50296065c6ad35f7afa519106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index 8ed83fb988624..155bc41ffce65 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch b/queue-6.12/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
new file mode 100644 (file)
index 0000000..455741b
--- /dev/null
@@ -0,0 +1,130 @@
+From 3440953da668736b9afdcdea94abe95be7bb7288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 16:15:44 +0800
+Subject: net: phy: micrel: fix clk warning when removing the driver
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit 2aa1545ba8d4801fba5be83a404e28014b80196a ]
+
+Since the commit 25c6a5ab151f ("net: phy: micrel: Dynamically control
+external clock of KSZ PHY"), the clock of Micrel PHY has been enabled
+by phy_driver::resume() and disabled by phy_driver::suspend(). However,
+devm_clk_get_optional_enabled() is used in kszphy_probe(), so the clock
+will automatically be disabled when the device is unbound from the bus.
+Therefore, this could cause the clock to be disabled twice, resulting
+in clk driver warnings.
+
+For example, this issue can be reproduced on i.MX6ULL platform, and we
+can see the following logs when removing the FEC MAC drivers.
+
+$ echo 2188000.ethernet > /sys/bus/platform/drivers/fec/unbind
+$ echo 20b4000.ethernet > /sys/bus/platform/drivers/fec/unbind
+[  109.758207] ------------[ cut here ]------------
+[  109.758240] WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0xb4/0xd0, CPU#0: sh/639
+[  109.771011] enet2_ref already disabled
+[  109.793359] Call trace:
+[  109.822006]  clk_core_disable from clk_disable+0x28/0x34
+[  109.827340]  clk_disable from clk_disable_unprepare+0xc/0x18
+[  109.833029]  clk_disable_unprepare from devm_clk_release+0x1c/0x28
+[  109.839241]  devm_clk_release from devres_release_all+0x98/0x100
+[  109.845278]  devres_release_all from device_unbind_cleanup+0xc/0x70
+[  109.851571]  device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
+[  109.859170]  device_release_driver_internal from bus_remove_device+0xbc/0xe4
+[  109.866243]  bus_remove_device from device_del+0x140/0x458
+[  109.871757]  device_del from phy_mdio_device_remove+0xc/0x24
+[  109.877452]  phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
+[  109.883918]  mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
+[  109.890125]  fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
+[  109.896076]  fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
+[  109.962748] WARNING: drivers/clk/clk.c:1047 at clk_core_unprepare+0xfc/0x13c, CPU#0: sh/639
+[  109.975805] enet2_ref already unprepared
+[  110.002866] Call trace:
+[  110.031758]  clk_core_unprepare from clk_unprepare+0x24/0x2c
+[  110.037440]  clk_unprepare from devm_clk_release+0x1c/0x28
+[  110.042957]  devm_clk_release from devres_release_all+0x98/0x100
+[  110.048989]  devres_release_all from device_unbind_cleanup+0xc/0x70
+[  110.055280]  device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
+[  110.062877]  device_release_driver_internal from bus_remove_device+0xbc/0xe4
+[  110.069950]  bus_remove_device from device_del+0x140/0x458
+[  110.075469]  device_del from phy_mdio_device_remove+0xc/0x24
+[  110.081165]  phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
+[  110.087632]  mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
+[  110.093836]  fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
+[  110.099782]  fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
+
+After analyzing the process of removing the FEC driver, as shown below,
+it can be seen that the clock was disabled twice by the PHY driver.
+
+fec_drv_remove()
+  --> fec_enet_close()
+    --> phy_stop()
+      --> phy_suspend()
+        --> kszphy_suspend() #1 The clock is disabled
+  --> fec_enet_mii_remove()
+    --> mdiobus_unregister()
+      --> phy_mdio_device_remove()
+        --> device_del()
+          --> devm_clk_release() #2 The clock is disabled again
+
+Therefore, devm_clk_get_optional() is used to fix the above issue. And
+to avoid the issue mentioned by the commit 985329462723 ("net: phy:
+micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the
+clock is enabled by clk_prepare_enable() to get the correct clock rate.
+
+Fixes: 25c6a5ab151f ("net: phy: micrel: Dynamically control external clock of KSZ PHY")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260126081544.983517-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 5e5a5010932c1..f0c068075322f 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -2268,11 +2268,21 @@ static int kszphy_probe(struct phy_device *phydev)
+       kszphy_parse_led_mode(phydev);
+-      clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, "rmii-ref");
++      clk = devm_clk_get_optional(&phydev->mdio.dev, "rmii-ref");
+       /* NOTE: clk may be NULL if building without CONFIG_HAVE_CLK */
+       if (!IS_ERR_OR_NULL(clk)) {
+-              unsigned long rate = clk_get_rate(clk);
+               bool rmii_ref_clk_sel_25_mhz;
++              unsigned long rate;
++              int err;
++
++              err = clk_prepare_enable(clk);
++              if (err) {
++                      phydev_err(phydev, "Failed to enable rmii-ref clock\n");
++                      return err;
++              }
++
++              rate = clk_get_rate(clk);
++              clk_disable_unprepare(clk);
+               if (type)
+                       priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel;
+@@ -2290,13 +2300,12 @@ static int kszphy_probe(struct phy_device *phydev)
+               }
+       } else if (!clk) {
+               /* unnamed clock from the generic ethernet-phy binding */
+-              clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, NULL);
++              clk = devm_clk_get_optional(&phydev->mdio.dev, NULL);
+       }
+       if (IS_ERR(clk))
+               return PTR_ERR(clk);
+-      clk_disable_unprepare(clk);
+       priv->clk = clk;
+       if (ksz8041_fiber_mode(phydev))
+-- 
+2.51.0
+
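Review bot: The new enable/read/disable sequence in kszphy_probe() leaves `priv->clk` disabled on return, and no comment records that, although the fix depends on it. A comment above `clk_prepare_enable(clk)` such as `/* Enable only to read the rate; suspend/resume own the enable count from here on. */` would keep a later change from reintroducing a devm-managed enable. The error message could also carry the code: `phydev_err(phydev, "Failed to enable rmii-ref clock: %d\n", err);`. kszphy_probe() starts and ends outside the hunks.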
diff --git a/queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.12/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644 (file)
index 0000000..4d1d2fc
--- /dev/null
@@ -0,0 +1,83 @@
+From aa1be734c05f9a94a73c424dfa9fb74231d8d1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 01:04:01 +0800
+Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
+
+When receiving data in the DPMAIF RX path,
+the t7xx_dpmaif_set_frag_to_skb() function adds
+page fragments to an skb without checking if the number of
+fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
+in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
+potentially causing kernel crashes or other undefined behavior.
+
+This issue was identified through static code analysis by comparing with a
+similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
+fix array overflow on receiving too many fragments for a packet").
+
+The vulnerability could be triggered if the modem firmware sends packets
+with excessive fragments. While under normal protocol conditions (MTU 3080
+bytes, BAT buffer 3584 bytes),
+a single packet should not require additional
+fragments, the kernel should not blindly trust firmware behavior.
+Malicious, buggy, or compromised firmware could potentially craft packets
+with more fragments than the kernel expects.
+
+Fix this by adding a bounds check before calling skb_add_rx_frag() to
+ensure nr_frags does not exceed MAX_SKB_FRAGS.
+
+The check must be performed before unmapping to avoid a page leak
+and double DMA unmap during device teardown.
+
+Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+index 7a9c09cd4fdcf..6b0df637afeb8 100644
+--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+@@ -394,6 +394,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+                                      struct sk_buff *skb)
+ {
+       unsigned long long data_bus_addr, data_base_addr;
++      struct skb_shared_info *shinfo = skb_shinfo(skb);
+       struct device *dev = rxq->dpmaif_ctrl->dev;
+       struct dpmaif_bat_page *page_info;
+       unsigned int data_len;
+@@ -401,18 +402,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+       page_info = rxq->bat_frag->bat_skb;
+       page_info += t7xx_normal_pit_bid(pkt_info);
+-      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
+       if (!page_info->page)
+               return -EINVAL;
++      if (shinfo->nr_frags >= MAX_SKB_FRAGS)
++              return -EINVAL;
++
++      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
++
+       data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
+       data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
+       data_base_addr = page_info->data_bus_addr;
+       data_offset = data_bus_addr - data_base_addr;
+       data_offset += page_info->offset;
+       data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
+-      skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page,
++      skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page,
+                       data_offset, data_len, page_info->data_len);
+       page_info->page = NULL;
+-- 
+2.51.0
+
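Review bot: The added `nr_frags` check in t7xx_dpmaif_set_frag_to_skb() bounds the fragment count, but `data_offset` and `data_len` passed to `skb_add_rx_frag()` are still derived from device-supplied `pkt_info` fields with no range check visible in the hunk. Since the description says firmware must not be trusted, the address delta and length should be compared against `page_info->data_len` before the fragment is attached, for example `if (data_bus_addr < data_base_addr || data_bus_addr - data_base_addr + data_len > page_info->data_len) return -EINVAL;`. Like the new check, that rejection belongs before `dma_unmap_page()` so the page is not left unmapped while still owned by `page_info`. Whether the `t7xx_normal_pit_bid()` index into `bat_skb` is validated by the caller is not visible here, and the function continues past the hunk.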
diff --git a/queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.12/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..7a00ed1
--- /dev/null
@@ -0,0 +1,167 @@
+From 83bd7526794c50bf111c999bd5fb9d9937877d85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index e2680a3bef799..b652323bc2c12 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 18be13fb9b75a..ced99d2a90cc1 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
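Review bot: The enqueue in nfc_llcp_send_ui_frame() switches from `skb_queue_tail()`, which takes `tx_queue.lock` with interrupts saved, to a plain `spin_lock()` plus `__skb_queue_tail()`, and nfc_llcp_remove_local() also takes the lock with plain `spin_lock()`. That is only safe if nothing acquires `local->tx_queue.lock` from softirq or hardirq context, which these hunks do not show; either a comment stating that the queue is process-context only or `spin_lock_irqsave()` would settle it. The nesting `llcp_devices_lock` → `tx_queue.lock` introduced in llcp_core.c should be documented next to the lock so that no path takes them in the other order. Other producers that append to `local->tx_queue` are outside this diff and presumably still lack the `list_empty(&local->list)` check.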
diff --git a/queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.12/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..c035f8c
--- /dev/null
@@ -0,0 +1,197 @@
+From 6f1b98539bc62f244404ac253cdc6eb7e24e64f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 3a3781838c672..473f58e646cc5 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index eebe9b511e0ed..96dc0e6786013 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               del_timer_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index f456a5911e7d1..1bdaf680b488c 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1292,6 +1292,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1309,7 +1311,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
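Review bot: The kernel-doc for the two new exported helpers in net/nfc/core.c does not state the ordering contract that motivates the split. nfc_unregister_rfkill() should say that it must be called before nfc_remove_device() and that the device stays registered in the NFC subsystem afterwards, and nfc_remove_device() should say that rfkill must already be unregistered. The summary line would read better as `nfc_unregister_rfkill - remove an NFC device from the rfkill subsystem`. Part of nfc_unregister_rfkill()'s body lies between the hunks, so whether a second call is harmless is not visible; if drivers other than NCI may call it, that should be documented too.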
diff --git a/queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.12/octeon_ep-fix-memory-leak-in-octep_device_setup.patch
new file mode 100644 (file)
index 0000000..61e7ca9
--- /dev/null
@@ -0,0 +1,46 @@
+From aca0974b8184986ff649ee2ff2c0814f61d76626 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 13:05:51 +0000
+Subject: octeon_ep: Fix memory leak in octep_device_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
+
+In octep_device_setup(), if octep_ctrl_net_init() fails, the function
+returns directly without unmapping the mapped resources and freeing the
+allocated configuration memory.
+
+Fix this by jumping to the unsupported_dev label, which performs the
+necessary cleanup. This aligns with the error handling logic of other
+paths in this function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index 1b2f5cae06449..449c55c09b4a5 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -1283,7 +1283,7 @@ int octep_device_setup(struct octep_device *oct)
+       ret = octep_ctrl_net_init(oct);
+       if (ret)
+-              return ret;
++              goto unsupported_dev;
+       INIT_WORK(&oct->tx_timeout_task, octep_tx_timeout_task);
+       INIT_WORK(&oct->ctrl_mbox_task, octep_ctrl_mbox_task);
+-- 
+2.51.0
+
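Review bot: In the octep_device_setup() hunk, the new `goto unsupported_dev;` sends a control-net init failure to a label whose name describes a different condition, so a reader has to open the label to learn it is the general unwind path. A short comment at the jump would help, for example `/* unsupported_dev also unmaps the resources and frees the config */`. The label body and the rest of the function are outside the hunk, so it is worth confirming that everything the label releases has already been set up when octep_ctrl_net_init() fails; the commit message says the change was compile tested only.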
diff --git a/queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.12/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..5aa0184
--- /dev/null
@@ -0,0 +1,56 @@
+From 9cc1411c6823f1f70738ad20763b076b5743ae01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index fe0bf1d3217af..23b20d5fd0168 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1524,9 +1524,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
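Review bot: rocker_world_port_post_fini() now always frees `rocker_port->wpriv` but leaves the pointer holding the freed address. Whether the port structure outlives this call is not visible here; if it does, a later access or a second fini would touch freed memory instead of failing cleanly. Adding `rocker_port->wpriv = NULL;` after the `kfree()` makes a repeated call harmless, since kfree(NULL) is a no-op.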
diff --git a/queue-6.12/series b/queue-6.12/series
new file mode 100644 (file)
index 0000000..3e110db
--- /dev/null
@@ -0,0 +1,23 @@
+can-at91_can-fix-memory-leak-in-at91_can_probe.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
+octeon_ep-fix-memory-leak-in-octep_device_setup.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
+net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
+net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch
+net-mlx5-initialize-events-outside-devlink-lock.patch
+net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
+net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
diff --git a/queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.18/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..c915832
--- /dev/null
@@ -0,0 +1,73 @@
+From 6d895a67bd58f26c8ee18139db78a0312c7d41a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index d0adae3267b41..2b28515de92c4 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -685,6 +685,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -712,8 +714,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
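Review bot: In hci_uart_register_dev(), HCI_UART_PROTO_INIT is now set as soon as proto->open() succeeds, but the function continues past the hunk and the error return shown in hci_uart_set_proto() does not clear the flag. If a later step in hci_uart_register_dev() can fail and undo open() (presumably the device registration, which is outside the hunk), the flag would stay set while hu->priv is gone, which is the state this fix is meant to rule out. It is worth checking that any such path runs `clear_bit(HCI_UART_PROTO_INIT, &hu->flags);` before the protocol is closed, under whatever locking the wakeup path expects.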
diff --git a/queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch b/queue-6.18/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
new file mode 100644 (file)
index 0000000..81e78b9
--- /dev/null
@@ -0,0 +1,63 @@
+From da26a089bfe76cdf345a60b4582800cada6deb3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 13:29:26 +0800
+Subject: Bluetooth: MGMT: Fix memory leak in set_ssp_complete
+
+From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+
+[ Upstream commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 ]
+
+Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
+are not freed after being removed from the pending list.
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
+mgmt_pending_foreach() calls with individual command handling but missed
+adding mgmt_pending_free() calls in both error and success paths of
+set_ssp_complete(). Other completion functions like set_le_complete()
+were fixed correctly in the same commit.
+
+This causes a memory leak of the mgmt_pending_cmd structure and its
+associated parameter data for each SSP command that completes.
+
+Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
+the memory leak. Also fix the same issue in set_advertising_complete().
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 211951eb832af..ee2dd26b1b82b 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1954,6 +1954,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
+               }
+               mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
++              mgmt_pending_free(cmd);
+               return;
+       }
+@@ -1972,6 +1973,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
+               sock_put(match.sk);
+       hci_update_eir_sync(hdev);
++      mgmt_pending_free(cmd);
+ }
+ static int set_ssp_sync(struct hci_dev *hdev, void *data)
+@@ -6356,6 +6358,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
+               hci_dev_clear_flag(hdev, HCI_ADVERTISING);
+       settings_rsp(cmd, &match);
++      mgmt_pending_free(cmd);
+       new_settings(hdev, match.sk);
+-- 
+2.51.0
+
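Review bot: In set_advertising_complete(), `match.sk` is passed to new_settings() after the added `mgmt_pending_free(cmd)`, so the socket must not depend on cmd's lifetime. The `sock_put(match.sk)` visible in the set_ssp_complete() hunk suggests settings_rsp() takes its own reference, but that helper is not part of the diff. A one-line comment would record the assumption: `/* match.sk carries its own ref from settings_rsp(); cmd is no longer needed */`. Both functions start and end outside their hunks, so any other exit taken after the command leaves the pending list would need the same free.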
diff --git a/queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.18/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644 (file)
index 0000000..0a76991
--- /dev/null
@@ -0,0 +1,178 @@
+From ab1cd047893bd06cae3c864673ce615ad01bc176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:29:14 +0000
+Subject: bonding: annotate data-races around slave->last_rx
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
+
+slave->last_rx and slave->target_last_arp_rx[...] can be read and written
+locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+...
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+  br_netif_receive_skb net/bridge/br_input.c:30 [inline]
+  NF_HOOK include/linux/netfilter.h:318 [inline]
+...
+
+value changed: 0x0000000100005365 -> 0x0000000100005366
+
+Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c    | 18 ++++++++++--------
+ drivers/net/bonding/bond_options.c |  8 ++++----
+ include/net/bonding.h              | 13 +++++++------
+ 3 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 595fda2444b1f..99adfffcca044 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3138,8 +3138,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32
+                          __func__, &sip);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3358,8 +3358,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave,
+                         __func__, saddr);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3429,7 +3429,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
+                   (slave_do_arp_validate_only(bond) && is_ipv6) ||
+ #endif
+                   !slave_do_arp_validate_only(bond))
+-                      slave->last_rx = jiffies;
++                      WRITE_ONCE(slave->last_rx, jiffies);
+               return RX_HANDLER_ANOTHER;
+       } else if (is_arp) {
+               return bond_arp_rcv(skb, bond, slave);
+@@ -3497,7 +3497,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, last_tx, 1) &&
+-                          bond_time_in_interval(bond, slave->last_rx, 1)) {
++                          bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) {
+                               bond_propose_link_state(slave, BOND_LINK_UP);
+                               slave_state_changed = 1;
+@@ -3521,8 +3521,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+                        * when the source ip is 0, so don't take the link down
+                        * if we don't know our ip yet
+                        */
+-                      if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) ||
+-                          !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) {
++                      if (!bond_time_in_interval(bond, last_tx,
++                                                 bond->params.missed_max) ||
++                          !bond_time_in_interval(bond, READ_ONCE(slave->last_rx),
++                                                 bond->params.missed_max)) {
+                               bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               slave_state_changed = 1;
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index 384499c869b8d..f1c6e9d8f6167 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1152,7 +1152,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) {
+               bond_for_each_slave(bond, slave, iter)
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+               targets[slot] = target;
+       }
+ }
+@@ -1221,8 +1221,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target)
+       bond_for_each_slave(bond, slave, iter) {
+               targets_rx = slave->target_last_arp_rx;
+               for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+-                      targets_rx[i] = targets_rx[i+1];
+-              targets_rx[i] = 0;
++                      WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]));
++              WRITE_ONCE(targets_rx[i], 0);
+       }
+       for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+               targets[i] = targets[i+1];
+@@ -1377,7 +1377,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_NS_TARGETS) {
+               bond_for_each_slave(bond, slave, iter) {
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+                       slave_set_ns_maddr(bond, slave, target, &targets[slot]);
+               }
+               targets[slot] = *target;
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 49edc7da05867..4620784035570 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -521,13 +521,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr)
+ static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond,
+                                                      struct slave *slave)
+ {
++      unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]);
+       int i = 1;
+-      unsigned long ret = slave->target_last_arp_rx[0];
+-
+-      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++)
+-              if (time_before(slave->target_last_arp_rx[i], ret))
+-                      ret = slave->target_last_arp_rx[i];
++      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) {
++              tmp = READ_ONCE(slave->target_last_arp_rx[i]);
++              if (time_before(tmp, ret))
++                      ret = tmp;
++      }
+       return ret;
+ }
+@@ -537,7 +538,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond,
+       if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL)
+               return slave_oldest_target_arp_rx(bond, slave);
+-      return slave->last_rx;
++      return READ_ONCE(slave->last_rx);
+ }
+ static inline void slave_update_last_tx(struct slave *slave)
+-- 
+2.51.0
+
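Review bot: In slave_oldest_target_arp_rx() the timestamps are now read with READ_ONCE(), but the loop bound still reads `bond->params.arp_targets[i]` plainly, and bond_option_arp_ip_target_rem() still shifts that array with the plain store `targets[i] = targets[i+1];`. If the reader can run without the lock that serialises option changes, as the commit message implies for the timestamps, the same pairing would apply: `READ_ONCE(bond->params.arp_targets[i])` in the loop condition and `WRITE_ONCE(targets[i], targets[i+1]);` in the remove path. The annotations also do not make the multi-slot shift atomic, so a concurrent reader can observe a half-shifted array; a comment in bond_option_arp_ip_target_rem() saying that a stale timestamp is acceptable there would make this explicit.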
diff --git a/queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch b/queue-6.18/bonding-fix-use-after-free-due-to-enslave-fail-after.patch
new file mode 100644 (file)
index 0000000..b5c024c
--- /dev/null
@@ -0,0 +1,105 @@
+From 59abd1d5be0e5776ba142116c9e53107296af41a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 14:06:59 +0200
+Subject: bonding: fix use-after-free due to enslave fail after slave array
+ update
+
+From: Nikolay Aleksandrov <razor@blackwall.org>
+
+[ Upstream commit e9acda52fd2ee0cdca332f996da7a95c5fd25294 ]
+
+Fix a use-after-free which happens due to enslave failure after the new
+slave has been added to the array. Since the new slave can be used for Tx
+immediately, we can use it after it has been freed by the enslave error
+cleanup path which frees the allocated slave memory. Slave update array is
+supposed to be called last when further enslave failures are not expected.
+Move it after xdp setup to avoid any problems.
+
+It is very easy to reproduce the problem with a simple xdp_pass prog:
+ ip l add bond1 type bond mode balance-xor
+ ip l set bond1 up
+ ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
+ ip l add dumdum type dummy
+
+Then run in parallel:
+ while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
+ mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
+
+The crash happens almost immediately:
+ [  605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
+ [  605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
+ [  605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G    B               6.19.0-rc6+ #21 PREEMPT(voluntary)
+ [  605.602979] Tainted: [B]=BAD_PAGE
+ [  605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ [  605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
+ [  605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
+ [  605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
+ [  605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
+ [  605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
+ [  605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
+ [  605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
+ [  605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
+ [  605.603286] FS:  00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
+ [  605.603319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [  605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
+ [  605.603373] Call Trace:
+ [  605.603392]  <TASK>
+ [  605.603410]  __dev_queue_xmit+0x448/0x32a0
+ [  605.603434]  ? __pfx_vprintk_emit+0x10/0x10
+ [  605.603461]  ? __pfx_vprintk_emit+0x10/0x10
+ [  605.603484]  ? __pfx___dev_queue_xmit+0x10/0x10
+ [  605.603507]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [  605.603546]  ? _printk+0xcb/0x100
+ [  605.603566]  ? __pfx__printk+0x10/0x10
+ [  605.603589]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [  605.603627]  ? add_taint+0x5e/0x70
+ [  605.603648]  ? add_taint+0x2a/0x70
+ [  605.603670]  ? end_report.cold+0x51/0x75
+ [  605.603693]  ? bond_start_xmit+0xbfb/0xc20 [bonding]
+ [  605.603731]  bond_start_xmit+0x623/0xc20 [bonding]
+
+Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver")
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reported-by: Chen Zhen <chenzhen126@huawei.com>
+Closes: https://lore.kernel.org/netdev/fae17c21-4940-5605-85b2-1d5e17342358@huawei.com/
+CC: Jussi Maki <joamaki@gmail.com>
+CC: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://patch.msgid.link/20260123120659.571187-1-razor@blackwall.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 99adfffcca044..51733fb29bd77 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2293,11 +2293,6 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+               unblock_netpoll_tx();
+       }
+-      /* broadcast mode uses the all_slaves to loop through slaves. */
+-      if (bond_mode_can_use_xmit_hash(bond) ||
+-          BOND_MODE(bond) == BOND_MODE_BROADCAST)
+-              bond_update_slave_arr(bond, NULL);
+-
+       if (!slave_dev->netdev_ops->ndo_bpf ||
+           !slave_dev->netdev_ops->ndo_xdp_xmit) {
+               if (bond->xdp_prog) {
+@@ -2331,6 +2326,11 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+                       bpf_prog_inc(bond->xdp_prog);
+       }
++      /* broadcast mode uses the all_slaves to loop through slaves. */
++      if (bond_mode_can_use_xmit_hash(bond) ||
++          BOND_MODE(bond) == BOND_MODE_BROADCAST)
++              bond_update_slave_arr(bond, NULL);
++
+       bond_xdp_set_features(bond_dev);
+       slave_info(bond_dev, slave_dev, "Enslaving as %s interface with %s link\n",
+-- 
+2.51.0
+
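Review bot: The block moved in bond_enslave() keeps its old comment, which explains the broadcast case but not the ordering rule this fix depends on, so a later patch could add a failing step below it and reintroduce the use-after-free. I would extend the comment along these lines: `/* Must come after every step that can fail: once the array is updated the slave can be picked for Tx, and the error path frees it. */`. The function continues outside the hunk, so it is worth confirming that nothing after `bond_update_slave_arr()` can still jump to the error unwinding.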
diff --git a/queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch b/queue-6.18/btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch
new file mode 100644 (file)
index 0000000..b81f73d
--- /dev/null
@@ -0,0 +1,55 @@
+From 7e113818fd2955204a517331255e0957a5912b73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jan 2026 16:24:04 +1030
+Subject: btrfs: zlib: fix the folio leak on S390 hardware acceleration
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 0d0f1314e8f86f5205f71f9e31e272a1d008e40b ]
+
+[BUG]
+After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration
+buffer preparation"), we no longer release the folio of the page cache
+of folio returned by btrfs_compress_filemap_get_folio() for S390
+hardware acceleration path.
+
+[CAUSE]
+Before that commit, we call kumap_local() and folio_put() after handling
+each folio.
+
+Although the timing is not ideal (it release previous folio at the
+beginning of the loop, and rely on some extra cleanup out of the loop),
+it at least handles the folio release correctly.
+
+Meanwhile the refactored code is easier to read, it lacks the call to
+release the filemap folio.
+
+[FIX]
+Add the missing folio_put() for copy_data_into_buffer().
+
+CC: linux-s390@vger.kernel.org # 6.18+
+Fixes: aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/zlib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/zlib.c b/fs/btrfs/zlib.c
+index 6caba8be7c845..10ed48d4a8466 100644
+--- a/fs/btrfs/zlib.c
++++ b/fs/btrfs/zlib.c
+@@ -139,6 +139,7 @@ static int copy_data_into_buffer(struct address_space *mapping,
+               data_in = kmap_local_folio(folio, offset);
+               memcpy(workspace->buf + cur - filepos, data_in, copy_length);
+               kunmap_local(data_in);
++              folio_put(folio);
+               cur += copy_length;
+       }
+       return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch b/queue-6.18/can-at91_can-fix-memory-leak-in-at91_can_probe.patch
new file mode 100644 (file)
index 0000000..ccbf35f
--- /dev/null
@@ -0,0 +1,45 @@
+From 804ea02ee94cf12bbc5fcf6d792a7b1e2a09739b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 11:41:28 +0000
+Subject: can: at91_can: Fix memory leak in at91_can_probe()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0baa4d3170d72a2a8dc93bf729d6d04ad113dc72 ]
+
+In at91_can_probe(), the dev structure is allocated via alloc_candev().
+However, if the subsequent call to devm_phy_optional_get() fails, the
+code jumps directly to exit_iounmap, missing the call to free_candev().
+This results in a memory leak of the allocated net_device structure.
+
+Fix this by jumping to the exit_free label instead, which ensures that
+free_candev() is called to properly release the memory.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 3ecc09856afb ("can: at91_can: add CAN transceiver support")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://patch.msgid.link/20260122114128.643752-1-zilin@seu.edu.cn
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/at91_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
+index 191707d7e3dac..d6dcb2be56342 100644
+--- a/drivers/net/can/at91_can.c
++++ b/drivers/net/can/at91_can.c
+@@ -1100,7 +1100,7 @@ static int at91_can_probe(struct platform_device *pdev)
+       if (IS_ERR(transceiver)) {
+               err = PTR_ERR(transceiver);
+               dev_err_probe(&pdev->dev, err, "failed to get phy\n");
+-              goto exit_iounmap;
++              goto exit_free;
+       }
+       dev->netdev_ops = &at91_netdev_ops;
+-- 
+2.51.0
+
diff --git a/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.18/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644 (file)
index 0000000..2b080b6
--- /dev/null
@@ -0,0 +1,52 @@
+From ab6b05879531f990a48f65d560fa5936dc0ab73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index fd7fb21b10989..861b583935225 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -610,7 +610,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+       struct gs_usb *parent = urb->context;
+       struct gs_can *dev;
+-      struct net_device *netdev;
++      struct net_device *netdev = NULL;
+       int rc;
+       struct net_device_stats *stats;
+       struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -768,7 +768,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+               }
+       } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+               netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+-                          ERR_PTR(urb->status));
++                          ERR_PTR(rc));
+       }
+ }
+-- 
+2.51.0
+
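Review bot: With `netdev` initialised to NULL, the `netdev_info()` at the end of gs_usb_receive_bulk_callback() is now deliberately reachable with a NULL device on the short-read path described in the commit message. That depends on the netdev print helpers tolerating a NULL net_device, and the resulting log line carries no device identity. A comment on the declaration would make the intent clear, for example `/* stays NULL if we bail out before the channel is known */`. If identifying the adapter matters in that case, logging against the parent USB device would be an alternative. Most of the function body is outside the two hunks.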
diff --git a/queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch b/queue-6.18/ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
new file mode 100644 (file)
index 0000000..08822af
--- /dev/null
@@ -0,0 +1,96 @@
+From 32355b2d35f195b355cf4821db437c1ad1f3d835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 14:21:21 +0800
+Subject: ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
+
+From: Aaron Ma <aaron.ma@canonical.com>
+
+[ Upstream commit 9bb30be4d89ff9a8d7ab1aa0eb2edaca83431f85 ]
+
+Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes
+during resume from suspend when rings[q_idx]->q_vector is NULL.
+
+Tested adaptor:
+60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
+        Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]
+
+SR-IOV state: both disabled and enabled can reproduce this issue.
+
+kernel version: v6.18
+
+Reproduce steps:
+Boot up and execute suspend like systemctl suspend or rtcwake.
+
+Log:
+<1>[  231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
+<1>[  231.444052] #PF: supervisor read access in kernel mode
+<1>[  231.444484] #PF: error_code(0x0000) - not-present page
+<6>[  231.444913] PGD 0 P4D 0
+<4>[  231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
+<4>[  231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
+<4>[  231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
+<4>[  231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
+<4>[  231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
+<4>[  231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
+<4>[  231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
+<4>[  231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
+<4>[  231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
+<4>[  231.450265] FS:  00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
+<4>[  231.450715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[  231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
+<4>[  231.451629] PKRU: 55555554
+<4>[  231.452076] Call Trace:
+<4>[  231.452549]  <TASK>
+<4>[  231.452996]  ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
+<4>[  231.453482]  ice_resume+0xfd/0x220 [ice]
+<4>[  231.453977]  ? __pfx_pci_pm_resume+0x10/0x10
+<4>[  231.454425]  pci_pm_resume+0x8c/0x140
+<4>[  231.454872]  ? __pfx_pci_pm_resume+0x10/0x10
+<4>[  231.455347]  dpm_run_callback+0x5f/0x160
+<4>[  231.455796]  ? dpm_wait_for_superior+0x107/0x170
+<4>[  231.456244]  device_resume+0x177/0x270
+<4>[  231.456708]  dpm_resume+0x209/0x2f0
+<4>[  231.457151]  dpm_resume_end+0x15/0x30
+<4>[  231.457596]  suspend_devices_and_enter+0x1da/0x2b0
+<4>[  231.458054]  enter_state+0x10e/0x570
+
+Add defensive checks for both the ring pointer and its q_vector
+before dereferencing, allowing the system to resume successfully even when
+q_vectors are unmapped.
+
+Fixes: 2a5dc090b92cf ("ice: move netif_queue_set_napi to rtnl-protected sections")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Aaron Ma <aaron.ma@canonical.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 5a3e7d6697325..3d14932871c58 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2784,12 +2784,14 @@ void ice_vsi_set_napi_queues(struct ice_vsi *vsi)
+               return;
+       ice_for_each_rxq(vsi, q_idx)
+-              netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
+-                                   &vsi->rx_rings[q_idx]->q_vector->napi);
++              if (vsi->rx_rings[q_idx] && vsi->rx_rings[q_idx]->q_vector)
++                      netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_RX,
++                                           &vsi->rx_rings[q_idx]->q_vector->napi);
+       ice_for_each_txq(vsi, q_idx)
+-              netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
+-                                   &vsi->tx_rings[q_idx]->q_vector->napi);
++              if (vsi->tx_rings[q_idx] && vsi->tx_rings[q_idx]->q_vector)
++                      netif_queue_set_napi(netdev, q_idx, NETDEV_QUEUE_TYPE_TX,
++                                           &vsi->tx_rings[q_idx]->q_vector->napi);
+       /* Also set the interrupt number for the NAPI */
+       ice_for_each_q_vector(vsi, v_idx) {
+               struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
+-- 
+2.51.0
+
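Review bot: The two NULL guards added in ice_vsi_set_napi_queues() skip a queue silently, so a ring that comes back from resume without a q_vector presumably ends up with no NAPI association and nothing records it. A comment above the Rx loop, such as `/* q_vector may be unmapped on resume; skip instead of dereferencing NULL */`, would say why the check exists and that skipping is intended. Each `ice_for_each_rxq` / `ice_for_each_txq` body is now a three-line `if` with no braces around it, which kernel style asks to brace. The function starts and ends outside the hunk.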
diff --git a/queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.18/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..99345f0
--- /dev/null
@@ -0,0 +1,62 @@
+From f8b0c509efd78a3079b308d8a1519e00d6ee3e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index fc284802e2bcd..b5ebfcdc9d434 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -6993,7 +6993,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+               cur_ns->rx_errors = pf->stats.crc_errors +
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.18/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644 (file)
index 0000000..0488d65
--- /dev/null
@@ -0,0 +1,52 @@
+From 4d486e66a41f15b07a01e0b6f87889891e7343d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index 56c974cf75d15..cf6455cbe2cc9 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -769,7 +769,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
+       fl6.daddr = ipv6_hdr(skb)->saddr;
+       if (saddr)
+               fl6.saddr = *saddr;
+-      fl6.flowi6_oif = icmp6_iif(skb);
++      fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++                       skb->dev->ifindex :
++                       icmp6_iif(skb);
+       fl6.fl6_icmp_type = type;
+       fl6.flowi6_mark = mark;
+       fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
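Review bot: The new ternary for `fl6.flowi6_oif` in icmpv6_echo_reply() keys on `fl6.daddr`, which two lines earlier was copied from the request's source address, and nothing says why a loopback source makes the receiving device the right output interface. It appears to rely on the receive path having already discarded ::1-sourced packets that arrive on a non-loopback device. Once that is confirmed, a one-line comment such as `/* ::1 as source is only accepted on lo, so reply via the ingress device */` would make the assumption reviewable. The function body continues outside the hunk.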
diff --git a/queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch b/queue-6.18/ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch
new file mode 100644 (file)
index 0000000..fa9c3bb
--- /dev/null
@@ -0,0 +1,54 @@
+From fbe5570ca175c2869d3d7aa2131d74e110f1ae9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 18:15:32 +0900
+Subject: ixgbe: don't initialize aci lock in ixgbe_recovery_probe()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 100cf7b4ca6ed770ec4287f3789b1da2e340a05a ]
+
+hw->aci.lock is already initialized in ixgbe_sw_init(), so
+ixgbe_recovery_probe() doesn't need to initialize the lock. This
+function is also not responsible for destroying the lock on failures.
+
+Additionally, change the name of label in accordance with this change.
+
+Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode")
+Reported-by: Simon Horman <horms@kernel.org>
+Closes: https://lore.kernel.org/intel-wired-lan/aTcFhoH-z2btEKT-@horms.kernel.org/
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index ee1007e9b6355..3edebca958307 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11476,10 +11476,9 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+               return err;
+       ixgbe_get_hw_control(adapter);
+-      mutex_init(&hw->aci.lock);
+       err = ixgbe_get_flash_data(&adapter->hw);
+       if (err)
+-              goto shutdown_aci;
++              goto err_release_hw_control;
+       timer_setup(&adapter->service_timer, ixgbe_service_timer, 0);
+       INIT_WORK(&adapter->service_task, ixgbe_recovery_service_task);
+@@ -11502,8 +11501,7 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+       devl_unlock(adapter->devlink);
+       return 0;
+-shutdown_aci:
+-      mutex_destroy(&adapter->hw.aci.lock);
++err_release_hw_control:
+       ixgbe_release_hw_control(adapter);
+       return err;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch b/queue-6.18/ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch
new file mode 100644 (file)
index 0000000..687ce76
--- /dev/null
@@ -0,0 +1,87 @@
+From 9be5e2deabb98fface0252ea29ab5cdfec487dba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 18:15:31 +0900
+Subject: ixgbe: fix memory leaks in the ixgbe_recovery_probe() path
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 638344712aefeba97b6e0d90f560815fd88abd0f ]
+
+When ixgbe_recovery_probe() is invoked and this function fails,
+allocated resources in advance are not completely freed, because
+ixgbe_probe() returns ixgbe_recovery_probe() directly and
+ixgbe_recovery_probe() only frees partial resources, resulting in memory
+leaks including:
+- adapter->io_addr
+- adapter->jump_tables[0]
+- adapter->mac_table
+- adapter->rss_key
+- adapter->af_xdp_zc_qps
+
+The leaked MMIO region can be observed in /proc/vmallocinfo, and the
+remaining leaks are reported by kmemleak.
+
+Don't return ixgbe_recovery_probe() directly, and instead let
+ixgbe_probe() to clean up resources on failures.
+
+Fixes: 29cb3b8d95c7 ("ixgbe: add E610 implementation of FW recovery mode")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 20 ++++++++-----------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 3190ce7e44c74..ee1007e9b6355 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11468,14 +11468,12 @@ static void ixgbe_set_fw_version(struct ixgbe_adapter *adapter)
+  */
+ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ {
+-      struct net_device *netdev = adapter->netdev;
+       struct pci_dev *pdev = adapter->pdev;
+       struct ixgbe_hw *hw = &adapter->hw;
+-      bool disable_dev;
+       int err = -EIO;
+       if (hw->mac.type != ixgbe_mac_e610)
+-              goto clean_up_probe;
++              return err;
+       ixgbe_get_hw_control(adapter);
+       mutex_init(&hw->aci.lock);
+@@ -11507,13 +11505,6 @@ static int ixgbe_recovery_probe(struct ixgbe_adapter *adapter)
+ shutdown_aci:
+       mutex_destroy(&adapter->hw.aci.lock);
+       ixgbe_release_hw_control(adapter);
+-clean_up_probe:
+-      disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+-      free_netdev(netdev);
+-      devlink_free(adapter->devlink);
+-      pci_release_mem_regions(pdev);
+-      if (disable_dev)
+-              pci_disable_device(pdev);
+       return err;
+ }
+@@ -11655,8 +11646,13 @@ static int ixgbe_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       if (err)
+               goto err_sw_init;
+-      if (ixgbe_check_fw_error(adapter))
+-              return ixgbe_recovery_probe(adapter);
++      if (ixgbe_check_fw_error(adapter)) {
++              err = ixgbe_recovery_probe(adapter);
++              if (err)
++                      goto err_sw_init;
++
++              return 0;
++      }
+       if (adapter->hw.mac.type == ixgbe_mac_e610) {
+               err = ixgbe_get_caps(&adapter->hw);
+-- 
+2.51.0
+
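Review bot: The recovery branch added to ixgbe_probe() splits cleanup ownership between two functions and nothing in the code records it. ixgbe_recovery_probe() now undoes only what it took itself (the `shutdown_aci` label), and everything allocated earlier is left to `err_sw_init`. A comment on the branch, e.g. `/* recovery probe no longer frees netdev/devlink itself; unwind through the common path */`, and a matching line in the kernel-doc above ixgbe_recovery_probe() would keep a later edit from reintroducing either the leak or a double free. Whether `err_sw_init` releases all five allocations listed in the commit message cannot be checked here, because that label lies outside the hunk.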
diff --git a/queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch b/queue-6.18/mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
new file mode 100644 (file)
index 0000000..a578726
--- /dev/null
@@ -0,0 +1,72 @@
+From a4261966354cf91abd8d526d681772bfe41a1de7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 11:59:18 +0100
+Subject: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d ]
+
+syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
+and/or mptcp_pm_nl_is_backup()
+
+Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
+which is not RCU ready.
+
+list_splice_init_rcu() can not be called here while holding pernet->lock
+spinlock.
+
+Many thanks to Eulgyu Kim for providing a repro and testing our patches.
+
+Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/611
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_kernel.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/pm_kernel.c b/net/mptcp/pm_kernel.c
+index 0a50fd5edc06d..1b517a81e0299 100644
+--- a/net/mptcp/pm_kernel.c
++++ b/net/mptcp/pm_kernel.c
+@@ -1276,16 +1276,26 @@ static void __reset_counters(struct pm_nl_pernet *pernet)
+ int mptcp_pm_nl_flush_addrs_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+       struct pm_nl_pernet *pernet = genl_info_pm_nl(info);
+-      LIST_HEAD(free_list);
++      struct list_head free_list;
+       spin_lock_bh(&pernet->lock);
+-      list_splice_init(&pernet->endp_list, &free_list);
++      free_list = pernet->endp_list;
++      INIT_LIST_HEAD_RCU(&pernet->endp_list);
+       __reset_counters(pernet);
+       pernet->next_id = 1;
+       bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
+       spin_unlock_bh(&pernet->lock);
+-      mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
++
++      if (free_list.next == &pernet->endp_list)
++              return 0;
++
+       synchronize_rcu();
++
++      /* Adjust the pointers to free_list instead of pernet->endp_list */
++      free_list.prev->next = &free_list;
++      free_list.next->prev = &free_list;
++
++      mptcp_nl_flush_addrs_list(sock_net(skb->sk), &free_list);
+       __flush_addrs(&free_list);
+       return 0;
+ }
+-- 
+2.51.0
+
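Review bot: The `synchronize_rcu()` in mptcp_pm_nl_flush_addrs_doit() now carries an ordering requirement that the one new comment does not state. Until it returns, the detached entries must keep ending at `pernet->endp_list`, so that readers still walking them terminate on the real list head; only afterwards may they be re-pointed at the on-stack `free_list`. I would say so above the call, e.g. `/* readers may still walk the old entries, which end at pernet->endp_list; wait before re-heading them */`, because moving the two fix-up lines above it would still compile and bring the race back. The `free_list.next == &pernet->endp_list` test is an open-coded emptiness check on a struct copy and deserves a short `/* list was empty */` as well.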
diff --git a/queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.18/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
new file mode 100644 (file)
index 0000000..2941a4a
--- /dev/null
@@ -0,0 +1,48 @@
+From 251a190efea59a816d136cb8c8e8992a69248d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 11:40:01 -0800
+Subject: net: bcmasp: fix early exit leak with fixed phy
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
+
+We are not deregistering the fixed phy link when hitting the early
+exit condition. Add the correct early exit sequence.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index b9973956c4809..ceb6c11431dd9 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1261,7 +1261,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+               netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n",
+                          phy_modes(intf->phy_interface), intf->port);
+               ret = -EINVAL;
+-              goto err_free_netdev;
++              goto err_deregister_fixed_link;
+       }
+       ret = of_get_ethdev_address(ndev_dn, ndev);
+@@ -1286,6 +1286,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+       return intf;
++err_deregister_fixed_link:
++      if (of_phy_is_fixed_link(ndev_dn))
++              of_phy_deregister_fixed_link(ndev_dn);
+ err_free_netdev:
+       free_netdev(ndev);
+ err:
+-- 
+2.51.0
+
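Review bot: The new `err_deregister_fixed_link` label in bcmasp_interface_create() decides whether to deregister by asking `of_phy_is_fixed_link(ndev_dn)` again rather than by knowing that registration succeeded, so it is correct only if every jump to it comes after a successful registration. This hunk switches only the invalid-PHY-mode path to it; any other `goto err_free_netdev` placed after the registration, outside the visible lines, would still leak the fixed link and should be checked. A comment on the label, `/* reached only after the fixed link, if any, was registered */`, would document the ordering. The function starts and ends outside the hunk.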
diff --git a/queue-6.18/net-bridge-fix-static-key-check.patch b/queue-6.18/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..f73baca
--- /dev/null
@@ -0,0 +1,40 @@
+From ab41fbe11b52999622e98c403a8e7463207b65db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index e355a15bf5ab1..1405f1061a549 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -274,7 +274,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.18/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..de98a1a
--- /dev/null
@@ -0,0 +1,46 @@
+From 7fe6886209eb51d8c1e394443dab596a4a984b0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 1c37098e09ea5..49a637829c594 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch b/queue-6.18/net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch
new file mode 100644 (file)
index 0000000..06706ee
--- /dev/null
@@ -0,0 +1,44 @@
+From 75d3e88b686dd59ee3e9df72aba5a02ff166eb32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 16:57:49 +0800
+Subject: net/mlx5: Fix return type mismatch in mlx5_esw_vport_vhca_id()
+
+From: Zeng Chi <zengchi@kylinos.cn>
+
+[ Upstream commit ca12c4a155ebf84e9ef29b05ce979bc89364290f ]
+
+The function mlx5_esw_vport_vhca_id() is declared to return bool,
+but returns -EOPNOTSUPP (-45), which is an int error code. This
+causes a signedness bug as reported by smatch.
+
+This patch fixes this smatch report:
+drivers/net/ethernet/mellanox/mlx5/core/eswitch.h:981 mlx5_esw_vport_vhca_id()
+warn: signedness bug returning '(-45)'
+
+Fixes: 1baf30426553 ("net/mlx5: E-Switch, Set/Query hca cap via vhca id")
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Zeng Chi <zengchi@kylinos.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260123085749.1401969-1-zeng_chi911@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index 16eb99aba2a7e..2d91f77b01601 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -1002,7 +1002,7 @@ mlx5_esw_host_functions_enabled(const struct mlx5_core_dev *dev)
+ static inline bool
+ mlx5_esw_vport_vhca_id(struct mlx5_eswitch *esw, u16 vportn, u16 *vhca_id)
+ {
+-      return -EOPNOTSUPP;
++      return false;
+ }
+ #endif /* CONFIG_MLX5_ESWITCH */
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch b/queue-6.18/net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
new file mode 100644 (file)
index 0000000..68a304e
--- /dev/null
@@ -0,0 +1,158 @@
+From 7e6b669e5049bed6936a052d5e37dc874e3c37cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:40 +0200
+Subject: net/mlx5: Fix vhca_id access call trace use before alloc
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit a8f930b7be7be3f18f14446df461e17137400407 ]
+
+HCA CAP structure is allocated in mlx5_hca_caps_alloc().
+mlx5_mdev_init()
+  mlx5_hca_caps_alloc()
+
+And HCA CAP is read from the device in mlx5_init_one().
+
+The vhca_id's debugfs file is published even before above two
+operations are done.
+Due to this when user reads the vhca id before the initialization,
+following call trace is observed.
+
+Fix this by deferring debugfs publication until the HCA CAP is
+allocated and read from the device.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000004
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 23 UID: 0 PID: 6605 Comm: cat Kdump: loaded Not tainted 6.18.0-rc7-sf+ #110 PREEMPT(full)
+Hardware name: Supermicro SYS-6028U-TR4+/X10DRU-i+, BIOS 2.0b 08/09/2016
+RIP: 0010:vhca_id_show+0x17/0x30 [mlx5_core]
+Code: cb 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 8b 47 70 48 c7 c6 45 f0 12 c1 48 8b 80 70 03 00 00 <8b> 50 04 0f ca 0f b7 d2 e8 8c 82 47 cb 31 c0 c3 cc cc cc cc 0f 1f
+RSP: 0018:ffffd37f4f337d40 EFLAGS: 00010203
+RAX: 0000000000000000 RBX: ffff8f18445c9b40 RCX: 0000000000000001
+RDX: ffff8f1109825180 RSI: ffffffffc112f045 RDI: ffff8f18445c9b40
+RBP: 0000000000000000 R08: 0000645eac0d2928 R09: 0000000000000006
+R10: ffffd37f4f337d48 R11: 0000000000000000 R12: ffffd37f4f337dd8
+R13: ffffd37f4f337db0 R14: ffff8f18445c9b68 R15: 0000000000000001
+FS:  00007f3eea099580(0000) GS:ffff8f2090f1f000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000004 CR3: 00000008b64e4006 CR4: 00000000003726f0
+Call Trace:
+ <TASK>
+ seq_read_iter+0x11f/0x4f0
+ ? _raw_spin_unlock+0x15/0x30
+ ? do_anonymous_page+0x104/0x810
+ seq_read+0xf6/0x120
+ ? srso_alias_untrain_ret+0x1/0x10
+ full_proxy_read+0x5c/0x90
+ vfs_read+0xad/0x320
+ ? handle_mm_fault+0x1ab/0x290
+ ksys_read+0x52/0xd0
+ do_syscall_64+0x61/0x11e0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: dd3dd7263cde ("net/mlx5: Expose vhca_id to debugfs")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/debugfs.c    | 16 ++++++++++++++++
+ drivers/net/ethernet/mellanox/mlx5/core/main.c   | 14 +++-----------
+ .../net/ethernet/mellanox/mlx5/core/mlx5_core.h  |  1 +
+ .../ethernet/mellanox/mlx5/core/sf/dev/driver.c  |  1 +
+ 4 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+index 36806e813c33c..1301c56e20d65 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+@@ -613,3 +613,19 @@ void mlx5_debug_cq_remove(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq)
+               cq->dbg = NULL;
+       }
+ }
++
++static int vhca_id_show(struct seq_file *file, void *priv)
++{
++      struct mlx5_core_dev *dev = file->private;
++
++      seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id));
++      return 0;
++}
++
++DEFINE_SHOW_ATTRIBUTE(vhca_id);
++
++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev)
++{
++      debugfs_create_file("vhca_id", 0400, dev->priv.dbg.dbg_root, dev,
++                          &vhca_id_fops);
++}
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 236cb1eb98c82..14c57d4372802 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1803,16 +1803,6 @@ static int mlx5_hca_caps_alloc(struct mlx5_core_dev *dev)
+       return -ENOMEM;
+ }
+-static int vhca_id_show(struct seq_file *file, void *priv)
+-{
+-      struct mlx5_core_dev *dev = file->private;
+-
+-      seq_printf(file, "0x%x\n", MLX5_CAP_GEN(dev, vhca_id));
+-      return 0;
+-}
+-
+-DEFINE_SHOW_ATTRIBUTE(vhca_id);
+-
+ static int mlx5_notifiers_init(struct mlx5_core_dev *dev)
+ {
+       int err;
+@@ -1855,7 +1845,7 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+       priv->numa_node = dev_to_node(mlx5_core_dma_dev(dev));
+       priv->dbg.dbg_root = debugfs_create_dir(dev_name(dev->device),
+                                               mlx5_debugfs_root);
+-      debugfs_create_file("vhca_id", 0400, priv->dbg.dbg_root, dev, &vhca_id_fops);
++
+       INIT_LIST_HEAD(&priv->traps);
+       err = mlx5_cmd_init(dev);
+@@ -1993,6 +1983,8 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+               goto err_init_one;
+       }
++      mlx5_vhca_debugfs_init(dev);
++
+       pci_save_state(pdev);
+       return 0;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+index 082259b56816c..da5345e19082d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+@@ -258,6 +258,7 @@ int mlx5_wait_for_pages(struct mlx5_core_dev *dev, int *pages);
+ void mlx5_cmd_flush(struct mlx5_core_dev *dev);
+ void mlx5_cq_debugfs_init(struct mlx5_core_dev *dev);
+ void mlx5_cq_debugfs_cleanup(struct mlx5_core_dev *dev);
++void mlx5_vhca_debugfs_init(struct mlx5_core_dev *dev);
+ int mlx5_query_pcam_reg(struct mlx5_core_dev *dev, u32 *pcam, u8 feature_group,
+                       u8 access_reg_group);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+index b706f1486504a..c45540fe7d9d9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c
+@@ -76,6 +76,7 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia
+               goto init_one_err;
+       }
++      mlx5_vhca_debugfs_init(mdev);
+       return 0;
+ init_one_err:
+-- 
+2.51.0
+
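Review bot: `mlx5_vhca_debugfs_init()` in debugfs.c has an ordering precondition that is stated only in the commit message: `vhca_id_show()` reads `MLX5_CAP_GEN(dev, vhca_id)` with no check, so the file must not exist before the HCA caps are allocated and read. A comment above the function, e.g. `/* Call only after mlx5_init_one() succeeded; vhca_id_show() dereferences the HCA caps. */`, would keep a future probe path from publishing it early again. The call is added in probe_one() and mlx5_sf_dev_probe() only; whether another path brings a device up, or frees the caps while the file is still readable, is not visible here and is worth confirming.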
diff --git a/queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch b/queue-6.18/net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch
new file mode 100644 (file)
index 0000000..868e1ed
--- /dev/null
@@ -0,0 +1,44 @@
+From a09b3a74d2b5508938d090d5c4b2c052c1268c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:38 +0200
+Subject: net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 2610a3d65691a1301ab10c92ff6ebab0bedf9199 ]
+
+The capability check for reset_root_to_default was inverted, causing
+the function to return -EOPNOTSUPP when the capability IS supported,
+rather than when it is NOT supported.
+
+Fix the capability check condition.
+
+Fixes: 3c9c34c32bc6 ("net/mlx5: fs, Command to control TX flow table root")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+index 1af76da8b1320..b79544134e2a2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
+@@ -1167,7 +1167,8 @@ int mlx5_fs_cmd_set_tx_flow_table_root(struct mlx5_core_dev *dev, u32 ft_id, boo
+       u32 out[MLX5_ST_SZ_DW(set_flow_table_root_out)] = {};
+       u32 in[MLX5_ST_SZ_DW(set_flow_table_root_in)] = {};
+-      if (disconnect && MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
++      if (disconnect &&
++          !MLX5_CAP_FLOWTABLE_NIC_TX(dev, reset_root_to_default))
+               return -EOPNOTSUPP;
+       MLX5_SET(set_flow_table_root_in, in, opcode,
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch b/queue-6.18/net-mlx5-initialize-events-outside-devlink-lock.patch
new file mode 100644 (file)
index 0000000..eaae8b8
--- /dev/null
@@ -0,0 +1,115 @@
+From d39df8f4185b39bbdf9f05255c9f027bb7f4c6f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Nov 2025 22:45:35 +0200
+Subject: net/mlx5: Initialize events outside devlink lock
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit b6b03097f9826db72aeb3f751774c5e9edd9a5b3 ]
+
+Move event init/cleanup outside of mlx5_init_one() / mlx5_uninit_one()
+and into the mlx5_mdev_init() / mlx5_mdev_uninit() functions.
+
+By doing this, we avoid the events being reinitialized on devlink reload
+and, more importantly, the events->sw_nh notifier chain becomes
+available earlier in the init procedure, which will be used in
+subsequent patches. This makes sense because the events struct is pure
+software, independent of any HW details.
+
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763325940-1231508-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a8f930b7be7b ("net/mlx5: Fix vhca_id access call trace use before alloc")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/main.c    | 34 +++++++++++++------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 9e0c9e6266a47..236cb1eb98c82 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -999,16 +999,10 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+               goto err_irq_cleanup;
+       }
+-      err = mlx5_events_init(dev);
+-      if (err) {
+-              mlx5_core_err(dev, "failed to initialize events\n");
+-              goto err_eq_cleanup;
+-      }
+-
+       err = mlx5_fw_reset_init(dev);
+       if (err) {
+               mlx5_core_err(dev, "failed to initialize fw reset events\n");
+-              goto err_events_cleanup;
++              goto err_eq_cleanup;
+       }
+       mlx5_cq_debugfs_init(dev);
+@@ -1110,8 +1104,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
+       mlx5_cleanup_reserved_gids(dev);
+       mlx5_cq_debugfs_cleanup(dev);
+       mlx5_fw_reset_cleanup(dev);
+-err_events_cleanup:
+-      mlx5_events_cleanup(dev);
+ err_eq_cleanup:
+       mlx5_eq_table_cleanup(dev);
+ err_irq_cleanup:
+@@ -1144,7 +1136,6 @@ static void mlx5_cleanup_once(struct mlx5_core_dev *dev)
+       mlx5_cleanup_reserved_gids(dev);
+       mlx5_cq_debugfs_cleanup(dev);
+       mlx5_fw_reset_cleanup(dev);
+-      mlx5_events_cleanup(dev);
+       mlx5_eq_table_cleanup(dev);
+       mlx5_irq_table_cleanup(dev);
+       mlx5_devcom_unregister_device(dev->priv.devc);
+@@ -1822,6 +1813,24 @@ static int vhca_id_show(struct seq_file *file, void *priv)
+ DEFINE_SHOW_ATTRIBUTE(vhca_id);
++static int mlx5_notifiers_init(struct mlx5_core_dev *dev)
++{
++      int err;
++
++      err = mlx5_events_init(dev);
++      if (err) {
++              mlx5_core_err(dev, "failed to initialize events\n");
++              return err;
++      }
++
++      return 0;
++}
++
++static void mlx5_notifiers_cleanup(struct mlx5_core_dev *dev)
++{
++      mlx5_events_cleanup(dev);
++}
++
+ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+ {
+       struct mlx5_priv *priv = &dev->priv;
+@@ -1877,6 +1886,10 @@ int mlx5_mdev_init(struct mlx5_core_dev *dev, int profile_idx)
+       if (err)
+               goto err_hca_caps;
++      err = mlx5_notifiers_init(dev);
++      if (err)
++              goto err_hca_caps;
++
+       /* The conjunction of sw_vhca_id with sw_owner_id will be a global
+        * unique id per function which uses mlx5_core.
+        * Those values are supplied to FW as part of the init HCA command to
+@@ -1919,6 +1932,7 @@ void mlx5_mdev_uninit(struct mlx5_core_dev *dev)
+       if (priv->sw_vhca_id > 0)
+               ida_free(&sw_vhca_ida, dev->priv.sw_vhca_id);
++      mlx5_notifiers_cleanup(dev);
+       mlx5_hca_caps_free(dev);
+       mlx5_adev_cleanup(dev);
+       mlx5_pagealloc_cleanup(dev);
+-- 
+2.51.0
+
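Review bot: In mlx5_mdev_init() the new `mlx5_notifiers_init()` failure path jumps to `err_hca_caps`, the same label the preceding step uses for its own failure. The mlx5_mdev_uninit() hunk frees the caps after `mlx5_notifiers_cleanup()`, which suggests the caps are already allocated when notifier init runs. If `err_hca_caps:` does not call `mlx5_hca_caps_free()` (the label is outside the hunk, so this is inferred), a failed events init would leak them. A dedicated unwind step would avoid that: `goto err_notifiers_init;` with `err_notifiers_init:` followed by `mlx5_hca_caps_free(dev);` placed just above `err_hca_caps:`.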
diff --git a/queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.18/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644 (file)
index 0000000..e56bd24
--- /dev/null
@@ -0,0 +1,75 @@
+From ad057131d7e5baae1536ed2c0b80ac8e8a2c782f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index f8d9968542d9c..59e17b41c3a67 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4033,6 +4033,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_queue_update_stats(priv);
+       }
++      netdev_stats_to_stats64(stats, &dev->stats);
++
+       if (mlx5e_is_uplink_rep(priv)) {
+               struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+@@ -4049,21 +4051,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_fold_sw_stats64(priv, stats);
+       }
+-      stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+-      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++      stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+-      stats->rx_length_errors =
++      stats->rx_length_errors +=
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+               PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+               VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+-      stats->rx_crc_errors =
++      stats->rx_crc_errors +=
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+-      stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+-      stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+-      stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+-                         stats->rx_frame_errors;
+-      stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++      stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++      stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++      stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++                          stats->rx_frame_errors;
++      stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+ static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv)
+-- 
+2.51.0
+
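Review bot: The two aggregate lines at the end of mlx5e_get_stats() now add per-cause fields that already contain the netdev values copied in by `netdev_stats_to_stats64()`, on top of whatever `dev->stats.rx_errors` and `dev->stats.tx_errors` already held. If any path that increments a per-cause counter in `dev->stats` also increments the matching total (not visible in this hunk), that event is reported twice in `rx_errors` or `tx_errors`. Either build the totals from the hardware-only values, or state the assumption above the sums, e.g. `/* assumes dev->stats.{rx,tx}_errors do not already include the per-cause netdev counts */`. The function starts outside the hunk.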
diff --git a/queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch b/queue-6.18/net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch
new file mode 100644 (file)
index 0000000..32119d2
--- /dev/null
@@ -0,0 +1,63 @@
+From e479d52b2f06971f0b705c6ebeff8a85e727a5a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 11:38:17 -0800
+Subject: net/mlx5e: don't assume psp tx skbs are ipv6 csum handling
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit a62f7d62d2b115e67c7224e36ace4ef12a9650b4 ]
+
+mlx5e_psp_handle_tx_skb() assumes skbs are ipv6 when doing a partial
+TCP checksum with tso. Make correctly mlx5e_psp_handle_tx_skb() handle
+ipv4 packets.
+
+Fixes: e5a1861a298e ("net/mlx5e: Implement PSP Tx data path")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
+Link: https://patch.msgid.link/20260126-dzahka-fix-tx-csum-partial-v2-1-0a905590ea5f@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/psp_rxtx.c      | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c
+index 828bff1137aff..fa98d0074531b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp_rxtx.c
+@@ -177,8 +177,6 @@ bool mlx5e_psp_handle_tx_skb(struct net_device *netdev,
+ {
+       struct mlx5e_priv *priv = netdev_priv(netdev);
+       struct net *net = sock_net(skb->sk);
+-      const struct ipv6hdr *ip6;
+-      struct tcphdr *th;
+       if (!mlx5e_psp_set_state(priv, skb, psp_st))
+               return true;
+@@ -189,11 +187,18 @@ bool mlx5e_psp_handle_tx_skb(struct net_device *netdev,
+               return false;
+       }
+       if (skb_is_gso(skb)) {
+-              ip6 = ipv6_hdr(skb);
+-              th = inner_tcp_hdr(skb);
++              int len = skb_shinfo(skb)->gso_size + inner_tcp_hdrlen(skb);
++              struct tcphdr *th = inner_tcp_hdr(skb);
+-              th->check = ~tcp_v6_check(skb_shinfo(skb)->gso_size + inner_tcp_hdrlen(skb), &ip6->saddr,
+-                                        &ip6->daddr, 0);
++              if (skb->protocol == htons(ETH_P_IP)) {
++                      const struct iphdr *ip = ip_hdr(skb);
++
++                      th->check = ~tcp_v4_check(len, ip->saddr, ip->daddr, 0);
++              } else {
++                      const struct ipv6hdr *ip6 = ipv6_hdr(skb);
++
++                      th->check = ~tcp_v6_check(len, &ip6->saddr, &ip6->daddr, 0);
++              }
+       }
+       return true;
+-- 
+2.51.0
+
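Review bot: In the `skb_is_gso()` block the new `else` treats every skb whose `skb->protocol` is not `htons(ETH_P_IP)` as IPv6, so the pseudo-header checksum is seeded from `ipv6_hdr(skb)` even when the header is something else. If a VLAN-tagged skb or another ethertype can reach this point (the callers are outside the hunk), an IPv4 packet would take the IPv6 branch and `th->check` would be computed from the wrong bytes. Make the second case explicit with `else if (skb->protocol == htons(ETH_P_IPV6))` and take the existing `return false;` drop path otherwise. If tagged frames are expected here, compare against `vlan_get_protocol(skb)` instead of `skb->protocol`. The body of mlx5e_psp_handle_tx_skb() starts and ends outside the hunk.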
diff --git a/queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.18/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
new file mode 100644 (file)
index 0000000..9d1cd3f
--- /dev/null
@@ -0,0 +1,50 @@
+From 5b5bfc6b6e73f6a58a7ea491e2032ff72697b04c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:41 +0200
+Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ]
+
+Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay
+window size") introduced logic to setup the ESN replay window size.
+This logic is only valid for packet offload.
+
+However, the check to skip this block only covered outbound offloads.
+It was not skipped for crypto offload, causing it to fall through to
+the new switch statement and trigger its WARN_ON default case (for
+instance, if a window larger than 256 bits was configured).
+
+Fix this by amending the condition to also skip the replay window
+setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET.
+
+Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index a8fb4bec369cf..9c7064187ed0f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -430,7 +430,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
+               attrs->replay_esn.esn = sa_entry->esn_state.esn;
+               attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb;
+               attrs->replay_esn.overlap = sa_entry->esn_state.overlap;
+-              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT)
++              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT ||
++                  x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
+                       goto skip_replay_window;
+               switch (x->replay_esn->replay_window) {
+-- 
+2.51.0
+
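Review bot: The widened condition in front of `goto skip_replay_window` carries no comment explaining why crypto offload must not reach the switch, although the commit message says the switch ends in a WARN_ON default that configuration could trigger. A line above the `if`, such as `/* replay window is programmed only for non-outbound packet offload */`, would keep a later edit from narrowing the check again. The switch body is outside the hunk, so it cannot be confirmed here that packet-offload window sizes are validated before they reach the default case.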
diff --git a/queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.18/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
new file mode 100644 (file)
index 0000000..e29c11b
--- /dev/null
@@ -0,0 +1,132 @@
+From 3ac403689e90bb4f828ab9a54b5d1830b6b9be12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:54 +0200
+Subject: net/mlx5e: TC, delete flows only for existing peers
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ]
+
+When deleting TC steering flows, iterate only over actual devcom
+peers instead of assuming all possible ports exist. This avoids
+touching non-existent peers and ensures cleanup is limited to
+devices the driver is currently connected to.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 133c8a067 P4D 0
+ Oops: Oops: 0002 [#1] SMP
+ CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
+ Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
+ RSP: 0018:ff11000143867528 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
+ RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
+ RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
+ R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
+ R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
+ FS:  00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
+ Call Trace:
+  <TASK>
+  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
+  mlx5e_flow_put+0x25/0x50 [mlx5_core]
+  mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
+  tc_setup_cb_reoffload+0x20/0x80
+  fl_reoffload+0x26f/0x2f0 [cls_flower]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  tcf_block_playback_offloads+0x9e/0x1c0
+  tcf_block_unbind+0x7b/0xd0
+  tcf_block_setup+0x186/0x1d0
+  tcf_block_offload_cmd.isra.0+0xef/0x130
+  tcf_block_offload_unbind+0x43/0x70
+  __tcf_block_put+0x85/0x160
+  ingress_destroy+0x32/0x110 [sch_ingress]
+  __qdisc_destroy+0x44/0x100
+  qdisc_graft+0x22b/0x610
+  tc_get_qdisc+0x183/0x4d0
+  rtnetlink_rcv_msg+0x2d7/0x3d0
+  ? rtnl_calcit.isra.0+0x100/0x100
+  netlink_rcv_skb+0x53/0x100
+  netlink_unicast+0x249/0x320
+  ? __alloc_skb+0x102/0x1f0
+  netlink_sendmsg+0x1e3/0x420
+  __sock_sendmsg+0x38/0x60
+  ____sys_sendmsg+0x1ef/0x230
+  ? copy_msghdr_from_user+0x6c/0xa0
+  ___sys_sendmsg+0x7f/0xc0
+  ? ___sys_recvmsg+0x8a/0xc0
+  ? __sys_sendto+0x119/0x180
+  __sys_sendmsg+0x61/0xb0
+  do_syscall_64+0x55/0x640
+  entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ RIP: 0033:0x7f35238bb764
+ Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
+ RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
+ RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
+ RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
+ R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
+ R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
+
+Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer")
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c   | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 00c2763e57ca1..ebea43c235cc3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2147,11 +2147,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow,
+ static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(flow->priv->mdev))
+-                      continue;
++      devcom = flow->priv->mdev->priv.eswitch->devcom;
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               mlx5e_tc_del_fdb_peer_flow(flow, i);
+       }
+ }
+@@ -5511,12 +5514,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags)
+ void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
+       struct mlx5e_tc_flow *flow, *tmp;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(esw->dev))
+-                      continue;
++      devcom = esw->devcom;
++
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i])
+                       mlx5e_tc_del_fdb_peers_flow(flow);
+       }
+-- 
+2.51.0
+
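Review bot: Both rewritten loops enter `mlx5_devcom_for_each_peer_entry()` on a `devcom` pointer read straight from the eswitch, with no readiness or NULL check and no locking visible in either hunk. In mlx5e_tc_del_fdb_peers_flow() the pointer comes from `flow->priv->mdev->priv.eswitch->devcom`, and in mlx5e_tc_clean_fdb_peer_flows() from `esw->devcom`. If the iterator expects the caller to hold the devcom component lock, as the `mlx5_devcom_for_each_peer_begin()` / `mlx5_devcom_for_each_peer_end()` pair provides elsewhere in the driver, the flow-delete path needs that bracket or a comment naming which caller already holds it. The peer list could otherwise change while flows are being unlinked. mlx5e_tc_clean_fdb_peer_flows() continues past the end of its hunk.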
diff --git a/queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.18/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..7a0824b
--- /dev/null
@@ -0,0 +1,48 @@
+From 08a670f1ca25e58840dee561b4e928d24388700e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index 44b201817d94c..c116da7d7f18c 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch b/queue-6.18/net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
new file mode 100644 (file)
index 0000000..df0465d
--- /dev/null
@@ -0,0 +1,130 @@
+From e24fb0d0e87b1bc74e86b3151f1c00cd9bb62186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 16:15:44 +0800
+Subject: net: phy: micrel: fix clk warning when removing the driver
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit 2aa1545ba8d4801fba5be83a404e28014b80196a ]
+
+Since the commit 25c6a5ab151f ("net: phy: micrel: Dynamically control
+external clock of KSZ PHY"), the clock of Micrel PHY has been enabled
+by phy_driver::resume() and disabled by phy_driver::suspend(). However,
+devm_clk_get_optional_enabled() is used in kszphy_probe(), so the clock
+will automatically be disabled when the device is unbound from the bus.
+Therefore, this could cause the clock to be disabled twice, resulting
+in clk driver warnings.
+
+For example, this issue can be reproduced on i.MX6ULL platform, and we
+can see the following logs when removing the FEC MAC drivers.
+
+$ echo 2188000.ethernet > /sys/bus/platform/drivers/fec/unbind
+$ echo 20b4000.ethernet > /sys/bus/platform/drivers/fec/unbind
+[  109.758207] ------------[ cut here ]------------
+[  109.758240] WARNING: drivers/clk/clk.c:1188 at clk_core_disable+0xb4/0xd0, CPU#0: sh/639
+[  109.771011] enet2_ref already disabled
+[  109.793359] Call trace:
+[  109.822006]  clk_core_disable from clk_disable+0x28/0x34
+[  109.827340]  clk_disable from clk_disable_unprepare+0xc/0x18
+[  109.833029]  clk_disable_unprepare from devm_clk_release+0x1c/0x28
+[  109.839241]  devm_clk_release from devres_release_all+0x98/0x100
+[  109.845278]  devres_release_all from device_unbind_cleanup+0xc/0x70
+[  109.851571]  device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
+[  109.859170]  device_release_driver_internal from bus_remove_device+0xbc/0xe4
+[  109.866243]  bus_remove_device from device_del+0x140/0x458
+[  109.871757]  device_del from phy_mdio_device_remove+0xc/0x24
+[  109.877452]  phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
+[  109.883918]  mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
+[  109.890125]  fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
+[  109.896076]  fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
+[  109.962748] WARNING: drivers/clk/clk.c:1047 at clk_core_unprepare+0xfc/0x13c, CPU#0: sh/639
+[  109.975805] enet2_ref already unprepared
+[  110.002866] Call trace:
+[  110.031758]  clk_core_unprepare from clk_unprepare+0x24/0x2c
+[  110.037440]  clk_unprepare from devm_clk_release+0x1c/0x28
+[  110.042957]  devm_clk_release from devres_release_all+0x98/0x100
+[  110.048989]  devres_release_all from device_unbind_cleanup+0xc/0x70
+[  110.055280]  device_unbind_cleanup from device_release_driver_internal+0x1a4/0x1f4
+[  110.062877]  device_release_driver_internal from bus_remove_device+0xbc/0xe4
+[  110.069950]  bus_remove_device from device_del+0x140/0x458
+[  110.075469]  device_del from phy_mdio_device_remove+0xc/0x24
+[  110.081165]  phy_mdio_device_remove from mdiobus_unregister+0x40/0xac
+[  110.087632]  mdiobus_unregister from fec_enet_mii_remove+0x40/0x78
+[  110.093836]  fec_enet_mii_remove from fec_drv_remove+0x4c/0x158
+[  110.099782]  fec_drv_remove from device_release_driver_internal+0x17c/0x1f4
+
+After analyzing the process of removing the FEC driver, as shown below,
+it can be seen that the clock was disabled twice by the PHY driver.
+
+fec_drv_remove()
+  --> fec_enet_close()
+    --> phy_stop()
+      --> phy_suspend()
+        --> kszphy_suspend() #1 The clock is disabled
+  --> fec_enet_mii_remove()
+    --> mdiobus_unregister()
+      --> phy_mdio_device_remove()
+        --> device_del()
+          --> devm_clk_release() #2 The clock is disabled again
+
+Therefore, devm_clk_get_optional() is used to fix the above issue. And
+to avoid the issue mentioned by the commit 985329462723 ("net: phy:
+micrel: use devm_clk_get_optional_enabled for the rmii-ref clock"), the
+clock is enabled by clk_prepare_enable() to get the correct clock rate.
+
+Fixes: 25c6a5ab151f ("net: phy: micrel: Dynamically control external clock of KSZ PHY")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260126081544.983517-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 01c87c9b77020..bc19880107ae4 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -2541,11 +2541,21 @@ static int kszphy_probe(struct phy_device *phydev)
+       kszphy_parse_led_mode(phydev);
+-      clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, "rmii-ref");
++      clk = devm_clk_get_optional(&phydev->mdio.dev, "rmii-ref");
+       /* NOTE: clk may be NULL if building without CONFIG_HAVE_CLK */
+       if (!IS_ERR_OR_NULL(clk)) {
+-              unsigned long rate = clk_get_rate(clk);
+               bool rmii_ref_clk_sel_25_mhz;
++              unsigned long rate;
++              int err;
++
++              err = clk_prepare_enable(clk);
++              if (err) {
++                      phydev_err(phydev, "Failed to enable rmii-ref clock\n");
++                      return err;
++              }
++
++              rate = clk_get_rate(clk);
++              clk_disable_unprepare(clk);
+               if (type)
+                       priv->rmii_ref_clk_sel = type->has_rmii_ref_clk_sel;
+@@ -2563,13 +2573,12 @@ static int kszphy_probe(struct phy_device *phydev)
+               }
+       } else if (!clk) {
+               /* unnamed clock from the generic ethernet-phy binding */
+-              clk = devm_clk_get_optional_enabled(&phydev->mdio.dev, NULL);
++              clk = devm_clk_get_optional(&phydev->mdio.dev, NULL);
+       }
+       if (IS_ERR(clk))
+               return PTR_ERR(clk);
+-      clk_disable_unprepare(clk);
+       priv->clk = clk;
+       if (ksz8041_fiber_mode(phydev))
+-- 
+2.51.0
+
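Review bot: The new `clk_prepare_enable()` failure branch in kszphy_probe() logs a fixed string and drops the error code, so a probe failure in the field gives no hint of what the clock framework returned. Including it costs nothing: `phydev_err(phydev, "Failed to enable rmii-ref clock: %d\n", err);`. The function starts and ends outside the hunks.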
diff --git a/queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch b/queue-6.18/net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch
new file mode 100644 (file)
index 0000000..524c82e
--- /dev/null
@@ -0,0 +1,101 @@
+From db998d0ddd2bea0c62ed638b953c89acc1953010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 11:52:23 +0800
+Subject: net: spacemit: Check for netif_carrier_ok() in emac_stats_update()
+
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+
+[ Upstream commit 2c84959167d6493dbdac88965c7389b8ab88bf4e ]
+
+Some PHYs stop the refclk for power saving, usually while link down.
+This causes reading stats to time out.
+
+Therefore, in emac_stats_update(), also don't update and reschedule if
+!netif_carrier_ok(). But that means we could be missing later updates if
+the link comes back up, so also reschedule when link up is detected in
+emac_adjust_link().
+
+While we're at it, improve the comments and error message prints around
+this to reflect the better understanding of how this could happen.
+Hopefully if this happens again on new hardware, these comments will
+direct towards a solution.
+
+Closes: https://lore.kernel.org/r/20260119141620.1318102-1-amadeus@jmu.edu.cn/
+Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC")
+Co-developed-by: Chukun Pan <amadeus@jmu.edu.cn>
+Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
+Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
+Link: https://patch.msgid.link/20260123-k1-ethernet-clarify-stat-timeout-v3-1-93b9df627e87@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/spacemit/k1_emac.c | 34 ++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c
+index 220eb5ce75833..88e9424d2d51a 100644
+--- a/drivers/net/ethernet/spacemit/k1_emac.c
++++ b/drivers/net/ethernet/spacemit/k1_emac.c
+@@ -1099,7 +1099,13 @@ static int emac_read_stat_cnt(struct emac_priv *priv, u8 cnt, u32 *res,
+                                       100, 10000);
+       if (ret) {
+-              netdev_err(priv->ndev, "Read stat timeout\n");
++              /*
++               * This could be caused by the PHY stopping its refclk even when
++               * the link is up, for power saving. See also comments in
++               * emac_stats_update().
++               */
++              dev_err_ratelimited(&priv->ndev->dev,
++                                  "Read stat timeout. PHY clock stopped?\n");
+               return ret;
+       }
+@@ -1147,17 +1153,25 @@ static void emac_stats_update(struct emac_priv *priv)
+       assert_spin_locked(&priv->stats_lock);
+-      if (!netif_running(priv->ndev) || !netif_device_present(priv->ndev)) {
+-              /* Not up, don't try to update */
++      /*
++       * We can't read statistics if the interface is not up. Also, some PHYs
++       * stop their reference clocks for link down power saving, which also
++       * causes reading statistics to time out. Don't update and don't
++       * reschedule in these cases.
++       */
++      if (!netif_running(priv->ndev) ||
++          !netif_carrier_ok(priv->ndev) ||
++          !netif_device_present(priv->ndev)) {
+               return;
+       }
+       for (i = 0; i < sizeof(priv->tx_stats) / sizeof(*tx_stats); i++) {
+               /*
+-               * If reading stats times out, everything is broken and there's
+-               * nothing we can do. Reading statistics also can't return an
+-               * error, so just return without updating and without
+-               * rescheduling.
++               * If reading stats times out anyway, the stat registers will be
++               * stuck, and we can't really recover from that.
++               *
++               * Reading statistics also can't return an error, so just return
++               * without updating and without rescheduling.
+                */
+               if (emac_tx_read_stat_cnt(priv, i, &res))
+                       return;
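Review bot: The new comment block in emac_stats_update() says the function neither updates nor reschedules while the carrier is down, but it does not say what restarts the updates. That information lives only in emac_adjust_link(), whose comment points back here. I would make the cross-reference two-way by ending the block with `* emac_adjust_link() re-arms stats_timer once the link is up again.` The timeout `return` inside the loop has no such re-arm while the link stays up, so, as far as these hunks show, statistics stay frozen until the next link-up event; the loop comment could say so. The bodies of both functions continue outside the hunks.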
+@@ -1636,6 +1650,12 @@ static void emac_adjust_link(struct net_device *dev)
+               emac_wr(priv, MAC_GLOBAL_CONTROL, ctrl);
+               emac_set_fc_autoneg(priv);
++
++              /*
++               * Reschedule stats updates now that link is up. See comments in
++               * emac_stats_update().
++               */
++              mod_timer(&priv->stats_timer, jiffies);
+       }
+       phy_print_status(phydev);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.18/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644 (file)
index 0000000..089dd23
--- /dev/null
@@ -0,0 +1,83 @@
+From e49f772fcae292d939718fc5100d4b75ae42478e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 01:04:01 +0800
+Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
+
+When receiving data in the DPMAIF RX path,
+the t7xx_dpmaif_set_frag_to_skb() function adds
+page fragments to an skb without checking if the number of
+fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
+in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
+potentially causing kernel crashes or other undefined behavior.
+
+This issue was identified through static code analysis by comparing with a
+similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
+fix array overflow on receiving too many fragments for a packet").
+
+The vulnerability could be triggered if the modem firmware sends packets
+with excessive fragments. While under normal protocol conditions (MTU 3080
+bytes, BAT buffer 3584 bytes),
+a single packet should not require additional
+fragments, the kernel should not blindly trust firmware behavior.
+Malicious, buggy, or compromised firmware could potentially craft packets
+with more fragments than the kernel expects.
+
+Fix this by adding a bounds check before calling skb_add_rx_frag() to
+ensure nr_frags does not exceed MAX_SKB_FRAGS.
+
+The check must be performed before unmapping to avoid a page leak
+and double DMA unmap during device teardown.
+
+Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+index 2310493203d3c..d9f10df03a5db 100644
+--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+@@ -395,6 +395,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+                                      struct sk_buff *skb)
+ {
+       unsigned long long data_bus_addr, data_base_addr;
++      struct skb_shared_info *shinfo = skb_shinfo(skb);
+       struct device *dev = rxq->dpmaif_ctrl->dev;
+       struct dpmaif_bat_page *page_info;
+       unsigned int data_len;
+@@ -402,18 +403,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+       page_info = rxq->bat_frag->bat_skb;
+       page_info += t7xx_normal_pit_bid(pkt_info);
+-      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
+       if (!page_info->page)
+               return -EINVAL;
++      if (shinfo->nr_frags >= MAX_SKB_FRAGS)
++              return -EINVAL;
++
++      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
++
+       data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
+       data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
+       data_base_addr = page_info->data_bus_addr;
+       data_offset = data_bus_addr - data_base_addr;
+       data_offset += page_info->offset;
+       data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
+-      skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page,
++      skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page,
+                       data_offset, data_len, page_info->data_len);
+       page_info->page = NULL;
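Review bot: `data_offset` and `data_len` still reach `skb_add_rx_frag()` unchecked in the second hunk of t7xx_dpmaif_set_frag_to_skb(). Both are derived from device-written PIT fields (`pkt_info->pd.data_addr_h/l` and `pkt_info->header`), so the firmware-trust argument behind the new `nr_frags` test applies to them as well. I would compute the device-supplied address and length before the unmap and reject a fragment that does not lie inside the `page_info->data_len` bytes that were mapped, next to the `nr_frags` check, so a rejected descriptor leaves the page mapped as the commit message requires. Whether the caller already validates these fields, and the declared types of `data_offset` and `page_info->data_len`, are outside the hunk; the function also continues past it.

```c
	if (shinfo->nr_frags >= MAX_SKB_FRAGS)
		return -EINVAL;

	/* PIT fields are written by the device; bound them to the mapped BAT buffer */
	data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
	data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
	data_base_addr = page_info->data_bus_addr;
	data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
	if (data_bus_addr < data_base_addr ||
	    data_bus_addr - data_base_addr > page_info->data_len ||
	    data_len > page_info->data_len - (data_bus_addr - data_base_addr))
		return -EINVAL;

	/* … unchanged: dma_unmap_page(), data_offset computation, skb_add_rx_frag() call … */
```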
+-- 
+2.51.0
+
diff --git a/queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.18/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..d9a6434
--- /dev/null
@@ -0,0 +1,167 @@
+From a66d7c4b5d81961bdbc91a02e66eed00d22179b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index e2680a3bef799..b652323bc2c12 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
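Review bot: The `list_empty(&local->list)` test in nfc_llcp_send_ui_frame() carries the whole fix but has no comment, and its meaning depends on the `list_del_init()` change in net/nfc/llcp_core.c. With a plain `list_del()` the test would never be true. A comment above it such as `/* local was unlinked by nfc_llcp_remove_local(); tx_queue is about to be purged, so drop the PDU instead of queuing it */` would keep the two files from drifting apart. Separately, `skb_queue_tail()` took the queue lock with interrupts disabled, while the new code uses plain `spin_lock()`; that is safe only if no user of `local->tx_queue.lock` runs in interrupt or softirq context, which these hunks do not show. The loop this hunk sits in starts and ends outside it.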
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index beeb3b4d28cab..444a3774c8e80 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -316,7 +316,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
diff --git a/queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.18/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..fd563f5
--- /dev/null
@@ -0,0 +1,197 @@
+From 90a9a5e2096da7ec1fa3319d9d7bf09b5e80d324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 127e6c7d910dc..c54df042db6be 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -219,6 +219,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 82f023f377541..f50e5bab35d8e 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               timer_delete_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
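Review bot: The kernel-doc for the two new exported functions, nfc_unregister_rfkill() and nfc_remove_device(), does not state the order they must be called in, which is the point of the split. nfc_unregister_device() and nci_unregister_device() both call nfc_unregister_rfkill() first and nfc_remove_device() last, and the commit message explains why NCI needs to close the device in between. I would add one line to each comment, e.g. `* Must be called before nfc_remove_device().` and `* The caller must have called nfc_unregister_rfkill() first.` Whether nfc_unregister_rfkill() tolerates a second call depends on parts of its body that fall outside these hunks, so that is worth stating in its comment too.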
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index fc921cd2cdffa..e419e020a70a3 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1303,6 +1303,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1320,7 +1322,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
diff --git a/queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.18/octeon_ep-fix-memory-leak-in-octep_device_setup.patch
new file mode 100644 (file)
index 0000000..a85ff04
--- /dev/null
@@ -0,0 +1,46 @@
+From 8a45f3310e08a03b44e60cb1a1f751722dfed44c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 13:05:51 +0000
+Subject: octeon_ep: Fix memory leak in octep_device_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
+
+In octep_device_setup(), if octep_ctrl_net_init() fails, the function
+returns directly without unmapping the mapped resources and freeing the
+allocated configuration memory.
+
+Fix this by jumping to the unsupported_dev label, which performs the
+necessary cleanup. This aligns with the error handling logic of other
+paths in this function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index bcea3fc26a8c7..57db7ea2f5be9 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -1338,7 +1338,7 @@ int octep_device_setup(struct octep_device *oct)
+       ret = octep_ctrl_net_init(oct);
+       if (ret)
+-              return ret;
++              goto unsupported_dev;
+       INIT_WORK(&oct->tx_timeout_task, octep_tx_timeout_task);
+       INIT_WORK(&oct->ctrl_mbox_task, octep_ctrl_mbox_task);
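Review bot: The error code in `ret` may be lost on the new `goto unsupported_dev;` path if that label ends in a fixed return value. The label and its cleanup are outside the hunk, so this cannot be confirmed from here, and the commit message says the change was compile tested only. The label name also no longer describes every way of reaching it. A short comment at the jump, such as `/* shared cleanup path: unmaps resources and frees the configuration */`, would help, assuming the label does what the commit message describes.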
+-- 
+2.51.0
+
diff --git a/queue-6.18/readdir-require-opt-in-for-d_type-flags.patch b/queue-6.18/readdir-require-opt-in-for-d_type-flags.patch
new file mode 100644 (file)
index 0000000..a3c0c08
--- /dev/null
@@ -0,0 +1,92 @@
+From 0172410f66d957efd1248ac7a994c7b865e08ec2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 08:45:22 +0100
+Subject: readdir: require opt-in for d_type flags
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit c644bce62b9c6b441143a03c910f986109c47001 ]
+
+Commit c31f91c6af96 ("fuse: don't allow signals to interrupt getdents
+copying") introduced the use of high bits in d_type as flags. However,
+overlayfs was not adapted to handle this change.
+
+In ovl_cache_entry_new(), the code checks if d_type == DT_CHR to
+determine if an entry might be a whiteout. When fuse is used as the
+lower layer and sets high bits in d_type, this comparison fails,
+causing whiteout files to not be recognized properly and resulting in
+incorrect overlayfs behavior.
+
+Fix this by requiring callers of iterate_dir() to opt-in for getting
+flag bits in d_type outside of S_DT_MASK.
+
+Fixes: c31f91c6af96 ("fuse: don't allow signals to interrupt getdents copying")
+Link: https://lore.kernel.org/all/20260107034551.439-1-luochunsheng@ustc.edu/
+Link: https://github.com/containerd/stargz-snapshotter/issues/2214
+Reported-by: Chunsheng Luo <luochunsheng@ustc.edu>
+Reviewed-by: Chunsheng Luo <luochunsheng@ustc.edu>
+Tested-by: Chunsheng Luo <luochunsheng@ustc.edu>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Link: https://patch.msgid.link/20260108074522.3400998-1-amir73il@gmail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/readdir.c       | 3 +++
+ include/linux/fs.h | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/readdir.c b/fs/readdir.c
+index 7764b86389788..73707b6816e9a 100644
+--- a/fs/readdir.c
++++ b/fs/readdir.c
+@@ -316,6 +316,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
+       struct getdents_callback buf = {
+               .ctx.actor = filldir,
+               .ctx.count = count,
++              .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+               .current_dir = dirent
+       };
+       int error;
+@@ -400,6 +401,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
+       struct getdents_callback64 buf = {
+               .ctx.actor = filldir64,
+               .ctx.count = count,
++              .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+               .current_dir = dirent
+       };
+       int error;
+@@ -569,6 +571,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
+       struct compat_getdents_callback buf = {
+               .ctx.actor = compat_filldir,
+               .ctx.count = count,
++              .ctx.dt_flags_mask = FILLDIR_FLAG_NOINTR,
+               .current_dir = dirent,
+       };
+       int error;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 9b2230fb2332f..3e965c77fa1b1 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2207,6 +2207,8 @@ struct dir_context {
+        * INT_MAX  unlimited
+        */
+       int count;
++      /* @actor supports these flags in d_type high bits */
++      unsigned int dt_flags_mask;
+ };
+ /* If OR-ed with d_type, pending signals are not checked */
+@@ -3985,7 +3987,9 @@ static inline bool dir_emit(struct dir_context *ctx,
+                           const char *name, int namelen,
+                           u64 ino, unsigned type)
+ {
+-      return ctx->actor(ctx, name, namelen, ctx->pos, ino, type);
++      unsigned int dt_mask = S_DT_MASK | ctx->dt_flags_mask;
++
++      return ctx->actor(ctx, name, namelen, ctx->pos, ino, type & dt_mask);
+ }
+ static inline bool dir_emit_dot(struct file *file, struct dir_context *ctx)
+ {
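Review bot: The mask in dir_emit() only protects actors that are reached through dir_emit(). Any code that calls `ctx->actor` directly with a d_type carrying flag bits bypasses it, and whether such callers exist is not visible in these hunks. The new `dt_mask` line would also benefit from a why-comment, for example `/* drop d_type flag bits the actor did not opt in to via dt_flags_mask */`. A `struct dir_context` that is not zero-initialised would leave `dt_flags_mask` indeterminate; the three getdents variants in fs/readdir.c use designated initialisers, so they are fine.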
+-- 
+2.51.0
+
diff --git a/queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.18/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..9b938f1
--- /dev/null
@@ -0,0 +1,56 @@
+From c918f6e830dc4374c573f3d2eefac9e55fb9670c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 36af94a2e062a..2794f75df8fcb 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1524,9 +1524,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644 (file)
index 0000000..f7c3bc0
--- /dev/null
@@ -0,0 +1,37 @@
+readdir-require-opt-in-for-d_type-flags.patch
+btrfs-zlib-fix-the-folio-leak-on-s390-hardware-accel.patch
+can-at91_can-fix-memory-leak-in-at91_can_probe.patch
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
+octeon_ep-fix-memory-leak-in-octep_device_setup.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+sfc-fix-deadlock-in-rss-config-read.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+net-mlx5-fix-return-type-mismatch-in-mlx5_esw_vport_.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
+net-spacemit-check-for-netif_carrier_ok-in-emac_stat.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+bonding-fix-use-after-free-due-to-enslave-fail-after.patch
+ixgbe-fix-memory-leaks-in-the-ixgbe_recovery_probe-p.patch
+ixgbe-don-t-initialize-aci-lock-in-ixgbe_recovery_pr.patch
+ice-fix-null-pointer-dereference-in-ice_vsi_set_napi.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
+net-mlx5e-don-t-assume-psp-tx-skbs-are-ipv6-csum-han.patch
+net-phy-micrel-fix-clk-warning-when-removing-the-dri.patch
+net-mlx5-fs-fix-inverted-cap-check-in-tx-flow-table-.patch
+net-mlx5-initialize-events-outside-devlink-lock.patch
+net-mlx5-fix-vhca_id-access-call-trace-use-before-al.patch
+net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
+wifi-mac80211-parse-all-ttlm-entries.patch
+wifi-mac80211-apply-advertised-ttlm-from-association.patch
+wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch
diff --git a/queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch b/queue-6.18/sfc-fix-deadlock-in-rss-config-read.patch
new file mode 100644 (file)
index 0000000..0768cc1
--- /dev/null
@@ -0,0 +1,46 @@
+From 0a97f9fa820a0f2db755bcef81db707a978d87b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 16:16:34 +0000
+Subject: sfc: fix deadlock in RSS config read
+
+From: Edward Cree <ecree.xilinx@gmail.com>
+
+[ Upstream commit 944c614b0a7afa5b87612c3fb557b95a50ad654c ]
+
+Since cited commit, core locks the net_device's rss_lock when handling
+ ethtool -x command, so driver's implementation should not lock it
+ again.  Remove the latter.
+
+Fixes: 040cef30b5e6 ("net: ethtool: move get_rxfh callback under the rss_lock")
+Reported-by: Damir Mansurov <damir.mansurov@oktetlabs.ru>
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126015
+Suggested-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
+Link: https://patch.msgid.link/20260123161634.1215006-1-edward.cree@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/mcdi_filters.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/mcdi_filters.c b/drivers/net/ethernet/sfc/mcdi_filters.c
+index 6ef96292909a2..3db589b90b68a 100644
+--- a/drivers/net/ethernet/sfc/mcdi_filters.c
++++ b/drivers/net/ethernet/sfc/mcdi_filters.c
+@@ -2182,12 +2182,7 @@ int efx_mcdi_rx_pull_rss_context_config(struct efx_nic *efx,
+ int efx_mcdi_rx_pull_rss_config(struct efx_nic *efx)
+ {
+-      int rc;
+-
+-      mutex_lock(&efx->net_dev->ethtool->rss_lock);
+-      rc = efx_mcdi_rx_pull_rss_context_config(efx, &efx->rss_context);
+-      mutex_unlock(&efx->net_dev->ethtool->rss_lock);
+-      return rc;
++      return efx_mcdi_rx_pull_rss_context_config(efx, &efx->rss_context);
+ }
+ void efx_mcdi_rx_restore_rss_contexts(struct efx_nic *efx)
+-- 
+2.51.0
+
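Review bot: After this change `efx_mcdi_rx_pull_rss_config()` no longer takes `rss_lock` itself, but nothing at the function says the caller must already hold it. I would add a comment above the definition, e.g. `/* Caller must hold efx->net_dev->ethtool->rss_lock (the ethtool core takes it around get_rxfh). */`, so a later in-driver caller does not reach `efx_mcdi_rx_pull_rss_context_config()` unlocked. The removal is only safe in trees that contain the cited commit 040cef30b5e6, so that should be confirmed for each stable tree this is queued for. Whether any non-ethtool caller exists is not visible in this hunk.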
diff --git a/queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch b/queue-6.18/wifi-mac80211-apply-advertised-ttlm-from-association.patch
new file mode 100644 (file)
index 0000000..51b4e55
--- /dev/null
@@ -0,0 +1,315 @@
+From 6d4e008d166b218e87d5c9adc9a207a61ae975c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 09:51:14 +0200
+Subject: wifi: mac80211: apply advertised TTLM from association response
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit aebc29dec67aa998a9ea6d34aacba7b5c6a74d33 ]
+
+When the AP has a disabled link that the station can include in the
+association, the fact that the link is dormant needs to be advertised
+in the TID to Link Mapping (TTLM). Section 35.3.7.2.3 ("Negotiation of
+TTLM") of Draft P802.11REVmf_D1.0 also states that the mapping needs to
+be included in the association response frame.
+
+As such, we can simply rely on the TTLM from the association response.
+Before this change mac80211 would not properly track that an advertised
+TTLM was effectively active, resulting in it not enabling the link once
+it became available again.
+
+For the link reconfiguration case, the data was not used at all. This
+behaviour is actually correct because Draft P802.11REVmf_D1.0 states in
+section 35.3.6.4 that we "shall operate with all the TIDs mapped to the
+newly added links ..."
+
+Fixes: 6d543b34dbcf ("wifi: mac80211: Support disabled links during association")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20260118093904.43c861424543.I067f702ac46b84ac3f8b4ea16fb0db9cbbfae7e2@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 1eab33aa63c9 ("wifi: mac80211: correctly decode TTLM with default link map")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h |   2 -
+ net/mac80211/mlme.c        | 216 ++++++++++++++++++++-----------------
+ 2 files changed, 119 insertions(+), 99 deletions(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 878c3b14aeb80..5c0c833fcf7a9 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -451,8 +451,6 @@ struct ieee80211_mgd_assoc_data {
+               struct ieee80211_conn_settings conn;
+               u16 status;
+-
+-              bool disabled;
+       } link[IEEE80211_MLD_MAX_NUM_LINKS];
+       u8 ap_addr[ETH_ALEN] __aligned(2);
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index d70163c0b9e32..21c73a65f73f9 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6161,6 +6161,98 @@ static bool ieee80211_get_dtim(const struct cfg80211_bss_ies *ies,
+       return true;
+ }
++static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data)
++{
++      if (bm_size == 1)
++              return *data;
++
++      return get_unaligned_le16(data);
++}
++
++static int
++ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
++                      const struct ieee80211_ttlm_elem *ttlm,
++                      struct ieee80211_adv_ttlm_info *ttlm_info)
++{
++      /* The element size was already validated in
++       * ieee80211_tid_to_link_map_size_ok()
++       */
++      u8 control, link_map_presence, map_size, tid;
++      u8 *pos;
++
++      memset(ttlm_info, 0, sizeof(*ttlm_info));
++      pos = (void *)ttlm->optional;
++      control = ttlm->control;
++
++      if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
++          IEEE80211_TTLM_DIRECTION_BOTH) {
++              sdata_info(sdata, "Invalid advertised T2L map direction\n");
++              return -EINVAL;
++      }
++
++      link_map_presence = *pos;
++      pos++;
++
++      if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
++              ttlm_info->switch_time = get_unaligned_le16(pos);
++
++              /* Since ttlm_info->switch_time == 0 means no switch time, bump
++               * it by 1.
++               */
++              if (!ttlm_info->switch_time)
++                      ttlm_info->switch_time = 1;
++
++              pos += 2;
++      }
++
++      if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
++              ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
++              pos += 3;
++      }
++
++      if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
++              ttlm_info->map = 0xffff;
++              return 0;
++      }
++
++      if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
++              map_size = 1;
++      else
++              map_size = 2;
++
++      /* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall
++       * not advertise a TID-to-link mapping that does not map all TIDs to the
++       * same link set, reject frame if not all links have mapping
++       */
++      if (link_map_presence != 0xff) {
++              sdata_info(sdata,
++                         "Invalid advertised T2L mapping presence indicator\n");
++              return -EINVAL;
++      }
++
++      ttlm_info->map = ieee80211_get_ttlm(map_size, pos);
++      if (!ttlm_info->map) {
++              sdata_info(sdata,
++                         "Invalid advertised T2L map for TID 0\n");
++              return -EINVAL;
++      }
++
++      pos += map_size;
++
++      for (tid = 1; tid < 8; tid++) {
++              u16 map = ieee80211_get_ttlm(map_size, pos);
++
++              if (map != ttlm_info->map) {
++                      sdata_info(sdata, "Invalid advertised T2L map for tid %d\n",
++                                 tid);
++                      return -EINVAL;
++              }
++
++              pos += map_size;
++      }
++      return 0;
++}
++
+ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+                                   struct ieee80211_mgmt *mgmt,
+                                   struct ieee802_11_elems *elems,
+@@ -6192,8 +6284,6 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+                               continue;
+                       valid_links |= BIT(link_id);
+-                      if (assoc_data->link[link_id].disabled)
+-                              dormant_links |= BIT(link_id);
+                       if (link_id != assoc_data->assoc_link_id) {
+                               err = ieee80211_sta_allocate_link(sta, link_id);
+@@ -6202,6 +6292,33 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+                       }
+               }
++              /*
++               * We do not support setting a negotiated TTLM during
++               * association. As such, we can assume that if there is a TTLM,
++               * then it is the currently active advertised TTLM.
++               * In that case, there must be exactly one TTLM that does not
++               * have a switch time set. This mapping should also leave us
++               * with at least one usable link.
++               */
++              if (elems->ttlm_num > 1) {
++                      sdata_info(sdata,
++                                 "More than one advertised TTLM in association response\n");
++                      goto out_err;
++              } else if (elems->ttlm_num == 1) {
++                      if (ieee80211_parse_adv_t2l(sdata, elems->ttlm[0],
++                                                  &sdata->u.mgd.ttlm_info) ||
++                          sdata->u.mgd.ttlm_info.switch_time != 0 ||
++                          !(valid_links & sdata->u.mgd.ttlm_info.map)) {
++                              sdata_info(sdata,
++                                         "Invalid advertised TTLM in association response\n");
++                              goto out_err;
++                      }
++
++                      sdata->u.mgd.ttlm_info.active = true;
++                      dormant_links =
++                              valid_links & ~sdata->u.mgd.ttlm_info.map;
++              }
++
+               ieee80211_vif_set_links(sdata, valid_links, dormant_links);
+       }
+@@ -6991,98 +7108,6 @@ static void ieee80211_tid_to_link_map_work(struct wiphy *wiphy,
+       sdata->u.mgd.ttlm_info.switch_time = 0;
+ }
+-static u16 ieee80211_get_ttlm(u8 bm_size, u8 *data)
+-{
+-      if (bm_size == 1)
+-              return *data;
+-      else
+-              return get_unaligned_le16(data);
+-}
+-
+-static int
+-ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+-                      const struct ieee80211_ttlm_elem *ttlm,
+-                      struct ieee80211_adv_ttlm_info *ttlm_info)
+-{
+-      /* The element size was already validated in
+-       * ieee80211_tid_to_link_map_size_ok()
+-       */
+-      u8 control, link_map_presence, map_size, tid;
+-      u8 *pos;
+-
+-      memset(ttlm_info, 0, sizeof(*ttlm_info));
+-      pos = (void *)ttlm->optional;
+-      control = ttlm->control;
+-
+-      if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
+-          IEEE80211_TTLM_DIRECTION_BOTH) {
+-              sdata_info(sdata, "Invalid advertised T2L map direction\n");
+-              return -EINVAL;
+-      }
+-
+-      link_map_presence = *pos;
+-      pos++;
+-
+-      if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
+-              ttlm_info->switch_time = get_unaligned_le16(pos);
+-
+-              /* Since ttlm_info->switch_time == 0 means no switch time, bump
+-               * it by 1.
+-               */
+-              if (!ttlm_info->switch_time)
+-                      ttlm_info->switch_time = 1;
+-
+-              pos += 2;
+-      }
+-
+-      if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
+-              ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
+-              pos += 3;
+-      }
+-
+-      if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
+-              ttlm_info->map = 0xffff;
+-              return 0;
+-      }
+-
+-      if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
+-              map_size = 1;
+-      else
+-              map_size = 2;
+-
+-      /* According to Draft P802.11be_D3.0 clause 35.3.7.1.7, an AP MLD shall
+-       * not advertise a TID-to-link mapping that does not map all TIDs to the
+-       * same link set, reject frame if not all links have mapping
+-       */
+-      if (link_map_presence != 0xff) {
+-              sdata_info(sdata,
+-                         "Invalid advertised T2L mapping presence indicator\n");
+-              return -EINVAL;
+-      }
+-
+-      ttlm_info->map = ieee80211_get_ttlm(map_size, pos);
+-      if (!ttlm_info->map) {
+-              sdata_info(sdata,
+-                         "Invalid advertised T2L map for TID 0\n");
+-              return -EINVAL;
+-      }
+-
+-      pos += map_size;
+-
+-      for (tid = 1; tid < 8; tid++) {
+-              u16 map = ieee80211_get_ttlm(map_size, pos);
+-
+-              if (map != ttlm_info->map) {
+-                      sdata_info(sdata, "Invalid advertised T2L map for tid %d\n",
+-                                 tid);
+-                      return -EINVAL;
+-              }
+-
+-              pos += map_size;
+-      }
+-      return 0;
+-}
+-
+ static void ieee80211_process_adv_ttlm(struct ieee80211_sub_if_data *sdata,
+                                         struct ieee802_11_elems *elems,
+                                         u64 beacon_ts)
+@@ -9729,7 +9754,6 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+                                                              req, true, i,
+                                                              &assoc_data->link[i].conn);
+                       assoc_data->link[i].bss = link_cbss;
+-                      assoc_data->link[i].disabled = req->links[i].disabled;
+                       if (!bss->uapsd_supported)
+                               uapsd_supported = false;
+@@ -10711,8 +10735,6 @@ int ieee80211_mgd_assoc_ml_reconf(struct ieee80211_sub_if_data *sdata,
+                                                        &data->link[link_id].conn);
+                       data->link[link_id].bss = link_cbss;
+-                      data->link[link_id].disabled =
+-                              req->add_links[link_id].disabled;
+                       data->link[link_id].elems =
+                               (u8 *)req->add_links[link_id].elems;
+                       data->link[link_id].elems_len =
+-- 
+2.51.0
+
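Review bot: In the new block in `ieee80211_assoc_success()`, `ieee80211_parse_adv_t2l()` writes straight into `sdata->u.mgd.ttlm_info`, so a response that is then rejected at `goto out_err` can still leave `switch_time`, `duration` and `map` from the AP's frame in the interface state. Parsing into a local and committing only after the three checks pass keeps rejected input out of `sdata`: declare `struct ieee80211_adv_ttlm_info ttlm_info;`, pass `&ttlm_info` to the parser, and assign `sdata->u.mgd.ttlm_info = ttlm_info;` just before setting `active`. The parser's `memset()` leaves `active` false, so this is probably harmless today. What `out_err` resets lies outside the hunk.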
diff --git a/queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch b/queue-6.18/wifi-mac80211-correctly-decode-ttlm-with-default-lin.patch
new file mode 100644 (file)
index 0000000..ea77bb6
--- /dev/null
@@ -0,0 +1,59 @@
+From 8335fc8987008789cefb2606df0a68bac56d5d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jan 2026 11:33:50 +0100
+Subject: wifi: mac80211: correctly decode TTLM with default link map
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 1eab33aa63c993685dd341e03bd5b267dd7403fa ]
+
+TID-To-Link Mapping (TTLM) elements do not contain any link mapping
+presence indicator if a default mapping is used and parsing needs to be
+skipped.
+
+Note that access points should not explicitly report an advertised TTLM
+with a default mapping as that is the implied mapping if the element is
+not included, this is even the case when switching back to the default
+mapping. However, mac80211 would incorrectly parse the frame and would
+also read one byte beyond the end of the element.
+
+Reported-by: Ruikai Peng <ruikai@pwno.io>
+Closes: https://lore.kernel.org/linux-wireless/CAFD3drMqc9YWvTCSHLyP89AOpBZsHdZ+pak6zVftYoZcUyF7gw@mail.gmail.com
+Fixes: 702e80470a33 ("wifi: mac80211: support handling of advertised TID-to-link mapping")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://patch.msgid.link/20260129113349.d6b96f12c732.I69212a50f0f70db185edd3abefb6f04d3cb3e5ff@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 21c73a65f73f9..dca47a533392a 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -8,7 +8,7 @@
+  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2025 Intel Corporation
++ * Copyright (C) 2018 - 2026 Intel Corporation
+  */
+ #include <linux/delay.h>
+@@ -6190,8 +6190,10 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+               return -EINVAL;
+       }
+-      link_map_presence = *pos;
+-      pos++;
++      if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) {
++              link_map_presence = *pos;
++              pos++;
++      }
+       if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
+               ttlm_info->switch_time = get_unaligned_le16(pos);
+-- 
+2.51.0
+
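Review bot: With the read now conditional, `link_map_presence` is left unassigned on the default-map path, and the function is only correct because a later `if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)` returns before `link_map_presence != 0xff` is evaluated. That coupling between two tests of the same flag is easy to break in a later reorder, and some compilers may flag it as maybe-uninitialized. Initialising at the declaration, `u8 control, link_map_presence = 0, map_size, tid;`, makes the dependency fail closed, since a value of 0 is rejected by the presence check. The declaration and the later check are outside this hunk; they appear in the parser body shown elsewhere on this page.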
diff --git a/queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch b/queue-6.18/wifi-mac80211-parse-all-ttlm-entries.patch
new file mode 100644 (file)
index 0000000..8fee8b0
--- /dev/null
@@ -0,0 +1,80 @@
+From 65dd3bc58486988ea765b59526244423da57db73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 09:51:13 +0200
+Subject: wifi: mac80211: parse all TTLM entries
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 3fa2886d11d4545dc0dcfd0759ffbd03f88b5410 ]
+
+For the follow up patch, we need to properly parse TTLM entries that do
+not have a switch time. Change the logic so that ieee80211_parse_adv_t2l
+returns usable values in all non-error cases. Before the values filled
+in were technically incorrect but enough for ieee80211_process_adv_ttlm.
+
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20260118093904.ccd324e2dd59.I69f0bee0a22e9b11bb95beef313e305dab17c051@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 1eab33aa63c9 ("wifi: mac80211: correctly decode TTLM with default link map")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index f3138d1585353..d70163c0b9e32 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -7014,10 +7014,6 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+       pos = (void *)ttlm->optional;
+       control = ttlm->control;
+-      if ((control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) ||
+-          !(control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT))
+-              return 0;
+-
+       if ((control & IEEE80211_TTLM_CONTROL_DIRECTION) !=
+           IEEE80211_TTLM_DIRECTION_BOTH) {
+               sdata_info(sdata, "Invalid advertised T2L map direction\n");
+@@ -7027,21 +7023,28 @@ ieee80211_parse_adv_t2l(struct ieee80211_sub_if_data *sdata,
+       link_map_presence = *pos;
+       pos++;
+-      ttlm_info->switch_time = get_unaligned_le16(pos);
++      if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) {
++              ttlm_info->switch_time = get_unaligned_le16(pos);
+-      /* Since ttlm_info->switch_time == 0 means no switch time, bump it
+-       * by 1.
+-       */
+-      if (!ttlm_info->switch_time)
+-              ttlm_info->switch_time = 1;
++              /* Since ttlm_info->switch_time == 0 means no switch time, bump
++               * it by 1.
++               */
++              if (!ttlm_info->switch_time)
++                      ttlm_info->switch_time = 1;
+-      pos += 2;
++              pos += 2;
++      }
+       if (control & IEEE80211_TTLM_CONTROL_EXPECTED_DUR_PRESENT) {
+               ttlm_info->duration = pos[0] | pos[1] << 8 | pos[2] << 16;
+               pos += 3;
+       }
++      if (control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP) {
++              ttlm_info->map = 0xffff;
++              return 0;
++      }
++
+       if (control & IEEE80211_TTLM_CONTROL_LINK_MAP_SIZE)
+               map_size = 1;
+       else
+-- 
+2.51.0
+
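Review bot: `ieee80211_parse_adv_t2l()` now returns 0 with a populated `map` for entries that carry no switch time, where it previously returned early with a zeroed `ttlm_info`, but the hunk adds no comment stating that contract. A short comment above the function would help callers, e.g. `/* On success ttlm_info->map is always valid (0xffff for the default mapping); switch_time == 0 means the element carried no switch time. */`. The caller `ieee80211_process_adv_ttlm()` is not part of this hunk, so it is worth confirming that it ignores entries whose `switch_time` is 0 rather than acting on them.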
diff --git a/queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch b/queue-6.6/bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
new file mode 100644 (file)
index 0000000..adce311
--- /dev/null
@@ -0,0 +1,73 @@
+From b6abc6134056dc4d5f78238a6d4da83c0c76a0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jan 2026 20:08:59 +0800
+Subject: Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
+
+From: Jia-Hong Su <s11242586@gmail.com>
+
+[ Upstream commit 0c3cd7a0b862c37acbee6d9502107146cc944398 ]
+
+hci_uart_set_proto() sets HCI_UART_PROTO_INIT before calling
+hci_uart_register_dev(), which calls proto->open() to initialize
+hu->priv. However, if a TTY write wakeup occurs during this window,
+hci_uart_tx_wakeup() may schedule write_work before hu->priv is
+initialized, leading to a NULL pointer dereference in
+hci_uart_write_work() when proto->dequeue() accesses hu->priv.
+
+The race condition is:
+
+  CPU0                              CPU1
+  ----                              ----
+  hci_uart_set_proto()
+    set_bit(HCI_UART_PROTO_INIT)
+    hci_uart_register_dev()
+                                    tty write wakeup
+                                      hci_uart_tty_wakeup()
+                                        hci_uart_tx_wakeup()
+                                          schedule_work(&hu->write_work)
+      proto->open(hu)
+        // initializes hu->priv
+                                    hci_uart_write_work()
+                                      hci_uart_dequeue()
+                                        proto->dequeue(hu)
+                                          // accesses hu->priv (NULL!)
+
+Fix this by moving set_bit(HCI_UART_PROTO_INIT) after proto->open()
+succeeds, ensuring hu->priv is initialized before any work can be
+scheduled.
+
+Fixes: 5df5dafc171b ("Bluetooth: hci_uart: Fix another race during initialization")
+Link: https://lore.kernel.org/linux-bluetooth/6969764f.170a0220.2b9fc4.35a7@mx.google.com/
+
+Signed-off-by: Jia-Hong Su <s11242586@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 70320b8f1aa1c..e38f3c4458c90 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -682,6 +682,8 @@ static int hci_uart_register_dev(struct hci_uart *hu)
+               return err;
+       }
++      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+       if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
+               return 0;
+@@ -709,8 +711,6 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+       hu->proto = p;
+-      set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+-
+       err = hci_uart_register_dev(hu);
+       if (err) {
+               return err;
+-- 
+2.51.0
+
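Review bot: The relocated `set_bit(HCI_UART_PROTO_INIT, &hu->flags)` in `hci_uart_register_dev()` has no comment saying why it must follow `proto->open()`, and that ordering is the whole fix. I would add `/* Set PROTO_INIT only after proto->open() has initialised hu->priv; write_work can be scheduled as soon as the bit is visible. */` above it, so a later cleanup does not move it back. The function continues past the hunk, so whether a later failure in `hci_uart_register_dev()` clears the bit again is not visible here. The `hci_uart_set_proto()` error path shown simply returns `err`.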
diff --git a/queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch b/queue-6.6/bonding-annotate-data-races-around-slave-last_rx.patch
new file mode 100644 (file)
index 0000000..7fb5cfc
--- /dev/null
@@ -0,0 +1,178 @@
+From 61360d9a379070cd9d2835e4f96c9bfb0d8798e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 16:29:14 +0000
+Subject: bonding: annotate data-races around slave->last_rx
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f6c3665b6dc53c3ab7d31b585446a953a74340ef ]
+
+slave->last_rx and slave->target_last_arp_rx[...] can be read and written
+locklessly. Add READ_ONCE() and WRITE_ONCE() annotations.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 1:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+...
+
+write to 0xffff888149f0d428 of 8 bytes by interrupt on cpu 0:
+  bond_rcv_validate+0x202/0x7a0 drivers/net/bonding/bond_main.c:3335
+  bond_handle_frame+0xde/0x5e0 drivers/net/bonding/bond_main.c:1533
+  __netif_receive_skb_core+0x5b1/0x1950 net/core/dev.c:6039
+  __netif_receive_skb_one_core net/core/dev.c:6150 [inline]
+  __netif_receive_skb+0x59/0x270 net/core/dev.c:6265
+  netif_receive_skb_internal net/core/dev.c:6351 [inline]
+  netif_receive_skb+0x4b/0x2d0 net/core/dev.c:6410
+  br_netif_receive_skb net/bridge/br_input.c:30 [inline]
+  NF_HOOK include/linux/netfilter.h:318 [inline]
+...
+
+value changed: 0x0000000100005365 -> 0x0000000100005366
+
+Fixes: f5b2b966f032 ("[PATCH] bonding: Validate probe replies in ARP monitor")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://patch.msgid.link/20260122162914.2299312-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c    | 18 ++++++++++--------
+ drivers/net/bonding/bond_options.c |  8 ++++----
+ include/net/bonding.h              | 13 +++++++------
+ 3 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 9385c3ac0c83c..4373e300879d9 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3137,8 +3137,8 @@ static void bond_validate_arp(struct bonding *bond, struct slave *slave, __be32
+                          __func__, &sip);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3357,8 +3357,8 @@ static void bond_validate_na(struct bonding *bond, struct slave *slave,
+                         __func__, saddr);
+               return;
+       }
+-      slave->last_rx = jiffies;
+-      slave->target_last_arp_rx[i] = jiffies;
++      WRITE_ONCE(slave->last_rx, jiffies);
++      WRITE_ONCE(slave->target_last_arp_rx[i], jiffies);
+ }
+ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+@@ -3428,7 +3428,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond,
+                   (slave_do_arp_validate_only(bond) && is_ipv6) ||
+ #endif
+                   !slave_do_arp_validate_only(bond))
+-                      slave->last_rx = jiffies;
++                      WRITE_ONCE(slave->last_rx, jiffies);
+               return RX_HANDLER_ANOTHER;
+       } else if (is_arp) {
+               return bond_arp_rcv(skb, bond, slave);
+@@ -3496,7 +3496,7 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, last_tx, 1) &&
+-                          bond_time_in_interval(bond, slave->last_rx, 1)) {
++                          bond_time_in_interval(bond, READ_ONCE(slave->last_rx), 1)) {
+                               bond_propose_link_state(slave, BOND_LINK_UP);
+                               slave_state_changed = 1;
+@@ -3520,8 +3520,10 @@ static void bond_loadbalance_arp_mon(struct bonding *bond)
+                        * when the source ip is 0, so don't take the link down
+                        * if we don't know our ip yet
+                        */
+-                      if (!bond_time_in_interval(bond, last_tx, bond->params.missed_max) ||
+-                          !bond_time_in_interval(bond, slave->last_rx, bond->params.missed_max)) {
++                      if (!bond_time_in_interval(bond, last_tx,
++                                                 bond->params.missed_max) ||
++                          !bond_time_in_interval(bond, READ_ONCE(slave->last_rx),
++                                                 bond->params.missed_max)) {
+                               bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               slave_state_changed = 1;
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index a2fa068193e3b..5a2a935945c4c 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1124,7 +1124,7 @@ static void _bond_options_arp_ip_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_ARP_TARGETS) {
+               bond_for_each_slave(bond, slave, iter)
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+               targets[slot] = target;
+       }
+ }
+@@ -1193,8 +1193,8 @@ static int bond_option_arp_ip_target_rem(struct bonding *bond, __be32 target)
+       bond_for_each_slave(bond, slave, iter) {
+               targets_rx = slave->target_last_arp_rx;
+               for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+-                      targets_rx[i] = targets_rx[i+1];
+-              targets_rx[i] = 0;
++                      WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]));
++              WRITE_ONCE(targets_rx[i], 0);
+       }
+       for (i = ind; (i < BOND_MAX_ARP_TARGETS-1) && targets[i+1]; i++)
+               targets[i] = targets[i+1];
+@@ -1349,7 +1349,7 @@ static void _bond_options_ns_ip6_target_set(struct bonding *bond, int slot,
+       if (slot >= 0 && slot < BOND_MAX_NS_TARGETS) {
+               bond_for_each_slave(bond, slave, iter) {
+-                      slave->target_last_arp_rx[slot] = last_rx;
++                      WRITE_ONCE(slave->target_last_arp_rx[slot], last_rx);
+                       slave_set_ns_maddr(bond, slave, target, &targets[slot]);
+               }
+               targets[slot] = *target;
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 95f67b308c19a..9fb40a5920209 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -519,13 +519,14 @@ static inline int bond_is_ip6_target_ok(struct in6_addr *addr)
+ static inline unsigned long slave_oldest_target_arp_rx(struct bonding *bond,
+                                                      struct slave *slave)
+ {
++      unsigned long tmp, ret = READ_ONCE(slave->target_last_arp_rx[0]);
+       int i = 1;
+-      unsigned long ret = slave->target_last_arp_rx[0];
+-
+-      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++)
+-              if (time_before(slave->target_last_arp_rx[i], ret))
+-                      ret = slave->target_last_arp_rx[i];
++      for (; (i < BOND_MAX_ARP_TARGETS) && bond->params.arp_targets[i]; i++) {
++              tmp = READ_ONCE(slave->target_last_arp_rx[i]);
++              if (time_before(tmp, ret))
++                      ret = tmp;
++      }
+       return ret;
+ }
+@@ -535,7 +536,7 @@ static inline unsigned long slave_last_rx(struct bonding *bond,
+       if (bond->params.arp_all_targets == BOND_ARP_TARGETS_ALL)
+               return slave_oldest_target_arp_rx(bond, slave);
+-      return slave->last_rx;
++      return READ_ONCE(slave->last_rx);
+ }
+ static inline void slave_update_last_tx(struct slave *slave)
+-- 
+2.51.0
+
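Review bot: In `bond_option_arp_ip_target_rem()` the per-element `WRITE_ONCE(targets_rx[i], READ_ONCE(targets_rx[i+1]))` makes each access tear-free, but the shift as a whole is still not atomic. `targets_rx[]` is compacted and its last slot zeroed before `targets[]` is shifted, while `slave_oldest_target_arp_rx()` bounds its loop on `bond->params.arp_targets[i]`. A lockless reader running in between could, it seems, pick up the zeroed slot as the oldest timestamp. If that transient is tolerated it deserves a comment next to the loop, e.g. `/* Lockless readers may briefly see a stale or zero slot while the arrays are shifted. */`. Whether readers can actually overlap depends on locking outside these hunks.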
diff --git a/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch b/queue-6.6/can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
new file mode 100644 (file)
index 0000000..1c371f8
--- /dev/null
@@ -0,0 +1,52 @@
+From e77c5939ab7a30a2db9bf31bd850649c6cee571a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 10:40:22 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 494fc029f662c331e06b7c2031deff3c64200eed ]
+
+Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback():
+unanchor URL on usb_submit_urb() error") a failing resubmit URB will print
+an info message.
+
+In the case of a short read where netdev has not yet been assigned,
+initialize as NULL to avoid dereferencing an undefined value. Also report
+the error value of the failed resubmit.
+
+Fixes: 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260119181904.1209979-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260120-gs_usb-fix-error-message-v1-1-6be04de572bc@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 63439affd59d5..7a3c6493a3536 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -607,7 +607,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ {
+       struct gs_usb *parent = urb->context;
+       struct gs_can *dev;
+-      struct net_device *netdev;
++      struct net_device *netdev = NULL;
+       int rc;
+       struct net_device_stats *stats;
+       struct gs_host_frame *hf = urb->transfer_buffer;
+@@ -765,7 +765,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+               }
+       } else if (rc != -ESHUTDOWN && net_ratelimit()) {
+               netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
+-                          ERR_PTR(urb->status));
++                          ERR_PTR(rc));
+       }
+ }
+-- 
+2.51.0
+
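Review bot: In the second hunk `netdev_info(netdev, ...)` can now run with `netdev == NULL` on the short-read path the description mentions, so the resubmit failure is logged without a device name. netdev_info() accepts a NULL device, so this is safe, but the declaration deserves a comment such as `/* stays NULL until the channel is resolved; netdev_info() tolerates NULL */`. If the USB device is reachable through `parent` at that point, logging against it would keep the message attributable on multi-adapter hosts; that cannot be confirmed from the hunk. The function body continues outside both hunks.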
diff --git a/queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch b/queue-6.6/ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
new file mode 100644 (file)
index 0000000..b4d3a6a
--- /dev/null
@@ -0,0 +1,62 @@
+From 27627eaa1d58bba4f9e106cca66acafb52e864ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 15:38:52 -0800
+Subject: ice: stop counting UDP csum mismatch as rx_errors
+
+From: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+
+[ Upstream commit 05faf2c0a76581d0a7fdbb8ec46477ba183df95b ]
+
+Since the beginning, the Intel ice driver has counted receive checksum
+offload mismatches into the rx_errors member of the rtnl_link_stats64
+struct. In ethtool -S these show up as rx_csum_bad.nic.
+
+I believe counting these in rx_errors is fundamentally wrong, as it's
+pretty clear from the comments in if_link.h and from every other statistic
+the driver is summing into rx_errors, that all of them would cause a
+"hardware drop" except for the UDP checksum mismatch, as well as the fact
+that all the other causes for rx_errors are L2 reasons, and this L4 UDP
+"mismatch" is an outlier.
+
+A last nail in the coffin is that rx_errors is monitored in production and
+can indicate a bad NIC/cable/Switch port, but instead some random series of
+UDP packets with bad checksums will now trigger this alert. This false
+positive makes the alert useless and affects us as well as other companies.
+
+This packet with presumably a bad UDP checksum is *already* passed to the
+stack, just not marked as offloaded by the hardware/driver. If it is
+dropped by the stack it will show up as UDP_MIB_CSUMERRORS.
+
+And one more thing, none of the other Intel drivers, and at least bnxt_en
+and mlx5 both don't appear to count UDP offload mismatches as rx_errors.
+
+Here is a related customer complaint:
+https://community.intel.com/t5/Ethernet-Products/ice-rx-errros-is-too-sensitive-to-IP-TCP-attack-packets-Intel/td-p/1662125
+
+Fixes: 4f1fe43c920b ("ice: Add more Rx errors to netdev's rx_error counter")
+Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
+Cc: Jake Keller <jacob.e.keller@intel.com>
+Cc: IWL <intel-wired-lan@lists.osuosl.org>
+Signed-off-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Acked-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index e846246261b94..72e394dc68f4e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -6711,7 +6711,6 @@ void ice_update_vsi_stats(struct ice_vsi *vsi)
+                                   pf->stats.illegal_bytes +
+                                   pf->stats.rx_len_errors +
+                                   pf->stats.rx_undersize +
+-                                  pf->hw_csum_rx_error +
+                                   pf->stats.rx_jabber +
+                                   pf->stats.rx_fragments +
+                                   pf->stats.rx_oversize;
+-- 
+2.51.0
+
diff --git a/queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch b/queue-6.6/ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
new file mode 100644 (file)
index 0000000..5801f7d
--- /dev/null
@@ -0,0 +1,52 @@
+From 3fae1e4e9630a57bf7812007ce8464afce1b04a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 20:44:08 +0100
+Subject: ipv6: use the right ifindex when replying to icmpv6 from localhost
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 03cbcdf93866e61beb0063392e6dbb701f03aea2 ]
+
+When replying to a ICMPv6 echo request that comes from localhost address
+the right output ifindex is 1 (lo) and not rt6i_idev dev index. Use the
+skb device ifindex instead. This fixes pinging to a local address from
+localhost source address.
+
+$ ping6 -I ::1 2001:1:1::2 -c 3
+PING 2001:1:1::2 (2001:1:1::2) from ::1 : 56 data bytes
+64 bytes from 2001:1:1::2: icmp_seq=1 ttl=64 time=0.037 ms
+64 bytes from 2001:1:1::2: icmp_seq=2 ttl=64 time=0.069 ms
+64 bytes from 2001:1:1::2: icmp_seq=3 ttl=64 time=0.122 ms
+
+2001:1:1::2 ping statistics
+3 packets transmitted, 3 received, 0% packet loss, time 2032ms
+rtt min/avg/max/mdev = 0.037/0.076/0.122/0.035 ms
+
+Fixes: 1b70d792cf67 ("ipv6: Use rt6i_idev index for echo replies to a local address")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20260121194409.6749-1-fmancera@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/icmp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
+index fd91fd139d76c..c7e815b7ca087 100644
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -768,7 +768,9 @@ static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
+       fl6.daddr = ipv6_hdr(skb)->saddr;
+       if (saddr)
+               fl6.saddr = *saddr;
+-      fl6.flowi6_oif = icmp6_iif(skb);
++      fl6.flowi6_oif = ipv6_addr_loopback(&fl6.daddr) ?
++                       skb->dev->ifindex :
++                       icmp6_iif(skb);
+       fl6.fl6_icmp_type = type;
+       fl6.flowi6_mark = mark;
+       fl6.flowi6_uid = sock_net_uid(net, NULL);
+-- 
+2.51.0
+
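Review bot: The new ternary on `fl6.flowi6_oif` carries no comment explaining why a loopback destination is special. `fl6.daddr` is the echo request's source address (`ipv6_hdr(skb)->saddr`, three lines up), so the branch is selected by a value read from the packet. A comment would make the intent reviewable, e.g. `/* reply to a ::1 source must leave via the receiving device (lo), not the rt6i_idev device */`. It is also worth confirming that a loopback source address can only reach this point from the loopback device, which the hunk does not show. icmpv6_echo_reply() starts and ends outside the hunk.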
diff --git a/queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch b/queue-6.6/net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
new file mode 100644 (file)
index 0000000..2b645b4
--- /dev/null
@@ -0,0 +1,48 @@
+From 8350c8c24a48f5559213878ea07514270d2215cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jan 2026 11:40:01 -0800
+Subject: net: bcmasp: fix early exit leak with fixed phy
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 6de4436bf369e1444606445e4cd5df5bcfc74b48 ]
+
+We are not deregistering the fixed phy link when hitting the early
+exit condition. Add the correct early exit sequence.
+
+Fixes: 490cb412007d ("net: bcmasp: Add support for ASP2.0 Ethernet controller")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20260122194001.1098859-1-justin.chen@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+index f0647286c68b2..3127f335e0b7b 100644
+--- a/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c
+@@ -1272,7 +1272,7 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+               netdev_err(intf->ndev, "invalid PHY mode: %s for port %d\n",
+                          phy_modes(intf->phy_interface), intf->port);
+               ret = -EINVAL;
+-              goto err_free_netdev;
++              goto err_deregister_fixed_link;
+       }
+       ret = of_get_ethdev_address(ndev_dn, ndev);
+@@ -1295,6 +1295,9 @@ struct bcmasp_intf *bcmasp_interface_create(struct bcmasp_priv *priv,
+       return intf;
++err_deregister_fixed_link:
++      if (of_phy_is_fixed_link(ndev_dn))
++              of_phy_deregister_fixed_link(ndev_dn);
+ err_free_netdev:
+       free_netdev(ndev);
+ err:
+-- 
+2.51.0
+
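Review bot: Only the invalid-PHY-mode exit is redirected to `err_deregister_fixed_link`. The code from the `of_get_ethdev_address()` call up to `return intf` is not visible, so any failure there that still does `goto err_free_netdev` would leave the fixed link registered in the same way. Every error exit taken after the fixed link has been registered should use the new label, and that is worth checking against the full function. bcmasp_interface_create() begins and ends outside both hunks.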
diff --git a/queue-6.6/net-bridge-fix-static-key-check.patch b/queue-6.6/net-bridge-fix-static-key-check.patch
new file mode 100644 (file)
index 0000000..bfb9f6a
--- /dev/null
@@ -0,0 +1,40 @@
+From 180de8c0830af5d2c88f24c8fefed34bd28fbdf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 11:19:23 +0100
+Subject: net: bridge: fix static key check
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit cc0cf10fdaeadf5542d64a55b5b4120d3df90b7d ]
+
+Fix the check if netfilter's static keys are available. netfilter defines
+and exports static keys if CONFIG_JUMP_LABEL is enabled. (HAVE_JUMP_LABEL
+is never defined.)
+
+Fixes: 971502d77faa ("bridge: netfilter: unroll NF_HOOK helper in bridge input path")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20260127101925.1754425-1-martin@kaiser.cx
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 2d5b81ebbaa6d..847fe03a08ee8 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -260,7 +260,7 @@ static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
+       int ret;
+       net = dev_net(skb->dev);
+-#ifdef HAVE_JUMP_LABEL
++#ifdef CONFIG_JUMP_LABEL
+       if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
+               goto frame_finish;
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch b/queue-6.6/net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
new file mode 100644 (file)
index 0000000..b96460e
--- /dev/null
@@ -0,0 +1,46 @@
+From b0f14d333655d8fdd327c501c42d4e24f1ab5120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 13:46:40 +0000
+Subject: net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 108948f723b13874b7ebf6b3f1cc598a7de38622 ]
+
+In esw_acl_ingress_lgcy_setup(), if esw_acl_table_create() fails,
+the function returns directly without releasing the previously
+created counter, leading to a memory leak.
+
+Fix this by jumping to the out label instead of returning directly,
+which aligns with the error handling logic of other paths in this
+function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 07bab9502641 ("net/mlx5: E-Switch, Refactor eswitch ingress acl codes")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20260120134640.2717808-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+index 093ed86a0acd8..db51c500ed359 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_lgcy.c
+@@ -188,7 +188,7 @@ int esw_acl_ingress_lgcy_setup(struct mlx5_eswitch *esw,
+               if (IS_ERR(vport->ingress.acl)) {
+                       err = PTR_ERR(vport->ingress.acl);
+                       vport->ingress.acl = NULL;
+-                      return err;
++                      goto out;
+               }
+               err = esw_acl_ingress_lgcy_groups_create(esw, vport);
+-- 
+2.51.0
+
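Review bot: The `out` label this branch now jumps to lies outside the hunk, and it is reached with `vport->ingress.acl` just set to NULL and no groups created yet. The commit message states the change was compile tested only, so the cleanup at `out` should be confirmed to tolerate a NULL ACL table, not only the later failure states it was written for. A short comment at the jump, e.g. `/* release the drop counter created above */`, would record why a plain `return err` is wrong here.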
diff --git a/queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch b/queue-6.6/net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
new file mode 100644 (file)
index 0000000..b434b26
--- /dev/null
@@ -0,0 +1,75 @@
+From 67601aa35dfe5ea3fd9ddd21be6e7ff8b565638a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:55 +0200
+Subject: net/mlx5e: Account for netdev stats in ndo_get_stats64
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 476681f10cc1e0e56e26856684e75d4678b072b2 ]
+
+The driver's ndo_get_stats64 callback is only reporting mlx5 counters,
+without accounting for the netdev stats, causing errors from the network
+stack to be invisible in statistics.
+
+Add netdev_stats_to_stats64() call to first populate the counters, then
+add mlx5 counters on top, ensuring both are accounted for (where
+appropriate).
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index c72c085be603c..71749497ec27a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3743,6 +3743,8 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_queue_update_stats(priv);
+       }
++      netdev_stats_to_stats64(stats, &dev->stats);
++
+       if (mlx5e_is_uplink_rep(priv)) {
+               struct mlx5e_vport_stats *vstats = &priv->stats.vport;
+@@ -3759,21 +3761,21 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+               mlx5e_fold_sw_stats64(priv, stats);
+       }
+-      stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
+-      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
++      stats->rx_missed_errors += priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped += PPORT_2863_GET(pstats, if_in_discards);
+-      stats->rx_length_errors =
++      stats->rx_length_errors +=
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+               PPORT_802_3_GET(pstats, a_out_of_range_length_field) +
+               PPORT_802_3_GET(pstats, a_frame_too_long_errors) +
+               VNIC_ENV_GET(&priv->stats.vnic, eth_wqe_too_small);
+-      stats->rx_crc_errors =
++      stats->rx_crc_errors +=
+               PPORT_802_3_GET(pstats, a_frame_check_sequence_errors);
+-      stats->rx_frame_errors = PPORT_802_3_GET(pstats, a_alignment_errors);
+-      stats->tx_aborted_errors = PPORT_2863_GET(pstats, if_out_discards);
+-      stats->rx_errors = stats->rx_length_errors + stats->rx_crc_errors +
+-                         stats->rx_frame_errors;
+-      stats->tx_errors = stats->tx_aborted_errors + stats->tx_carrier_errors;
++      stats->rx_frame_errors += PPORT_802_3_GET(pstats, a_alignment_errors);
++      stats->tx_aborted_errors += PPORT_2863_GET(pstats, if_out_discards);
++      stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors +
++                          stats->rx_frame_errors;
++      stats->tx_errors += stats->tx_aborted_errors + stats->tx_carrier_errors;
+ }
+ static void mlx5e_nic_set_rx_mode(struct mlx5e_priv *priv)
+-- 
+2.51.0
+
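Review bot: In the second hunk `stats->rx_errors += stats->rx_length_errors + stats->rx_crc_errors + stats->rx_frame_errors;` sums fields that now already contain the `dev->stats` baseline copied in by `netdev_stats_to_stats64()`. If `dev->stats.rx_errors` ever includes events also recorded in those per-cause counters, the baseline is counted twice. The same applies to `tx_errors`. Summing the hardware-only values into locals and adding those would avoid depending on how the stack fills `dev->stats`. Failing that, a comment such as `/* dev->stats.rx_errors is assumed disjoint from the per-cause counters */` should state the assumption. The uplink-representor branch between the two hunks is not shown, so confirm it adds to the pre-populated fields and does not assign over them.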
diff --git a/queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch b/queue-6.6/net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
new file mode 100644 (file)
index 0000000..8b2da60
--- /dev/null
@@ -0,0 +1,50 @@
+From e2b4036b7c05593ee1170f8cacd90db23efb0708 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:27:06 +0800
+Subject: net/mlx5e: Report rx_discards_phy via rx_dropped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yafang Shao <laoar.shao@gmail.com>
+
+[ Upstream commit c9cfced17365b1df8c6ae6cd5db56aebd7ed9b57 ]
+
+We noticed a high number of rx_discards_phy events on certain servers while
+running `ethtool -S`. However, this critical counter is not currently
+included in the standard /proc/net/dev statistics file, making it difficult
+to monitor effectively—especially given the diversity of vendors across a
+large fleet of servers.
+
+Let's report it via the standard rx_dropped metric.
+
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Gal Pressman <gal@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20241210022706.6665-1-laoar.shao@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 476681f10cc1 ("net/mlx5e: Account for netdev stats in ndo_get_stats64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 03201bcda1a68..c72c085be603c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3760,6 +3760,7 @@ mlx5e_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+       }
+       stats->rx_missed_errors = priv->stats.qcnt.rx_out_of_buffer;
++      stats->rx_dropped = PPORT_2863_GET(pstats, if_in_discards);
+       stats->rx_length_errors =
+               PPORT_802_3_GET(pstats, a_in_range_length_errors) +
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch b/queue-6.6/net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch
new file mode 100644 (file)
index 0000000..9a64cb4
--- /dev/null
@@ -0,0 +1,50 @@
+From 9c620158eb3f0f1bbef0b4d8f25d19cbe22d5bed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 10:52:41 +0200
+Subject: net/mlx5e: Skip ESN replay window setup for IPsec crypto offload
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 011be342dd24b5168a5dcf408b14c3babe503341 ]
+
+Commit a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay
+window size") introduced logic to setup the ESN replay window size.
+This logic is only valid for packet offload.
+
+However, the check to skip this block only covered outbound offloads.
+It was not skipped for crypto offload, causing it to fall through to
+the new switch statement and trigger its WARN_ON default case (for
+instance, if a window larger than 256 bits was configured).
+
+Fix this by amending the condition to also skip the replay window
+setup if the offload type is not XFRM_DEV_OFFLOAD_PACKET.
+
+Fixes: a5e400a985df ("net/mlx5e: Honor user choice of IPsec replay window size")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1769503961-124173-5-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index 5161bf51fa110..fdf664e9c46e9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -350,7 +350,8 @@ void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
+               attrs->replay_esn.esn = sa_entry->esn_state.esn;
+               attrs->replay_esn.esn_msb = sa_entry->esn_state.esn_msb;
+               attrs->replay_esn.overlap = sa_entry->esn_state.overlap;
+-              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT)
++              if (attrs->dir == XFRM_DEV_OFFLOAD_OUT ||
++                  x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
+                       goto skip_replay_window;
+               switch (x->replay_esn->replay_window) {
+-- 
+2.51.0
+
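Review bot: The widened condition before `goto skip_replay_window` has no comment, and it decides whether the anti-replay window is programmed for an SA. A one-line comment would document it, e.g. `/* replay window is programmed only for inbound packet offload */`. The `switch (x->replay_esn->replay_window)` that follows is still reached for packet offload, and per the description its default case is a WARN_ON. It is therefore worth confirming that unsupported window sizes are rejected at state validation, so a user-supplied value cannot reach that default; this is not visible in the hunk.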
diff --git a/queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch b/queue-6.6/net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
new file mode 100644 (file)
index 0000000..ec92ab3
--- /dev/null
@@ -0,0 +1,132 @@
+From 42a4122d0b825f801a850d5581528ae973152c04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jan 2026 09:14:54 +0200
+Subject: net/mlx5e: TC, delete flows only for existing peers
+
+From: Mark Bloch <mbloch@nvidia.com>
+
+[ Upstream commit f67666938ae626cbda63fbf5176b3583c07e7124 ]
+
+When deleting TC steering flows, iterate only over actual devcom
+peers instead of assuming all possible ports exist. This avoids
+touching non-existent peers and ensures cleanup is limited to
+devices the driver is currently connected to.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 133c8a067 P4D 0
+ Oops: Oops: 0002 [#1] SMP
+ CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]
+ Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49
+ RSP: 0018:ff11000143867528 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000
+ RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0
+ RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002
+ R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78
+ R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0
+ FS:  00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0
+ Call Trace:
+  <TASK>
+  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]
+  mlx5e_flow_put+0x25/0x50 [mlx5_core]
+  mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]
+  tc_setup_cb_reoffload+0x20/0x80
+  fl_reoffload+0x26f/0x2f0 [cls_flower]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]
+  tcf_block_playback_offloads+0x9e/0x1c0
+  tcf_block_unbind+0x7b/0xd0
+  tcf_block_setup+0x186/0x1d0
+  tcf_block_offload_cmd.isra.0+0xef/0x130
+  tcf_block_offload_unbind+0x43/0x70
+  __tcf_block_put+0x85/0x160
+  ingress_destroy+0x32/0x110 [sch_ingress]
+  __qdisc_destroy+0x44/0x100
+  qdisc_graft+0x22b/0x610
+  tc_get_qdisc+0x183/0x4d0
+  rtnetlink_rcv_msg+0x2d7/0x3d0
+  ? rtnl_calcit.isra.0+0x100/0x100
+  netlink_rcv_skb+0x53/0x100
+  netlink_unicast+0x249/0x320
+  ? __alloc_skb+0x102/0x1f0
+  netlink_sendmsg+0x1e3/0x420
+  __sock_sendmsg+0x38/0x60
+  ____sys_sendmsg+0x1ef/0x230
+  ? copy_msghdr_from_user+0x6c/0xa0
+  ___sys_sendmsg+0x7f/0xc0
+  ? ___sys_recvmsg+0x8a/0xc0
+  ? __sys_sendto+0x119/0x180
+  __sys_sendmsg+0x61/0xb0
+  do_syscall_64+0x55/0x640
+  entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ RIP: 0033:0x7f35238bb764
+ Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55
+ RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764
+ RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003
+ RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20
+ R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790
+ R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780
+
+Fixes: 9be6c21fdcf8 ("net/mlx5e: Handle offloads flows per peer")
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Shay Drori <shayd@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1769411695-18820-3-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c   | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 2be9c69daad5f..f1f4225057311 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2025,11 +2025,14 @@ static void mlx5e_tc_del_fdb_peer_flow(struct mlx5e_tc_flow *flow,
+ static void mlx5e_tc_del_fdb_peers_flow(struct mlx5e_tc_flow *flow)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(flow->priv->mdev))
+-                      continue;
++      devcom = flow->priv->mdev->priv.eswitch->devcom;
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               mlx5e_tc_del_fdb_peer_flow(flow, i);
+       }
+ }
+@@ -5404,12 +5407,16 @@ int mlx5e_tc_num_filters(struct mlx5e_priv *priv, unsigned long flags)
+ void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw)
+ {
++      struct mlx5_devcom_comp_dev *devcom;
++      struct mlx5_devcom_comp_dev *pos;
+       struct mlx5e_tc_flow *flow, *tmp;
++      struct mlx5_eswitch *peer_esw;
+       int i;
+-      for (i = 0; i < MLX5_MAX_PORTS; i++) {
+-              if (i == mlx5_get_dev_index(esw->dev))
+-                      continue;
++      devcom = esw->devcom;
++
++      mlx5_devcom_for_each_peer_entry(devcom, peer_esw, pos) {
++              i = mlx5_get_dev_index(peer_esw->dev);
+               list_for_each_entry_safe(flow, tmp, &esw->offloads.peer_flows[i], peer[i])
+                       mlx5e_tc_del_fdb_peers_flow(flow);
+       }
+-- 
+2.51.0
+
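Review bot: Neither new `mlx5_devcom_for_each_peer_entry()` loop, in `mlx5e_tc_del_fdb_peers_flow()` or in `mlx5e_tc_clean_fdb_peer_flows()`, shows the devcom peer list being protected while it is walked. If the iterator expects the caller to hold the component lock or to bracket the walk with the driver's begin/end helpers, both call paths need to satisfy that; the flow-deletion path in the quoted trace comes in from a netlink request. Separately, `i` now comes from `mlx5_get_dev_index(peer_esw->dev)` and is used directly in `esw->offloads.peer_flows[i]` and `peer[i]`, where the old loop bounded it by `MLX5_MAX_PORTS`. A check such as `if (i >= MLX5_MAX_PORTS) continue;` would preserve that bound; this assumes `mlx5_get_dev_index()` returns a non-negative index, which the hunk does not show.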
diff --git a/queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch b/queue-6.6/net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
new file mode 100644 (file)
index 0000000..498027a
--- /dev/null
@@ -0,0 +1,48 @@
+From bf9057d6cd66d215dff830f38507268cfa12276a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 06:57:16 +0000
+Subject: net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 09f979d1f312627b31d2ee1e46f9692e442610cd ]
+
+In mvpp2_ethtool_cls_rule_ins(), the ethtool_rule is allocated by
+ethtool_rx_flow_rule_create(). If the subsequent conversion to flow
+type fails, the function jumps to the clean_rule label.
+
+However, the clean_rule label only frees efs, skipping the cleanup
+of ethtool_rule, which leads to a memory leak.
+
+Fix this by jumping to the clean_eth_rule label, which properly calls
+ethtool_rx_flow_rule_destroy() before freeing efs.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: f4f1ba18195d ("net: mvpp2: cls: Report an error for unsupported flow types")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260123065716.2248324-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+index d2757cc116139..038382a0b8e9f 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1389,7 +1389,7 @@ int mvpp2_ethtool_cls_rule_ins(struct mvpp2_port *port,
+       efs->rule.flow_type = mvpp2_cls_ethtool_flow_to_type(info->fs.flow_type);
+       if (efs->rule.flow_type < 0) {
+               ret = efs->rule.flow_type;
+-              goto clean_rule;
++              goto clean_eth_rule;
+       }
+       ret = mvpp2_cls_rfs_parse_rule(&efs->rule);
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch b/queue-6.6/net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
new file mode 100644 (file)
index 0000000..15bea49
--- /dev/null
@@ -0,0 +1,83 @@
+From 508a22a8a532028c214e871cac650dc33632ddfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jan 2026 01:04:01 +0800
+Subject: net: wwan: t7xx: fix potential skb->frags overflow in RX path
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6 ]
+
+When receiving data in the DPMAIF RX path,
+the t7xx_dpmaif_set_frag_to_skb() function adds
+page fragments to an skb without checking if the number of
+fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
+in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
+potentially causing kernel crashes or other undefined behavior.
+
+This issue was identified through static code analysis by comparing with a
+similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
+fix array overflow on receiving too many fragments for a packet").
+
+The vulnerability could be triggered if the modem firmware sends packets
+with excessive fragments. While under normal protocol conditions (MTU 3080
+bytes, BAT buffer 3584 bytes),
+a single packet should not require additional
+fragments, the kernel should not blindly trust firmware behavior.
+Malicious, buggy, or compromised firmware could potentially craft packets
+with more fragments than the kernel expects.
+
+Fix this by adding a bounds check before calling skb_add_rx_frag() to
+ensure nr_frags does not exceed MAX_SKB_FRAGS.
+
+The check must be performed before unmapping to avoid a page leak
+and double DMA unmap during device teardown.
+
+Fixes: d642b012df70a ("net: wwan: t7xx: Add data path interface")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Link: https://patch.msgid.link/20260122170401.1986-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+index 7c4a11f60f911..52b036fe6cfea 100644
+--- a/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
++++ b/drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c
+@@ -394,6 +394,7 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+                                      struct sk_buff *skb)
+ {
+       unsigned long long data_bus_addr, data_base_addr;
++      struct skb_shared_info *shinfo = skb_shinfo(skb);
+       struct device *dev = rxq->dpmaif_ctrl->dev;
+       struct dpmaif_bat_page *page_info;
+       unsigned int data_len;
+@@ -401,18 +402,22 @@ static int t7xx_dpmaif_set_frag_to_skb(const struct dpmaif_rx_queue *rxq,
+       page_info = rxq->bat_frag->bat_skb;
+       page_info += t7xx_normal_pit_bid(pkt_info);
+-      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
+       if (!page_info->page)
+               return -EINVAL;
++      if (shinfo->nr_frags >= MAX_SKB_FRAGS)
++              return -EINVAL;
++
++      dma_unmap_page(dev, page_info->data_bus_addr, page_info->data_len, DMA_FROM_DEVICE);
++
+       data_bus_addr = le32_to_cpu(pkt_info->pd.data_addr_h);
+       data_bus_addr = (data_bus_addr << 32) + le32_to_cpu(pkt_info->pd.data_addr_l);
+       data_base_addr = page_info->data_bus_addr;
+       data_offset = data_bus_addr - data_base_addr;
+       data_offset += page_info->offset;
+       data_len = FIELD_GET(PD_PIT_DATA_LEN, le32_to_cpu(pkt_info->header));
+-      skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page_info->page,
++      skb_add_rx_frag(skb, shinfo->nr_frags, page_info->page,
+                       data_offset, data_len, page_info->data_len);
+       page_info->page = NULL;
+-- 
+2.51.0
+
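Review bot: The address and length read from pkt_info (`pd.data_addr_h`/`pd.data_addr_l` and `PD_PIT_DATA_LEN`) still reach skb_add_rx_frag() without being compared against the mapped buffer, so the firmware-trust argument in the commit message is applied only to the fragment count. Assuming `page_info->data_len` is the mapped size (its use in dma_unmap_page() suggests so), a range test next to the new nr_frags check would reject out-of-range descriptors: `if (data_len > page_info->data_len || data_bus_addr < data_base_addr || data_bus_addr - data_base_addr > page_info->data_len - data_len) return -EINVAL;`. For the same leak reason given in the commit message, it has to sit before dma_unmap_page(), which means computing the three values above that call. The index from t7xx_normal_pit_bid() is likewise used unchecked to step `page_info`. Whether the caller validates it is outside the hunk, as is the rest of the function body.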
diff --git a/queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch b/queue-6.6/nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
new file mode 100644 (file)
index 0000000..67dc90d
--- /dev/null
@@ -0,0 +1,167 @@
+From c3747cdc707c2f41670a9e43f46d498077aa839d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jan 2026 00:59:28 +0000
+Subject: nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 165c34fb6068ff153e3fc99a932a80a9d5755709 ]
+
+syzbot reported various memory leaks related to NFC, struct
+nfc_llcp_sock, sk_buff, nfc_dev, etc. [0]
+
+The leading log hinted that nfc_llcp_send_ui_frame() failed
+to allocate skb due to sock_error(sk) being -ENXIO.
+
+ENXIO is set by nfc_llcp_socket_release() when struct
+nfc_llcp_local is destroyed by local_cleanup().
+
+The problem is that there is no synchronisation between
+nfc_llcp_send_ui_frame() and local_cleanup(), and skb
+could be put into local->tx_queue after it was purged in
+local_cleanup():
+
+  CPU1                          CPU2
+  ----                          ----
+  nfc_llcp_send_ui_frame()      local_cleanup()
+  |- do {                       '
+     |- pdu = nfc_alloc_send_skb(..., &err)
+     |                          .
+     |                          |- nfc_llcp_socket_release(local, false, ENXIO);
+     |                          |- skb_queue_purge(&local->tx_queue);      |
+     |                          '                                          |
+     |- skb_queue_tail(&local->tx_queue, pdu);                             |
+    ...                                                                    |
+     |- pdu = nfc_alloc_send_skb(..., &err)                                |
+                                       ^._________________________________.'
+
+local_cleanup() is called for struct nfc_llcp_local only
+after nfc_llcp_remove_local() unlinks it from llcp_devices.
+
+If we hold local->tx_queue.lock then, we can synchronise
+the thread and nfc_llcp_send_ui_frame().
+
+Let's do that and check list_empty(&local->list) before
+queuing skb to local->tx_queue in nfc_llcp_send_ui_frame().
+
+[0]:
+[   56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)
+[   64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+BUG: memory leak
+unreferenced object 0xffff8881272f6800 (size 1024):
+  comm "syz.0.17", pid 6096, jiffies 4294942766
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00  '..@............
+  backtrace (crc da58d84d):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    __do_kmalloc_node mm/slub.c:5645 [inline]
+    __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
+    kmalloc_noprof include/linux/slab.h:961 [inline]
+    sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
+    sk_alloc+0x36/0x360 net/core/sock.c:2295
+    nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
+    llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
+    nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
+    __sock_create+0x1a9/0x340 net/socket.c:1605
+    sock_create net/socket.c:1663 [inline]
+    __sys_socket_create net/socket.c:1700 [inline]
+    __sys_socket+0xb9/0x1a0 net/socket.c:1747
+    __do_sys_socket net/socket.c:1761 [inline]
+    __se_sys_socket net/socket.c:1759 [inline]
+    __x64_sys_socket+0x1b/0x30 net/socket.c:1759
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+BUG: memory leak
+unreferenced object 0xffff88810fbd9800 (size 240):
+  comm "syz.0.17", pid 6096, jiffies 4294942850
+  hex dump (first 32 bytes):
+    68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff  h.......h.......
+    00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff  .........h/'....
+  backtrace (crc 6cc652b1):
+    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+    slab_post_alloc_hook mm/slub.c:4979 [inline]
+    slab_alloc_node mm/slub.c:5284 [inline]
+    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336
+    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
+    alloc_skb include/linux/skbuff.h:1383 [inline]
+    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
+    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
+    sock_alloc_send_skb include/net/sock.h:1859 [inline]
+    nfc_alloc_send_skb+0x45/0x80 net/nfc/core.c:724
+    nfc_llcp_send_ui_frame+0x162/0x360 net/nfc/llcp_commands.c:766
+    llcp_sock_sendmsg+0x14c/0x1d0 net/nfc/llcp_sock.c:814
+    sock_sendmsg_nosec net/socket.c:727 [inline]
+    __sock_sendmsg net/socket.c:742 [inline]
+    __sys_sendto+0x2d8/0x2f0 net/socket.c:2244
+    __do_sys_sendto net/socket.c:2251 [inline]
+    __se_sys_sendto net/socket.c:2247 [inline]
+    __x64_sys_sendto+0x28/0x30 net/socket.c:2247
+    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
+    entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 94f418a20664 ("NFC: UI frame sending routine implementation")
+Reported-by: syzbot+f2d245f1d76bbfa50e4c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/697569c7.a00a0220.33ccc7.0014.GAE@google.com/T/#u
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260125010214.1572439-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_commands.c | 17 ++++++++++++++++-
+ net/nfc/llcp_core.c     |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
+index e2680a3bef799..b652323bc2c12 100644
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -778,8 +778,23 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
+               if (likely(frag_len > 0))
+                       skb_put_data(pdu, msg_ptr, frag_len);
++              spin_lock(&local->tx_queue.lock);
++
++              if (list_empty(&local->list)) {
++                      spin_unlock(&local->tx_queue.lock);
++
++                      kfree_skb(pdu);
++
++                      len -= remaining_len;
++                      if (len == 0)
++                              len = -ENXIO;
++                      break;
++              }
++
+               /* No need to check for the peer RW for UI frames */
+-              skb_queue_tail(&local->tx_queue, pdu);
++              __skb_queue_tail(&local->tx_queue, pdu);
++
++              spin_unlock(&local->tx_queue.lock);
+               remaining_len -= frag_len;
+               msg_ptr += frag_len;
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 18be13fb9b75a..ced99d2a90cc1 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -314,7 +314,9 @@ static struct nfc_llcp_local *nfc_llcp_remove_local(struct nfc_dev *dev)
+       spin_lock(&llcp_devices_lock);
+       list_for_each_entry_safe(local, tmp, &llcp_devices, list)
+               if (local->dev == dev) {
+-                      list_del(&local->list);
++                      spin_lock(&local->tx_queue.lock);
++                      list_del_init(&local->list);
++                      spin_unlock(&local->tx_queue.lock);
+                       spin_unlock(&llcp_devices_lock);
+                       return local;
+               }
+-- 
+2.51.0
+
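Review bot: The `list_empty(&local->list)` test in nfc_llcp_send_ui_frame() works as a "local was removed" flag only because nfc_llcp_remove_local() now uses list_del_init() under the same tx_queue.lock, and nothing in either file records that coupling. A comment above the check would stop a later cleanup from turning list_del_init() back into list_del(): `/* local->list is emptied under tx_queue.lock by nfc_llcp_remove_local(); empty means tx_queue may already be purged */`. Separately, skb_queue_tail() takes the queue lock with interrupts saved, while the new code uses plain spin_lock(). That is safe only if no user of tx_queue.lock runs in interrupt context, which cannot be confirmed from these hunks. Both functions continue outside the hunks.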
diff --git a/queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch b/queue-6.6/nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
new file mode 100644 (file)
index 0000000..7bd966d
--- /dev/null
@@ -0,0 +1,197 @@
+From 1b52d0e89619be2c61cfe27251b243c7c849de15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jan 2026 04:03:59 +0000
+Subject: nfc: nci: Fix race between rfkill and nci_unregister_device().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit d2492688bb9fed6ab6e313682c387ae71a66ebae ]
+
+syzbot reported the splat below [0] without a repro.
+
+It indicates that struct nci_dev.cmd_wq had been destroyed before
+nci_close_device() was called via rfkill.
+
+nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
+(I think) was called from virtual_ncidev_close() when syzbot close()d
+an fd of virtual_ncidev.
+
+The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
+first and then calls nfc_unregister_device(), which removes the
+device from rfkill by rfkill_unregister().
+
+So, the device is still visible via rfkill even after nci_dev.cmd_wq
+is destroyed.
+
+Let's unregister the device from rfkill first in nci_unregister_device().
+
+Note that we cannot call nfc_unregister_device() before
+nci_close_device() because
+
+  1) nfc_unregister_device() calls device_del() which frees
+     all memory allocated by devm_kzalloc() and linked to
+     ndev->conn_info_list
+
+  2) nci_rx_work() could try to queue nci_conn_info to
+     ndev->conn_info_list which could be leaked
+
+Thus, nfc_unregister_device() is split into two functions so we
+can remove rfkill interfaces only before nci_close_device().
+
+[0]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
+WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
+Modules linked in:
+CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
+RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
+RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
+RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
+Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
+RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
+RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
+RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
+RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
+R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
+R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
+FS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
+ touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
+ __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
+ nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
+ nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
+ nfc_dev_down+0x152/0x290 net/nfc/core.c:161
+ nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
+ rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
+ rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
+ vfs_write+0x29a/0xb90 fs/read_write.c:684
+ ksys_write+0x150/0x270 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa59b39acb9
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
+RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
+RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
+ </TASK>
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nfc/nfc.h |  2 ++
+ net/nfc/core.c        | 27 ++++++++++++++++++++++++---
+ net/nfc/nci/core.c    |  4 +++-
+ 3 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/nfc/nfc.h b/include/net/nfc/nfc.h
+index 5dee575fbe86a..b82f4f2a27fb8 100644
+--- a/include/net/nfc/nfc.h
++++ b/include/net/nfc/nfc.h
+@@ -215,6 +215,8 @@ static inline void nfc_free_device(struct nfc_dev *dev)
+ int nfc_register_device(struct nfc_dev *dev);
++void nfc_unregister_rfkill(struct nfc_dev *dev);
++void nfc_remove_device(struct nfc_dev *dev);
+ void nfc_unregister_device(struct nfc_dev *dev);
+ /**
+diff --git a/net/nfc/core.c b/net/nfc/core.c
+index 5352571b62148..a02ede8b067bd 100644
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -1147,14 +1147,14 @@ int nfc_register_device(struct nfc_dev *dev)
+ EXPORT_SYMBOL(nfc_register_device);
+ /**
+- * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem
+  *
+  * @dev: The nfc device to unregister
+  */
+-void nfc_unregister_device(struct nfc_dev *dev)
++void nfc_unregister_rfkill(struct nfc_dev *dev)
+ {
+-      int rc;
+       struct rfkill *rfk = NULL;
++      int rc;
+       pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+@@ -1175,7 +1175,16 @@ void nfc_unregister_device(struct nfc_dev *dev)
+               rfkill_unregister(rfk);
+               rfkill_destroy(rfk);
+       }
++}
++EXPORT_SYMBOL(nfc_unregister_rfkill);
++/**
++ * nfc_remove_device - remove a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to remove
++ */
++void nfc_remove_device(struct nfc_dev *dev)
++{
+       if (dev->ops->check_presence) {
+               del_timer_sync(&dev->check_pres_timer);
+               cancel_work_sync(&dev->check_pres_work);
+@@ -1188,6 +1197,18 @@ void nfc_unregister_device(struct nfc_dev *dev)
+       device_del(&dev->dev);
+       mutex_unlock(&nfc_devlist_mutex);
+ }
++EXPORT_SYMBOL(nfc_remove_device);
++
++/**
++ * nfc_unregister_device - unregister a nfc device in the nfc subsystem
++ *
++ * @dev: The nfc device to unregister
++ */
++void nfc_unregister_device(struct nfc_dev *dev)
++{
++      nfc_unregister_rfkill(dev);
++      nfc_remove_device(dev);
++}
+ EXPORT_SYMBOL(nfc_unregister_device);
+ static int __init nfc_init(void)
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index c4d2932c59032..b7d4952a7dcf8 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1292,6 +1292,8 @@ void nci_unregister_device(struct nci_dev *ndev)
+ {
+       struct nci_conn_info *conn_info, *n;
++      nfc_unregister_rfkill(ndev->nfc_dev);
++
+       /* This set_bit is not protected with specialized barrier,
+        * However, it is fine because the mutex_lock(&ndev->req_lock);
+        * in nci_close_device() will help to emit one.
+@@ -1309,7 +1311,7 @@ void nci_unregister_device(struct nci_dev *ndev)
+               /* conn_info is allocated with devm_kzalloc */
+       }
+-      nfc_unregister_device(ndev->nfc_dev);
++      nfc_remove_device(ndev->nfc_dev);
+ }
+ EXPORT_SYMBOL(nci_unregister_device);
+-- 
+2.51.0
+
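Review bot: The kerneldoc for the two new exports in net/nfc/core.c does not state the ordering contract between them. nfc_remove_device() called on its own would leave the rfkill interface registered while the device is torn down, which is the window this patch closes in nci_unregister_device(). I would add to the nfc_remove_device() comment ` * Callers must have called nfc_unregister_rfkill() first; nfc_unregister_device() does both.` and a matching line on nfc_unregister_rfkill(). `int rc;` is kept in nfc_unregister_rfkill(), which suggests the function does more than rfkill teardown in lines outside the hunk; if so, its one-line summary should say that as well.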
diff --git a/queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch b/queue-6.6/octeon_ep-fix-memory-leak-in-octep_device_setup.patch
new file mode 100644 (file)
index 0000000..fac619f
--- /dev/null
@@ -0,0 +1,46 @@
+From 38af85d07be02342216e39e4d6e962f5b19b7109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jan 2026 13:05:51 +0000
+Subject: octeon_ep: Fix memory leak in octep_device_setup()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 8016dc5ee19a77678c264f8ba368b1e873fa705b ]
+
+In octep_device_setup(), if octep_ctrl_net_init() fails, the function
+returns directly without unmapping the mapped resources and freeing the
+allocated configuration memory.
+
+Fix this by jumping to the unsupported_dev label, which performs the
+necessary cleanup. This aligns with the error handling logic of other
+paths in this function.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: 577f0d1b1c5f ("octeon_ep: add separate mailbox command and response queues")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20260121130551.3717090-1-zilin@seu.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index 7a30095b3486f..c385084546639 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -998,7 +998,7 @@ int octep_device_setup(struct octep_device *oct)
+       ret = octep_ctrl_net_init(oct);
+       if (ret)
+-              return ret;
++              goto unsupported_dev;
+       atomic_set(&oct->hb_miss_cnt, 0);
+       INIT_DELAYED_WORK(&oct->hb_task, octep_hb_timeout_task);
+-- 
+2.51.0
+
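Review bot: The new `goto unsupported_dev;` reuses a label whose name describes a different failure, and the label's body is outside the hunk. If that path returns a fixed error code rather than `ret`, the value from octep_ctrl_net_init() is dropped, so it is worth confirming what the label returns, given the commit is marked compile tested only. A short comment at the jump would explain the reuse: `/* shared cleanup: unmap resources, free config memory */`.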
diff --git a/queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch b/queue-6.6/rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
new file mode 100644 (file)
index 0000000..699e6b8
--- /dev/null
@@ -0,0 +1,56 @@
+From 689e661addd6c9857bd3d0b117cd70dd8cd3d9cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Jan 2026 05:10:31 +0800
+Subject: rocker: fix memory leak in rocker_world_port_post_fini()
+
+From: Kery Qi <qikeyu2017@gmail.com>
+
+[ Upstream commit 8d7ba71e46216b8657a82ca2ec118bc93812a4d0 ]
+
+In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with
+kzalloc(wops->port_priv_size, GFP_KERNEL). However, in
+rocker_world_port_post_fini(), the memory is only freed when
+wops->port_post_fini callback is set:
+
+    if (!wops->port_post_fini)
+        return;
+    wops->port_post_fini(rocker_port);
+    kfree(rocker_port->wpriv);
+
+Since rocker_ofdpa_ops does not implement port_post_fini callback
+(it is NULL), the wpriv memory allocated for each port is never freed
+when ports are removed. This leads to a memory leak of
+sizeof(struct ofdpa_port) bytes per port on every device removal.
+
+Fix this by always calling kfree(rocker_port->wpriv) regardless of
+whether the port_post_fini callback exists.
+
+Fixes: e420114eef4a ("rocker: introduce worlds infrastructure")
+Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260123211030.2109-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 2e2826c901fcc..b741d335b1dc4 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -1525,9 +1525,8 @@ static void rocker_world_port_post_fini(struct rocker_port *rocker_port)
+ {
+       struct rocker_world_ops *wops = rocker_port->rocker->wops;
+-      if (!wops->port_post_fini)
+-              return;
+-      wops->port_post_fini(rocker_port);
++      if (wops->port_post_fini)
++              wops->port_post_fini(rocker_port);
+       kfree(rocker_port->wpriv);
+ }
+-- 
+2.51.0
+
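Review bot: After the now-unconditional `kfree(rocker_port->wpriv);` the freed pointer is left dangling in rocker_port. Whether rocker_world_port_post_fini() can run twice for a port, or wpriv is read afterwards, is not visible in this hunk. Clearing it is cheap and turns a repeat call into a no-op: `rocker_port->wpriv = NULL;` directly after the kfree().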
diff --git a/queue-6.6/series b/queue-6.6/series
new file mode 100644 (file)
index 0000000..b2f6f6e
--- /dev/null
@@ -0,0 +1,18 @@
+bluetooth-hci_uart-fix-null-ptr-deref-in-hci_uart_wr.patch
+net-mlx5-fix-memory-leak-in-esw_acl_ingress_lgcy_set.patch
+can-gs_usb-gs_usb_receive_bulk_callback-fix-error-me.patch
+net-bcmasp-fix-early-exit-leak-with-fixed-phy.patch
+octeon_ep-fix-memory-leak-in-octep_device_setup.patch
+bonding-annotate-data-races-around-slave-last_rx.patch
+net-mvpp2-cls-fix-memory-leak-in-mvpp2_ethtool_cls_r.patch
+ipv6-use-the-right-ifindex-when-replying-to-icmpv6-f.patch
+net-wwan-t7xx-fix-potential-skb-frags-overflow-in-rx.patch
+rocker-fix-memory-leak-in-rocker_world_port_post_fin.patch
+nfc-llcp-fix-memleak-in-nfc_llcp_send_ui_frame.patch
+ice-stop-counting-udp-csum-mismatch-as-rx_errors.patch
+net-mlx5e-tc-delete-flows-only-for-existing-peers.patch
+net-mlx5e-report-rx_discards_phy-via-rx_dropped.patch
+net-mlx5e-account-for-netdev-stats-in-ndo_get_stats6.patch
+nfc-nci-fix-race-between-rfkill-and-nci_unregister_d.patch
+net-bridge-fix-static-key-check.patch
+net-mlx5e-skip-esn-replay-window-setup-for-ipsec-cry.patch