--- /dev/null
+From a548586d536fd1078d09c08c9d55df779c3c2663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 10:18:02 +0200
+Subject: can: dev: can_restart(): move debug message and stats after
+ successful restart
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit f0e0c809c0be05fe865b9ac128ef3ee35c276021 ]
+
+Move the debug message "restarted" and the CAN restart stats_after_
+the successful restart of the CAN device, because the restart may
+fail.
+
+While there update the error message from printing the error number to
+printing symbolic error names.
+
+Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-4-91b5c1fd922c@pengutronix.de
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+[mkl: mention stats in subject and description, too]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Stable-dep-of: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
+index 42c486d1fd10b..78e3ea180d767 100644
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -147,15 +147,15 @@ static void can_restart(struct net_device *dev)
+ netif_rx(skb);
+ }
+
+- netdev_dbg(dev, "restarted\n");
+- priv->can_stats.restarts++;
+-
+ /* Now restart the device */
+ netif_carrier_on(dev);
+ err = priv->do_set_mode(dev, CAN_MODE_START);
+ if (err) {
+- netdev_err(dev, "Error %d during restart", err);
++ netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
+ netif_carrier_off(dev);
++ } else {
++ netdev_dbg(dev, "Restarted\n");
++ priv->can_stats.restarts++;
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 911c1d65ef527313f0ae8d42bef618e1c5cd8aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 09:47:38 +0200
+Subject: can: dev: can_restart(): reverse logic to remove need for goto
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 8f3ec204d340af183fb2bb21b8e797ac2ed012b2 ]
+
+Reverse the logic in the if statement and eliminate the need for a
+goto to simplify code readability.
+
+Link: https://lore.kernel.org/all/20231005-can-dev-fix-can-restart-v2-3-91b5c1fd922c@pengutronix.de
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Stable-dep-of: c1f3f9797c1f ("can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/dev.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
+index 43125ce96f1aa..42c486d1fd10b 100644
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -142,14 +142,11 @@ static void can_restart(struct net_device *dev)
+
+ /* send restart message upstream */
+ skb = alloc_can_err_skb(dev, &cf);
+- if (!skb)
+- goto restart;
+-
+- cf->can_id |= CAN_ERR_RESTARTED;
+-
+- netif_rx(skb);
++ if (skb) {
++ cf->can_id |= CAN_ERR_RESTARTED;
++ netif_rx(skb);
++ }
+
+-restart:
+ netdev_dbg(dev, "restarted\n");
+ priv->can_stats.restarts++;
+
+--
+2.39.5
+
--- /dev/null
+From 964d77e0851758f50f9691b2f315b6c1d41b1858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 22:35:46 +0200
+Subject: can: netlink: can_changelink(): fix NULL pointer deref of struct
+ can_priv::do_set_mode
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit c1f3f9797c1f44a762e6f5f72520b2e520537b52 ]
+
+Andrei Lalaev reported a NULL pointer deref when a CAN device is
+restarted from Bus Off and the driver does not implement the struct
+can_priv::do_set_mode callback.
+
+There are 2 code path that call struct can_priv::do_set_mode:
+- directly by a manual restart from the user space, via
+ can_changelink()
+- delayed automatic restart after bus off (deactivated by default)
+
+To prevent the NULL pointer deference, refuse a manual restart or
+configure the automatic restart delay in can_changelink() and report
+the error via extack to user space.
+
+As an additional safety measure let can_restart() return an error if
+can_priv::do_set_mode is not set instead of dereferencing it
+unchecked.
+
+Reported-by: Andrei Lalaev <andrey.lalaev@gmail.com>
+Closes: https://lore.kernel.org/all/20250714175520.307467-1-andrey.lalaev@gmail.com
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://patch.msgid.link/20250718-fix-nullptr-deref-do_set_mode-v1-1-0b520097bb96@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/dev.c | 12 +++++++++---
+ drivers/net/can/dev/netlink.c | 12 ++++++++++++
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
+index 78e3ea180d767..89f80d74f27e3 100644
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -125,13 +125,16 @@ void can_change_state(struct net_device *dev, struct can_frame *cf,
+ EXPORT_SYMBOL_GPL(can_change_state);
+
+ /* CAN device restart for bus-off recovery */
+-static void can_restart(struct net_device *dev)
++static int can_restart(struct net_device *dev)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+ struct sk_buff *skb;
+ struct can_frame *cf;
+ int err;
+
++ if (!priv->do_set_mode)
++ return -EOPNOTSUPP;
++
+ if (netif_carrier_ok(dev))
+ netdev_err(dev, "Attempt to restart for bus-off recovery, but carrier is OK?\n");
+
+@@ -153,10 +156,14 @@ static void can_restart(struct net_device *dev)
+ if (err) {
+ netdev_err(dev, "Restart failed, error %pe\n", ERR_PTR(err));
+ netif_carrier_off(dev);
++
++ return err;
+ } else {
+ netdev_dbg(dev, "Restarted\n");
+ priv->can_stats.restarts++;
+ }
++
++ return 0;
+ }
+
+ static void can_restart_work(struct work_struct *work)
+@@ -181,9 +188,8 @@ int can_restart_now(struct net_device *dev)
+ return -EBUSY;
+
+ cancel_delayed_work_sync(&priv->restart_work);
+- can_restart(dev);
+
+- return 0;
++ return can_restart(dev);
+ }
+
+ /* CAN bus-off
+diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c
+index 053d375eae4f5..7425db9d34dd9 100644
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -252,6 +252,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
+ }
+
+ if (data[IFLA_CAN_RESTART_MS]) {
++ if (!priv->do_set_mode) {
++ NL_SET_ERR_MSG(extack,
++ "Device doesn't support restart from Bus Off");
++ return -EOPNOTSUPP;
++ }
++
+ /* Do not allow changing restart delay while running */
+ if (dev->flags & IFF_UP)
+ return -EBUSY;
+@@ -259,6 +265,12 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
+ }
+
+ if (data[IFLA_CAN_RESTART]) {
++ if (!priv->do_set_mode) {
++ NL_SET_ERR_MSG(extack,
++ "Device doesn't support restart from Bus Off");
++ return -EOPNOTSUPP;
++ }
++
+ /* Do not allow a restart while not running */
+ if (!(dev->flags & IFF_UP))
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 2d7440c06cd08123413a5ded0a736353083e99bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 13:06:32 -0700
+Subject: drm/bridge: ti-sn65dsi86: Remove extra semicolon in
+ ti_sn_bridge_probe()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 15a7ca747d9538c2ad8b0c81dd4c1261e0736c82 ]
+
+As reported by the kernel test robot, a recent patch introduced an
+unnecessary semicolon. Remove it.
+
+Fixes: 55e8ff842051 ("drm/bridge: ti-sn65dsi86: Add HPD for DisplayPort connector type")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506301704.0SBj6ply-lkp@intel.com/
+Reviewed-by: Devarsh Thakkar <devarsht@ti.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250714130631.1.I1cfae3222e344a3b3c770d079ee6b6f7f3b5d636@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+index 26a064624d976..6595f954135ad 100644
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -1333,7 +1333,7 @@ static int ti_sn_bridge_probe(struct auxiliary_device *adev,
+ regmap_update_bits(pdata->regmap, SN_HPD_DISABLE_REG,
+ HPD_DISABLE, 0);
+ mutex_unlock(&pdata->comms_mutex);
+- };
++ }
+
+ drm_bridge_add(&pdata->bridge);
+
+--
+2.39.5
+
--- /dev/null
+From 63debb9cd59ac668b0809a39b0a3e2b60b96c9c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:27:57 +0800
+Subject: i40e: Add rx_missed_errors for buffer exhaustion
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 5337d294973331660e84e41836a54014de22e5b0 ]
+
+As the comment in struct rtnl_link_stats64, rx_dropped should not
+include packets dropped by the device due to buffer exhaustion.
+They are counted in rx_missed_errors, procfs folds those two counters
+together.
+
+Add rx_missed_errors for buffer exhaustion, rx_missed_errors corresponds
+to rx_discards, rx_dropped corresponds to rx_discards_other.
+
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 50b2af451597 ("i40e: report VF tx_dropped with tx_errors instead of tx_discards")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++-
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 18 +++++++-----------
+ .../net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 3 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 107bcca7db8c9..9b5044cfea872 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -245,6 +245,7 @@ static const struct i40e_stats i40e_gstrings_net_stats[] = {
+ I40E_NETDEV_STAT(rx_errors),
+ I40E_NETDEV_STAT(tx_errors),
+ I40E_NETDEV_STAT(rx_dropped),
++ I40E_NETDEV_STAT(rx_missed_errors),
+ I40E_NETDEV_STAT(tx_dropped),
+ I40E_NETDEV_STAT(collisions),
+ I40E_NETDEV_STAT(rx_length_errors),
+@@ -321,7 +322,7 @@ static const struct i40e_stats i40e_gstrings_stats[] = {
+ I40E_PF_STAT("port.rx_broadcast", stats.eth.rx_broadcast),
+ I40E_PF_STAT("port.tx_broadcast", stats.eth.tx_broadcast),
+ I40E_PF_STAT("port.tx_errors", stats.eth.tx_errors),
+- I40E_PF_STAT("port.rx_dropped", stats.eth.rx_discards),
++ I40E_PF_STAT("port.rx_discards", stats.eth.rx_discards),
+ I40E_PF_STAT("port.tx_dropped_link_down", stats.tx_dropped_link_down),
+ I40E_PF_STAT("port.rx_crc_errors", stats.crc_errors),
+ I40E_PF_STAT("port.illegal_bytes", stats.illegal_bytes),
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 3b165d8f03dc2..37d83b4bca7fd 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -495,6 +495,7 @@ static void i40e_get_netdev_stats_struct(struct net_device *netdev,
+ stats->tx_dropped = vsi_stats->tx_dropped;
+ stats->rx_errors = vsi_stats->rx_errors;
+ stats->rx_dropped = vsi_stats->rx_dropped;
++ stats->rx_missed_errors = vsi_stats->rx_missed_errors;
+ stats->rx_crc_errors = vsi_stats->rx_crc_errors;
+ stats->rx_length_errors = vsi_stats->rx_length_errors;
+ }
+@@ -686,17 +687,13 @@ i40e_stats_update_rx_discards(struct i40e_vsi *vsi, struct i40e_hw *hw,
+ struct i40e_eth_stats *stat_offset,
+ struct i40e_eth_stats *stat)
+ {
+- u64 rx_rdpc, rx_rxerr;
+-
+ i40e_stat_update32(hw, I40E_GLV_RDPC(stat_idx), offset_loaded,
+- &stat_offset->rx_discards, &rx_rdpc);
++ &stat_offset->rx_discards, &stat->rx_discards);
+ i40e_stat_update64(hw,
+ I40E_GL_RXERR1H(i40e_compute_pci_to_hw_id(vsi, hw)),
+ I40E_GL_RXERR1L(i40e_compute_pci_to_hw_id(vsi, hw)),
+ offset_loaded, &stat_offset->rx_discards_other,
+- &rx_rxerr);
+-
+- stat->rx_discards = rx_rdpc + rx_rxerr;
++ &stat->rx_discards_other);
+ }
+
+ /**
+@@ -718,9 +715,6 @@ void i40e_update_eth_stats(struct i40e_vsi *vsi)
+ i40e_stat_update32(hw, I40E_GLV_TEPC(stat_idx),
+ vsi->stat_offsets_loaded,
+ &oes->tx_errors, &es->tx_errors);
+- i40e_stat_update32(hw, I40E_GLV_RDPC(stat_idx),
+- vsi->stat_offsets_loaded,
+- &oes->rx_discards, &es->rx_discards);
+ i40e_stat_update32(hw, I40E_GLV_RUPP(stat_idx),
+ vsi->stat_offsets_loaded,
+ &oes->rx_unknown_protocol, &es->rx_unknown_protocol);
+@@ -977,8 +971,10 @@ static void i40e_update_vsi_stats(struct i40e_vsi *vsi)
+ ns->tx_errors = es->tx_errors;
+ ons->multicast = oes->rx_multicast;
+ ns->multicast = es->rx_multicast;
+- ons->rx_dropped = oes->rx_discards;
+- ns->rx_dropped = es->rx_discards;
++ ons->rx_dropped = oes->rx_discards_other;
++ ns->rx_dropped = es->rx_discards_other;
++ ons->rx_missed_errors = oes->rx_discards;
++ ns->rx_missed_errors = es->rx_discards;
+ ons->tx_dropped = oes->tx_discards;
+ ns->tx_dropped = es->tx_discards;
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index ff4f1c4f3829b..64bcffe75fbda 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -4934,7 +4934,7 @@ int i40e_get_vf_stats(struct net_device *netdev, int vf_id,
+ vf_stats->tx_bytes = stats->tx_bytes;
+ vf_stats->broadcast = stats->rx_broadcast;
+ vf_stats->multicast = stats->rx_multicast;
+- vf_stats->rx_dropped = stats->rx_discards;
++ vf_stats->rx_dropped = stats->rx_discards + stats->rx_discards_other;
+ vf_stats->tx_dropped = stats->tx_discards;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 5bf60b845870ff0baf57a51b51a04c5e25e331e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:52:40 -0400
+Subject: i40e: report VF tx_dropped with tx_errors instead of tx_discards
+
+From: Dennis Chen <dechen@redhat.com>
+
+[ Upstream commit 50b2af451597ca6eefe9d4543f8bbf8de8aa00e7 ]
+
+Currently the tx_dropped field in VF stats is not updated correctly
+when reading stats from the PF. This is because it reads from
+i40e_eth_stats.tx_discards which seems to be unused for per VSI stats,
+as it is not updated by i40e_update_eth_stats() and the corresponding
+register, GLV_TDPC, is not implemented[1].
+
+Use i40e_eth_stats.tx_errors instead, which is actually updated by
+i40e_update_eth_stats() by reading from GLV_TEPC.
+
+To test, create a VF and try to send bad packets through it:
+
+$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+$ cat test.py
+from scapy.all import *
+
+vlan_pkt = Ether(dst="ff:ff:ff:ff:ff:ff") / Dot1Q(vlan=999) / IP(dst="192.168.0.1") / ICMP()
+ttl_pkt = IP(dst="8.8.8.8", ttl=0) / ICMP()
+
+print("Send packet with bad VLAN tag")
+sendp(vlan_pkt, iface="enp2s0f0v0")
+print("Send packet with TTL=0")
+sendp(ttl_pkt, iface="enp2s0f0v0")
+$ ip -s link show dev enp2s0f0
+16: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
+ link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 0 0 0 0 0 0
+ TX: bytes packets errors dropped carrier collsns
+ 0 0 0 0 0 0
+ vf 0 link/ether e2:c6:fd:c1:1e:92 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+ RX: bytes packets mcast bcast dropped
+ 0 0 0 0 0
+ TX: bytes packets dropped
+ 0 0 0
+$ python test.py
+Send packet with bad VLAN tag
+.
+Sent 1 packets.
+Send packet with TTL=0
+.
+Sent 1 packets.
+$ ip -s link show dev enp2s0f0
+16: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
+ link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 0 0 0 0 0 0
+ TX: bytes packets errors dropped carrier collsns
+ 0 0 0 0 0 0
+ vf 0 link/ether e2:c6:fd:c1:1e:92 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+ RX: bytes packets mcast bcast dropped
+ 0 0 0 0 0
+ TX: bytes packets dropped
+ 0 0 0
+
+A packet with non-existent VLAN tag and a packet with TTL = 0 are sent,
+but tx_dropped is not incremented.
+
+After patch:
+
+$ ip -s link show dev enp2s0f0
+19: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
+ link/ether 3c:ec:ef:b7:e0:ac brd ff:ff:ff:ff:ff:ff
+ RX: bytes packets errors dropped missed mcast
+ 0 0 0 0 0 0
+ TX: bytes packets errors dropped carrier collsns
+ 0 0 0 0 0 0
+ vf 0 link/ether 4a:b7:3d:37:f7:56 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
+ RX: bytes packets mcast bcast dropped
+ 0 0 0 0 0
+ TX: bytes packets dropped
+ 0 0 2
+
+Fixes: dc645daef9af5bcbd9c ("i40e: implement VF stats NDO")
+Signed-off-by: Dennis Chen <dechen@redhat.com>
+Link: https://www.intel.com/content/www/us/en/content-details/596333/intel-ethernet-controller-x710-tm4-at2-carlsville-datasheet.html
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 64bcffe75fbda..7f8899a0ae80d 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -4935,7 +4935,7 @@ int i40e_get_vf_stats(struct net_device *netdev, int vf_id,
+ vf_stats->broadcast = stats->rx_broadcast;
+ vf_stats->multicast = stats->rx_multicast;
+ vf_stats->rx_dropped = stats->rx_discards + stats->rx_discards_other;
+- vf_stats->tx_dropped = stats->tx_discards;
++ vf_stats->tx_dropped = stats->tx_errors;
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9c985550da34f733d6c17c02c66440ed66f01b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 09:29:18 +1000
+Subject: i40e: When removing VF MAC filters, only check PF-set MAC
+
+From: Jamie Bainbridge <jamie.bainbridge@gmail.com>
+
+[ Upstream commit 5a0df02999dbe838c3feed54b1d59e9445f68b89 ]
+
+When the PF is processing an Admin Queue message to delete a VF's MACs
+from the MAC filter, we currently check if the PF set the MAC and if
+the VF is trusted.
+
+This results in undesirable behaviour, where if a trusted VF with a
+PF-set MAC sets itself down (which sends an AQ message to delete the
+VF's MAC filters) then the VF MAC is erased from the interface.
+
+This results in the VF losing its PF-set MAC which should not happen.
+
+There is no need to check for trust at all, because an untrusted VF
+cannot change its own MAC. The only check needed is whether the PF set
+the MAC. If the PF set the MAC, then don't erase the MAC on link-down.
+
+Resolve this by changing the deletion check only for PF-set MAC.
+
+(the out-of-tree driver has also intentionally removed the check for VF
+trust here with OOT driver version 2.26.8, this changes the Linux kernel
+driver behaviour and comment to match the OOT driver behaviour)
+
+Fixes: ea2a1cfc3b201 ("i40e: Fix VF MAC filter removal")
+Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 7f8899a0ae80d..7cfcb16c30911 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -3076,10 +3076,10 @@ static int i40e_vc_del_mac_addr_msg(struct i40e_vf *vf, u8 *msg)
+ const u8 *addr = al->list[i].addr;
+
+ /* Allow to delete VF primary MAC only if it was not set
+- * administratively by PF or if VF is trusted.
++ * administratively by PF.
+ */
+ if (ether_addr_equal(addr, vf->default_lan_addr.addr)) {
+- if (i40e_can_vf_change_mac(vf))
++ if (!vf->pf_set_mac)
+ was_unimac_deleted = true;
+ else
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 01143eafcfa9021e6c5705e7c859b9d64cf539f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 01:28:43 +0000
+Subject: net: appletalk: Fix use-after-free in AARP proxy probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kito Xu (veritas501) <hxzene@gmail.com>
+
+[ Upstream commit 6c4a92d07b0850342d3becf2e608f805e972467c ]
+
+The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe,
+releases the aarp_lock, sleeps, then re-acquires the lock. During that
+window an expire timer thread (__aarp_expire_timer) can remove and
+kfree() the same entry, leading to a use-after-free.
+
+race condition:
+
+ cpu 0 | cpu 1
+ atalk_sendmsg() | atif_proxy_probe_device()
+ aarp_send_ddp() | aarp_proxy_probe_network()
+ mod_timer() | lock(aarp_lock) // LOCK!!
+ timeout around 200ms | alloc(aarp_entry)
+ and then call | proxies[hash] = aarp_entry
+ aarp_expire_timeout() | aarp_send_probe()
+ | unlock(aarp_lock) // UNLOCK!!
+ lock(aarp_lock) // LOCK!! | msleep(100);
+ __aarp_expire_timer(&proxies[ct]) |
+ free(aarp_entry) |
+ unlock(aarp_lock) // UNLOCK!! |
+ | lock(aarp_lock) // LOCK!!
+ | UAF aarp_entry !!
+
+==================================================================
+BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+Read of size 4 at addr ffff8880123aa360 by task repro/13278
+
+CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc1/0x630 mm/kasan/report.c:521
+ kasan_report+0xca/0x100 mm/kasan/report.c:634
+ aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+ sock_do_ioctl+0xdc/0x260 net/socket.c:1190
+ sock_ioctl+0x239/0x6a0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+Allocated:
+ aarp_alloc net/appletalk/aarp.c:382 [inline]
+ aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468
+ atif_proxy_probe_device net/appletalk/ddp.c:332 [inline]
+ atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857
+ atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818
+
+Freed:
+ kfree+0x148/0x4d0 mm/slub.c:4841
+ __aarp_expire net/appletalk/aarp.c:90 [inline]
+ __aarp_expire_timer net/appletalk/aarp.c:261 [inline]
+ aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317
+
+The buggy address belongs to the object at ffff8880123aa300
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 96 bytes inside of
+ freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0)
+
+Memory state around the buggy address:
+ ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kito Xu (veritas501) <hxzene@gmail.com>
+Link: https://patch.msgid.link/20250717012843.880423-1-hxzene@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/aarp.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/net/appletalk/aarp.c b/net/appletalk/aarp.c
+index c7236daa24152..0d7c14a496681 100644
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -35,6 +35,7 @@
+ #include <linux/seq_file.h>
+ #include <linux/export.h>
+ #include <linux/etherdevice.h>
++#include <linux/refcount.h>
+
+ int sysctl_aarp_expiry_time = AARP_EXPIRY_TIME;
+ int sysctl_aarp_tick_time = AARP_TICK_TIME;
+@@ -44,6 +45,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ /* Lists of aarp entries */
+ /**
+ * struct aarp_entry - AARP entry
++ * @refcnt: Reference count
+ * @last_sent: Last time we xmitted the aarp request
+ * @packet_queue: Queue of frames wait for resolution
+ * @status: Used for proxy AARP
+@@ -55,6 +57,7 @@ int sysctl_aarp_resolve_time = AARP_RESOLVE_TIME;
+ * @next: Next entry in chain
+ */
+ struct aarp_entry {
++ refcount_t refcnt;
+ /* These first two are only used for unresolved entries */
+ unsigned long last_sent;
+ struct sk_buff_head packet_queue;
+@@ -79,6 +82,17 @@ static DEFINE_RWLOCK(aarp_lock);
+ /* Used to walk the list and purge/kick entries. */
+ static struct timer_list aarp_timer;
+
++static inline void aarp_entry_get(struct aarp_entry *a)
++{
++ refcount_inc(&a->refcnt);
++}
++
++static inline void aarp_entry_put(struct aarp_entry *a)
++{
++ if (refcount_dec_and_test(&a->refcnt))
++ kfree(a);
++}
++
+ /*
+ * Delete an aarp queue
+ *
+@@ -87,7 +101,7 @@ static struct timer_list aarp_timer;
+ static void __aarp_expire(struct aarp_entry *a)
+ {
+ skb_queue_purge(&a->packet_queue);
+- kfree(a);
++ aarp_entry_put(a);
+ }
+
+ /*
+@@ -380,9 +394,11 @@ static void aarp_purge(void)
+ static struct aarp_entry *aarp_alloc(void)
+ {
+ struct aarp_entry *a = kmalloc(sizeof(*a), GFP_ATOMIC);
++ if (!a)
++ return NULL;
+
+- if (a)
+- skb_queue_head_init(&a->packet_queue);
++ refcount_set(&a->refcnt, 1);
++ skb_queue_head_init(&a->packet_queue);
+ return a;
+ }
+
+@@ -508,6 +524,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+ entry->dev = atif->dev;
+
+ write_lock_bh(&aarp_lock);
++ aarp_entry_get(entry);
+
+ hash = sa->s_node % (AARP_HASH_SIZE - 1);
+ entry->next = proxies[hash];
+@@ -533,6 +550,7 @@ int aarp_proxy_probe_network(struct atalk_iface *atif, struct atalk_addr *sa)
+ retval = 1;
+ }
+
++ aarp_entry_put(entry);
+ write_unlock_bh(&aarp_lock);
+ out:
+ return retval;
+--
+2.39.5
+
--- /dev/null
+From 410259bbaaf777e61826c23b8c3c942759c1ed30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:54:21 +0800
+Subject: net: hns3: disable interrupt when ptp init failed
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit cde304655f25d94a996c45b0f9956e7dcc2bc4c0 ]
+
+When ptp init failed, we'd better disable the interrupt and clear the
+flag, to avoid early report interrupt at next probe.
+
+Fixes: 0bf5eb788512 ("net: hns3: add support for PTP")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250722125423.1270673-3-shaojijie@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+index b7cf9fbf97183..6d7aeac600128 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+@@ -509,14 +509,14 @@ int hclge_ptp_init(struct hclge_dev *hdev)
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to init freq, ret = %d\n", ret);
+- goto out;
++ goto out_clear_int;
+ }
+
+ ret = hclge_ptp_set_ts_mode(hdev, &hdev->ptp->ts_cfg);
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to init ts mode, ret = %d\n", ret);
+- goto out;
++ goto out_clear_int;
+ }
+
+ ktime_get_real_ts64(&ts);
+@@ -524,7 +524,7 @@ int hclge_ptp_init(struct hclge_dev *hdev)
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to init ts time, ret = %d\n", ret);
+- goto out;
++ goto out_clear_int;
+ }
+
+ set_bit(HCLGE_STATE_PTP_EN, &hdev->state);
+@@ -532,6 +532,9 @@ int hclge_ptp_init(struct hclge_dev *hdev)
+
+ return 0;
+
++out_clear_int:
++ clear_bit(HCLGE_PTP_FLAG_EN, &hdev->ptp->flags);
++ hclge_ptp_int_en(hdev, false);
+ out:
+ hclge_ptp_destroy_clock(hdev);
+
+--
+2.39.5
+
--- /dev/null
+From a93e4496b756a8707aedb75928641b5d288e4d92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:54:20 +0800
+Subject: net: hns3: fix concurrent setting vlan filter issue
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 4555f8f8b6aa46940f55feb6a07704c2935b6d6e ]
+
+The vport->req_vlan_fltr_en may be changed concurrently by function
+hclge_sync_vlan_fltr_state() called in periodic work task and
+function hclge_enable_vport_vlan_filter() called by user configuration.
+It may cause the user configuration inoperative. Fixes it by protect
+the vport->req_vlan_fltr by vport_lock.
+
+Fixes: 2ba306627f59 ("net: hns3: add support for modify VLAN filter state")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250722125423.1270673-2-shaojijie@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hisilicon/hns3/hns3pf/hclge_main.c | 36 +++++++++++--------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index ed1b49a360165..c509c1e12109f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9599,33 +9599,36 @@ static bool hclge_need_enable_vport_vlan_filter(struct hclge_vport *vport)
+ return false;
+ }
+
+-int hclge_enable_vport_vlan_filter(struct hclge_vport *vport, bool request_en)
++static int __hclge_enable_vport_vlan_filter(struct hclge_vport *vport,
++ bool request_en)
+ {
+- struct hclge_dev *hdev = vport->back;
+ bool need_en;
+ int ret;
+
+- mutex_lock(&hdev->vport_lock);
+-
+- vport->req_vlan_fltr_en = request_en;
+-
+ need_en = hclge_need_enable_vport_vlan_filter(vport);
+- if (need_en == vport->cur_vlan_fltr_en) {
+- mutex_unlock(&hdev->vport_lock);
++ if (need_en == vport->cur_vlan_fltr_en)
+ return 0;
+- }
+
+ ret = hclge_set_vport_vlan_filter(vport, need_en);
+- if (ret) {
+- mutex_unlock(&hdev->vport_lock);
++ if (ret)
+ return ret;
+- }
+
+ vport->cur_vlan_fltr_en = need_en;
+
++ return 0;
++}
++
++int hclge_enable_vport_vlan_filter(struct hclge_vport *vport, bool request_en)
++{
++ struct hclge_dev *hdev = vport->back;
++ int ret;
++
++ mutex_lock(&hdev->vport_lock);
++ vport->req_vlan_fltr_en = request_en;
++ ret = __hclge_enable_vport_vlan_filter(vport, request_en);
+ mutex_unlock(&hdev->vport_lock);
+
+- return 0;
++ return ret;
+ }
+
+ static int hclge_enable_vlan_filter(struct hnae3_handle *handle, bool enable)
+@@ -10646,16 +10649,19 @@ static void hclge_sync_vlan_fltr_state(struct hclge_dev *hdev)
+ &vport->state))
+ continue;
+
+- ret = hclge_enable_vport_vlan_filter(vport,
+- vport->req_vlan_fltr_en);
++ mutex_lock(&hdev->vport_lock);
++ ret = __hclge_enable_vport_vlan_filter(vport,
++ vport->req_vlan_fltr_en);
+ if (ret) {
+ dev_err(&hdev->pdev->dev,
+ "failed to sync vlan filter state for vport%u, ret = %d\n",
+ vport->vport_id, ret);
+ set_bit(HCLGE_VPORT_STATE_VLAN_FLTR_CHANGE,
+ &vport->state);
++ mutex_unlock(&hdev->vport_lock);
+ return;
+ }
++ mutex_unlock(&hdev->vport_lock);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From adafaf26503a8b6478b4625d5adcf354ff0317d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 20:54:22 +0800
+Subject: net: hns3: fixed vf get max channels bug
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit b3e75c0bcc53f647311960bc1b0970b9b480ca5a ]
+
+Currently, the queried maximum of vf channels is the maximum of channels
+supported by each TC. However, the actual maximum of channels is
+the maximum of channels supported by the device.
+
+Fixes: 849e46077689 ("net: hns3: add ethtool_ops.get_channels support for VF")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250722125423.1270673-4-shaojijie@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index b11d38a6093f8..cff8654354e6d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -3086,11 +3086,7 @@ static void hclgevf_uninit_ae_dev(struct hnae3_ae_dev *ae_dev)
+
+ static u32 hclgevf_get_max_channels(struct hclgevf_dev *hdev)
+ {
+- struct hnae3_handle *nic = &hdev->nic;
+- struct hnae3_knic_private_info *kinfo = &nic->kinfo;
+-
+- return min_t(u32, hdev->rss_size_max,
+- hdev->num_tqps / kinfo->tc_info.num_tc);
++ return min(hdev->rss_size_max, hdev->num_tqps);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 5953ba7791d2b25288ac8a03ba0dffaeda4d43eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 15:06:09 +0300
+Subject: net/mlx5: Fix memory leak in cmd_exec()
+
+From: Chiara Meiohas <cmeiohas@nvidia.com>
+
+[ Upstream commit 3afa3ae3db52e3c216d77bd5907a5a86833806cc ]
+
+If cmd_exec() is called with callback and mlx5_cmd_invoke() returns an
+error, resources allocated in cmd_exec() will not be freed.
+
+Fix the code to release the resources if mlx5_cmd_invoke() returns an
+error.
+
+Fixes: f086470122d5 ("net/mlx5: cmdif, Return value improvements")
+Reported-by: Alex Tereshkin <atereshkin@nvidia.com>
+Signed-off-by: Chiara Meiohas <cmeiohas@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1752753970-261832-2-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 6dbb4021fd2fa..c83523395d5ee 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1913,8 +1913,8 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+
+ err = mlx5_cmd_invoke(dev, inb, outb, out, out_size, callback, context,
+ pages_queue, token, force_polling);
+- if (callback)
+- return err;
++ if (callback && !err)
++ return 0;
+
+ if (err > 0) /* Failed in FW, command didn't execute */
+ err = deliv_status_to_err(err);
+--
+2.39.5
+
--- /dev/null
+From 554cb3c5ce16c8d89902cd7d56040dc3b0128e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 16:01:28 -0700
+Subject: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in
+ qfq_delete_class
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit cf074eca0065bc5142e6004ae236bb35a2687fdf ]
+
+might_sleep could be trigger in the atomic context in qfq_delete_class.
+
+qfq_destroy_class was moved into atomic context locked
+by sch_tree_lock to avoid a race condition bug on
+qfq_aggregate. However, might_sleep could be triggered by
+qfq_destroy_class, which introduced sleeping in atomic context (path:
+qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key
+->might_sleep).
+
+Considering the race is on the qfq_aggregate objects, keeping
+qfq_rm_from_agg in the lock but moving the left part out can solve
+this issue.
+
+Fixes: 5e28d5a3f774 ("net/sched: sch_qfq: Fix race condition on qfq_aggregate")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index f2692c9173f79..2f2863ae18ad5 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -540,9 +540,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+
+ static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
+ {
+- struct qfq_sched *q = qdisc_priv(sch);
+-
+- qfq_rm_from_agg(q, cl);
+ gen_kill_estimator(&cl->rate_est);
+ qdisc_put(cl->qdisc);
+ kfree(cl);
+@@ -561,10 +558,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg,
+
+ qdisc_purge_queue(cl->qdisc);
+ qdisc_class_hash_remove(&q->clhash, &cl->common);
+- qfq_destroy_class(sch, cl);
++ qfq_rm_from_agg(q, cl);
+
+ sch_tree_unlock(sch);
+
++ qfq_destroy_class(sch, cl);
+ return 0;
+ }
+
+@@ -1505,6 +1503,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch)
+ for (i = 0; i < q->clhash.hashsize; i++) {
+ hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i],
+ common.hnode) {
++ qfq_rm_from_agg(q, cl);
+ qfq_destroy_class(sch, cl);
+ }
+ }
+--
+2.39.5
+
staging-vc04_services-drop-vchiq_error-usage.patch
staging-vc04_services-drop-vchiq_retry-usage.patch
staging-vchiq_arm-make-vchiq_shutdown-never-fail.patch
+xfrm-interface-fix-use-after-free-after-changing-col.patch
+net-mlx5-fix-memory-leak-in-cmd_exec.patch
+i40e-add-rx_missed_errors-for-buffer-exhaustion.patch
+i40e-report-vf-tx_dropped-with-tx_errors-instead-of-.patch
+i40e-when-removing-vf-mac-filters-only-check-pf-set-.patch
+net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
+net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
+can-dev-can_restart-reverse-logic-to-remove-need-for.patch
+can-dev-can_restart-move-debug-message-and-stats-aft.patch
+can-netlink-can_changelink-fix-null-pointer-deref-of.patch
+drm-bridge-ti-sn65dsi86-remove-extra-semicolon-in-ti.patch
+net-hns3-fix-concurrent-setting-vlan-filter-issue.patch
+net-hns3-disable-interrupt-when-ptp-init-failed.patch
+net-hns3-fixed-vf-get-max-channels-bug.patch
--- /dev/null
+From f23c4fce48221920c968b940335d29c2db10542d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:02:58 -0700
+Subject: xfrm: interface: fix use-after-free after changing collect_md xfrm
+ interface
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b ]
+
+collect_md property on xfrm interfaces can only be set on device creation,
+thus xfrmi_changelink() should fail when called on such interfaces.
+
+The check to enforce this was done only in the case where the xi was
+returned from xfrmi_locate() which doesn't look for the collect_md
+interface, and thus the validation was never reached.
+
+Calling changelink would thus errornously place the special interface xi
+in the xfrmi_net->xfrmi hash, but since it also exists in the
+xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when
+the net namespace was taken down [1].
+
+Change the check to use the xi from netdev_priv which is available earlier
+in the function to prevent changes in xfrm collect_md interfaces.
+
+[1] resulting oops:
+[ 8.516540] kernel BUG at net/core/dev.c:12029!
+[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
+[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
+[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 8.516569] Workqueue: netns cleanup_net
+[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
+[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
+[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
+[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
+[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
+[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
+[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
+[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
+[ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000
+[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0
+[ 8.516625] PKRU: 55555554
+[ 8.516627] Call Trace:
+[ 8.516632] <TASK>
+[ 8.516635] ? rtnl_is_locked+0x15/0x20
+[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0
+[ 8.516650] ops_undo_list+0x1f2/0x220
+[ 8.516659] cleanup_net+0x1ad/0x2e0
+[ 8.516664] process_one_work+0x160/0x380
+[ 8.516673] worker_thread+0x2aa/0x3c0
+[ 8.516679] ? __pfx_worker_thread+0x10/0x10
+[ 8.516686] kthread+0xfb/0x200
+[ 8.516690] ? __pfx_kthread+0x10/0x10
+[ 8.516693] ? __pfx_kthread+0x10/0x10
+[ 8.516697] ret_from_fork+0x82/0xf0
+[ 8.516705] ? __pfx_kthread+0x10/0x10
+[ 8.516709] ret_from_fork_asm+0x1a/0x30
+[ 8.516718] </TASK>
+
+Fixes: abc340b38ba2 ("xfrm: interface: support collect metadata mode")
+Reported-by: Lonial Con <kongln9170@gmail.com>
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface_core.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
+index 85501b77f4e37..45466fa4ace43 100644
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -871,7 +871,7 @@ static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
+ return -EINVAL;
+ }
+
+- if (p.collect_md) {
++ if (p.collect_md || xi->p.collect_md) {
+ NL_SET_ERR_MSG(extack, "collect_md can't be changed");
+ return -EINVAL;
+ }
+@@ -882,11 +882,6 @@ static int xfrmi_changelink(struct net_device *dev, struct nlattr *tb[],
+ } else {
+ if (xi->dev != dev)
+ return -EEXIST;
+- if (xi->p.collect_md) {
+- NL_SET_ERR_MSG(extack,
+- "device can't be changed to collect_md");
+- return -EINVAL;
+- }
+ }
+
+ return xfrmi_update(xi, &p);
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
