Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Sun, 4 Jan 2026 17:50:20 +0000 (12:50 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 4 Jan 2026 17:50:20 +0000 (12:50 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
289 files changed:
queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch [new file with mode: 0644]
queue-5.10/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-5.10/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch [new file with mode: 0644]
queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-5.10/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch [new file with mode: 0644]
queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-5.15/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch [new file with mode: 0644]
queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch [new file with mode: 0644]
queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch [new file with mode: 0644]
queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-5.15/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch [new file with mode: 0644]
queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-5.15/net-usb-asix-validate-phy-address-before-use.patch [new file with mode: 0644]
queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-5.15/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch [new file with mode: 0644]
queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch [new file with mode: 0644]
queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch [new file with mode: 0644]
queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch [new file with mode: 0644]
queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch [new file with mode: 0644]
queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch [new file with mode: 0644]
queue-6.1/cfg80211-support-rnr-for-ema-ap.patch [new file with mode: 0644]
queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch [new file with mode: 0644]
queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-6.1/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch [new file with mode: 0644]
queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch [new file with mode: 0644]
queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch [new file with mode: 0644]
queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-6.1/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-6.1/mac80211-support-rnr-for-ema-ap.patch [new file with mode: 0644]
queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch [new file with mode: 0644]
queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch [new file with mode: 0644]
queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch [new file with mode: 0644]
queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch [new file with mode: 0644]
queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch [new file with mode: 0644]
queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch [new file with mode: 0644]
queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch [new file with mode: 0644]
queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch [new file with mode: 0644]
queue-6.1/net-usb-asix-validate-phy-address-before-use.patch [new file with mode: 0644]
queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-6.1/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch [new file with mode: 0644]
queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch [new file with mode: 0644]
queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch [new file with mode: 0644]
queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch [new file with mode: 0644]
queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch [new file with mode: 0644]
queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch [new file with mode: 0644]
queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch [new file with mode: 0644]
queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch [new file with mode: 0644]
queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch [new file with mode: 0644]
queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch [new file with mode: 0644]
queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch [new file with mode: 0644]
queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-6.12/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch [new file with mode: 0644]
queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch [new file with mode: 0644]
queue-6.12/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch [new file with mode: 0644]
queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch [new file with mode: 0644]
queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch [new file with mode: 0644]
queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch [new file with mode: 0644]
queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch [new file with mode: 0644]
queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch [new file with mode: 0644]
queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch [new file with mode: 0644]
queue-6.12/net-usb-asix-validate-phy-address-before-use.patch [new file with mode: 0644]
queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch [new file with mode: 0644]
queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch [new file with mode: 0644]
queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch [new file with mode: 0644]
queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-6.12/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch [new file with mode: 0644]
queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch [new file with mode: 0644]
queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch [new file with mode: 0644]
queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch [new file with mode: 0644]
queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch [new file with mode: 0644]
queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch [new file with mode: 0644]
queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch [new file with mode: 0644]
queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch [new file with mode: 0644]
queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch [new file with mode: 0644]
queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch [new file with mode: 0644]
queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch [new file with mode: 0644]
queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch [new file with mode: 0644]
queue-6.18/bng_en-update-module-description.patch [new file with mode: 0644]
queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch [new file with mode: 0644]
queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch [new file with mode: 0644]
queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch [new file with mode: 0644]
queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-6.18/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch [new file with mode: 0644]
queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch [new file with mode: 0644]
queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch [new file with mode: 0644]
queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch [new file with mode: 0644]
queue-6.18/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch [new file with mode: 0644]
queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch [new file with mode: 0644]
queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch [new file with mode: 0644]
queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch [new file with mode: 0644]
queue-6.18/mcb-add-missing-modpost-build-support.patch [new file with mode: 0644]
queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch [new file with mode: 0644]
queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch [new file with mode: 0644]
queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch [new file with mode: 0644]
queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch [new file with mode: 0644]
queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch [new file with mode: 0644]
queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch [new file with mode: 0644]
queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch [new file with mode: 0644]
queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch [new file with mode: 0644]
queue-6.18/net-usb-asix-validate-phy-address-before-use.patch [new file with mode: 0644]
queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-6.18/net-wangxun-move-phylink-dependency.patch [new file with mode: 0644]
queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch [new file with mode: 0644]
queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch [new file with mode: 0644]
queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch [new file with mode: 0644]
queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch [new file with mode: 0644]
queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch [new file with mode: 0644]
queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch [new file with mode: 0644]
queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch [new file with mode: 0644]
queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-6.18/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch [new file with mode: 0644]
queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch [new file with mode: 0644]
queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch [new file with mode: 0644]
queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch [new file with mode: 0644]
queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch [new file with mode: 0644]
queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch [new file with mode: 0644]
queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch [new file with mode: 0644]
queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch [new file with mode: 0644]
queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch [new file with mode: 0644]
queue-6.18/series
queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch [new file with mode: 0644]
queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch [new file with mode: 0644]
queue-6.18/ublk-implement-numa-aware-memory-allocation.patch [new file with mode: 0644]
queue-6.18/ublk-scan-partition-in-async-way.patch [new file with mode: 0644]
queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch [new file with mode: 0644]
queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch [new file with mode: 0644]
queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch [new file with mode: 0644]
queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch [new file with mode: 0644]
queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch [new file with mode: 0644]
queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch [new file with mode: 0644]
queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch [new file with mode: 0644]
queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch [new file with mode: 0644]
queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch [new file with mode: 0644]
queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch [new file with mode: 0644]
queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch [new file with mode: 0644]
queue-6.6/genalloc.h-fix-htmldocs-warning.patch [new file with mode: 0644]
queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch [new file with mode: 0644]
queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch [new file with mode: 0644]
queue-6.6/ip6_gre-make-ip6gre_header-robust.patch [new file with mode: 0644]
queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch [new file with mode: 0644]
queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch [new file with mode: 0644]
queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch [new file with mode: 0644]
queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch [new file with mode: 0644]
queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch [new file with mode: 0644]
queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch [new file with mode: 0644]
queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch [new file with mode: 0644]
queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch [new file with mode: 0644]
queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch [new file with mode: 0644]
queue-6.6/net-usb-asix-validate-phy-address-before-use.patch [new file with mode: 0644]
queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch [new file with mode: 0644]
queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch [new file with mode: 0644]
queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch [new file with mode: 0644]
queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch [new file with mode: 0644]
queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch [new file with mode: 0644]
queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch [new file with mode: 0644]
queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch [new file with mode: 0644]
queue-6.6/rdma-efa-remove-possible-negative-shift.patch [new file with mode: 0644]
queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch [new file with mode: 0644]
queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch [new file with mode: 0644]
queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch [new file with mode: 0644]
queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch [new file with mode: 0644]
queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch [new file with mode: 0644]
queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch [new file with mode: 0644]
queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch [new file with mode: 0644]
queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch [new file with mode: 0644]

diff --git a/queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..5befb9b
--- /dev/null
@@ -0,0 +1,61 @@
+From 8a8229002d012a9d54369454018e352379730756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index b1bcfe537daf..562ab102226a 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+                       return err;
+       }
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
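Review bot: The unaligned path at the end of seqiv_aead_encrypt() still passes `req` to `seqiv_aead_encrypt_complete2(req, err)` after `crypto_aead_encrypt(subreq)` has returned, so the use-after-free is only fully closed if that helper returns before touching `req` when `err` is an asynchronous status. Its body is outside the quoted context, so this should be confirmed against the 5.10 tree the patch is queued for. The code also does not record why the alignment result is cached, and a comment above the final check would keep a later cleanup from restoring the `info != req->iv` comparison: `/* req may already be freed by an async completion; do not dereference it here */`. The start of seqiv_aead_encrypt() lies outside the inner hunks shown.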
diff --git a/queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..7ddb0d9
--- /dev/null
@@ -0,0 +1,68 @@
+From baab5f791c8b8cda8e97ceefda990a8a62d024c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
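Review bot: The relocated `#define RCV_BUFFER_SIZE (16 * 1024)` carries no comment tying it to `lynx->rcv_buffer`, which is the pairing that `remove_card()` and the `add_card()` error path got wrong when they freed with `PAGE_SIZE`. A one-line comment on the define would make the contract explicit, e.g. `/* size of lynx->rcv_buffer: must be used for both dma_alloc_coherent() and dma_free_coherent() */`. The allocation in add_card() is outside the hunks shown, so the 16 KB allocation size is taken from the commit message rather than verified here. The context lines already call `dma_free_coherent()`, so in queue-5.10 this patch presumably has to follow firewire-nosy-switch-from-pci_-to-dma_-api.patch in the series file, whose contents are not visible on this page.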
diff --git a/queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch b/queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch
new file mode 100644 (file)
index 0000000..fab83cf
--- /dev/null
@@ -0,0 +1,222 @@
+From d67958d90ce5b61290947e29a4916db180c39470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 15:27:43 +0200
+Subject: firewire: nosy: switch from 'pci_' to 'dma_' API
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 01d12a6656f7fa239cddbd713656be83cdbdc9b3 ]
+
+The wrappers in include/linux/pci-dma-compat.h should go away.
+
+The patch has been generated with the coccinelle script below and has been
+hand modified to replace GFP_ with a correct flag.
+It has been compile tested.
+
+When memory is allocated in 'add_card()', GFP_KERNEL can be used because
+this flag is already used a few lines above and no lock is taken in the
+between.
+
+While at it, also remove some useless casting.
+
+@@ @@
+-    PCI_DMA_BIDIRECTIONAL
++    DMA_BIDIRECTIONAL
+
+@@ @@
+-    PCI_DMA_TODEVICE
++    DMA_TO_DEVICE
+
+@@ @@
+-    PCI_DMA_FROMDEVICE
++    DMA_FROM_DEVICE
+
+@@ @@
+-    PCI_DMA_NONE
++    DMA_NONE
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_alloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3;
+@@
+-    pci_zalloc_consistent(e1, e2, e3)
++    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_free_consistent(e1, e2, e3, e4)
++    dma_free_coherent(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_single(e1, e2, e3, e4)
++    dma_map_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_single(e1, e2, e3, e4)
++    dma_unmap_single(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4, e5;
+@@
+-    pci_map_page(e1, e2, e3, e4, e5)
++    dma_map_page(&e1->dev, e2, e3, e4, e5)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_page(e1, e2, e3, e4)
++    dma_unmap_page(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_map_sg(e1, e2, e3, e4)
++    dma_map_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_unmap_sg(e1, e2, e3, e4)
++    dma_unmap_sg(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
++    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_single_for_device(e1, e2, e3, e4)
++    dma_sync_single_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
++    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2, e3, e4;
+@@
+-    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
++    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)
+
+@@
+expression e1, e2;
+@@
+-    pci_dma_mapping_error(e1, e2)
++    dma_mapping_error(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_dma_mask(e1, e2)
++    dma_set_mask(&e1->dev, e2)
+
+@@
+expression e1, e2;
+@@
+-    pci_set_consistent_dma_mask(e1, e2)
++    dma_set_coherent_mask(&e1->dev, e2)
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/e1d7fa558f31abf294659a9d4edcc1e4fc065fab.1623590706.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: c48c0fd0e196 ("firewire: nosy: Fix dma_free_coherent() size")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 43 +++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index 42d9f25efc5c..ea31ac7ac1ca 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -513,12 +513,12 @@ remove_card(struct pci_dev *dev)
+               wake_up_interruptible(&client->buffer.wait);
+       spin_unlock_irq(&lynx->client_list_lock);
+-      pci_free_consistent(lynx->pci_device, sizeof(struct pcl),
+-                          lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+-      pci_free_consistent(lynx->pci_device, sizeof(struct pcl),
+-                          lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      pci_free_consistent(lynx->pci_device, PAGE_SIZE,
+-                          lynx->rcv_buffer, lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
++                        lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
++      dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
++                        lynx->rcv_pcl, lynx->rcv_pcl_bus);
++      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
++                        lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+@@ -534,7 +534,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+       u32 p, end;
+       int ret, i;
+-      if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) {
++      if (dma_set_mask(&dev->dev, DMA_BIT_MASK(32))) {
+               dev_err(&dev->dev,
+                   "DMA address limits not supported for PCILynx hardware\n");
+               return -ENXIO;
+@@ -566,12 +566,16 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               goto fail_deallocate_lynx;
+       }
+-      lynx->rcv_start_pcl = pci_alloc_consistent(lynx->pci_device,
+-                              sizeof(struct pcl), &lynx->rcv_start_pcl_bus);
+-      lynx->rcv_pcl = pci_alloc_consistent(lynx->pci_device,
+-                              sizeof(struct pcl), &lynx->rcv_pcl_bus);
+-      lynx->rcv_buffer = pci_alloc_consistent(lynx->pci_device,
+-                              RCV_BUFFER_SIZE, &lynx->rcv_buffer_bus);
++      lynx->rcv_start_pcl = dma_alloc_coherent(&lynx->pci_device->dev,
++                                               sizeof(struct pcl),
++                                               &lynx->rcv_start_pcl_bus,
++                                               GFP_KERNEL);
++      lynx->rcv_pcl = dma_alloc_coherent(&lynx->pci_device->dev,
++                                         sizeof(struct pcl),
++                                         &lynx->rcv_pcl_bus, GFP_KERNEL);
++      lynx->rcv_buffer = dma_alloc_coherent(&lynx->pci_device->dev,
++                                            RCV_BUFFER_SIZE,
++                                            &lynx->rcv_buffer_bus, GFP_KERNEL);
+       if (lynx->rcv_start_pcl == NULL ||
+           lynx->rcv_pcl == NULL ||
+           lynx->rcv_buffer == NULL) {
+@@ -669,14 +673,15 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ fail_deallocate_buffers:
+       if (lynx->rcv_start_pcl)
+-              pci_free_consistent(lynx->pci_device, sizeof(struct pcl),
+-                              lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
++              dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
++                                lynx->rcv_start_pcl,
++                                lynx->rcv_start_pcl_bus);
+       if (lynx->rcv_pcl)
+-              pci_free_consistent(lynx->pci_device, sizeof(struct pcl),
+-                              lynx->rcv_pcl, lynx->rcv_pcl_bus);
++              dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
++                                lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              pci_free_consistent(lynx->pci_device, PAGE_SIZE,
+-                              lynx->rcv_buffer, lynx->rcv_buffer_bus);
++              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++                                lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+ fail_deallocate_lynx:
+-- 
+2.51.0
+
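Review bot: The converted `dma_set_mask(&dev->dev, DMA_BIT_MASK(32))` at the top of add_card() sets only the streaming DMA mask, while every buffer touched in this patch comes from dma_alloc_coherent(). This probably works because the default coherent mask is expected to be 32-bit already, but `if (dma_set_mask_and_coherent(&dev->dev, DMA_BIT_MASK(32))) {` would state the device's limit for the coherent allocations explicitly. add_card() begins and ends outside the hunks shown, so any later mask handling cannot be checked from here.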
diff --git a/queue-5.10/genalloc.h-fix-htmldocs-warning.patch b/queue-5.10/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..d9a21aa
--- /dev/null
@@ -0,0 +1,38 @@
+From 4fe5fdcd8ed909ba152320ce7f130705e42b1d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..80a0e4e
--- /dev/null
@@ -0,0 +1,53 @@
+From d46452342fb33b6665430a4fae9bc38e7f1d1700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index f11cb3176cab..f11d6166186f 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2101,6 +2101,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
+-- 
+2.51.0
+
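Review bot: The added `i40e_service_event_schedule(vsi->back);` sits after the closing brace of the `if` that sets `__I40E_MACVLAN_SYNC_PENDING`, so it runs on every i40e_set_rx_mode() call, and nothing in the code says why. A one-line comment would keep a later cleanup from moving it back under the condition, for example `/* always kick the service task: filter sync and PTP RX setup rely on it running soon */`. The function starts outside the hunk, so whether an earlier path already schedules the task cannot be confirmed from here.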
diff --git a/queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..8b3ab04
--- /dev/null
@@ -0,0 +1,113 @@
+From 74028295b4c16c67921a4d93d95295a66d096991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 65259722a572..4ed93c7f81d2 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1262,11 +1262,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
+-- 
+2.51.0
+
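Review bot: Both loops in iavf_config_rss_reg() are still bounded only by `adapter->rss_key_size / 4` and `adapter->rss_lut_size / 4`, with nothing tying them to the number of HKEY/HLUT registers. The commit message notes that the original bound was the `*_MAX_INDEX` register constant. If the sizes come from the PF and are not validated elsewhere (not visible in this hunk), an oversized value would again index past the register range, so clamping each loop to that constant as well would be the defensive form. A comment such as `/* sizes are in bytes; registers are written one dword at a time, trailing bytes beyond a multiple of 4 are not written */` would also make the `/ 4` explicit.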
diff --git a/queue-5.10/ip6_gre-make-ip6gre_header-robust.patch b/queue-5.10/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..eda2c4d
--- /dev/null
@@ -0,0 +1,76 @@
+From a67c61d8e2f6f79bbb5e7cc25a897661b3fec2af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 13ac0ccdc8d7..1a5b4b176e18 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1382,9 +1382,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
+-- 
+2.51.0
+
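Review bot: On pskb_expand_head() failure the new code returns `-needed`, a negated length rather than an errno, and `skb_headroom(skb) < needed` compares an unsigned headroom against a signed `int`. That works as long as callers only test for a negative result and `t->hlen` is never negative, but neither assumption is stated. A comment above the check would help, e.g. `/* headroom can be short: a lower device may have changed needed_headroom after this skb was allocated */`, plus a short remark on the return value. The rest of ip6gre_header() is outside the hunk, so I cannot confirm that `-needed` matches its other return paths.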
diff --git a/queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..c58608b
--- /dev/null
@@ -0,0 +1,73 @@
+From f8ea0b1151f302d31305cca78bae2ded0984003f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 6c53381fa36f..671178ed41d0 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2005,10 +2005,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
diff --git a/queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..fd586f0
--- /dev/null
@@ -0,0 +1,97 @@
+From 7e7f2a9fbdbcf1bd724d8ca3b2bc18f758464367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 59997e5d1343..c2e716601ed3 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
+-- 
+2.51.0
+
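Review bot: The clamp `(len_delta > 0 ? len_delta : 0)` protects this caller only. According to the commit message the underlying problem is the implicit integer conversion in __skb_cow(), which is left unchanged, so any other caller that derives a headroom from a signed delta would need the same care. A comment would record why the clamp exists, e.g. `/* only ever grow headroom: a negative len_delta would wrap the unsigned headroom argument */`. The expression would also read more directly as `skb_headroom(skb) + max(len_delta, 0)`. calipso_skbuff_setattr() starts and continues outside the hunk.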
diff --git a/queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..01a109c
--- /dev/null
@@ -0,0 +1,42 @@
+From e9fb89f684856e41a881bc76ac9bca58eaecb3bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 259b43b435a9..19d77a8721fa 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -158,6 +158,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..a212f99
--- /dev/null
@@ -0,0 +1,45 @@
+From ddae8dcc049192e9a48755cd75509a9827382298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 416ed1ca1d52..b80e4216f98c 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1761,6 +1761,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
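Review bot: The new `is_multicast_ether_addr(ent->mac)` check in b53_fdb_copy() has no comment, and the reason it has to come before `port != ent->port` is only given in the commit message: for multicast entries `ent->port` is a bitmask, not a port number. Suggest adding `/* multicast ARL entries carry a port bitmask in ent->port and are not FDB entries */` above the check. The function body continues outside the hunk.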
diff --git a/queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..81ebab4
--- /dev/null
@@ -0,0 +1,52 @@
+From db60b0c77f6e75093ff88902d72235ffbce26536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index f22be2f069e9..a929399a10d1 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -57,6 +57,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch b/queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch
new file mode 100644 (file)
index 0000000..88b76d6
--- /dev/null
@@ -0,0 +1,138 @@
+From b4b4c2bc4bd118e1d009204d197272bb68c976e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 09:17:36 +0800
+Subject: net: mdio: aspeed: move reg accessing part into separate functions
+
+From: Potin Lai <potin.lai@quantatw.com>
+
+[ Upstream commit 737ca352569e744bf753b4522a6f91b120a734f1 ]
+
+Add aspeed_mdio_op() and aseed_mdio_get_data() for register accessing.
+
+aspeed_mdio_op() handles operations, write command to control register,
+then check and wait operations is finished (bit 31 is cleared).
+
+aseed_mdio_get_data() fetchs the result value of operation from data
+register.
+
+Signed-off-by: Potin Lai <potin.lai@quantatw.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: d1a1a4bade4b ("net: mdio: aspeed: add dummy read to avoid read-after-write issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 70 ++++++++++++++++++----------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index e2273588c75b..f22be2f069e9 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -39,34 +39,35 @@ struct aspeed_mdio {
+       void __iomem *base;
+ };
+-static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
++static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
++                        u16 data)
+ {
+       struct aspeed_mdio *ctx = bus->priv;
+       u32 ctrl;
+-      u32 data;
+-      int rc;
+-      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
+-              regnum);
+-
+-      /* Just clause 22 for the moment */
+-      if (regnum & MII_ADDR_C45)
+-              return -EOPNOTSUPP;
++      dev_dbg(&bus->dev, "%s: st: %u op: %u, phyad: %u, regad: %u, data: %u\n",
++              __func__, st, op, phyad, regad, data);
+       ctrl = ASPEED_MDIO_CTRL_FIRE
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_READ)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum);
++              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, st)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, op)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, phyad)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regad)
++              | FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data);
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+-      rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
++      return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+                               ASPEED_MDIO_TIMEOUT_US);
+-      if (rc < 0)
+-              return rc;
++}
++
++static int aspeed_mdio_get_data(struct mii_bus *bus)
++{
++      struct aspeed_mdio *ctx = bus->priv;
++      int rc;
++      u32 data;
+       rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data,
+                               data & ASPEED_MDIO_DATA_IDLE,
+@@ -78,31 +79,36 @@ static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
+       return FIELD_GET(ASPEED_MDIO_DATA_MIIRDATA, data);
+ }
+-static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
++static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
+ {
+-      struct aspeed_mdio *ctx = bus->priv;
+-      u32 ctrl;
++      int rc;
+-      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
+-              __func__, addr, regnum, val);
++      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
++              regnum);
+       /* Just clause 22 for the moment */
+       if (regnum & MII_ADDR_C45)
+               return -EOPNOTSUPP;
+-      ctrl = ASPEED_MDIO_CTRL_FIRE
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_WRITE)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val);
++      rc = aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_READ,
++                          addr, regnum, 0);
++      if (rc < 0)
++              return rc;
+-      iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      return aspeed_mdio_get_data(bus);
++}
+-      return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+-                                !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+-                                ASPEED_MDIO_INTERVAL_US,
+-                                ASPEED_MDIO_TIMEOUT_US);
++static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
++{
++      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
++              __func__, addr, regnum, val);
++
++      /* Just clause 22 for the moment */
++      if (regnum & MII_ADDR_C45)
++              return -EOPNOTSUPP;
++
++      return aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_WRITE,
++                            addr, regnum, val);
+ }
+ static int aspeed_mdio_probe(struct platform_device *pdev)
+-- 
+2.51.0
+
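Review bot: aspeed_mdio_op() places the write data in the control word with `FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data)`, a mask named for the read-data field of the data register, where the removed body of aspeed_mdio_write() used `FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val)`. Both mask definitions are outside the hunk; if they cover the same bits the write still works, but only by coincidence, and the line misleads anyone checking the control-register layout. I would keep the control-register mask here: `| FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, data);`.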
diff --git a/queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..e03a84b
--- /dev/null
@@ -0,0 +1,68 @@
+From d852d291240adb3343d079914f55a4c43ede5395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 57d6436e6f6a..72cf13bbf3dd 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -155,10 +155,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
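Review bot: The first `netif_is_ovs_port(vport->dev)` test in netdev_destroy() runs without the RTNL, so a false result is acted on with no lock held, and the new comment only covers the case where the notifier has already finished detaching. If ovs_netdev_detach_dev() clears the flag before it finishes its remaining teardown (that function is outside the hunk), this path could reach `call_rcu(&vport->rcu, vport_netdev_free)` while a detach is still in progress elsewhere. I would extend the first comment to state the ordering that makes the unlocked read safe, for example `/* Safe without RTNL: a cleared flag means detach has run, and vport_netdev_free() only runs after an RCU grace period. */`, once that has been confirmed against the detach path.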
diff --git a/queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..98c0827
--- /dev/null
@@ -0,0 +1,48 @@
+From cf6b0dca63fa846cd008ef074ec34049762cf509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f8cd085c4234..04173c85d92b 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -204,7 +204,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..9dc6a6d
--- /dev/null
@@ -0,0 +1,47 @@
+From 1cef05868650b749e976eaa08cb18cfc26d57aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index eb4f3f8a1906..185b8c8b19ba 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
diff --git a/queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..e7ecbba
--- /dev/null
@@ -0,0 +1,45 @@
+From 0caea13a5961bcc803f61e46103d7fda68d2a260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 9b6938dde267..6e547e177511 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -382,6 +382,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
+-- 
+2.51.0
+
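Review bot: The new lower bound in otx2_set_ringparam() tests `ring->rx_pending` only after `rx_count` has already been raised to `pfvf->hw.rq_skid`, and the limit 16 is a bare literal repeated in the condition and in the message text. Rejecting the user-supplied value before anything is derived from it, and giving the limit a name, keeps the check, the message and the `Q_SIZE(rx_count, 3)` computation from drifting apart; for instance a constant such as `OTX2_MIN_RX_RING` (name proposed here, not from the driver) used as `if (ring->rx_pending < OTX2_MIN_RX_RING)` and printed with `%u`. The hunk adds no matching bound for the TX ring size; whether one is needed depends on code outside the hunk, as the function body starts and ends there.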
diff --git a/queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..c211c5a
--- /dev/null
@@ -0,0 +1,47 @@
+From a4396ee9238d7ca4c0297221940a6779e7aba0cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 5fc665f7d9b3..10cab7bdfe15 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
+-- 
+2.51.0
+
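Review bot: The loop in ibm_rtl_init() still lets `i` run to `ebda_size/sizeof(unsigned int) - 1`, so with the corrected stride the last iteration puts `tmp` 4 bytes before the end of the region while `readq(&tmp->signature)` reads 8 bytes. If the mapping behind `ebda_map` is exactly `ebda_size` bytes long (the ioremap call is outside the hunk), that read runs past the mapping. Bounding the loop by the width of the read avoids it: `for (i = 0; i * sizeof(unsigned int) + sizeof(u64) <= ebda_size; i++) {`. The function body starts and ends outside the hunk, so any later accesses through `tmp` would need the same check.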
diff --git a/queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..6a93b0e
--- /dev/null
@@ -0,0 +1,42 @@
+From 9d9e876914f213caf9c0bd864d0f55d1fc056058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index dfb4af759aa7..fd6b3383ac4f 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1146,6 +1146,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
diff --git a/queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..5cee170
--- /dev/null
@@ -0,0 +1,40 @@
+From 2ddc1d50b8b202cdd7f192adfb7ad3b94c4854ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 64e88104165e..8547a8512541 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..0cc7c84
--- /dev/null
@@ -0,0 +1,58 @@
+From 2f8d35eb4a4cd7c0bb1672a2967a3d95e6760293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 089d7de829a0..5d0c1241b948 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2647,14 +2647,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..5ab9c07
--- /dev/null
@@ -0,0 +1,45 @@
+From 6e756d9ce9634770bf4c420a0943da4a216d650d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 0d61a1563f48..f9b56744d674 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -775,7 +775,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
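Review bot: With the condition corrected to `!creq_db->reg.bar_base`, bnxt_qplib_map_creq_db() now detects an unassigned BAR, but as far as the hunk shows it only logs the condition and carries on. The lines after the dev_err() are outside the hunk; if they go on to map an address computed from `bar_base`, a base of 0 would be treated as valid, so returning an error right after the log would be safer (the function already returns int). The message also lacks a trailing newline: `"QPLIB: CREQ BAR region %d resc start is 0!\n"`.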
diff --git a/queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..8e06e29
--- /dev/null
@@ -0,0 +1,50 @@
+From 624935066cb1e0caec9467dd086b2da8f0172a3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index be98b23488b4..64e88104165e 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -242,7 +242,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -250,7 +250,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..f754d24
--- /dev/null
@@ -0,0 +1,39 @@
+From 83d1bc47688f08b85943c1e382ede2eb8f3c72d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 4fcabe5a84be..4a28f30c39f1 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
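Review bot: In the `else if` of ib_get_gids_from_rdma_hdr(), restoring `net_type == RDMA_NETWORK_ROCE_V1` means a net_type outside the three listed values no longer has the `hdr->ibgrh` GIDs copied with a 0 return, and the path such values now take is outside this hunk. Per the commit message the old condition was always true, so that remaining path may never have been exercised by callers. It is worth confirming in this tree that it returns an error rather than leaving `*sgid`/`*dgid` unset with a success code, and that callers check the return value before using the GIDs.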
diff --git a/queue-5.10/rdma-efa-remove-possible-negative-shift.patch b/queue-5.10/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..b3ccd3c
--- /dev/null
@@ -0,0 +1,47 @@
+From 12962d353c82d3ca9d18f31d44262f2b6a998b64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 9cf051818725..d7fccffeeb58 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1145,13 +1145,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..1280d8c
--- /dev/null
@@ -0,0 +1,93 @@
+From 4c5d1b0e9b01e242e77e9980a04418a263bfc328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
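Review bot: The sed pattern on the two new `csum` lines only strips a name made of non-space characters, because `[^ ]*` has to run from the start of the line straight to the `-PID`. A task comm that contains a space would presumably be left in place, so the checksum could still differ when such a name is cached between the two reads. If that is acceptable for the test, the comment could say so, e.g. `# Note: comms containing spaces are not stripped`. The same pipeline is also written twice and the `cat` is not needed; `sed -e '...' trace | md5sum` kept in one small helper would guarantee both reads are normalised identically.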
index 4c5f750964655b04e796760ee1891cb369a3fcae..442959fe7136ccbb471a14b286f8efd726cd88de 100644 (file)
@@ -268,3 +268,30 @@ rpmsg-glink-fix-rpmsg-device-leak.patch
 i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch
 hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
 hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+net-mdio-aspeed-move-reg-accessing-part-into-separat.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-switch-from-pci_-to-dma_-api.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..607e813
--- /dev/null
@@ -0,0 +1,101 @@
+From 951243649dec1e4ff75a3123f8e0cde7c02ca11e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index c05a60f23677..03cc3da8c3c1 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -872,7 +872,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
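Review bot: The inverted guard in team_queue_override_port_prio_changed() carries no comment saying why a disabled port must be skipped. The reason is only in the commit message: a disabled port has already been removed from its list, so `__team_queue_override_port_del()` would delete it a second time. A one-line comment above the check, such as `/* a disabled port is on no qom_list; nothing to re-sort */`, would keep a later edit from flipping it back. The sibling queue-override helpers are outside this hunk, so it may be worth checking that they test `team_port_enabled()` consistently before touching the list.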
diff --git a/queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
new file mode 100644 (file)
index 0000000..682936b
--- /dev/null
@@ -0,0 +1,89 @@
+From e2f061c621e7917438904d2105de2bd552a33445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 11:02:28 -0500
+Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb
+
+From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+
+[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
+
+This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
+btusb.c file").
+
+In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
+ties the lifetime of all the btusb data to the binding of a driver to
+one interface, INTF. In a driver that binds to other interfaces, ISOC
+and DIAG, this is an accident waiting to happen.
+
+The issue is revealed in btusb_disconnect(), where calling
+usb_driver_release_interface(&btusb_driver, data->intf) will have devm
+free the data that is also being used by the other interfaces of the
+driver that may not be released yet.
+
+To fix this, revert the use of devm and go back to freeing memory
+explicitly.
+
+Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
+Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 95483a8d7b1e..c447e2e9417b 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3788,7 +3788,7 @@ static int btusb_probe(struct usb_interface *intf,
+                       return -ENODEV;
+       }
+-      data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -3811,8 +3811,10 @@ static int btusb_probe(struct usb_interface *intf,
+               }
+       }
+-      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
++      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
++              kfree(data);
+               return -ENODEV;
++      }
+       if (id->driver_info & BTUSB_AMP) {
+               data->cmdreq_type = USB_TYPE_CLASS | 0x01;
+@@ -3855,8 +3857,10 @@ static int btusb_probe(struct usb_interface *intf,
+       data->recv_acl = hci_recv_frame;
+       hdev = hci_alloc_dev_priv(priv_size);
+-      if (!hdev)
++      if (!hdev) {
++              kfree(data);
+               return -ENOMEM;
++      }
+       hdev->bus = HCI_USB;
+       hci_set_drvdata(hdev, data);
+@@ -4104,6 +4108,7 @@ static int btusb_probe(struct usb_interface *intf,
+       if (data->reset_gpio)
+               gpiod_put(data->reset_gpio);
+       hci_free_dev(hdev);
++      kfree(data);
+       return err;
+ }
+@@ -4149,6 +4154,7 @@ static void btusb_disconnect(struct usb_interface *intf)
+       }
+       hci_free_dev(hdev);
++      kfree(data);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.51.0
+
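Review bot: With `data` no longer device-managed, every exit from btusb_probe() after the `kzalloc()` has to free it, and the patch does this with a separate `kfree(data)` at each of the two visible early returns plus one at the end of the error path. Only parts of the function are shown, so any other `return` between the allocation and `hci_alloc_dev_priv()` in this tree would leak `data`; that should be checked against the 5.15 source. Routing the early returns through one label placed after the existing `hci_free_dev(hdev)` cleanup would make the ownership easier to audit. In btusb_disconnect() the new `kfree(data)` relies on nothing still holding the pointer once the function returns, for example the interface data of the ISOC or DIAG interfaces; the lines that clear those are outside the hunk.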
diff --git a/queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..9a733c0
--- /dev/null
@@ -0,0 +1,61 @@
+From ec3773f4515eae2e85f828468299e4cadd3f6fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index b1bcfe537daf..562ab102226a 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+                       return err;
+       }
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
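Review bot: The final check in seqiv_aead_encrypt() now avoids `req->iv`, but `seqiv_aead_encrypt_complete2(req, err)` is still called with `req` after `crypto_aead_encrypt()` has returned, and nothing at that line says when touching `req` is safe. The callee is outside the hunk; presumably it returns early for an in-progress or backlogged result before dereferencing anything, which should be confirmed in this tree. A comment at the check would record the rule, for example `/* req may already be freed by an async completion; do not read req->iv */`.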
diff --git a/queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..075d41b
--- /dev/null
@@ -0,0 +1,68 @@
+From cba3cb789d9e02e9cd6d46905d54a2845bf758fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
diff --git a/queue-5.15/genalloc.h-fix-htmldocs-warning.patch b/queue-5.15/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..4b64054
--- /dev/null
@@ -0,0 +1,38 @@
+From 3f48a063e74e7c7d5551c7cf76f519b2eb6da96e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..1c23549
--- /dev/null
@@ -0,0 +1,53 @@
+From 2247c2ba02e48f01f6b913082362daee474d05c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 4c50e18707c7..8f9cbbfec63e 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2216,6 +2216,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
+-- 
+2.51.0
+
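Review bot: The added `i40e_service_event_schedule(vsi->back)` sits after the closing brace of the block that sets `I40E_VSI_FLAG_FILTER_CHANGED`, so it runs on every i40e_set_rx_mode() call, and no comment says that this is intended. The commit message gives the reason; a short comment such as `/* run the service task promptly; RX timestamping depends on the filters it syncs */` would record it in the code. The start of the function is outside the hunk, so whether an earlier return can skip the call cannot be seen here.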
diff --git a/queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch b/queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch
new file mode 100644 (file)
index 0000000..d7c7457
--- /dev/null
@@ -0,0 +1,81 @@
+From 1ca5d84cebe4f1a5df0f83e3077287588854425d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 09:26:04 +0200
+Subject: i40e: Refactor argument of i40e_detect_recover_hung()
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 7033ada04e33048c8b33294fecbb0d73f3cd1088 ]
+
+Commit 07d44190a389 ("i40e/i40evf: Detect and recover hung queue
+scenario") changes i40e_detect_recover_hung() argument type from
+i40e_pf* to i40e_vsi* to be shareable by both i40e and i40evf.
+Because the i40evf does not exist anymore and the function is
+exclusively used by i40e we can revert this change.
+
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c |  2 +-
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 ++++++----
+ drivers/net/ethernet/intel/i40e/i40e_txrx.h |  2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 9671058cda40..b2e185357ab2 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11275,7 +11275,7 @@ static void i40e_service_task(struct work_struct *work)
+               return;
+       if (!test_bit(__I40E_RECOVERY_MODE, pf->state)) {
+-              i40e_detect_recover_hung(pf->vsi[pf->lan_vsi]);
++              i40e_detect_recover_hung(pf);
+               i40e_sync_filters_subtask(pf);
+               i40e_reset_subtask(pf);
+               i40e_handle_mdd_event(pf);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index b94d67729283..dabeeffd06fc 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -867,13 +867,15 @@ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw)
+ /**
+  * i40e_detect_recover_hung - Function to detect and recover hung_queues
+- * @vsi:  pointer to vsi struct with tx queues
++ * @pf: pointer to PF struct
+  *
+- * VSI has netdev and netdev has TX queues. This function is to check each of
+- * those TX queues if they are hung, trigger recovery by issuing SW interrupt.
++ * LAN VSI has netdev and netdev has TX queues. This function is to check
++ * each of those TX queues if they are hung, trigger recovery by issuing
++ * SW interrupt.
+  **/
+-void i40e_detect_recover_hung(struct i40e_vsi *vsi)
++void i40e_detect_recover_hung(struct i40e_pf *pf)
+ {
++      struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+       struct i40e_ring *tx_ring = NULL;
+       struct net_device *netdev;
+       unsigned int i;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+index 054b7d1632e1..2ea4138099be 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+@@ -462,7 +462,7 @@ void i40e_free_rx_resources(struct i40e_ring *rx_ring);
+ int i40e_napi_poll(struct napi_struct *napi, int budget);
+ void i40e_force_wb(struct i40e_vsi *vsi, struct i40e_q_vector *q_vector);
+ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw);
+-void i40e_detect_recover_hung(struct i40e_vsi *vsi);
++void i40e_detect_recover_hung(struct i40e_pf *pf);
+ int __i40e_maybe_stop_tx(struct i40e_ring *tx_ring, int size);
+ bool __i40e_chk_linearize(struct sk_buff *skb);
+ int i40e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
+-- 
+2.51.0
+
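Review bot: In i40e_detect_recover_hung() the new initializer `struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];` may yield NULL if the LAN VSI slot is empty, and the rest of the body, including any check of `vsi`, is outside the hunk. Before this change the same expression was evaluated by the caller in i40e_service_task(), so behaviour should be unchanged provided the function still tests `vsi` before dereferencing it. That is worth confirming in the 5.15 tree, since this patch is queued only as a dependency of a later fix.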
diff --git a/queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch b/queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch
new file mode 100644 (file)
index 0000000..aeb6a45
--- /dev/null
@@ -0,0 +1,158 @@
+From 06c9de36253d438fb4d7a07bef8bd8ebb34cb151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 09:26:03 +0200
+Subject: i40e: Refactor argument of several client notification functions
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 54c4664e48eea52f2b296c73ddb8f5629b958678 ]
+
+Commit 0ef2d5afb12d ("i40e: KISS the client interface") simplified
+the client interface so in practice it supports only one client
+per i40e netdev. But we have still 2 notification functions that
+uses as parameter a pointer to VSI of netdevice associated with
+the client. After the mentioned commit only possible and used
+VSI is the main (LAN) VSI.
+So refactor these functions so they are called with PF pointer argument
+and the associated VSI (LAN) is taken inside them.
+
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h        |  4 ++--
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +++++++++----------
+ drivers/net/ethernet/intel/i40e/i40e_main.c   | 12 +++++------
+ 3 files changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index e031906f23a4..bbd95b3d7326 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1198,8 +1198,8 @@ static inline void i40e_dbg_exit(void) {}
+ int i40e_lan_add_device(struct i40e_pf *pf);
+ int i40e_lan_del_device(struct i40e_pf *pf);
+ void i40e_client_subtask(struct i40e_pf *pf);
+-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi);
+-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset);
++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf);
++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset);
+ void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs);
+ void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id);
+ void i40e_client_update_msix_info(struct i40e_pf *pf);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 4af2a4c59106..126223d28152 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -102,25 +102,26 @@ i40e_notify_client_of_vf_msg(struct i40e_vsi *vsi, u32 vf_id, u8 *msg, u16 len)
+ /**
+  * i40e_notify_client_of_l2_param_changes - call the client notify callback
+- * @vsi: the VSI with l2 param changes
++ * @pf: PF device pointer
+  *
+- * If there is a client to this VSI, call the client
++ * If there is a client, call its callback
+  **/
+-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi)
++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf)
+ {
+-      struct i40e_pf *pf = vsi->back;
+       struct i40e_client_instance *cdev = pf->cinst;
++      struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+       struct i40e_params params;
+       if (!cdev || !cdev->client)
+               return;
+       if (!cdev->client->ops || !cdev->client->ops->l2_param_change) {
+-              dev_dbg(&vsi->back->pdev->dev,
++              dev_dbg(&pf->pdev->dev,
+                       "Cannot locate client instance l2_param_change routine\n");
+               return;
+       }
+       if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) {
+-              dev_dbg(&vsi->back->pdev->dev, "Client is not open, abort l2 param change\n");
++              dev_dbg(&pf->pdev->dev,
++                      "Client is not open, abort l2 param change\n");
+               return;
+       }
+       memset(&params, 0, sizeof(params));
+@@ -160,20 +161,19 @@ static void i40e_client_release_qvlist(struct i40e_info *ldev)
+ /**
+  * i40e_notify_client_of_netdev_close - call the client close callback
+- * @vsi: the VSI with netdev closed
++ * @pf: PF device pointer
+  * @reset: true when close called due to a reset pending
+  *
+  * If there is a client to this netdev, call the client with close
+  **/
+-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset)
++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset)
+ {
+-      struct i40e_pf *pf = vsi->back;
+       struct i40e_client_instance *cdev = pf->cinst;
+       if (!cdev || !cdev->client)
+               return;
+       if (!cdev->client->ops || !cdev->client->ops->close) {
+-              dev_dbg(&vsi->back->pdev->dev,
++              dev_dbg(&pf->pdev->dev,
+                       "Cannot locate client instance close routine\n");
+               return;
+       }
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 8f9cbbfec63e..9671058cda40 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11284,14 +11284,12 @@ static void i40e_service_task(struct work_struct *work)
+               i40e_fdir_reinit_subtask(pf);
+               if (test_and_clear_bit(__I40E_CLIENT_RESET, pf->state)) {
+                       /* Client subtask will reopen next time through. */
+-                      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi],
+-                                                         true);
++                      i40e_notify_client_of_netdev_close(pf, true);
+               } else {
+                       i40e_client_subtask(pf);
+                       if (test_and_clear_bit(__I40E_CLIENT_L2_CHANGE,
+                                              pf->state))
+-                              i40e_notify_client_of_l2_param_changes(
+-                                                              pf->vsi[pf->lan_vsi]);
++                              i40e_notify_client_of_l2_param_changes(pf);
+               }
+               i40e_sync_filters_subtask(pf);
+       } else {
+@@ -16263,7 +16261,7 @@ static void i40e_remove(struct pci_dev *pdev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       i40e_fdir_teardown(pf);
+@@ -16529,7 +16527,7 @@ static void i40e_shutdown(struct pci_dev *pdev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
+               i40e_enable_mc_magic_wake(pf);
+@@ -16582,7 +16580,7 @@ static int __maybe_unused i40e_suspend(struct device *dev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
+               i40e_enable_mc_magic_wake(pf);
+-- 
+2.51.0
+
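Review bot: The kernel-doc of i40e_notify_client_of_netdev_close() in i40e_client.c still reads "If there is a client to this netdev, call the client with close" even though the function now takes the PF. The sibling i40e_notify_client_of_l2_param_changes() had its description reworded in this same patch. For consistency the line could become ` * If there is a client, call its close callback`. Both function bodies continue past the hunks, so it cannot be checked from here whether the close path still refers to the removed `vsi` parameter.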
diff --git a/queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch
new file mode 100644 (file)
index 0000000..979afd0
--- /dev/null
@@ -0,0 +1,100 @@
+From 7aaedc102596f558944e543ce62b731f880c87d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 22:06:43 +0100
+Subject: i40e: validate ring_len parameter against hardware-specific values
+
+From: Gregory Herrero <gregory.herrero@oracle.com>
+
+[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
+
+The maximum number of descriptors supported by the hardware is
+hardware-dependent and can be retrieved using
+i40e_get_max_num_descriptors(). Move this function to a shared header
+and use it when checking for valid ring_len parameter rather than using
+hardcoded value.
+
+By fixing an over-acceptance issue, behavior change could be seen where
+ring_len could now be rejected while configuring rx and tx queues if its
+size is larger than the hardware-dependent maximum number of
+descriptors.
+
+Fixes: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h             | 11 +++++++++++
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c     | 12 ------------
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |  4 ++--
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index bbd95b3d7326..022bf6e86164 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1305,4 +1305,15 @@ static inline u32 i40e_is_tc_mqprio_enabled(struct i40e_pf *pf)
+       return pf->flags & I40E_FLAG_TC_MQPRIO;
+ }
++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
++{
++      const struct i40e_hw *hw = &pf->hw;
++
++      switch (hw->mac.type) {
++      case I40E_MAC_XL710:
++              return I40E_MAX_NUM_DESCRIPTORS_XL710;
++      default:
++              return I40E_MAX_NUM_DESCRIPTORS;
++      }
++}
+ #endif /* _I40E_H_ */
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 74a18b8df11f..04d304eef379 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -1918,18 +1918,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
+               drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
+-{
+-      struct i40e_hw *hw = &pf->hw;
+-
+-      switch (hw->mac.type) {
+-      case I40E_MAC_XL710:
+-              return I40E_MAX_NUM_DESCRIPTORS_XL710;
+-      default:
+-              return I40E_MAX_NUM_DESCRIPTORS;
+-      }
+-}
+-
+ static void i40e_get_ringparam(struct net_device *netdev,
+                              struct ethtool_ringparam *ring)
+ {
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 5cd7a2bc40fd..907727604c70 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 8 */
+       if (!IS_ALIGNED(info->ring_len, 8) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_context;
+       }
+@@ -728,7 +728,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 32 */
+       if (!IS_ALIGNED(info->ring_len, 32) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_param;
+       }
+-- 
+2.51.0
+
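Review bot: The comments above both ring_len checks in i40e_virtchnl_pf.c (`/* ring_len has to be multiple of 8 */` and the `32` variant) describe only the alignment test. The condition now also enforces a MAC-specific upper bound on a value that presumably arrives from the VF in a virtchnl message. I would reword them, e.g. `/* ring_len must be a multiple of 8 and no larger than the MAC-specific descriptor limit */`, so the bound reads as a deliberate input check. A ring_len of 0 still passes both tests as written. Whether that is rejected elsewhere is not visible, because both functions start and end outside the hunks.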
diff --git a/queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..42c1503
--- /dev/null
@@ -0,0 +1,113 @@
+From 0b48b4365d2e0024e21ab7b41e8f90b37b6bf849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 6073dcc414d6..10970001db56 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1393,11 +1393,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
+-- 
+2.51.0
+
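Review bot: Both loop bounds in iavf_config_rss_reg() use truncating divisions, `adapter->rss_key_size / 4` and `adapter->rss_lut_size / 4`, so any trailing bytes of a size that is not a multiple of four are silently never written to the registers. The KASAN report in the description shows a 52-byte key, which divides evenly, but nothing in the hunk states or enforces that assumption. A short comment above the first loop would record it, e.g. `/* sizes are in bytes and assumed to be a multiple of 4; registers are written one dword at a time */`. The function starts outside the hunk.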
diff --git a/queue-5.15/ip6_gre-make-ip6gre_header-robust.patch b/queue-5.15/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..0387a0f
--- /dev/null
@@ -0,0 +1,76 @@
+From d8e63307b013243dc1443fb8b243053fcb5110b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 501630e3f1b6..84ba9ad00135 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1383,9 +1383,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
+-- 
+2.51.0
+
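Review bot: The new failure path in ip6gre_header() returns `-needed`, a negated header length rather than an errno, and nothing in the hunk says why that value was chosen. A one-line comment above the `return` would help, for example `/* could not get enough headroom: report failure as a negative length */`. The callers are not in the hunk, so it is worth confirming that they only test for a negative result and never treat it as an error code. The function body continues after the hunk.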
diff --git a/queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..a4c7063
--- /dev/null
@@ -0,0 +1,73 @@
+From 8df46ce77ad2bd2336ba0430f4cd240e4725d6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 8ab6ad65d0b8..2cec18cb5c48 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2049,10 +2049,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
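Review bot: The rewritten comment in fib_table_flush() says error routes are skipped unless "marked for deletion", but the code tests `fi->fib_flags & RTNH_F_DEAD` and the comment does not record why that matters. According to the description, a skipped route keeps its reference on the nexthop object. I would spell that out: `/* When not flushing the entire table, keep error routes unless their fib_info is dead (RTNH_F_DEAD); a dead one must be flushed or it keeps holding its nexthop reference. */`. `fi` is declared outside the hunk, so it is assumed here to be the fib_info of `fa`.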
diff --git a/queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..0e10cbc
--- /dev/null
@@ -0,0 +1,97 @@
+From 3cf619db7e1f5c12ef9124a70fca0d42c2c13470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 24666291c54a..72079ef2959b 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
+-- 
+2.51.0
+
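Review bot: The clamp added to the skb_cow() call in calipso_skbuff_setattr() is an open-coded ternary with no comment, so the reason a negative `len_delta` must not reach skb_cow() is recorded only in the commit message. I would use the kernel helper and state the reason: `ret_val = skb_cow(skb, skb_headroom(skb) + max(len_delta, 0));`, preceded by `/* only ever grow headroom; a negative delta would wrap the unsigned headroom argument */`. The description locates the root cause in the implicit cast inside __skb_cow(), which this patch leaves unchanged. Other callers that can compute an oversized headroom would presumably need the same care. The function continues outside the hunk.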
diff --git a/queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..166d3e4
--- /dev/null
@@ -0,0 +1,42 @@
+From fd885a075b798f09eee41ad590107d5cd87cb5d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 8acb427ae6de..0fd8dad7eca4 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -221,6 +221,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..600bb75
--- /dev/null
@@ -0,0 +1,45 @@
+From 704ced4d4be2fa73e09d04723d0f55bfd7521335 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index d5ed733c0c97..a43cbb481529 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1832,6 +1832,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
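Review bot: The new `is_multicast_ether_addr(ent->mac)` test in b53_fdb_copy() has no comment. The reason it has to come before the `port != ent->port` comparison is only in the commit message: for multicast ARL entries `ent->port` is a bitmask, not a port number. I would add `/* multicast ARL entries hold a port bitmask in ent->port and are not FDB entries */` above the check so the ordering is not undone by a later cleanup. The function body continues after the hunk.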
diff --git a/queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..b66def8
--- /dev/null
@@ -0,0 +1,52 @@
+From 9eee2d86d642f1d8069abc1f42d814a2d52437b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index f22be2f069e9..a929399a10d1 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -57,6 +57,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch b/queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch
new file mode 100644 (file)
index 0000000..3a1688d
--- /dev/null
@@ -0,0 +1,138 @@
+From b30c033fd6d54eadcd7fbe9b504986ad44a39f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 09:17:36 +0800
+Subject: net: mdio: aspeed: move reg accessing part into separate functions
+
+From: Potin Lai <potin.lai@quantatw.com>
+
+[ Upstream commit 737ca352569e744bf753b4522a6f91b120a734f1 ]
+
+Add aspeed_mdio_op() and aseed_mdio_get_data() for register accessing.
+
+aspeed_mdio_op() handles operations, write command to control register,
+then check and wait operations is finished (bit 31 is cleared).
+
+aseed_mdio_get_data() fetchs the result value of operation from data
+register.
+
+Signed-off-by: Potin Lai <potin.lai@quantatw.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: d1a1a4bade4b ("net: mdio: aspeed: add dummy read to avoid read-after-write issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 70 ++++++++++++++++++----------------
+ 1 file changed, 38 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index e2273588c75b..f22be2f069e9 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -39,34 +39,35 @@ struct aspeed_mdio {
+       void __iomem *base;
+ };
+-static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
++static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
++                        u16 data)
+ {
+       struct aspeed_mdio *ctx = bus->priv;
+       u32 ctrl;
+-      u32 data;
+-      int rc;
+-      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
+-              regnum);
+-
+-      /* Just clause 22 for the moment */
+-      if (regnum & MII_ADDR_C45)
+-              return -EOPNOTSUPP;
++      dev_dbg(&bus->dev, "%s: st: %u op: %u, phyad: %u, regad: %u, data: %u\n",
++              __func__, st, op, phyad, regad, data);
+       ctrl = ASPEED_MDIO_CTRL_FIRE
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_READ)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum);
++              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, st)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, op)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, phyad)
++              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regad)
++              | FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data);
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+-      rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
++      return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+                               ASPEED_MDIO_TIMEOUT_US);
+-      if (rc < 0)
+-              return rc;
++}
++
++static int aspeed_mdio_get_data(struct mii_bus *bus)
++{
++      struct aspeed_mdio *ctx = bus->priv;
++      int rc;
++      u32 data;
+       rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data,
+                               data & ASPEED_MDIO_DATA_IDLE,
+@@ -78,31 +79,36 @@ static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
+       return FIELD_GET(ASPEED_MDIO_DATA_MIIRDATA, data);
+ }
+-static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
++static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
+ {
+-      struct aspeed_mdio *ctx = bus->priv;
+-      u32 ctrl;
++      int rc;
+-      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
+-              __func__, addr, regnum, val);
++      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
++              regnum);
+       /* Just clause 22 for the moment */
+       if (regnum & MII_ADDR_C45)
+               return -EOPNOTSUPP;
+-      ctrl = ASPEED_MDIO_CTRL_FIRE
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_WRITE)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum)
+-              | FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val);
++      rc = aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_READ,
++                          addr, regnum, 0);
++      if (rc < 0)
++              return rc;
+-      iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      return aspeed_mdio_get_data(bus);
++}
+-      return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+-                                !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+-                                ASPEED_MDIO_INTERVAL_US,
+-                                ASPEED_MDIO_TIMEOUT_US);
++static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
++{
++      dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
++              __func__, addr, regnum, val);
++
++      /* Just clause 22 for the moment */
++      if (regnum & MII_ADDR_C45)
++              return -EOPNOTSUPP;
++
++      return aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_WRITE,
++                            addr, regnum, val);
+ }
+ static int aspeed_mdio_probe(struct platform_device *pdev)
+-- 
+2.51.0
+
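Review bot: In `aspeed_mdio_op()` the write value is packed into the control word with `FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data)`, which names the read-data field of the DATA register, whereas the removed `aspeed_mdio_write()` used `ASPEED_MDIO_CTRL_MIIWDATA`. The mask definitions are not in the hunk; if both cover the same bits this only works by coincidence, and if they ever differ the PHY register is written with a misplaced or truncated value. The line should read `| FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, data);`.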
diff --git a/queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..55bd7ad
--- /dev/null
@@ -0,0 +1,68 @@
+From 7be5f46094369da34ed6c4077d722386bcda44d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 8e1a88f13622..3beec619283a 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -154,10 +154,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
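Review bot: The comment added to `netdev_destroy()` names `ovs_db_notify_wq()`, which looks like a typo for `ovs_dp_notify_wq()` given that the commit message refers to the dp_notify_work workqueue; it should be corrected so the reference can be grepped. The outer `netif_is_ovs_port(vport->dev)` test now runs without the RTNL, so it is only sound if the flag is cleared exclusively under the RTNL and the detach has fully finished before this function can observe it cleared. The detach path is outside the hunk, so I cannot confirm that. I would state the assumption in the comment, for example `/* IFF_OVS_DATAPATH is only cleared under RTNL; a stale "set" is rechecked below */`.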
diff --git a/queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..1c17ae6
--- /dev/null
@@ -0,0 +1,48 @@
+From fa978d07ce1975ecce4279a8cd6c4367a9784433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f8cd085c4234..04173c85d92b 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -204,7 +204,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-5.15/net-usb-asix-validate-phy-address-before-use.patch b/queue-5.15/net-usb-asix-validate-phy-address-before-use.patch
new file mode 100644 (file)
index 0000000..0d6a1c3
--- /dev/null
@@ -0,0 +1,53 @@
+From 77bd69b3e70d45c15314a1289c070d1e21f244d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 06:41:56 +0530
+Subject: net: usb: asix: validate PHY address before use
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
+
+The ASIX driver reads the PHY address from the USB device via
+asix_read_phy_addr(). A malicious or faulty device can return an
+invalid address (>= PHY_MAX_ADDR), which causes a warning in
+mdiobus_get_phy():
+
+  addr 207 out of range
+  WARNING: drivers/net/phy/mdio_bus.c:76
+
+Validate the PHY address in asix_read_phy_addr() and remove the
+now-redundant check in ax88172a.c.
+
+Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
+Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
+Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 00c23f1d1c94..8c613e3ea05a 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -333,6 +333,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
+       offset = (internal ? 1 : 0);
+       ret = buf[offset];
++      if (ret >= PHY_MAX_ADDR) {
++              netdev_err(dev->net, "invalid PHY address: %d\n", ret);
++              return -ENODEV;
++      }
++
+       netdev_dbg(dev->net, "%s PHY address 0x%x\n",
+                  internal ? "internal" : "external", ret);
+-- 
+2.51.0
+
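Review bot: The commit message says the now-redundant check in ax88172a.c is removed, but this queued patch touches only drivers/net/usb/asix_common.c (5 insertions), so on this tree the caller-side check presumably stays in place. That is harmless, but the message should record it with a backport note, for example `[ ax88172a.c change not included in this backport ]` (wording for the maintainer to confirm). Separately, the new `netdev_err()` prints the device-supplied address with `%d` while the `netdev_dbg()` right below uses `0x%x`; using one format for both makes a rejected address easier to match against debug logs. The body of `asix_read_phy_addr()` continues outside the hunk.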
diff --git a/queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..d1f02cb
--- /dev/null
@@ -0,0 +1,47 @@
+From 73ef097b4e37d8108e2009c6c3010d4de62ede12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 011cf3a35378..fa69d59a309a 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
diff --git a/queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..67b1553
--- /dev/null
@@ -0,0 +1,45 @@
+From 877bac9d15a958a80b7b526fc99c6214bc94c4e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index db4a9fc399f3..e0c108d48d2e 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -391,6 +391,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
+-- 
+2.51.0
+
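Review bot: The new guard in `otx2_set_ringparam()` tests `ring->rx_pending` against a bare `16`, while the value that actually reaches `Q_COUNT(Q_SIZE(rx_count, 3))` is `rx_count`, which has already been raised to `pfvf->hw.rq_skid` just above. How `rx_count` is derived from the request is outside the hunk, so I cannot confirm the two always agree. Rejecting the user-supplied size at the top of the function, before any clamping, and giving the minimum a named constant would make the invariant explicit. At the least the check deserves a comment such as `/* per UBSAN report: ring sizes below 16 make the Q_SIZE()/Q_COUNT() shift go out of range */`.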
diff --git a/queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..2cb7a35
--- /dev/null
@@ -0,0 +1,47 @@
+From 701efa5f3ad608838f9193a3480072fcaec28bd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 5fc665f7d9b3..10cab7bdfe15 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
+-- 
+2.51.0
+
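Review bot: With the stride corrected, the scan in `ibm_rtl_init()` now reaches offset `ebda_size - sizeof(unsigned int)`, and `readq(&tmp->signature)` at that offset reads eight bytes, four of them past `ebda_size`. Before this change the pointer advanced one byte per iteration and never got near the end, so this over-read is newly reachable. The mapping length is not visible in the hunk, so this assumes `ebda_map` covers exactly `ebda_size` bytes. The loop should stop while a whole table still fits, for example `if (i * sizeof(unsigned int) + sizeof(*tmp) > ebda_size) break;` as its first statement. The loop body continues outside the hunk.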
diff --git a/queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..f023edf
--- /dev/null
@@ -0,0 +1,42 @@
+From 37b729a74c418e06539f9a88339fc8e2baf7e2af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index dfb4af759aa7..fd6b3383ac4f 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1146,6 +1146,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..4d4c277
--- /dev/null
@@ -0,0 +1,40 @@
+From b8444d7d4e9c0cae8f9dcf2170644c9840304ec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 76fbe52a957c..2bdb428fd273 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..aeb4843
--- /dev/null
@@ -0,0 +1,58 @@
+From d2fa48087bdbeff299061bdf372b762080048f17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index cb733fc497c8..83bc013c8f79 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2644,14 +2644,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..4e0b001
--- /dev/null
@@ -0,0 +1,45 @@
+From de71e644296413e6238a3964fb9866cc1e1c235f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 2394dcc0338c..67c12e604e9b 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -779,7 +779,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
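Review bot: Now that the condition in `bnxt_qplib_map_creq_db()` tests `bar_base`, the branch can be taken, yet it still only logs and lets execution continue. The remainder of the function is outside the hunk, but if it goes on to map `bar_base + reg_offt`, an unassigned BAR would lead to mapping a low physical address rather than a clean failure. I would brace the branch and return an error after the `dev_err()`, for example `return -ENOMEM;` or whichever errno the rest of the function uses. The format string also lacks a trailing `\n`, which matters now that the message can be emitted.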
diff --git a/queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..75aec74
--- /dev/null
@@ -0,0 +1,50 @@
+From 5d71004b2be4803704a2f804895e96cb24b30509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 7585d5a55db2..76fbe52a957c 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -242,7 +242,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -250,7 +250,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..0819ad7
--- /dev/null
@@ -0,0 +1,39 @@
+From d2ed79376f68ec11edb3e3be765b4b082ec2dcfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index bdc9564f0ff8..53552559917c 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -740,7 +740,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-efa-remove-possible-negative-shift.patch b/queue-5.15/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..97da3a7
--- /dev/null
@@ -0,0 +1,47 @@
+From 6fe742fa7a20cf70207da4978c8585ba72d27394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 1aab6c3e9f53..6fca145f1e8a 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1151,13 +1151,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
new file mode 100644 (file)
index 0000000..d679e47
--- /dev/null
@@ -0,0 +1,83 @@
+From 76caba48c3285084fc6bfed0acaa27752dfc8630 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:31:50 +0100
+Subject: RDMA/irdma: avoid invalid read in irdma_net_event
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
+
+irdma_net_event() should not dereference anything from "neigh" (alias
+"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
+Other events come with different structures pointed to by "ptr" and they
+may be smaller than struct neighbour.
+
+Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
+
+The bug is mostly harmless, but it triggers KASAN on debug kernels:
+
+ BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
+ Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
+
+ CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
+ Hardware name: [...]
+ Workqueue: events rt6_probe_deferred
+ Call Trace:
+  <IRQ>
+  dump_stack_lvl+0x60/0xb0
+  print_address_description.constprop.0+0x2c/0x3f0
+  print_report+0xb4/0x270
+  kasan_report+0x92/0xc0
+  irdma_net_event+0x32e/0x3b0 [irdma]
+  notifier_call_chain+0x9e/0x180
+  atomic_notifier_call_chain+0x5c/0x110
+  rt6_do_redirect+0xb91/0x1080
+  tcp_v6_err+0xe9b/0x13e0
+  icmpv6_notify+0x2b2/0x630
+  ndisc_redirect_rcv+0x328/0x530
+  icmpv6_rcv+0xc16/0x1360
+  ip6_protocol_deliver_rcu+0xb84/0x12e0
+  ip6_input_finish+0x117/0x240
+  ip6_input+0xc4/0x370
+  ipv6_rcv+0x420/0x7d0
+  __netif_receive_skb_one_core+0x118/0x1b0
+  process_backlog+0xd1/0x5d0
+  __napi_poll.constprop.0+0xa3/0x440
+  net_rx_action+0x78a/0xba0
+  handle_softirqs+0x2d4/0x9c0
+  do_softirq+0xad/0xe0
+  </IRQ>
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index a47eedb6df82..235515e8bf9b 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+                   void *ptr)
+ {
+       struct neighbour *neigh = ptr;
+-      struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
++      struct net_device *real_dev, *netdev;
+       struct irdma_device *iwdev;
+       struct ib_device *ibdev;
+       __be32 *p;
+@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+       switch (event) {
+       case NETEVENT_NEIGH_UPDATE:
++              netdev = neigh->dev;
+               real_dev = rdma_vlan_dev_real_dev(netdev);
+               if (!real_dev)
+                       real_dev = netdev;
+-- 
+2.51.0
+
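Review bot: `netdev` is now assigned only inside `case NETEVENT_NEIGH_UPDATE:`, so it is uninitialised on every other event path. The rest of the switch and the function tail are outside the hunk, so whether any of them reads it cannot be confirmed from here. Declaring it inside the case block, or initialising it with `struct net_device *real_dev, *netdev = NULL;`, would make a later stray use fail loudly instead of reading stack garbage. A short comment at the assignment, `/* ptr is a struct neighbour only for NETEVENT_NEIGH_UPDATE */`, would also discourage hoisting the dereference back out of the case.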
diff --git a/queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
new file mode 100644 (file)
index 0000000..ed1c7f3
--- /dev/null
@@ -0,0 +1,40 @@
+From cdf11822c2f269849fa475ae77dd412462d37649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 10:56:17 +0800
+Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
+
+From: Honggang LI <honggangli@163.com>
+
+[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
+
+If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
+are zero, the `min3` function will set clt_path::max_pages_per_mr to
+zero.
+
+`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
+to `ib_alloc_mr`.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index e8f5a1f104cf..cda7849e2133 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1469,6 +1469,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
+       mr_page_shift      = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
+       max_pages_per_mr   = ib_dev->attrs.max_mr_size;
+       do_div(max_pages_per_mr, (1ull << mr_page_shift));
++      max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
+       clt_path->max_pages_per_mr =
+               min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
+                    ib_dev->attrs.max_fast_reg_page_list_len);
+-- 
+2.51.0
+
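Review bot: The `(u32)max_pages_per_mr` cast in the added line truncates before the zero test, so a quotient above U32_MAX whose low 32 bits are non-zero is still replaced by those low bits and can end up far smaller than what the device supports. `max_pages_per_mr` is presumably 64-bit, since it is passed to `do_div()`; comparing before narrowing keeps the intent: `if (!max_pages_per_mr || max_pages_per_mr > U32_MAX)` followed by `max_pages_per_mr = U32_MAX;`. The existing `(u32)` cast inside `min3()` is then lossless. query_fast_reg_mode() starts and ends outside the hunk.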
diff --git a/queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..b8c17a9
--- /dev/null
@@ -0,0 +1,93 @@
+From 103d92c051a699818738f8506f7345830d66f4bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
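Review bot: The same `cat trace | sed … | md5sum` pipeline is written out twice, so a later change to the expression has to be made in both places or the two checksums stop being comparable. A small helper such as `csum_trace() { sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' trace | md5sum; }`, called as `csum1=$(csum_trace)` and `csum2=$(csum_trace)`, keeps them in step and drops the extra `cat`. The `[^ ]*` part also assumes the task name contains no space; a comm with one would presumably be left unstripped, so the added comment could say the stripping is best-effort. md5sum is used here only to detect change, so its weakness as a hash is not a concern.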
index a2faba1fb8396c02f8290db9cb54f7c383fece5e..a63cb4f2374fe34614cd3b4f2ad96a7caa4437ed 100644 (file)
@@ -332,3 +332,37 @@ i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch
 hwmon-max16065-use-local-variable-to-avoid-toctou.patch
 hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
 hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+i40e-refactor-argument-of-several-client-notificatio.patch
+i40e-refactor-argument-of-i40e_detect_recover_hung.patch
+i40e-validate-ring_len-parameter-against-hardware-sp.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
+net-mdio-aspeed-move-reg-accessing-part-into-separat.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+smc91x-fix-broken-irq-context-in-preempt_rt.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+net-usb-asix-validate-phy-address-before-use.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch
new file mode 100644 (file)
index 0000000..a4bd93a
--- /dev/null
@@ -0,0 +1,72 @@
+From e02b217e50afbdf2cc80eef6a58cf2fcff25d71a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 08:51:15 +0000
+Subject: smc91x: fix broken irq-context in PREEMPT_RT
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
+
+When smc91x.c is built with PREEMPT_RT, the following splat occurs
+in FVP_RevC:
+
+[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
+[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
+[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
+[   13.062266] C
+** replaying previous printk message **
+[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
+[   13.062353] Hardware name:  , BIOS
+[   13.062382] Workqueue: mld mld_ifc_work
+[   13.062469] Call trace:
+[   13.062494]  show_stack+0x24/0x40 (C)
+[   13.062602]  __dump_stack+0x28/0x48
+[   13.062710]  dump_stack_lvl+0x7c/0xb0
+[   13.062818]  dump_stack+0x18/0x34
+[   13.062926]  process_scheduled_works+0x294/0x450
+[   13.063043]  worker_thread+0x260/0x3d8
+[   13.063124]  kthread+0x1c4/0x228
+[   13.063235]  ret_from_fork+0x10/0x20
+
+This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
+but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
+The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
+and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
+rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
+
+To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
+
+Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc91x.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index 813ea941b91a..c63783516202 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -515,15 +515,7 @@ static inline void  smc_rcv(struct net_device *dev)
+  * any other concurrent access and C would always interrupt B. But life
+  * isn't that easy in a SMP world...
+  */
+-#define smc_special_trylock(lock, flags)                              \
+-({                                                                    \
+-      int __ret;                                                      \
+-      local_irq_save(flags);                                          \
+-      __ret = spin_trylock(lock);                                     \
+-      if (!__ret)                                                     \
+-              local_irq_restore(flags);                               \
+-      __ret;                                                          \
+-})
++#define smc_special_trylock(lock, flags)      spin_trylock_irqsave(lock, flags)
+ #define smc_special_lock(lock, flags)         spin_lock_irqsave(lock, flags)
+ #define smc_special_unlock(lock, flags)       spin_unlock_irqrestore(lock, flags)
+ #else
+-- 
+2.51.0
+
diff --git a/queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..e11d5ae
--- /dev/null
@@ -0,0 +1,101 @@
+From d930a0ed202de97cfb828418f69aa975b86a5817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 1e0adeb5e177..f866f7a4be31 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -873,7 +873,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
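Review bot: The corrected guard in team_queue_override_port_prio_changed() has no comment saying why a disabled port must be skipped, and the inverted form it replaces reads just as plausibly. Per the commit description the path is reachable from a netlink option set and the second delete corrupts the list, so the invariant is worth stating above the `if`: `/* A disabled port has already been removed from its qom_list; deleting it again corrupts the list. */`. The helpers __team_queue_override_port_del() and __team_queue_override_port_add() are defined outside the hunk, so whether they could check list membership themselves cannot be judged from here.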
diff --git a/queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch b/queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch
new file mode 100644 (file)
index 0000000..462785d
--- /dev/null
@@ -0,0 +1,158 @@
+From e9ec1f61cbb463f40c3137429c8a7b62c07fe062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Mar 2024 10:12:44 +0800
+Subject: blk-mq: don't schedule block kworker on isolated CPUs
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit a46c27026da10a126dd870f7b65380010bd20db5 ]
+
+Kernel parameter of `isolcpus=` or 'nohz_full=' are used to isolate CPUs
+for specific task, and it isn't expected to let block IO disturb these CPUs.
+blk-mq kworker shouldn't be scheduled on isolated CPUs. Also if isolated
+CPUs is run for blk-mq kworker, long block IO latency can be caused.
+
+Kernel workqueue only respects CPU isolation for WQ_UNBOUND, for bound
+WQ, the responsibility is on user because CPU is specified as WQ API
+parameter, such as mod_delayed_work_on(cpu), queue_delayed_work_on(cpu)
+and queue_work_on(cpu).
+
+So not run blk-mq kworker on isolated CPUs by removing isolated CPUs
+from hctx->cpumask. Meantime use queue map to check if all CPUs in this
+hw queue are offline instead of hctx->cpumask, this way can avoid any
+cost in fast IO code path, and is safe since hctx->cpumask are only
+used in the two cases.
+
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: Andrew Theurer <atheurer@redhat.com>
+Cc: Joe Mario <jmario@redhat.com>
+Cc: Sebastian Jug <sejug@redhat.com>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tejun Heo <tj@kernel.org>
+Tesed-by: Joe Mario <jmario@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Link: https://lore.kernel.org/r/20240322021244.1056223-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 57 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 10 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index d3ced0cff916..6cfbbe0d7792 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -30,6 +30,7 @@
+ #include <linux/prefetch.h>
+ #include <linux/blk-crypto.h>
+ #include <linux/part_stat.h>
++#include <linux/sched/isolation.h>
+ #include <trace/events/block.h>
+@@ -2216,6 +2217,15 @@ static inline int blk_mq_first_mapped_cpu(struct blk_mq_hw_ctx *hctx)
+       return cpu;
+ }
++/*
++ * ->next_cpu is always calculated from hctx->cpumask, so simply use
++ * it for speeding up the check
++ */
++static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx)
++{
++        return hctx->next_cpu >= nr_cpu_ids;
++}
++
+ /*
+  * It'd be great if the workqueue API had a way to pass
+  * in a mask and had some smarts for more clever placement.
+@@ -2227,7 +2237,8 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx)
+       bool tried = false;
+       int next_cpu = hctx->next_cpu;
+-      if (hctx->queue->nr_hw_queues == 1)
++      /* Switch to unbound if no allowable CPUs in this hctx */
++      if (hctx->queue->nr_hw_queues == 1 || blk_mq_hctx_empty_cpumask(hctx))
+               return WORK_CPU_UNBOUND;
+       if (--hctx->next_cpu_batch <= 0) {
+@@ -3497,14 +3508,30 @@ static bool blk_mq_hctx_has_requests(struct blk_mq_hw_ctx *hctx)
+       return data.has_rq;
+ }
+-static inline bool blk_mq_last_cpu_in_hctx(unsigned int cpu,
+-              struct blk_mq_hw_ctx *hctx)
++static bool blk_mq_hctx_has_online_cpu(struct blk_mq_hw_ctx *hctx,
++              unsigned int this_cpu)
+ {
+-      if (cpumask_first_and(hctx->cpumask, cpu_online_mask) != cpu)
+-              return false;
+-      if (cpumask_next_and(cpu, hctx->cpumask, cpu_online_mask) < nr_cpu_ids)
+-              return false;
+-      return true;
++      enum hctx_type type = hctx->type;
++      int cpu;
++
++      /*
++       * hctx->cpumask has to rule out isolated CPUs, but userspace still
++       * might submit IOs on these isolated CPUs, so use the queue map to
++       * check if all CPUs mapped to this hctx are offline
++       */
++      for_each_online_cpu(cpu) {
++              struct blk_mq_hw_ctx *h = blk_mq_map_queue_type(hctx->queue,
++                              type, cpu);
++
++              if (h != hctx)
++                      continue;
++
++              /* this hctx has at least one online CPU */
++              if (this_cpu != cpu)
++                      return true;
++      }
++
++      return false;
+ }
+ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+@@ -3513,8 +3540,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
+-          !blk_mq_last_cpu_in_hctx(cpu, hctx))
++      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+@@ -3933,6 +3959,8 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+       }
+       queue_for_each_hw_ctx(q, hctx, i) {
++              int cpu;
++
+               /*
+                * If no software queues are mapped to this hardware queue,
+                * disable it and free the request entries.
+@@ -3959,6 +3987,15 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+                */
+               sbitmap_resize(&hctx->ctx_map, hctx->nr_ctx);
++              /*
++               * Rule out isolated CPUs from hctx->cpumask to avoid
++               * running block kworker on isolated CPUs
++               */
++              for_each_cpu(cpu, hctx->cpumask) {
++                      if (cpu_is_isolated(cpu))
++                              cpumask_clear_cpu(cpu, hctx->cpumask);
++              }
++
+               /*
+                * Initialize batch roundrobin counts
+                */
+-- 
+2.51.0
+
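Review bot: blk_mq_hctx_has_online_cpu() returns true only when an online CPU other than `this_cpu` maps to the hctx, which the name does not convey, and the function has no comment of its own. Its caller in blk_mq_hctx_notify_offline() relies on exactly that exclusion to decide whether to drain, so I would add above the definition `/* Return true if an online CPU other than @this_cpu is still mapped to @hctx. */`. Separately, the body of the new blk_mq_hctx_empty_cpumask() appears to be indented with spaces where the surrounding added code uses tabs.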
diff --git a/queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
new file mode 100644 (file)
index 0000000..c331d15
--- /dev/null
@@ -0,0 +1,39 @@
+From f43ac1f920c754ad4adfb41a710a912422d1a67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 17:17:05 +0800
+Subject: blk-mq: skip CPU offline notify on unmapped hctx
+
+From: Cong Zhang <cong.zhang@oss.qualcomm.com>
+
+[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
+
+If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
+allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
+notifier can still run for that hctx, return early since hctx cannot
+hold any requests.
+
+Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 6cfbbe0d7792..2edad54b1788 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3540,7 +3540,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
++      if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+-- 
+2.51.0
+
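Review bot: The new `!hctx->nr_ctx` test in blk_mq_hctx_notify_offline() carries no comment, so the reason an unmapped hctx must return before the drain logic lives only in the commit message (hctx->tags is left NULL when no software ctx is mapped). A one-line comment above the condition would keep a later refactor from dropping or reordering the guard, e.g. `/* unmapped hctx: no tags were allocated, so it cannot hold requests */`. The guard relies on nr_ctx == 0 always coinciding with tags == NULL; that invariant is established in blk_mq_map_swqueue(), outside this hunk, and is worth confirming for this tree. The function body continues past the end of the hunk.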
diff --git a/queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
new file mode 100644 (file)
index 0000000..311bb0e
--- /dev/null
@@ -0,0 +1,89 @@
+From c07d6c88ade52b5f5cc8a88568f87925ffb8cf15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 11:02:28 -0500
+Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb
+
+From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+
+[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
+
+This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
+btusb.c file").
+
+In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
+ties the lifetime of all the btusb data to the binding of a driver to
+one interface, INTF. In a driver that binds to other interfaces, ISOC
+and DIAG, this is an accident waiting to happen.
+
+The issue is revealed in btusb_disconnect(), where calling
+usb_driver_release_interface(&btusb_driver, data->intf) will have devm
+free the data that is also being used by the other interfaces of the
+driver that may not be released yet.
+
+To fix this, revert the use of devm and go back to freeing memory
+explicitly.
+
+Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
+Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 983794632927..c6ac351209c0 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3849,7 +3849,7 @@ static int btusb_probe(struct usb_interface *intf,
+                       return -ENODEV;
+       }
+-      data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -3872,8 +3872,10 @@ static int btusb_probe(struct usb_interface *intf,
+               }
+       }
+-      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
++      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
++              kfree(data);
+               return -ENODEV;
++      }
+       if (id->driver_info & BTUSB_AMP) {
+               data->cmdreq_type = USB_TYPE_CLASS | 0x01;
+@@ -3920,8 +3922,10 @@ static int btusb_probe(struct usb_interface *intf,
+       data->recv_acl = hci_recv_frame;
+       hdev = hci_alloc_dev_priv(priv_size);
+-      if (!hdev)
++      if (!hdev) {
++              kfree(data);
+               return -ENOMEM;
++      }
+       hdev->bus = HCI_USB;
+       hci_set_drvdata(hdev, data);
+@@ -4182,6 +4186,7 @@ static int btusb_probe(struct usb_interface *intf,
+       if (data->reset_gpio)
+               gpiod_put(data->reset_gpio);
+       hci_free_dev(hdev);
++      kfree(data);
+       return err;
+ }
+@@ -4227,6 +4232,7 @@ static void btusb_disconnect(struct usb_interface *intf)
+       }
+       hci_free_dev(hdev);
++      kfree(data);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.51.0
+
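Review bot: The `kfree(data)` added at the end of btusb_disconnect() has no comment saying why it can run only once, although the commit message states that the same data is shared by the INTF, ISOC and DIAG interfaces and disconnect is invoked per interface. The guard that prevents a second free (presumably the interface data pointers are cleared and the function returns early when the pointer is NULL) is outside the hunk, so it should be confirmed there and recorded next to the free, e.g. `/* intfdata of every claimed interface was cleared above; this is the only free */`. In btusb_probe() the three exits shown in the hunks now free `data`, but any return between the allocation and the final cleanup that falls outside the hunks cannot be checked from here.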
diff --git a/queue-6.1/cfg80211-support-rnr-for-ema-ap.patch b/queue-6.1/cfg80211-support-rnr-for-ema-ap.patch
new file mode 100644 (file)
index 0000000..bf4d394
--- /dev/null
@@ -0,0 +1,303 @@
+From a8a49e3c4429aefa3290d473384bf99eeb138695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Mar 2023 04:38:00 -0700
+Subject: cfg80211: support RNR for EMA AP
+
+From: Aloka Dixit <quic_alokad@quicinc.com>
+
+[ Upstream commit dbbb27e183b1568d5a907ace1cd144b0709ea52a ]
+
+As per IEEE Std 802.11ax-2021, 11.1.3.8.3 Discovery of a nontransmitted
+BSSID profile, an EMA AP that transmits a Beacon frame carrying a partial
+list of nontransmitted BSSID profiles should include in the frame
+a Reduced Neighbor Report element carrying information for at least the
+nontransmitted BSSIDs that are not present in the Multiple BSSID element
+carried in that frame.
+Add new nested attribute NL80211_ATTR_EMA_RNR_ELEMS to support the above.
+Number of RNR elements must be more than or equal to the number of
+MBSSID elements. This attribute can be used only when EMA is enabled.
+Userspace is responsible for splitting the RNR into multiple elements such
+that each element excludes the non-transmitting profiles already included
+in the MBSSID element (%NL80211_ATTR_MBSSID_ELEMS) at the same index.
+Each EMA beacon will be generated by adding MBSSID and RNR elements
+at the same index. If the userspace provides more RNR elements than the
+number of MBSSID elements then these will be added in every EMA beacon.
+
+Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
+Link: https://lore.kernel.org/r/20230323113801.6903-2-quic_alokad@quicinc.com
+[Johannes: validate elements]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h       | 19 +++++++++
+ include/uapi/linux/nl80211.h | 13 ++++++
+ net/wireless/nl80211.c       | 79 ++++++++++++++++++++++++++++++++----
+ 3 files changed, 104 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 34709bd733ed..f39a60475c24 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -1187,6 +1187,23 @@ struct cfg80211_mbssid_elems {
+       } elem[];
+ };
++/**
++ * struct cfg80211_rnr_elems - Reduced neighbor report (RNR) elements
++ *
++ * @cnt: Number of elements in array %elems.
++ *
++ * @elem: Array of RNR element(s) to be added into Beacon frames.
++ * @elem.data: Data for RNR elements.
++ * @elem.len: Length of data.
++ */
++struct cfg80211_rnr_elems {
++      u8 cnt;
++      struct {
++              const u8 *data;
++              size_t len;
++      } elem[];
++};
++
+ /**
+  * struct cfg80211_beacon_data - beacon data
+  * @link_id: the link ID for the AP MLD link sending this beacon
+@@ -1207,6 +1224,7 @@ struct cfg80211_mbssid_elems {
+  * @probe_resp_len: length of probe response template (@probe_resp)
+  * @probe_resp: probe response template (AP mode only)
+  * @mbssid_ies: multiple BSSID elements
++ * @rnr_ies: reduced neighbor report elements
+  * @ftm_responder: enable FTM responder functionality; -1 for no change
+  *    (which also implies no change in LCI/civic location data)
+  * @lci: Measurement Report element content, starting with Measurement Token
+@@ -1230,6 +1248,7 @@ struct cfg80211_beacon_data {
+       const u8 *lci;
+       const u8 *civicloc;
+       struct cfg80211_mbssid_elems *mbssid_ies;
++      struct cfg80211_rnr_elems *rnr_ies;
+       s8 ftm_responder;
+       size_t head_len, tail_len;
+diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
+index 274d1b34c954..63d7241edd49 100644
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -2776,6 +2776,17 @@ enum nl80211_commands {
+  * @NL80211_ATTR_HW_TIMESTAMP_ENABLED: Indicates whether HW timestamping should
+  *    be enabled or not (flag attribute).
+  *
++ * @NL80211_ATTR_EMA_RNR_ELEMS: Optional nested attribute for
++ *    reduced neighbor report (RNR) elements. This attribute can be used
++ *    only when NL80211_MBSSID_CONFIG_ATTR_EMA is enabled.
++ *    Userspace is responsible for splitting the RNR into multiple
++ *    elements such that each element excludes the non-transmitting
++ *    profiles already included in the MBSSID element
++ *    (%NL80211_ATTR_MBSSID_ELEMS) at the same index. Each EMA beacon
++ *    will be generated by adding MBSSID and RNR elements at the same
++ *    index. If the userspace includes more RNR elements than number of
++ *    MBSSID elements then these will be added in every EMA beacon.
++ *
+  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
+  * @NL80211_ATTR_MAX: highest attribute number currently defined
+  * @__NL80211_ATTR_AFTER_LAST: internal use
+@@ -3310,6 +3321,8 @@ enum nl80211_attrs {
+       NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
+       NL80211_ATTR_HW_TIMESTAMP_ENABLED,
++      NL80211_ATTR_EMA_RNR_ELEMS,
++
+       /* add attributes here, update the policy in nl80211.c */
+       __NL80211_ATTR_AFTER_LAST,
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 5e2b676f5ce0..7a976bd1641f 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -814,6 +814,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+       [NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
+       [NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
++      [NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
+ };
+ /* policy for the key attributes */
+@@ -5455,6 +5456,38 @@ nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
+       return elems;
+ }
++static struct cfg80211_rnr_elems *
++nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
++                      struct netlink_ext_ack *extack)
++{
++      struct nlattr *nl_elems;
++      struct cfg80211_rnr_elems *elems;
++      int rem_elems;
++      u8 i = 0, num_elems = 0;
++
++      nla_for_each_nested(nl_elems, attrs, rem_elems) {
++              int ret;
++
++              ret = validate_ie_attr(nl_elems, extack);
++              if (ret)
++                      return ERR_PTR(ret);
++
++              num_elems++;
++      }
++
++      elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
++      if (!elems)
++              return ERR_PTR(-ENOMEM);
++
++      nla_for_each_nested(nl_elems, attrs, rem_elems) {
++              elems->elem[i].data = nla_data(nl_elems);
++              elems->elem[i].len = nla_len(nl_elems);
++              i++;
++      }
++      elems->cnt = num_elems;
++      return elems;
++}
++
+ static int nl80211_parse_he_bss_color(struct nlattr *attrs,
+                                     struct cfg80211_he_bss_color *he_bss_color)
+ {
+@@ -5481,7 +5514,8 @@ static int nl80211_parse_he_bss_color(struct nlattr *attrs,
+ static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
+                               struct nlattr *attrs[],
+-                              struct cfg80211_beacon_data *bcn)
++                              struct cfg80211_beacon_data *bcn,
++                              struct netlink_ext_ack *extack)
+ {
+       bool haveinfo = false;
+       int err;
+@@ -5578,6 +5612,21 @@ static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
+                       return PTR_ERR(mbssid);
+               bcn->mbssid_ies = mbssid;
++
++              if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
++                      struct cfg80211_rnr_elems *rnr =
++                              nl80211_parse_rnr_elems(&rdev->wiphy,
++                                                      attrs[NL80211_ATTR_EMA_RNR_ELEMS],
++                                                      extack);
++
++                      if (IS_ERR(rnr))
++                              return PTR_ERR(rnr);
++
++                      if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
++                              return -EINVAL;
++
++                      bcn->rnr_ies = rnr;
++              }
+       }
+       return 0;
+@@ -5860,7 +5909,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+       if (!params)
+               return -ENOMEM;
+-      err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
++      err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
++                                 info->extack);
+       if (err)
+               goto out;
+@@ -6090,6 +6140,11 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+                       goto out_unlock;
+       }
++      if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
++              err = -EINVAL;
++              goto out_unlock;
++      }
++
+       err = nl80211_calculate_ap_params(params);
+       if (err)
+               goto out_unlock;
+@@ -6129,6 +6184,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+           params->mbssid_config.tx_wdev->netdev &&
+           params->mbssid_config.tx_wdev->netdev != dev)
+               dev_put(params->mbssid_config.tx_wdev->netdev);
++      kfree(params->beacon.rnr_ies);
+       kfree(params);
+       return err;
+@@ -6153,7 +6209,7 @@ static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
+       if (!wdev->links[link_id].ap.beacon_interval)
+               return -EINVAL;
+-      err = nl80211_parse_beacon(rdev, info->attrs, &params);
++      err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
+       if (err)
+               goto out;
+@@ -6163,6 +6219,7 @@ static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
+ out:
+       kfree(params.mbssid_ies);
++      kfree(params.rnr_ies);
+       return err;
+ }
+@@ -10017,7 +10074,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
+       if (!need_new_beacon)
+               goto skip_beacons;
+-      err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
++      err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
++                                 info->extack);
+       if (err)
+               goto free;
+@@ -10034,7 +10092,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
+       if (err)
+               goto free;
+-      err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
++      err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
++                                 info->extack);
+       if (err)
+               goto free;
+@@ -10154,6 +10213,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
+ free:
+       kfree(params.beacon_after.mbssid_ies);
+       kfree(params.beacon_csa.mbssid_ies);
++      kfree(params.beacon_after.rnr_ies);
++      kfree(params.beacon_csa.rnr_ies);
+       kfree(csa_attrs);
+       return err;
+ }
+@@ -15880,7 +15941,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
+       params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
+       params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
+-      err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
++      err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
++                                 info->extack);
+       if (err)
+               return err;
+@@ -15894,7 +15956,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
+       if (err)
+               goto out;
+-      err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
++      err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
++                                 info->extack);
+       if (err)
+               goto out;
+@@ -15950,6 +16013,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
+ out:
+       kfree(params.beacon_next.mbssid_ies);
+       kfree(params.beacon_color_change.mbssid_ies);
++      kfree(params.beacon_next.rnr_ies);
++      kfree(params.beacon_color_change.rnr_ies);
+       kfree(tb);
+       return err;
+ }
+-- 
+2.51.0
+
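Review bot: In nl80211_parse_rnr_elems() the element count `num_elems` and the fill index `i` are both `u8` and nothing bounds the number of nested attributes, so a request carrying more than 255 entries wraps the count, sizes the `kzalloc()` for the wrapped value, and lets the second loop store past the allocation. Rejecting the input in the first loop before the increment closes this: `if (num_elems >= U8_MAX) return ERR_PTR(-EINVAL);`. Separately, in the nl80211_parse_beacon() hunk the `rnr->cnt < bcn->mbssid_ies->cnt` check returns -EINVAL before `bcn->rnr_ies = rnr;`, so the callers' `kfree()` of `rnr_ies` never sees the buffer and it leaks; add `kfree(rnr);` before that return. nl80211_parse_beacon() starts and ends outside the hunk.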
diff --git a/queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch b/queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch
new file mode 100644 (file)
index 0000000..e31e799
--- /dev/null
@@ -0,0 +1,213 @@
+From d101d504399ad0d3acbb2b70e3f04c6466e1400a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 18:14:48 +0530
+Subject: cfg80211: Update Transition Disable policy during port authorization
+
+From: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
+
+[ Upstream commit 0ff57171d6d225558c81a69439d5323e35b40549 ]
+
+In case of 4way handshake offload, transition disable policy
+updated by the AP during EAPOL 3/4 is not updated to the upper layer.
+This results in mismatch between transition disable policy
+between the upper layer and the driver. This patch addresses this
+issue by updating transition disable policy as part of port
+authorization indication.
+
+Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c  |  2 +-
+ include/net/cfg80211.h                               |  4 +++-
+ include/uapi/linux/nl80211.h                         |  3 +++
+ net/wireless/core.h                                  |  5 ++++-
+ net/wireless/nl80211.c                               |  8 +++++++-
+ net/wireless/nl80211.h                               |  3 ++-
+ net/wireless/sme.c                                   | 12 ++++++++----
+ net/wireless/util.c                                  |  4 +++-
+ 8 files changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 7eec5eb62371..6e7de5dce49e 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6009,7 +6009,7 @@ brcmf_bss_roaming_done(struct brcmf_cfg80211_info *cfg,
+       brcmf_dbg(CONN, "Report roaming result\n");
+       if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X && profile->is_ft) {
+-              cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL);
++              cfg80211_port_authorized(ndev, profile->bssid, NULL, 0, GFP_KERNEL);
+               brcmf_dbg(CONN, "Report port authorized\n");
+       }
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index e35bc5c35732..d15033420ca3 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -7825,6 +7825,8 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info,
+  *
+  * @dev: network device
+  * @bssid: the BSSID of the AP
++ * @td_bitmap: transition disable policy
++ * @td_bitmap_len: Length of transition disable policy
+  * @gfp: allocation flags
+  *
+  * This function should be called by a driver that supports 4 way handshake
+@@ -7835,7 +7837,7 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info,
+  * indicate the 802.11 association.
+  */
+ void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid,
+-                            gfp_t gfp);
++                            const u8* td_bitmap, u8 td_bitmap_len, gfp_t gfp);
+ /**
+  * cfg80211_disconnected - notify cfg80211 that connection was dropped
+diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
+index c32e7616a366..c14a91bbca7c 100644
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -2749,6 +2749,8 @@ enum nl80211_commands {
+  *    When used with %NL80211_CMD_FRAME_TX_STATUS, indicates the ack RX
+  *    timestamp. When used with %NL80211_CMD_FRAME RX notification, indicates
+  *    the incoming frame RX timestamp.
++ * @NL80211_ATTR_TD_BITMAP: Transition Disable bitmap, for subsequent
++ *    (re)associations.
+  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
+  * @NL80211_ATTR_MAX: highest attribute number currently defined
+  * @__NL80211_ATTR_AFTER_LAST: internal use
+@@ -3276,6 +3278,7 @@ enum nl80211_attrs {
+       NL80211_ATTR_TX_HW_TIMESTAMP,
+       NL80211_ATTR_RX_HW_TIMESTAMP,
++      NL80211_ATTR_TD_BITMAP,
+       /* add attributes here, update the policy in nl80211.c */
+diff --git a/net/wireless/core.h b/net/wireless/core.h
+index ee980965a7cf..17dfdf9fe749 100644
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -277,6 +277,8 @@ struct cfg80211_event {
+               } ij;
+               struct {
+                       u8 bssid[ETH_ALEN];
++                      const u8 *td_bitmap;
++                      u8 td_bitmap_len;
+               } pa;
+       };
+ };
+@@ -421,7 +423,8 @@ int cfg80211_disconnect(struct cfg80211_registered_device *rdev,
+                       bool wextev);
+ void __cfg80211_roamed(struct wireless_dev *wdev,
+                      struct cfg80211_roam_info *info);
+-void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid);
++void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid,
++                              const u8 *td_bitmap, u8 td_bitmap_len);
+ int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev,
+                             struct wireless_dev *wdev);
+ void cfg80211_autodisconnect_wk(struct work_struct *work);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 3ff2fe98a974..1ab60967d6cd 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -18016,7 +18016,8 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
+ }
+ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
+-                                struct net_device *netdev, const u8 *bssid)
++                                struct net_device *netdev, const u8 *bssid,
++                                const u8 *td_bitmap, u8 td_bitmap_len)
+ {
+       struct sk_buff *msg;
+       void *hdr;
+@@ -18036,6 +18037,11 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
+           nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
+               goto nla_put_failure;
++      if ((td_bitmap_len > 0) && td_bitmap)
++              if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
++                          td_bitmap_len, td_bitmap))
++                      goto nla_put_failure;
++
+       genlmsg_end(msg, hdr);
+       genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
+diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
+index 855d540ddfb9..ba9457e94c43 100644
+--- a/net/wireless/nl80211.h
++++ b/net/wireless/nl80211.h
+@@ -83,7 +83,8 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
+                        struct net_device *netdev,
+                        struct cfg80211_roam_info *info, gfp_t gfp);
+ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
+-                                struct net_device *netdev, const u8 *bssid);
++                                struct net_device *netdev, const u8 *bssid,
++                                const u8 *td_bitmap, u8 td_bitmap_len);
+ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
+                              struct net_device *netdev, u16 reason,
+                              const u8 *ie, size_t ie_len, bool from_ap);
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 26106802b17b..5adf3912f585 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -1270,7 +1270,8 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info,
+ }
+ EXPORT_SYMBOL(cfg80211_roamed);
+-void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid)
++void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid,
++                                      const u8 *td_bitmap, u8 td_bitmap_len)
+ {
+       ASSERT_WDEV_LOCK(wdev);
+@@ -1283,11 +1284,11 @@ void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid)
+               return;
+       nl80211_send_port_authorized(wiphy_to_rdev(wdev->wiphy), wdev->netdev,
+-                                   bssid);
++                                   bssid, td_bitmap, td_bitmap_len);
+ }
+ void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid,
+-                            gfp_t gfp)
++                            const u8 *td_bitmap, u8 td_bitmap_len, gfp_t gfp)
+ {
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+@@ -1297,12 +1298,15 @@ void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid,
+       if (WARN_ON(!bssid))
+               return;
+-      ev = kzalloc(sizeof(*ev), gfp);
++      ev = kzalloc(sizeof(*ev) + td_bitmap_len, gfp);
+       if (!ev)
+               return;
+       ev->type = EVENT_PORT_AUTHORIZED;
+       memcpy(ev->pa.bssid, bssid, ETH_ALEN);
++      ev->pa.td_bitmap = ((u8 *)ev) + sizeof(*ev);
++      ev->pa.td_bitmap_len = td_bitmap_len;
++      memcpy((void *)ev->pa.td_bitmap, td_bitmap, td_bitmap_len);
+       /*
+        * Use the wdev event list so that if there are pending
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 00c1530e1979..b513e24572a3 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1113,7 +1113,9 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev)
+                       __cfg80211_leave(wiphy_to_rdev(wdev->wiphy), wdev);
+                       break;
+               case EVENT_PORT_AUTHORIZED:
+-                      __cfg80211_port_authorized(wdev, ev->pa.bssid);
++                      __cfg80211_port_authorized(wdev, ev->pa.bssid,
++                                                 ev->pa.td_bitmap,
++                                                 ev->pa.td_bitmap_len);
+                       break;
+               }
+               wdev_unlock(wdev);
+-- 
+2.51.0
+
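Review bot: cfg80211_port_authorized() in net/wireless/sme.c copies `td_bitmap_len` bytes from `td_bitmap` without checking the pointer, so a driver that passes NULL together with a non-zero length faults in the `memcpy()`. The later test in nl80211_send_port_authorized(), `(td_bitmap_len > 0) && td_bitmap`, cannot catch this, because by then `ev->pa.td_bitmap` always points at the tail of the event allocation. A guard next to the existing `WARN_ON(!bssid)` would cover it: `if (WARN_ON(td_bitmap_len && !td_bitmap)) return;`. The function body is split across two hunks and continues past the last one.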
diff --git a/queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..5536b17
--- /dev/null
@@ -0,0 +1,61 @@
+From bdf4273d250621adabbbecdd64f062e8f73300d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index b1bcfe537daf..562ab102226a 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+                       return err;
+       }
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
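Review bot: The final `if (unlikely(unaligned_info))` in seqiv_aead_encrypt() has no comment explaining why a local flag replaces the `info != req->iv` comparison, which makes it easy to simplify the code back into a dereference of a request that an asynchronous completion may already have freed. A short comment above the check would record the constraint, e.g. `/* req may be freed once crypto_aead_encrypt() returns; do not read req->iv */`. The call still hands `req` to seqiv_aead_encrypt_complete2(); presumably that helper returns before touching the request when the operation is still in flight, but its body is outside the hunk and should be checked. seqiv_aead_encrypt() starts before the first hunk.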
diff --git a/queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..7f11819
--- /dev/null
@@ -0,0 +1,68 @@
+From ffc028d346a5c6c4cd4fdd75de67f414fc615d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
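Review bot: `RCV_BUFFER_SIZE` is moved to the top of the file without a comment tying it to the receive-buffer allocation, which is exactly the coupling this fix repairs (both dma_free_coherent() calls previously passed PAGE_SIZE). A comment on the define such as `/* size of lynx->rcv_buffer; use it for the coherent allocation and for every free */` would make the pairing explicit. The allocation in add_card() is outside the hunks, so whether it uses RCV_BUFFER_SIZE, as the commit message says, cannot be confirmed from here.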
diff --git a/queue-6.1/genalloc.h-fix-htmldocs-warning.patch b/queue-6.1/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..ff249ca
--- /dev/null
@@ -0,0 +1,38 @@
+From 10160131344a950f6eb7180e9bba548c80a9ad22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..eedfe3d
--- /dev/null
@@ -0,0 +1,53 @@
+From 6d89e49eb5b80e9d956f7083c8e58dd043029269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 522267314160..5823229ae598 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2252,6 +2252,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
+-- 
+2.51.0
+
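Review bot: The added `i40e_service_event_schedule(vsi->back);` sits after the closing brace of the last conditional, so it runs on every i40e_set_rx_mode() call whether or not a filter or flag change was recorded, and nothing at the call site says why. A short comment would keep a later cleanup from moving it back inside a branch, for example `/* always kick the service task: filter sync and PTP RX setup must not wait for its next run */`. The wording is taken from the commit message and should be confirmed against what the service task actually does. The start of i40e_set_rx_mode() is outside the hunk.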
diff --git a/queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch b/queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch
new file mode 100644 (file)
index 0000000..cbb9b1b
--- /dev/null
@@ -0,0 +1,81 @@
+From 36ae0923964da83750856854f869c6389494bf07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 09:26:04 +0200
+Subject: i40e: Refactor argument of i40e_detect_recover_hung()
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 7033ada04e33048c8b33294fecbb0d73f3cd1088 ]
+
+Commit 07d44190a389 ("i40e/i40evf: Detect and recover hung queue
+scenario") changes i40e_detect_recover_hung() argument type from
+i40e_pf* to i40e_vsi* to be shareable by both i40e and i40evf.
+Because the i40evf does not exist anymore and the function is
+exclusively used by i40e we can revert this change.
+
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c |  2 +-
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 ++++++----
+ drivers/net/ethernet/intel/i40e/i40e_txrx.h |  2 +-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index fb0dd6f33090..f64ef96ed4f7 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11304,7 +11304,7 @@ static void i40e_service_task(struct work_struct *work)
+               return;
+       if (!test_bit(__I40E_RECOVERY_MODE, pf->state)) {
+-              i40e_detect_recover_hung(pf->vsi[pf->lan_vsi]);
++              i40e_detect_recover_hung(pf);
+               i40e_sync_filters_subtask(pf);
+               i40e_reset_subtask(pf);
+               i40e_handle_mdd_event(pf);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 2ede35ba3919..d6fe9e3a8482 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -867,13 +867,15 @@ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw)
+ /**
+  * i40e_detect_recover_hung - Function to detect and recover hung_queues
+- * @vsi:  pointer to vsi struct with tx queues
++ * @pf: pointer to PF struct
+  *
+- * VSI has netdev and netdev has TX queues. This function is to check each of
+- * those TX queues if they are hung, trigger recovery by issuing SW interrupt.
++ * LAN VSI has netdev and netdev has TX queues. This function is to check
++ * each of those TX queues if they are hung, trigger recovery by issuing
++ * SW interrupt.
+  **/
+-void i40e_detect_recover_hung(struct i40e_vsi *vsi)
++void i40e_detect_recover_hung(struct i40e_pf *pf)
+ {
++      struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+       struct i40e_ring *tx_ring = NULL;
+       struct net_device *netdev;
+       unsigned int i;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+index 6e567d343e03..8188ec7e3ef2 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+@@ -465,7 +465,7 @@ void i40e_free_rx_resources(struct i40e_ring *rx_ring);
+ int i40e_napi_poll(struct napi_struct *napi, int budget);
+ void i40e_force_wb(struct i40e_vsi *vsi, struct i40e_q_vector *q_vector);
+ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw);
+-void i40e_detect_recover_hung(struct i40e_vsi *vsi);
++void i40e_detect_recover_hung(struct i40e_pf *pf);
+ int __i40e_maybe_stop_tx(struct i40e_ring *tx_ring, int size);
+ bool __i40e_chk_linearize(struct sk_buff *skb);
+ int i40e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
+-- 
+2.51.0
+
diff --git a/queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch b/queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch
new file mode 100644 (file)
index 0000000..c544ddc
--- /dev/null
@@ -0,0 +1,158 @@
+From 5fe3cbbf504f59ec2be7763a4b4a674aa8589e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 09:26:03 +0200
+Subject: i40e: Refactor argument of several client notification functions
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 54c4664e48eea52f2b296c73ddb8f5629b958678 ]
+
+Commit 0ef2d5afb12d ("i40e: KISS the client interface") simplified
+the client interface so in practice it supports only one client
+per i40e netdev. But we have still 2 notification functions that
+uses as parameter a pointer to VSI of netdevice associated with
+the client. After the mentioned commit only possible and used
+VSI is the main (LAN) VSI.
+So refactor these functions so they are called with PF pointer argument
+and the associated VSI (LAN) is taken inside them.
+
+Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h        |  4 ++--
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +++++++++----------
+ drivers/net/ethernet/intel/i40e/i40e_main.c   | 12 +++++------
+ 3 files changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index 3c9ac53da331..bc2ccb77dbe0 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1217,8 +1217,8 @@ static inline void i40e_dbg_exit(void) {}
+ int i40e_lan_add_device(struct i40e_pf *pf);
+ int i40e_lan_del_device(struct i40e_pf *pf);
+ void i40e_client_subtask(struct i40e_pf *pf);
+-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi);
+-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset);
++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf);
++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset);
+ void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs);
+ void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id);
+ void i40e_client_update_msix_info(struct i40e_pf *pf);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index 86fd82412e9e..406cfb9c5ac9 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -102,25 +102,26 @@ i40e_notify_client_of_vf_msg(struct i40e_vsi *vsi, u32 vf_id, u8 *msg, u16 len)
+ /**
+  * i40e_notify_client_of_l2_param_changes - call the client notify callback
+- * @vsi: the VSI with l2 param changes
++ * @pf: PF device pointer
+  *
+- * If there is a client to this VSI, call the client
++ * If there is a client, call its callback
+  **/
+-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi)
++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf)
+ {
+-      struct i40e_pf *pf = vsi->back;
+       struct i40e_client_instance *cdev = pf->cinst;
++      struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
+       struct i40e_params params;
+       if (!cdev || !cdev->client)
+               return;
+       if (!cdev->client->ops || !cdev->client->ops->l2_param_change) {
+-              dev_dbg(&vsi->back->pdev->dev,
++              dev_dbg(&pf->pdev->dev,
+                       "Cannot locate client instance l2_param_change routine\n");
+               return;
+       }
+       if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) {
+-              dev_dbg(&vsi->back->pdev->dev, "Client is not open, abort l2 param change\n");
++              dev_dbg(&pf->pdev->dev,
++                      "Client is not open, abort l2 param change\n");
+               return;
+       }
+       memset(&params, 0, sizeof(params));
+@@ -160,20 +161,19 @@ static void i40e_client_release_qvlist(struct i40e_info *ldev)
+ /**
+  * i40e_notify_client_of_netdev_close - call the client close callback
+- * @vsi: the VSI with netdev closed
++ * @pf: PF device pointer
+  * @reset: true when close called due to a reset pending
+  *
+  * If there is a client to this netdev, call the client with close
+  **/
+-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset)
++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset)
+ {
+-      struct i40e_pf *pf = vsi->back;
+       struct i40e_client_instance *cdev = pf->cinst;
+       if (!cdev || !cdev->client)
+               return;
+       if (!cdev->client->ops || !cdev->client->ops->close) {
+-              dev_dbg(&vsi->back->pdev->dev,
++              dev_dbg(&pf->pdev->dev,
+                       "Cannot locate client instance close routine\n");
+               return;
+       }
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 5823229ae598..fb0dd6f33090 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11313,14 +11313,12 @@ static void i40e_service_task(struct work_struct *work)
+               i40e_fdir_reinit_subtask(pf);
+               if (test_and_clear_bit(__I40E_CLIENT_RESET, pf->state)) {
+                       /* Client subtask will reopen next time through. */
+-                      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi],
+-                                                         true);
++                      i40e_notify_client_of_netdev_close(pf, true);
+               } else {
+                       i40e_client_subtask(pf);
+                       if (test_and_clear_bit(__I40E_CLIENT_L2_CHANGE,
+                                              pf->state))
+-                              i40e_notify_client_of_l2_param_changes(
+-                                                              pf->vsi[pf->lan_vsi]);
++                              i40e_notify_client_of_l2_param_changes(pf);
+               }
+               i40e_sync_filters_subtask(pf);
+       } else {
+@@ -16307,7 +16305,7 @@ static void i40e_remove(struct pci_dev *pdev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       i40e_fdir_teardown(pf);
+@@ -16573,7 +16571,7 @@ static void i40e_shutdown(struct pci_dev *pdev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
+               i40e_enable_mc_magic_wake(pf);
+@@ -16626,7 +16624,7 @@ static int __maybe_unused i40e_suspend(struct device *dev)
+       /* Client close must be called explicitly here because the timer
+        * has been stopped.
+        */
+-      i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
++      i40e_notify_client_of_netdev_close(pf, false);
+       if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
+               i40e_enable_mc_magic_wake(pf);
+-- 
+2.51.0
+
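Review bot: The kernel-doc of i40e_notify_client_of_netdev_close() in i40e_client.c still reads "If there is a client to this netdev, call the client with close", although the function now takes the PF and no longer receives a VSI or netdev. The sibling i40e_notify_client_of_l2_param_changes() had its description reworded in the same patch, so the two should match, e.g. ` * If there is a client, call its close callback`. In the l2_param_changes hunk, `vsi` is now read from `pf->vsi[pf->lan_vsi]` at declaration and used further down, outside the hunk, so whether a NULL LAN VSI can reach that use cannot be judged from here.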
diff --git a/queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch
new file mode 100644 (file)
index 0000000..94b3e43
--- /dev/null
@@ -0,0 +1,100 @@
+From 8fe01eea9bf50118183bf344235ef9b0ceaefc8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 22:06:43 +0100
+Subject: i40e: validate ring_len parameter against hardware-specific values
+
+From: Gregory Herrero <gregory.herrero@oracle.com>
+
+[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
+
+The maximum number of descriptors supported by the hardware is
+hardware-dependent and can be retrieved using
+i40e_get_max_num_descriptors(). Move this function to a shared header
+and use it when checking for valid ring_len parameter rather than using
+hardcoded value.
+
+By fixing an over-acceptance issue, behavior change could be seen where
+ring_len could now be rejected while configuring rx and tx queues if its
+size is larger than the hardware-dependent maximum number of
+descriptors.
+
+Fixes: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h             | 11 +++++++++++
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c     | 12 ------------
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |  4 ++--
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index bc2ccb77dbe0..af60be8626aa 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1325,4 +1325,15 @@ static inline u32 i40e_is_tc_mqprio_enabled(struct i40e_pf *pf)
+       return pf->flags & I40E_FLAG_TC_MQPRIO;
+ }
++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
++{
++      const struct i40e_hw *hw = &pf->hw;
++
++      switch (hw->mac.type) {
++      case I40E_MAC_XL710:
++              return I40E_MAX_NUM_DESCRIPTORS_XL710;
++      default:
++              return I40E_MAX_NUM_DESCRIPTORS;
++      }
++}
+ #endif /* _I40E_H_ */
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index c3378106946c..1aed31bc2e8a 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2012,18 +2012,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
+               drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
+-{
+-      struct i40e_hw *hw = &pf->hw;
+-
+-      switch (hw->mac.type) {
+-      case I40E_MAC_XL710:
+-              return I40E_MAX_NUM_DESCRIPTORS_XL710;
+-      default:
+-              return I40E_MAX_NUM_DESCRIPTORS;
+-      }
+-}
+-
+ static void i40e_get_ringparam(struct net_device *netdev,
+                              struct ethtool_ringparam *ring,
+                              struct kernel_ethtool_ringparam *kernel_ring,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 2b2f9bb755b6..1bba77347efb 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 8 */
+       if (!IS_ALIGNED(info->ring_len, 8) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_context;
+       }
+@@ -728,7 +728,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 32 */
+       if (!IS_ALIGNED(info->ring_len, 32) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_param;
+       }
+-- 
+2.51.0
+
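Review bot: Both ring_len checks in i40e_virtchnl_pf.c bound the length only by alignment and from above, so a value of 0 passes `IS_ALIGNED()` and the new `i40e_get_max_num_descriptors(pf)` comparison alike. The value appears to come from a VF queue-configuration request. If no lower bound is enforced later in i40e_config_vsi_tx_queue() or i40e_config_vsi_rx_queue(), whose bodies continue outside these hunks, consider adding `info->ring_len < I40E_MIN_NUM_DESCRIPTORS ||` to each condition, after confirming which sizes VFs legitimately request. The new call also relies on a `pf` local being in scope in both functions, which the hunks do not show.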
diff --git a/queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..2239144
--- /dev/null
@@ -0,0 +1,113 @@
+From 50080a7f2c01a698e133d33f7230de1cd9fb515c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 7119bce4c091..467ad433a47b 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1783,11 +1783,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
+-- 
+2.51.0
+
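Review bot: With `<` the loops stop at the end of the rss_key and rss_lut buffers, but the number of `IAVF_VFQF_HKEY(i)` and `IAVF_VFQF_HLUT(i)` registers written is still decided solely by `adapter->rss_key_size` and `adapter->rss_lut_size`. The commit message notes that the bounds used to be the fixed `*_MAX_INDEX` constants. If the sizes are not validated where they are set (not visible here), a larger value would still write past the register arrays. Either clamp to the register count or state the guarantee next to the loops, e.g. `/* rss_key_size / 4 dwords; must not exceed the HKEY register count */`. The division by 4 also silently drops trailing bytes when a size is not a multiple of 4.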
diff --git a/queue-6.1/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.1/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..e64b098
--- /dev/null
@@ -0,0 +1,76 @@
+From 20472c953ef355e2bca2995b8b6f9179a82ab9ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 718fcad69cf1..249c613a9280 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1405,9 +1405,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
+-- 
+2.51.0
+
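Review bot: The new headroom check in ip6gre_header() has no comment, and its failure path `return -needed;` reports a negated length rather than an errno without saying that this is deliberate. A reader meeting `pskb_expand_head()` in a header_ops callback will want the reason, which the commit message gives: `/* team/bonding can change needed_headroom after the skb was allocated; grow the headroom instead of hitting skb_under_panic() */`. A second line should note that callers treat any negative return as failure, if that matches the function's other return paths, which lie outside the hunk. `needed` is a signed `int` compared against the unsigned result of `skb_headroom()`, which is harmless only while `t->hlen` stays non-negative.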
diff --git a/queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..e5bc5da
--- /dev/null
@@ -0,0 +1,73 @@
+From 10866d25db0e5fdc8142a2168e2a87d9d54d7ebc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index fa54b36b241a..4d148d089232 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
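Review bot: The rewritten comment in fib_table_flush() says which error routes are skipped but not why dead ones must now be flushed, and that reason is the whole purpose of the change. Suggest extending it with the explanation from the commit message: `/* ... error routes on a dead nexthop must go too, or they keep a reference on the nexthop and its device */`. The added test reads `fi->fib_flags`, and `fi` is declared outside the hunk, so it is worth confirming during the backport that `fi` is already assigned from this `fa` at that point in the 6.1 loop.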
diff --git a/queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..5fa4f42
--- /dev/null
@@ -0,0 +1,97 @@
+From aac1d74d4677db37f88a1acba20996d2411732e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 24666291c54a..72079ef2959b 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
+-- 
+2.51.0
+
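Review bot: The clamp on `len_delta` in the new `skb_cow()` call in calipso_skbuff_setattr() has no comment, so the reason a negative delta must not reach skb_cow() is recorded only in the commit message. A one-line comment above the call would keep it with the code, for example `/* skb_cow() may only grow headroom; a negative len_delta must not shrink the request */`. The ternary could also be written `max(len_delta, 0)`, assuming len_delta is an int, as the `(int)end` cast in the context line suggests. The commit message places the root cause in the implicit cast in __skb_cow(), which this change leaves untouched, so other callers that build the headroom argument from a signed delta may need the same clamp. The function starts and continues outside the hunk.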
diff --git a/queue-6.1/mac80211-support-rnr-for-ema-ap.patch b/queue-6.1/mac80211-support-rnr-for-ema-ap.patch
new file mode 100644 (file)
index 0000000..443349a
--- /dev/null
@@ -0,0 +1,241 @@
+From 102b24b9027d944f1c162075791843948c3d0b3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Mar 2023 04:38:01 -0700
+Subject: mac80211: support RNR for EMA AP
+
+From: Aloka Dixit <quic_alokad@quicinc.com>
+
+[ Upstream commit 68b9bea267bfc1259e195dcac1bf69db0c0c28da ]
+
+Generate EMA beacons, each including MBSSID and RNR elements at a given
+index. If number of stored RNR elements is more than the number of
+MBSSID elements then add those in every EMA beacon.
+
+Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
+Link: https://lore.kernel.org/r/20230323113801.6903-3-quic_alokad@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c         | 63 +++++++++++++++++++++++++++++++++++---
+ net/mac80211/ieee80211_i.h | 21 +++++++++++--
+ net/mac80211/tx.c          | 10 ++++++
+ 3 files changed, 86 insertions(+), 8 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 72dd534492bf..a25d647c1c4b 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1087,6 +1087,23 @@ ieee80211_copy_mbssid_beacon(u8 *pos, struct cfg80211_mbssid_elems *dst,
+       return offset;
+ }
++static int
++ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst,
++                        struct cfg80211_rnr_elems *src)
++{
++      int i, offset = 0;
++
++      for (i = 0; i < src->cnt; i++) {
++              memcpy(pos + offset, src->elem[i].data, src->elem[i].len);
++              dst->elem[i].len = src->elem[i].len;
++              dst->elem[i].data = pos + offset;
++              offset += dst->elem[i].len;
++      }
++      dst->cnt = src->cnt;
++
++      return offset;
++}
++
+ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+                                  struct ieee80211_link_data *link,
+                                  struct cfg80211_beacon_data *params,
+@@ -1094,6 +1111,7 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+                                  const struct ieee80211_color_change_settings *cca)
+ {
+       struct cfg80211_mbssid_elems *mbssid = NULL;
++      struct cfg80211_rnr_elems *rnr = NULL;
+       struct beacon_data *new, *old;
+       int new_head_len, new_tail_len;
+       int size, err;
+@@ -1125,11 +1143,21 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt);
++              if (params->rnr_ies) {
++                      rnr = params->rnr_ies;
++                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
++              }
++              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
++                                                      mbssid->cnt);
+       } else if (old && old->mbssid_ies) {
+               mbssid = old->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt);
++              if (old && old->rnr_ies) {
++                      rnr = old->rnr_ies;
++                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
++              }
++              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
++                                                      mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+@@ -1140,7 +1168,7 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       /*
+        * pointers go into the block we allocated,
+-       * memory is | beacon_data | head | tail | mbssid_ies
++       * memory is | beacon_data | head | tail | mbssid_ies | rnr_ies
+        */
+       new->head = ((u8 *) new) + sizeof(*new);
+       new->tail = new->head + new_head_len;
+@@ -1152,7 +1180,13 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+               new->mbssid_ies = (void *)pos;
+               pos += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              ieee80211_copy_mbssid_beacon(pos, new->mbssid_ies, mbssid);
++              pos += ieee80211_copy_mbssid_beacon(pos, new->mbssid_ies,
++                                                  mbssid);
++              if (rnr) {
++                      new->rnr_ies = (void *)pos;
++                      pos += struct_size(new->rnr_ies, elem, rnr->cnt);
++                      ieee80211_copy_rnr_beacon(pos, new->rnr_ies, rnr);
++              }
+               /* update bssid_indicator */
+               link_conf->bssid_indicator =
+                       ilog2(__roundup_pow_of_two(mbssid->cnt + 1));
+@@ -1448,6 +1482,7 @@ static void ieee80211_free_next_beacon(struct ieee80211_link_data *link)
+               return;
+       kfree(link->u.ap.next_beacon->mbssid_ies);
++      kfree(link->u.ap.next_beacon->rnr_ies);
+       kfree(link->u.ap.next_beacon);
+       link->u.ap.next_beacon = NULL;
+ }
+@@ -3360,6 +3395,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
+       if (beacon->mbssid_ies)
+               len += ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies,
++                                                     beacon->rnr_ies,
+                                                      beacon->mbssid_ies->cnt);
+       new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL);
+@@ -3375,6 +3411,18 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
+                       kfree(new_beacon);
+                       return NULL;
+               }
++
++              if (beacon->rnr_ies && beacon->rnr_ies->cnt) {
++                      new_beacon->rnr_ies =
++                              kzalloc(struct_size(new_beacon->rnr_ies,
++                                                  elem, beacon->rnr_ies->cnt),
++                                      GFP_KERNEL);
++                      if (!new_beacon->rnr_ies) {
++                              kfree(new_beacon->mbssid_ies);
++                              kfree(new_beacon);
++                              return NULL;
++                      }
++              }
+       }
+       pos = (u8 *)(new_beacon + 1);
+@@ -3414,10 +3462,15 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
+               memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
+               pos += beacon->probe_resp_len;
+       }
+-      if (beacon->mbssid_ies && beacon->mbssid_ies->cnt)
++      if (beacon->mbssid_ies && beacon->mbssid_ies->cnt) {
+               pos += ieee80211_copy_mbssid_beacon(pos,
+                                                   new_beacon->mbssid_ies,
+                                                   beacon->mbssid_ies);
++              if (beacon->rnr_ies && beacon->rnr_ies->cnt)
++                      pos += ieee80211_copy_rnr_beacon(pos,
++                                                       new_beacon->rnr_ies,
++                                                       beacon->rnr_ies);
++      }
+       /* might copy -1, meaning no changes requested */
+       new_beacon->ftm_responder = beacon->ftm_responder;
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index d08aa09002df..64f8d8f2b799 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -269,6 +269,7 @@ struct beacon_data {
+       u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM];
+       u8 cntdwn_current_counter;
+       struct cfg80211_mbssid_elems *mbssid_ies;
++      struct cfg80211_rnr_elems *rnr_ies;
+       struct rcu_head rcu_head;
+ };
+@@ -1165,20 +1166,34 @@ ieee80211_vif_get_shift(struct ieee80211_vif *vif)
+ }
+ static inline int
+-ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems, u8 i)
++ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems,
++                              struct cfg80211_rnr_elems *rnr_elems,
++                              u8 i)
+ {
+       int len = 0;
+       if (!elems || !elems->cnt || i > elems->cnt)
+               return 0;
+-      if (i < elems->cnt)
+-              return elems->elem[i].len;
++      if (i < elems->cnt) {
++              len = elems->elem[i].len;
++              if (rnr_elems) {
++                      len += rnr_elems->elem[i].len;
++                      for (i = elems->cnt; i < rnr_elems->cnt; i++)
++                              len += rnr_elems->elem[i].len;
++              }
++              return len;
++      }
+       /* i == elems->cnt, calculate total length of all MBSSID elements */
+       for (i = 0; i < elems->cnt; i++)
+               len += elems->elem[i].len;
++      if (rnr_elems) {
++              for (i = 0; i < rnr_elems->cnt; i++)
++                      len += rnr_elems->elem[i].len;
++      }
++
+       return len;
+ }
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 854bad6fbe19..5b7587cda883 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -5149,6 +5149,15 @@ ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon,
+       if (i < beacon->mbssid_ies->cnt) {
+               skb_put_data(skb, beacon->mbssid_ies->elem[i].data,
+                            beacon->mbssid_ies->elem[i].len);
++
++              if (beacon->rnr_ies && beacon->rnr_ies->cnt) {
++                      skb_put_data(skb, beacon->rnr_ies->elem[i].data,
++                                   beacon->rnr_ies->elem[i].len);
++
++                      for (i = beacon->mbssid_ies->cnt; i < beacon->rnr_ies->cnt; i++)
++                              skb_put_data(skb, beacon->rnr_ies->elem[i].data,
++                                           beacon->rnr_ies->elem[i].len);
++              }
+               return;
+       }
+@@ -5186,6 +5195,7 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw,
+        * tail length, maximum TIM length and multiple BSSID length
+        */
+       mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies,
++                                                   beacon->rnr_ies,
+                                                    ema_index);
+       skb = dev_alloc_skb(local->tx_headroom + beacon->head_len +
+-- 
+2.51.0
+
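Review bot: `rnr_elems->elem[i]` in ieee80211_get_mbssid_beacon_len() and `beacon->rnr_ies->elem[i]` in ieee80211_beacon_add_mbssid() are indexed with an `i` that is checked only against the MBSSID count, so an RNR list shorter than the MBSSID list would be read past its end. Nothing in these hunks enforces that the RNR count is at least the MBSSID count. If the configuration path already rejects that case, a comment stating the invariant at both sites is enough; otherwise guard the access, e.g. `if (rnr_elems && i < rnr_elems->cnt)` in the helper and the matching `i < beacon->rnr_ies->cnt` test in tx.c. The two sites have to change together, because the helper sizes the skb that the tx.c code then fills. The loop `for (i = elems->cnt; i < rnr_elems->cnt; i++)` also reuses the `u8 i` parameter, which relies on the RNR count fitting in a u8; the type of `cnt` is not visible here.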
diff --git a/queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..440ecf0
--- /dev/null
@@ -0,0 +1,42 @@
+From 75cdcb842aa5ed915fe8a6fd01eb96d8057c0c82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 901b9f609b0c..9f3f636587f3 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -224,6 +224,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..f1fae27
--- /dev/null
@@ -0,0 +1,45 @@
+From 0d7aa1312bcc7cd937c1161f53d1a3f3c36d2e97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index bdbb873fe6eb..49fb610db484 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1815,6 +1815,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
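Review bot: The new `is_multicast_ether_addr(ent->mac)` early return in b53_fdb_copy() carries no comment, and the reason it must come before the `port != ent->port` comparison is recorded only in the commit message. Suggest adding `/* Multicast ARL entries hold a port bitmask in ent->port, not a port number, and are not FDB entries */` above the check. The function continues outside the hunk.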
diff --git a/queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..87ab9b7
--- /dev/null
@@ -0,0 +1,52 @@
+From bfd71b99988d4bf258438d964b857e4003f30793 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index 944d005d2bd1..77fccb903718 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
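Review bot: The workaround comment above the added `ioread32()` in aspeed_mdio_op() does not say which controllers are affected or where the hardware issue is recorded, so a later reader cannot tell when the extra read may be dropped. If a reference exists, add it to the comment, e.g. `/* see <erratum or datasheet reference> */` (placeholder, none is given on this page). The discarded result could also be written `(void)ioread32(ctx->base + ASPEED_MDIO_CTRL);` to make it explicit that the value is intentionally unused. The function starts outside the hunk.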
diff --git a/queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..146085b
--- /dev/null
@@ -0,0 +1,68 @@
+From 903e54de2ea262b391be606981f1910b6ca34c69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 2f61d5bdce1a..7126ff104550 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -153,10 +153,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
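Review bot: The first `netif_is_ovs_port(vport->dev)` test in netdev_destroy() now runs without the RTNL, and the added comment covers only the case where the port was already fully detached. If the notifier is still inside ovs_netdev_detach_dev() when the flag is seen as cleared, this path skips the lock and goes straight to `call_rcu()`, so it no longer waits for that detach to finish. Whether that is safe depends on the ordering inside ovs_netdev_detach_dev(), which is outside the hunk. The comment should say why the lockless read is safe, for example `/* the flag is only ever cleared, and detach does not use vport after clearing it */`, if that holds once checked against ovs_netdev_detach_dev().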
diff --git a/queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..1537cd5
--- /dev/null
@@ -0,0 +1,48 @@
+From d6a27d72b1172494697f4070f1e4e343c81cebfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 5a0bf022a84b..d13ec76a1fec 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch b/queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch
new file mode 100644 (file)
index 0000000..609b2af
--- /dev/null
@@ -0,0 +1,926 @@
+From ec0e6e10d2fc2ffb27a2c6fcc0987f0be554c0a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 15:04:06 -0500
+Subject: net: stmmac: dwmac4: Allow platforms to specify some DMA/MTL offsets
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit 33719b57f52e5b761234373f98f55f4e036d61c9 ]
+
+Some platforms have dwmac4 implementations that have a different
+address space layout than the default, resulting in the need to define
+their own DMA/MTL offsets.
+
+Extend the functions to allow a platform driver to indicate what its
+addresses are, overriding the defaults.
+
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Brian Masney <bmasney@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4.h  | 101 +++++++++--
+ .../net/ethernet/stmicro/stmmac/dwmac4_core.c |  36 ++--
+ .../net/ethernet/stmicro/stmmac/dwmac4_dma.c  | 157 ++++++++++--------
+ .../net/ethernet/stmicro/stmmac/dwmac4_dma.h  |  54 +++---
+ .../net/ethernet/stmicro/stmmac/dwmac4_lib.c  |  67 +++++---
+ include/linux/stmmac.h                        |  19 +++
+ 6 files changed, 293 insertions(+), 141 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h
+index 12c0e60809f4..9c16265e527f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h
+@@ -339,14 +339,25 @@ enum power_event {
+ #define MTL_CHAN_BASE_ADDR            0x00000d00
+ #define MTL_CHAN_BASE_OFFSET          0x40
+-#define MTL_CHANX_BASE_ADDR(x)                (MTL_CHAN_BASE_ADDR + \
+-                                      (x * MTL_CHAN_BASE_OFFSET))
+-#define MTL_CHAN_TX_OP_MODE(x)                MTL_CHANX_BASE_ADDR(x)
+-#define MTL_CHAN_TX_DEBUG(x)          (MTL_CHANX_BASE_ADDR(x) + 0x8)
+-#define MTL_CHAN_INT_CTRL(x)          (MTL_CHANX_BASE_ADDR(x) + 0x2c)
+-#define MTL_CHAN_RX_OP_MODE(x)                (MTL_CHANX_BASE_ADDR(x) + 0x30)
+-#define MTL_CHAN_RX_DEBUG(x)          (MTL_CHANX_BASE_ADDR(x) + 0x38)
++static inline u32 mtl_chanx_base_addr(const struct dwmac4_addrs *addrs,
++                                    const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_chan + (x * addrs->mtl_chan_offset);
++      else
++              addr = MTL_CHAN_BASE_ADDR + (x * MTL_CHAN_BASE_OFFSET);
++
++      return addr;
++}
++
++#define MTL_CHAN_TX_OP_MODE(addrs, x) mtl_chanx_base_addr(addrs, x)
++#define MTL_CHAN_TX_DEBUG(addrs, x)   (mtl_chanx_base_addr(addrs, x) + 0x8)
++#define MTL_CHAN_INT_CTRL(addrs, x)   (mtl_chanx_base_addr(addrs, x) + 0x2c)
++#define MTL_CHAN_RX_OP_MODE(addrs, x) (mtl_chanx_base_addr(addrs, x) + 0x30)
++#define MTL_CHAN_RX_DEBUG(addrs, x)   (mtl_chanx_base_addr(addrs, x) + 0x38)
+ #define MTL_OP_MODE_RSF                       BIT(5)
+ #define MTL_OP_MODE_TXQEN_MASK                GENMASK(3, 2)
+@@ -391,8 +402,19 @@ enum power_event {
+ /* MTL ETS Control register */
+ #define MTL_ETS_CTRL_BASE_ADDR                0x00000d10
+ #define MTL_ETS_CTRL_BASE_OFFSET      0x40
+-#define MTL_ETSX_CTRL_BASE_ADDR(x)    (MTL_ETS_CTRL_BASE_ADDR + \
+-                                      ((x) * MTL_ETS_CTRL_BASE_OFFSET))
++
++static inline u32 mtl_etsx_ctrl_base_addr(const struct dwmac4_addrs *addrs,
++                                        const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_ets_ctrl + (x * addrs->mtl_ets_ctrl_offset);
++      else
++              addr = MTL_ETS_CTRL_BASE_ADDR + (x * MTL_ETS_CTRL_BASE_OFFSET);
++
++      return addr;
++}
+ #define MTL_ETS_CTRL_CC                       BIT(3)
+ #define MTL_ETS_CTRL_AVALG            BIT(2)
+@@ -400,31 +422,76 @@ enum power_event {
+ /* MTL Queue Quantum Weight */
+ #define MTL_TXQ_WEIGHT_BASE_ADDR      0x00000d18
+ #define MTL_TXQ_WEIGHT_BASE_OFFSET    0x40
+-#define MTL_TXQX_WEIGHT_BASE_ADDR(x)  (MTL_TXQ_WEIGHT_BASE_ADDR + \
+-                                      ((x) * MTL_TXQ_WEIGHT_BASE_OFFSET))
++
++static inline u32 mtl_txqx_weight_base_addr(const struct dwmac4_addrs *addrs,
++                                          const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_txq_weight + (x * addrs->mtl_txq_weight_offset);
++      else
++              addr = MTL_TXQ_WEIGHT_BASE_ADDR + (x * MTL_TXQ_WEIGHT_BASE_OFFSET);
++
++      return addr;
++}
++
+ #define MTL_TXQ_WEIGHT_ISCQW_MASK     GENMASK(20, 0)
+ /* MTL sendSlopeCredit register */
+ #define MTL_SEND_SLP_CRED_BASE_ADDR   0x00000d1c
+ #define MTL_SEND_SLP_CRED_OFFSET      0x40
+-#define MTL_SEND_SLP_CREDX_BASE_ADDR(x)       (MTL_SEND_SLP_CRED_BASE_ADDR + \
+-                                      ((x) * MTL_SEND_SLP_CRED_OFFSET))
++
++static inline u32 mtl_send_slp_credx_base_addr(const struct dwmac4_addrs *addrs,
++                                             const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_send_slp_cred + (x * addrs->mtl_send_slp_cred_offset);
++      else
++              addr = MTL_SEND_SLP_CRED_BASE_ADDR + (x * MTL_SEND_SLP_CRED_OFFSET);
++
++      return addr;
++}
+ #define MTL_SEND_SLP_CRED_SSC_MASK    GENMASK(13, 0)
+ /* MTL hiCredit register */
+ #define MTL_HIGH_CRED_BASE_ADDR               0x00000d20
+ #define MTL_HIGH_CRED_OFFSET          0x40
+-#define MTL_HIGH_CREDX_BASE_ADDR(x)   (MTL_HIGH_CRED_BASE_ADDR + \
+-                                      ((x) * MTL_HIGH_CRED_OFFSET))
++
++static inline u32 mtl_high_credx_base_addr(const struct dwmac4_addrs *addrs,
++                                         const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_high_cred + (x * addrs->mtl_high_cred_offset);
++      else
++              addr = MTL_HIGH_CRED_BASE_ADDR + (x * MTL_HIGH_CRED_OFFSET);
++
++      return addr;
++}
+ #define MTL_HIGH_CRED_HC_MASK         GENMASK(28, 0)
+ /* MTL loCredit register */
+ #define MTL_LOW_CRED_BASE_ADDR                0x00000d24
+ #define MTL_LOW_CRED_OFFSET           0x40
+-#define MTL_LOW_CREDX_BASE_ADDR(x)    (MTL_LOW_CRED_BASE_ADDR + \
+-                                      ((x) * MTL_LOW_CRED_OFFSET))
++
++static inline u32 mtl_low_credx_base_addr(const struct dwmac4_addrs *addrs,
++                                        const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->mtl_low_cred + (x * addrs->mtl_low_cred_offset);
++      else
++              addr = MTL_LOW_CRED_BASE_ADDR + (x * MTL_LOW_CRED_OFFSET);
++
++      return addr;
++}
+ #define MTL_HIGH_CRED_LC_MASK         GENMASK(28, 0)
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index 279977d0d565..e7c1e150e2e9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -230,12 +230,14 @@ static void dwmac4_set_mtl_tx_queue_weight(struct stmmac_priv *priv,
+                                          struct mac_device_info *hw,
+                                          u32 weight, u32 queue)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       void __iomem *ioaddr = hw->pcsr;
+-      u32 value = readl(ioaddr + MTL_TXQX_WEIGHT_BASE_ADDR(queue));
++      u32 value = readl(ioaddr + mtl_txqx_weight_base_addr(dwmac4_addrs,
++                                                           queue));
+       value &= ~MTL_TXQ_WEIGHT_ISCQW_MASK;
+       value |= weight & MTL_TXQ_WEIGHT_ISCQW_MASK;
+-      writel(value, ioaddr + MTL_TXQX_WEIGHT_BASE_ADDR(queue));
++      writel(value, ioaddr + mtl_txqx_weight_base_addr(dwmac4_addrs, queue));
+ }
+ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
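Review bot: The register offset in dwmac4_set_mtl_tx_queue_weight is computed twice, once for readl() and once for writel(), and the first call has to be wrapped over two lines to fit. Computing it once keeps the read-modify-write visibly on a single register: `const u32 reg = mtl_txqx_weight_base_addr(dwmac4_addrs, queue);`, then `u32 value = readl(ioaddr + reg);` and `writel(value, ioaddr + reg);`. The same pattern would tidy the send-slope block in dwmac4_config_cbs and the wrapped readl() in dwmac4_enable_tbs.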
+@@ -270,6 +272,7 @@ static void dwmac4_config_cbs(struct stmmac_priv *priv,
+                             u32 send_slope, u32 idle_slope,
+                             u32 high_credit, u32 low_credit, u32 queue)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       void __iomem *ioaddr = hw->pcsr;
+       u32 value;
+@@ -280,31 +283,33 @@ static void dwmac4_config_cbs(struct stmmac_priv *priv,
+       pr_debug("\tlow_credit: 0x%08x\n", low_credit);
+       /* enable AV algorithm */
+-      value = readl(ioaddr + MTL_ETSX_CTRL_BASE_ADDR(queue));
++      value = readl(ioaddr + mtl_etsx_ctrl_base_addr(dwmac4_addrs, queue));
+       value |= MTL_ETS_CTRL_AVALG;
+       value |= MTL_ETS_CTRL_CC;
+-      writel(value, ioaddr + MTL_ETSX_CTRL_BASE_ADDR(queue));
++      writel(value, ioaddr + mtl_etsx_ctrl_base_addr(dwmac4_addrs, queue));
+       /* configure send slope */
+-      value = readl(ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue));
++      value = readl(ioaddr + mtl_send_slp_credx_base_addr(dwmac4_addrs,
++                                                          queue));
+       value &= ~MTL_SEND_SLP_CRED_SSC_MASK;
+       value |= send_slope & MTL_SEND_SLP_CRED_SSC_MASK;
+-      writel(value, ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue));
++      writel(value, ioaddr + mtl_send_slp_credx_base_addr(dwmac4_addrs,
++                                                          queue));
+       /* configure idle slope (same register as tx weight) */
+       dwmac4_set_mtl_tx_queue_weight(priv, hw, idle_slope, queue);
+       /* configure high credit */
+-      value = readl(ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue));
++      value = readl(ioaddr + mtl_high_credx_base_addr(dwmac4_addrs, queue));
+       value &= ~MTL_HIGH_CRED_HC_MASK;
+       value |= high_credit & MTL_HIGH_CRED_HC_MASK;
+-      writel(value, ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue));
++      writel(value, ioaddr + mtl_high_credx_base_addr(dwmac4_addrs, queue));
+       /* configure high credit */
+-      value = readl(ioaddr + MTL_LOW_CREDX_BASE_ADDR(queue));
++      value = readl(ioaddr + mtl_low_credx_base_addr(dwmac4_addrs, queue));
+       value &= ~MTL_HIGH_CRED_LC_MASK;
+       value |= low_credit & MTL_HIGH_CRED_LC_MASK;
+-      writel(value, ioaddr + MTL_LOW_CREDX_BASE_ADDR(queue));
++      writel(value, ioaddr + mtl_low_credx_base_addr(dwmac4_addrs, queue));
+ }
+ static void dwmac4_dump_regs(struct mac_device_info *hw, u32 *reg_space)
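Review bot: The last block of dwmac4_config_cbs now goes through mtl_low_credx_base_addr(), but the comment above it still reads `/* configure high credit */`, a copy of the comment on the previous block. Since these lines are being touched anyway, the comment should become `/* configure low credit */` so that the description matches the register being programmed. The function begins in the preceding hunk.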
+@@ -800,6 +805,7 @@ static void dwmac4_phystatus(void __iomem *ioaddr, struct stmmac_extra_stats *x)
+ static int dwmac4_irq_mtl_status(struct stmmac_priv *priv,
+                                struct mac_device_info *hw, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       void __iomem *ioaddr = hw->pcsr;
+       u32 mtl_int_qx_status;
+       int ret = 0;
+@@ -809,12 +815,13 @@ static int dwmac4_irq_mtl_status(struct stmmac_priv *priv,
+       /* Check MTL Interrupt */
+       if (mtl_int_qx_status & MTL_INT_QX(chan)) {
+               /* read Queue x Interrupt status */
+-              u32 status = readl(ioaddr + MTL_CHAN_INT_CTRL(chan));
++              u32 status = readl(ioaddr + MTL_CHAN_INT_CTRL(dwmac4_addrs,
++                                                            chan));
+               if (status & MTL_RX_OVERFLOW_INT) {
+                       /*  clear Interrupt */
+                       writel(status | MTL_RX_OVERFLOW_INT,
+-                             ioaddr + MTL_CHAN_INT_CTRL(chan));
++                             ioaddr + MTL_CHAN_INT_CTRL(dwmac4_addrs, chan));
+                       ret = CORE_IRQ_MTL_RX_OVERFLOW;
+               }
+       }
+@@ -876,11 +883,12 @@ static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        struct stmmac_extra_stats *x,
+                        u32 rx_queues, u32 tx_queues)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       u32 queue;
+       for (queue = 0; queue < tx_queues; queue++) {
+-              value = readl(ioaddr + MTL_CHAN_TX_DEBUG(queue));
++              value = readl(ioaddr + MTL_CHAN_TX_DEBUG(dwmac4_addrs, queue));
+               if (value & MTL_DEBUG_TXSTSFSTS)
+                       x->mtl_tx_status_fifo_full++;
+@@ -905,7 +913,7 @@ static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr,
+       }
+       for (queue = 0; queue < rx_queues; queue++) {
+-              value = readl(ioaddr + MTL_CHAN_RX_DEBUG(queue));
++              value = readl(ioaddr + MTL_CHAN_RX_DEBUG(dwmac4_addrs, queue));
+               if (value & MTL_DEBUG_RXFSTS_MASK) {
+                       u32 rxfsts = (value & MTL_DEBUG_RXFSTS_MASK)
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+index 6f255d12f60f..84d3a8551b03 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+@@ -13,6 +13,7 @@
+ #include <linux/io.h>
+ #include "dwmac4.h"
+ #include "dwmac4_dma.h"
++#include "stmmac.h"
+ static void dwmac4_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi)
+ {
+@@ -73,18 +74,20 @@ static void dwmac4_dma_init_rx_chan(struct stmmac_priv *priv,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_rx_phy, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       u32 rxpbl = dma_cfg->rxpbl ?: dma_cfg->pbl;
+-      value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       value = value | (rxpbl << DMA_BUS_MODE_RPBL_SHIFT);
+-      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && likely(dma_cfg->eame))
+               writel(upper_32_bits(dma_rx_phy),
+-                     ioaddr + DMA_CHAN_RX_BASE_ADDR_HI(chan));
++                     ioaddr + DMA_CHAN_RX_BASE_ADDR_HI(dwmac4_addrs, chan));
+-      writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_CHAN_RX_BASE_ADDR(chan));
++      writel(lower_32_bits(dma_rx_phy),
++             ioaddr + DMA_CHAN_RX_BASE_ADDR(dwmac4_addrs, chan));
+ }
+ static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv,
+@@ -92,57 +95,61 @@ static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_tx_phy, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       u32 txpbl = dma_cfg->txpbl ?: dma_cfg->pbl;
+-      value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       value = value | (txpbl << DMA_BUS_MODE_PBL_SHIFT);
+       /* Enable OSP to get best performance */
+       value |= DMA_CONTROL_OSP;
+-      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && likely(dma_cfg->eame))
+               writel(upper_32_bits(dma_tx_phy),
+-                     ioaddr + DMA_CHAN_TX_BASE_ADDR_HI(chan));
++                     ioaddr + DMA_CHAN_TX_BASE_ADDR_HI(dwmac4_addrs, chan));
+-      writel(lower_32_bits(dma_tx_phy), ioaddr + DMA_CHAN_TX_BASE_ADDR(chan));
++      writel(lower_32_bits(dma_tx_phy),
++             ioaddr + DMA_CHAN_TX_BASE_ADDR(dwmac4_addrs, chan));
+ }
+ static void dwmac4_dma_init_channel(struct stmmac_priv *priv,
+                                   void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       /* common channel control register config */
+-      value = readl(ioaddr + DMA_CHAN_CONTROL(chan));
++      value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+       if (dma_cfg->pblx8)
+               value = value | DMA_BUS_MODE_PBL;
+-      writel(value, ioaddr + DMA_CHAN_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+       /* Mask interrupts by writing to CSR7 */
+       writel(DMA_CHAN_INTR_DEFAULT_MASK,
+-             ioaddr + DMA_CHAN_INTR_ENA(chan));
++             ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ static void dwmac410_dma_init_channel(struct stmmac_priv *priv,
+                                     void __iomem *ioaddr,
+                                     struct stmmac_dma_cfg *dma_cfg, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       /* common channel control register config */
+-      value = readl(ioaddr + DMA_CHAN_CONTROL(chan));
++      value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+       if (dma_cfg->pblx8)
+               value = value | DMA_BUS_MODE_PBL;
+-      writel(value, ioaddr + DMA_CHAN_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+       /* Mask interrupts by writing to CSR7 */
+       writel(DMA_CHAN_INTR_DEFAULT_MASK_4_10,
+-             ioaddr + DMA_CHAN_INTR_ENA(chan));
++             ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ static void dwmac4_dma_init(void __iomem *ioaddr,
+@@ -184,40 +191,46 @@ static void _dwmac4_dump_dma_regs(struct stmmac_priv *priv,
+                                 void __iomem *ioaddr, u32 channel,
+                                 u32 *reg_space)
+ {
+-      reg_space[DMA_CHAN_CONTROL(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_CONTROL(channel));
+-      reg_space[DMA_CHAN_TX_CONTROL(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_TX_CONTROL(channel));
+-      reg_space[DMA_CHAN_RX_CONTROL(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_RX_CONTROL(channel));
+-      reg_space[DMA_CHAN_TX_BASE_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_TX_BASE_ADDR(channel));
+-      reg_space[DMA_CHAN_RX_BASE_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_RX_BASE_ADDR(channel));
+-      reg_space[DMA_CHAN_TX_END_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_TX_END_ADDR(channel));
+-      reg_space[DMA_CHAN_RX_END_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_RX_END_ADDR(channel));
+-      reg_space[DMA_CHAN_TX_RING_LEN(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_TX_RING_LEN(channel));
+-      reg_space[DMA_CHAN_RX_RING_LEN(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_RX_RING_LEN(channel));
+-      reg_space[DMA_CHAN_INTR_ENA(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_INTR_ENA(channel));
+-      reg_space[DMA_CHAN_RX_WATCHDOG(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_RX_WATCHDOG(channel));
+-      reg_space[DMA_CHAN_SLOT_CTRL_STATUS(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_SLOT_CTRL_STATUS(channel));
+-      reg_space[DMA_CHAN_CUR_TX_DESC(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_CUR_TX_DESC(channel));
+-      reg_space[DMA_CHAN_CUR_RX_DESC(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_CUR_RX_DESC(channel));
+-      reg_space[DMA_CHAN_CUR_TX_BUF_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_CUR_TX_BUF_ADDR(channel));
+-      reg_space[DMA_CHAN_CUR_RX_BUF_ADDR(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_CUR_RX_BUF_ADDR(channel));
+-      reg_space[DMA_CHAN_STATUS(channel) / 4] =
+-              readl(ioaddr + DMA_CHAN_STATUS(channel));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      const struct dwmac4_addrs *default_addrs = NULL;
++
++      /* Purposely save the registers in the "normal" layout, regardless of
++       * platform modifications, to keep reg_space size constant
++       */
++      reg_space[DMA_CHAN_CONTROL(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_TX_CONTROL(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_RX_CONTROL(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_TX_BASE_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_TX_BASE_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_RX_BASE_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_RX_BASE_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_TX_END_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_TX_END_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_RX_END_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_RX_END_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_TX_RING_LEN(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_TX_RING_LEN(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_RX_RING_LEN(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_RX_RING_LEN(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_INTR_ENA(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_RX_WATCHDOG(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_RX_WATCHDOG(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_SLOT_CTRL_STATUS(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_SLOT_CTRL_STATUS(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_CUR_TX_DESC(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_CUR_TX_DESC(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_CUR_RX_DESC(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_CUR_RX_DESC(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_CUR_TX_BUF_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_CUR_TX_BUF_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_CUR_RX_BUF_ADDR(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_CUR_RX_BUF_ADDR(dwmac4_addrs, channel));
++      reg_space[DMA_CHAN_STATUS(default_addrs, channel) / 4] =
++              readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, channel));
+ }
+ static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr,
+@@ -232,17 +245,20 @@ static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr,
+ static void dwmac4_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr,
+                              u32 riwt, u32 queue)
+ {
+-      writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(queue));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(dwmac4_addrs, queue));
+ }
+ static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv,
+                                      void __iomem *ioaddr, int mode,
+                                      u32 channel, int fifosz, u8 qmode)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       unsigned int rqs = fifosz / 256 - 1;
+       u32 mtl_rx_op;
+-      mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(channel));
++      mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(dwmac4_addrs, channel));
+       if (mode == SF_DMA_MODE) {
+               pr_debug("GMAC: enable RX store and forward mode\n");
+@@ -300,14 +316,16 @@ static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv,
+               mtl_rx_op |= rfa << MTL_OP_MODE_RFA_SHIFT;
+       }
+-      writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel));
++      writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(dwmac4_addrs, channel));
+ }
+ static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv,
+                                      void __iomem *ioaddr, int mode,
+                                      u32 channel, int fifosz, u8 qmode)
+ {
+-      u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs,
++                                                         channel));
+       unsigned int tqs = fifosz / 256 - 1;
+       if (mode == SF_DMA_MODE) {
+@@ -353,7 +371,7 @@ static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv,
+       mtl_tx_op &= ~MTL_OP_MODE_TQS_MASK;
+       mtl_tx_op |= tqs << MTL_OP_MODE_TQS_SHIFT;
+-      writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(channel));
++      writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(dwmac4_addrs, channel));
+ }
+ static int dwmac4_get_hw_feature(void __iomem *ioaddr,
+@@ -454,25 +472,28 @@ static int dwmac4_get_hw_feature(void __iomem *ioaddr,
+ static void dwmac4_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr,
+                             bool en, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value;
+       if (en) {
+               /* enable TSO */
+-              value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++              value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+               writel(value | DMA_CONTROL_TSE,
+-                     ioaddr + DMA_CHAN_TX_CONTROL(chan));
++                     ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       } else {
+               /* enable TSO */
+-              value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++              value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+               writel(value & ~DMA_CONTROL_TSE,
+-                     ioaddr + DMA_CHAN_TX_CONTROL(chan));
++                     ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       }
+ }
+ static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        u32 channel, u8 qmode)
+ {
+-      u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs,
++                                                         channel));
+       mtl_tx_op &= ~MTL_OP_MODE_TXQEN_MASK;
+       if (qmode != MTL_QUEUE_AVB)
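Review bot: In dwmac4_enable_tso the else branch clears DMA_CONTROL_TSE but keeps the comment `/* enable TSO */`; it should read `/* disable TSO */`. Both branches also issue the same readl() of DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan), so the read could be hoisted above the `if`, leaving each branch to set or clear the TSE bit before a single writel(). dwmac4_qmode starts at the end of this hunk and continues in the next one.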
+@@ -480,50 +501,54 @@ static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr,
+       else
+               mtl_tx_op |= MTL_OP_MODE_TXQEN_AV;
+-      writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(channel));
++      writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(dwmac4_addrs, channel));
+ }
+ static void dwmac4_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr,
+                             int bfsize, u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       value &= ~DMA_RBSZ_MASK;
+       value |= (bfsize << DMA_RBSZ_SHIFT) & DMA_RBSZ_MASK;
+-      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+ }
+ static void dwmac4_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr,
+                             bool en, u32 chan)
+ {
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 value = readl(ioaddr + GMAC_EXT_CONFIG);
+       value &= ~GMAC_CONFIG_HDSMS;
+       value |= GMAC_CONFIG_HDSMS_256; /* Segment max 256 bytes */
+       writel(value, ioaddr + GMAC_EXT_CONFIG);
+-      value = readl(ioaddr + DMA_CHAN_CONTROL(chan));
++      value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+       if (en)
+               value |= DMA_CONTROL_SPH;
+       else
+               value &= ~DMA_CONTROL_SPH;
+-      writel(value, ioaddr + DMA_CHAN_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan));
+ }
+ static int dwmac4_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr,
+                            bool en, u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       if (en)
+               value |= DMA_CONTROL_EDSE;
+       else
+               value &= ~DMA_CONTROL_EDSE;
+-      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+-      value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)) & DMA_CONTROL_EDSE;
++      value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs,
++                                                 chan)) & DMA_CONTROL_EDSE;
+       if (en && !value)
+               return -EIO;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
+index 740c3bc8d9a0..358e7dcb6a9a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
+@@ -95,29 +95,41 @@
+ /* Following DMA defines are chanels oriented */
+ #define DMA_CHAN_BASE_ADDR            0x00001100
+ #define DMA_CHAN_BASE_OFFSET          0x80
+-#define DMA_CHANX_BASE_ADDR(x)                (DMA_CHAN_BASE_ADDR + \
+-                                      (x * DMA_CHAN_BASE_OFFSET))
++
++static inline u32 dma_chanx_base_addr(const struct dwmac4_addrs *addrs,
++                                    const u32 x)
++{
++      u32 addr;
++
++      if (addrs)
++              addr = addrs->dma_chan + (x * addrs->dma_chan_offset);
++      else
++              addr = DMA_CHAN_BASE_ADDR + (x * DMA_CHAN_BASE_OFFSET);
++
++      return addr;
++}
++
+ #define DMA_CHAN_REG_NUMBER           17
+-#define DMA_CHAN_CONTROL(x)           DMA_CHANX_BASE_ADDR(x)
+-#define DMA_CHAN_TX_CONTROL(x)                (DMA_CHANX_BASE_ADDR(x) + 0x4)
+-#define DMA_CHAN_RX_CONTROL(x)                (DMA_CHANX_BASE_ADDR(x) + 0x8)
+-#define DMA_CHAN_TX_BASE_ADDR_HI(x)   (DMA_CHANX_BASE_ADDR(x) + 0x10)
+-#define DMA_CHAN_TX_BASE_ADDR(x)      (DMA_CHANX_BASE_ADDR(x) + 0x14)
+-#define DMA_CHAN_RX_BASE_ADDR_HI(x)   (DMA_CHANX_BASE_ADDR(x) + 0x18)
+-#define DMA_CHAN_RX_BASE_ADDR(x)      (DMA_CHANX_BASE_ADDR(x) + 0x1c)
+-#define DMA_CHAN_TX_END_ADDR(x)               (DMA_CHANX_BASE_ADDR(x) + 0x20)
+-#define DMA_CHAN_RX_END_ADDR(x)               (DMA_CHANX_BASE_ADDR(x) + 0x28)
+-#define DMA_CHAN_TX_RING_LEN(x)               (DMA_CHANX_BASE_ADDR(x) + 0x2c)
+-#define DMA_CHAN_RX_RING_LEN(x)               (DMA_CHANX_BASE_ADDR(x) + 0x30)
+-#define DMA_CHAN_INTR_ENA(x)          (DMA_CHANX_BASE_ADDR(x) + 0x34)
+-#define DMA_CHAN_RX_WATCHDOG(x)               (DMA_CHANX_BASE_ADDR(x) + 0x38)
+-#define DMA_CHAN_SLOT_CTRL_STATUS(x)  (DMA_CHANX_BASE_ADDR(x) + 0x3c)
+-#define DMA_CHAN_CUR_TX_DESC(x)               (DMA_CHANX_BASE_ADDR(x) + 0x44)
+-#define DMA_CHAN_CUR_RX_DESC(x)               (DMA_CHANX_BASE_ADDR(x) + 0x4c)
+-#define DMA_CHAN_CUR_TX_BUF_ADDR(x)   (DMA_CHANX_BASE_ADDR(x) + 0x54)
+-#define DMA_CHAN_CUR_RX_BUF_ADDR(x)   (DMA_CHANX_BASE_ADDR(x) + 0x5c)
+-#define DMA_CHAN_STATUS(x)            (DMA_CHANX_BASE_ADDR(x) + 0x60)
++#define DMA_CHAN_CONTROL(addrs, x)    dma_chanx_base_addr(addrs, x)
++#define DMA_CHAN_TX_CONTROL(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x4)
++#define DMA_CHAN_RX_CONTROL(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x8)
++#define DMA_CHAN_TX_BASE_ADDR_HI(addrs, x)    (dma_chanx_base_addr(addrs, x) + 0x10)
++#define DMA_CHAN_TX_BASE_ADDR(addrs, x)       (dma_chanx_base_addr(addrs, x) + 0x14)
++#define DMA_CHAN_RX_BASE_ADDR_HI(addrs, x)    (dma_chanx_base_addr(addrs, x) + 0x18)
++#define DMA_CHAN_RX_BASE_ADDR(addrs, x)       (dma_chanx_base_addr(addrs, x) + 0x1c)
++#define DMA_CHAN_TX_END_ADDR(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x20)
++#define DMA_CHAN_RX_END_ADDR(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x28)
++#define DMA_CHAN_TX_RING_LEN(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x2c)
++#define DMA_CHAN_RX_RING_LEN(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x30)
++#define DMA_CHAN_INTR_ENA(addrs, x)   (dma_chanx_base_addr(addrs, x) + 0x34)
++#define DMA_CHAN_RX_WATCHDOG(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x38)
++#define DMA_CHAN_SLOT_CTRL_STATUS(addrs, x)   (dma_chanx_base_addr(addrs, x) + 0x3c)
++#define DMA_CHAN_CUR_TX_DESC(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x44)
++#define DMA_CHAN_CUR_RX_DESC(addrs, x)        (dma_chanx_base_addr(addrs, x) + 0x4c)
++#define DMA_CHAN_CUR_TX_BUF_ADDR(addrs, x)    (dma_chanx_base_addr(addrs, x) + 0x54)
++#define DMA_CHAN_CUR_RX_BUF_ADDR(addrs, x)    (dma_chanx_base_addr(addrs, x) + 0x5c)
++#define DMA_CHAN_STATUS(addrs, x)     (dma_chanx_base_addr(addrs, x) + 0x60)
+ /* DMA Control X */
+ #define DMA_CONTROL_SPH                       BIT(24)
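Review bot: dma_chanx_base_addr() has no comment stating its contract: a NULL `addrs` selects the default DMA_CHAN_BASE_ADDR/DMA_CHAN_BASE_OFFSET layout, and `x` is multiplied in u32 with no range check, so the caller is responsible for passing a valid channel index. A short comment above the helper would make this explicit, e.g. `/* addrs == NULL selects the default layout; x must be a valid channel index, it is not range-checked here */`. The DMA_CHAN_* macros keep their upper-case names although they now expand to a function call taking a struct dwmac4_addrs pointer, which deserves a line in the same comment.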
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+index 57328f010ab9..03ceb6a94073 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+@@ -11,6 +11,7 @@
+ #include "common.h"
+ #include "dwmac4_dma.h"
+ #include "dwmac4.h"
++#include "stmmac.h"
+ int dwmac4_dma_reset(void __iomem *ioaddr)
+ {
+@@ -28,22 +29,27 @@ int dwmac4_dma_reset(void __iomem *ioaddr)
+ void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           u32 tail_ptr, u32 chan)
+ {
+-      writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(dwmac4_addrs, chan));
+ }
+ void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           u32 tail_ptr, u32 chan)
+ {
+-      writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(dwmac4_addrs, chan));
+ }
+ void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       value |= DMA_CONTROL_ST;
+-      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       value = readl(ioaddr + GMAC_CONFIG);
+       value |= GMAC_CONFIG_TE;
+@@ -53,20 +59,24 @@ void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
+ void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                       u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+       value &= ~DMA_CONTROL_ST;
+-      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan));
+ }
+ void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       value |= DMA_CONTROL_SR;
+-      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       value = readl(ioaddr + GMAC_CONFIG);
+       value |= GMAC_CONFIG_RE;
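Review bot: dwmac4_dma_stop_tx and dwmac4_dma_start_rx gain a blank line between the new `dwmac4_addrs` declaration and the `u32 value` declaration, while dwmac4_dma_start_tx and dwmac4_dma_stop_rx in the neighbouring hunks keep the two declarations adjacent. Dropping the added blank line in these two functions would keep the declaration blocks consistent across the file. dwmac4_dma_start_rx continues past the end of this hunk.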
+@@ -76,81 +86,91 @@ void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
+ void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                       u32 chan)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+       value &= ~DMA_CONTROL_SR;
+-      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
++      writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan));
+ }
+ void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           u32 len, u32 chan)
+ {
+-      writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(dwmac4_addrs, chan));
+ }
+ void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           u32 len, u32 chan)
+ {
+-      writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++
++      writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(dwmac4_addrs, chan));
+ }
+ void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
+                          u32 chan, bool rx, bool tx)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+       if (rx)
+               value |= DMA_CHAN_INTR_DEFAULT_RX;
+       if (tx)
+               value |= DMA_CHAN_INTR_DEFAULT_TX;
+-      writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
++      writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
+                            u32 chan, bool rx, bool tx)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+       if (rx)
+               value |= DMA_CHAN_INTR_DEFAULT_RX_4_10;
+       if (tx)
+               value |= DMA_CHAN_INTR_DEFAULT_TX_4_10;
+-      writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
++      writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           u32 chan, bool rx, bool tx)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+       if (rx)
+               value &= ~DMA_CHAN_INTR_DEFAULT_RX;
+       if (tx)
+               value &= ~DMA_CHAN_INTR_DEFAULT_TX;
+-      writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
++      writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
+                             u32 chan, bool rx, bool tx)
+ {
+-      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+       if (rx)
+               value &= ~DMA_CHAN_INTR_DEFAULT_RX_4_10;
+       if (tx)
+               value &= ~DMA_CHAN_INTR_DEFAULT_TX_4_10;
+-      writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
++      writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+ }
+ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        struct stmmac_extra_stats *x, u32 chan, u32 dir)
+ {
+-      u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(chan));
+-      u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
++      const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
++      u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan));
++      u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
+       int ret = 0;
+       if (dir == DMA_DIR_RX)
+@@ -195,7 +215,8 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+       if (unlikely(intr_status & DMA_CHAN_STATUS_ERI))
+               x->rx_early_irq++;
+-      writel(intr_status & intr_en, ioaddr + DMA_CHAN_STATUS(chan));
++      writel(intr_status & intr_en,
++             ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan));
+       return ret;
+ }
+diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h
+index c97df9464f90..7c7553efa698 100644
+--- a/include/linux/stmmac.h
++++ b/include/linux/stmmac.h
+@@ -187,6 +187,24 @@ struct stmmac_safety_feature_cfg {
+       u32 tmouten;
+ };
++/* Addresses that may be customized by a platform */
++struct dwmac4_addrs {
++      u32 dma_chan;
++      u32 dma_chan_offset;
++      u32 mtl_chan;
++      u32 mtl_chan_offset;
++      u32 mtl_ets_ctrl;
++      u32 mtl_ets_ctrl_offset;
++      u32 mtl_txq_weight;
++      u32 mtl_txq_weight_offset;
++      u32 mtl_send_slp_cred;
++      u32 mtl_send_slp_cred_offset;
++      u32 mtl_high_cred;
++      u32 mtl_high_cred_offset;
++      u32 mtl_low_cred;
++      u32 mtl_low_cred_offset;
++};
++
+ struct plat_stmmacenet_data {
+       int bus_id;
+       int phy_addr;
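Review bot: The comment on struct dwmac4_addrs does not say that a platform supplying the struct must fill in every field. The accessor helpers added by this patch (for example mtl_low_credx_base_addr()) use the struct's values whenever the pointer is non-NULL, so a field left at zero yields offset 0 from the register base instead of the default address. I would extend the comment to something like `/* Addresses that may be customized by a platform. All fields must be set: a zero field is used as-is, the defaults apply only when the pointer is NULL. */`. A sanity check when the platform data is registered may also be worthwhile, though that path is not visible here.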
+@@ -274,5 +292,6 @@ struct plat_stmmacenet_data {
+       bool use_phy_wol;
+       bool sph_disable;
+       bool serdes_up_after_phy_linkup;
++      const struct dwmac4_addrs *dwmac4_addrs;
+ };
+ #endif
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
new file mode 100644 (file)
index 0000000..ad6a59d
--- /dev/null
@@ -0,0 +1,96 @@
+From 3eb5fda5511625e96c03ede4b6366c2e2bc11ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 15:13:32 +0800
+Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
+
+There is a crash issue when running zero copy XDP_TX action, the crash
+log is shown below.
+
+[  216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
+[  216.187524] Internal error: Oops: 0000000096000144 [#1]  SMP
+[  216.301694] Call trace:
+[  216.304130]  dcache_clean_poc+0x20/0x38 (P)
+[  216.308308]  __dma_sync_single_for_device+0x1bc/0x1e0
+[  216.313351]  stmmac_xdp_xmit_xdpf+0x354/0x400
+[  216.317701]  __stmmac_xdp_run_prog+0x164/0x368
+[  216.322139]  stmmac_napi_poll_rxtx+0xba8/0xf00
+[  216.326576]  __napi_poll+0x40/0x218
+[  216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+
+For XDP_TX action, the xdp_buff is converted to xdp_frame by
+xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
+depends on the memory type of the xdp_buff. For page pool based xdp_buff
+it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
+XSK pool based xdp_buff it produces xdp_frame with memory type
+MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
+memory type and always uses the page pool type, this leads to invalid
+mappings and causes the crash. Therefore, check the xdp_buff memory type
+in stmmac_xdp_xmit_back() to fix this issue.
+
+Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c   | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index b2362e107f20..438d0b7da345 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -86,6 +86,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
+ #define STMMAC_XDP_CONSUMED   BIT(0)
+ #define STMMAC_XDP_TX         BIT(1)
+ #define STMMAC_XDP_REDIRECT   BIT(2)
++#define STMMAC_XSK_CONSUMED   BIT(3)
+ static int flow_ctrl = FLOW_AUTO;
+ module_param(flow_ctrl, int, 0644);
+@@ -4839,6 +4840,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
+ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+                               struct xdp_buff *xdp)
+ {
++      bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
+       struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
+       int cpu = smp_processor_id();
+       struct netdev_queue *nq;
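Review bot: The `zc` initializer has to stay ahead of the `xdp_convert_buff_to_frame()` call on the line after it, and nothing in this hunk says so. The comment added further down in the same function states that the conversion frees `xdp` in the zero-copy case, so reading `xdp->rxq` after it would touch a released buffer. A one-line comment such as `/* read before conversion: the XSK buffer is released by xdp_convert_buff_to_frame() */` would keep a later reshuffle of the declarations from introducing a use-after-free. The `!!` is also redundant on a comparison that already yields 0 or 1: `bool zc = xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL;`. The function body continues outside the hunk.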
+@@ -4855,9 +4857,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+       /* Avoids TX time-out as we are sharing with slow path */
+       txq_trans_cond_update(nq);
+-      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
+-      if (res == STMMAC_XDP_TX)
++      /* For zero copy XDP_TX action, dma_map is true */
++      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
++      if (res == STMMAC_XDP_TX) {
+               stmmac_flush_tx_descriptors(priv, queue);
++      } else if (res == STMMAC_XDP_CONSUMED && zc) {
++              /* xdp has been freed by xdp_convert_buff_to_frame(),
++               * no need to call xsk_buff_free() again, so return
++               * STMMAC_XSK_CONSUMED.
++               */
++              res = STMMAC_XSK_CONSUMED;
++              xdp_return_frame(xdpf);
++      }
+       __netif_tx_unlock(nq);
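Review bot: The comment in the new `else if` branch explains why the return code changes but not why `xdp_return_frame(xdpf)` is called, and the two ownership facts are easy to confuse when backporting. Going by the commit message, the zero-copy conversion yields a MEM_TYPE_PAGE_ORDER0 frame that this function now owns, so a failed transmit has to release that frame here while the caller has to skip `xsk_buff_free()`. I would state both, e.g. `/* XSK buffer already released by the conversion; drop the frame copy here and tell the caller not to free buf->xdp again */`. The same meaning belongs next to `#define STMMAC_XSK_CONSUMED BIT(3)` in the first hunk, since handling it like STMMAC_XDP_CONSUMED in `stmmac_rx_zc()` would be a double free. Whether a NULL `xdpf` returns before this point in the 6.1 tree is outside the hunk and worth confirming.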
+@@ -5188,6 +5199,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               case STMMAC_XDP_CONSUMED:
+                       xsk_buff_free(buf->xdp);
++                      fallthrough;
++              case STMMAC_XSK_CONSUMED:
+                       rx_dropped++;
+                       break;
+               case STMMAC_XDP_TX:
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch b/queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch
new file mode 100644 (file)
index 0000000..108317a
--- /dev/null
@@ -0,0 +1,104 @@
+From 4bce10d4d5ed783831842d4a2d0a1149e48f7fd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Apr 2023 14:45:01 +0800
+Subject: net: stmmac: introduce wrapper for struct xdp_buff
+
+From: Song Yoong Siang <yoong.siang.song@intel.com>
+
+[ Upstream commit 5b24324a907c996faf47ea3969499e04beea9c4f ]
+
+Introduce struct stmmac_xdp_buff as a preparation to support XDP Rx
+metadata via kfuncs.
+
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac.h   |  4 ++++
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c  | 18 +++++++++---------
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+index 46944c02b45e..b9b41dd18cde 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+@@ -92,6 +92,10 @@ struct stmmac_rx_buffer {
+       dma_addr_t sec_addr;
+ };
++struct stmmac_xdp_buff {
++      struct xdp_buff xdp;
++};
++
+ struct stmmac_rx_queue {
+       u32 rx_count_frames;
+       u32 queue_index;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 0483e8c2f1de..4aeacb5fe81e 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -5217,7 +5217,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+       enum dma_data_direction dma_dir;
+       unsigned int desc_size;
+       struct sk_buff *skb = NULL;
+-      struct xdp_buff xdp;
++      struct stmmac_xdp_buff ctx;
+       int xdp_status = 0;
+       int buf_sz;
+@@ -5339,17 +5339,17 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                       dma_sync_single_for_cpu(priv->device, buf->addr,
+                                               buf1_len, dma_dir);
+-                      xdp_init_buff(&xdp, buf_sz, &rx_q->xdp_rxq);
+-                      xdp_prepare_buff(&xdp, page_address(buf->page),
++                      xdp_init_buff(&ctx.xdp, buf_sz, &rx_q->xdp_rxq);
++                      xdp_prepare_buff(&ctx.xdp, page_address(buf->page),
+                                        buf->page_offset, buf1_len, false);
+-                      pre_len = xdp.data_end - xdp.data_hard_start -
++                      pre_len = ctx.xdp.data_end - ctx.xdp.data_hard_start -
+                                 buf->page_offset;
+-                      skb = stmmac_xdp_run_prog(priv, &xdp);
++                      skb = stmmac_xdp_run_prog(priv, &ctx.xdp);
+                       /* Due xdp_adjust_tail: DMA sync for_device
+                        * cover max len CPU touch
+                        */
+-                      sync_len = xdp.data_end - xdp.data_hard_start -
++                      sync_len = ctx.xdp.data_end - ctx.xdp.data_hard_start -
+                                  buf->page_offset;
+                       sync_len = max(sync_len, pre_len);
+@@ -5359,7 +5359,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                               if (xdp_res & STMMAC_XDP_CONSUMED) {
+                                       page_pool_put_page(rx_q->page_pool,
+-                                                         virt_to_head_page(xdp.data),
++                                                         virt_to_head_page(ctx.xdp.data),
+                                                          sync_len, true);
+                                       buf->page = NULL;
+                                       priv->dev->stats.rx_dropped++;
+@@ -5387,7 +5387,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+               if (!skb) {
+                       /* XDP program may expand or reduce tail */
+-                      buf1_len = xdp.data_end - xdp.data;
++                      buf1_len = ctx.xdp.data_end - ctx.xdp.data;
+                       skb = napi_alloc_skb(&ch->rx_napi, buf1_len);
+                       if (!skb) {
+@@ -5397,7 +5397,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                       }
+                       /* XDP program may adjust header */
+-                      skb_copy_to_linear_data(skb, xdp.data, buf1_len);
++                      skb_copy_to_linear_data(skb, ctx.xdp.data, buf1_len);
+                       skb_put(skb, buf1_len);
+                       /* Data payload copied into SKB, page ready for recycle */
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch b/queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch
new file mode 100644 (file)
index 0000000..51a4bce
--- /dev/null
@@ -0,0 +1,1279 @@
+From e86e71dbabb8d186122ce545090895639cc8be5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 15:04:05 -0500
+Subject: net: stmmac: Pass stmmac_priv in some callbacks
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit 1d84b487bc2d9061bd00203f571e5cb99fe0a312 ]
+
+Passing stmmac_priv to some of the callbacks allows hwif implementations
+to grab some data that platforms can customize. Adjust the callbacks
+accordingly in preparation of such a platform customization.
+
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Brian Masney <bmasney@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c |  36 +++--
+ .../ethernet/stmicro/stmmac/dwmac1000_core.c  |   3 +-
+ .../ethernet/stmicro/stmmac/dwmac1000_dma.c   |  19 ++-
+ .../ethernet/stmicro/stmmac/dwmac100_dma.c    |  10 +-
+ .../net/ethernet/stmicro/stmmac/dwmac4_core.c |  14 +-
+ .../net/ethernet/stmicro/stmmac/dwmac4_dma.c  |  44 ++++--
+ .../net/ethernet/stmicro/stmmac/dwmac4_dma.h  |  38 +++--
+ .../net/ethernet/stmicro/stmmac/dwmac4_lib.c  |  38 +++--
+ .../net/ethernet/stmicro/stmmac/dwmac_dma.h   |  22 ++-
+ .../net/ethernet/stmicro/stmmac/dwmac_lib.c   |  18 ++-
+ .../ethernet/stmicro/stmmac/dwxgmac2_core.c   |   9 +-
+ .../ethernet/stmicro/stmmac/dwxgmac2_dma.c    |  71 ++++++---
+ drivers/net/ethernet/stmicro/stmmac/hwif.h    | 146 ++++++++++--------
+ 13 files changed, 291 insertions(+), 177 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+index 0921b78c6244..b44e76a25965 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -304,7 +304,8 @@ static void sun8i_dwmac_dma_init(void __iomem *ioaddr,
+       writel(0x1FFFFFF, ioaddr + EMAC_INT_STA);
+ }
+-static void sun8i_dwmac_dma_init_rx(void __iomem *ioaddr,
++static void sun8i_dwmac_dma_init_rx(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_rx_phy, u32 chan)
+ {
+@@ -312,7 +313,8 @@ static void sun8i_dwmac_dma_init_rx(void __iomem *ioaddr,
+       writel(lower_32_bits(dma_rx_phy), ioaddr + EMAC_RX_DESC_LIST);
+ }
+-static void sun8i_dwmac_dma_init_tx(void __iomem *ioaddr,
++static void sun8i_dwmac_dma_init_tx(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_tx_phy, u32 chan)
+ {
+@@ -324,7 +326,8 @@ static void sun8i_dwmac_dma_init_tx(void __iomem *ioaddr,
+  * Called from stmmac_dma_ops->dump_regs
+  * Used for ethtool
+  */
+-static void sun8i_dwmac_dump_regs(void __iomem *ioaddr, u32 *reg_space)
++static void sun8i_dwmac_dump_regs(struct stmmac_priv *priv,
++                                void __iomem *ioaddr, u32 *reg_space)
+ {
+       int i;
+@@ -352,7 +355,8 @@ static void sun8i_dwmac_dump_mac_regs(struct mac_device_info *hw,
+       }
+ }
+-static void sun8i_dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan,
++static void sun8i_dwmac_enable_dma_irq(struct stmmac_priv *priv,
++                                     void __iomem *ioaddr, u32 chan,
+                                      bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + EMAC_INT_EN);
+@@ -365,7 +369,8 @@ static void sun8i_dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan,
+       writel(value, ioaddr + EMAC_INT_EN);
+ }
+-static void sun8i_dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan,
++static void sun8i_dwmac_disable_dma_irq(struct stmmac_priv *priv,
++                                      void __iomem *ioaddr, u32 chan,
+                                       bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + EMAC_INT_EN);
+@@ -378,7 +383,8 @@ static void sun8i_dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan,
+       writel(value, ioaddr + EMAC_INT_EN);
+ }
+-static void sun8i_dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan)
++static void sun8i_dwmac_dma_start_tx(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 chan)
+ {
+       u32 v;
+@@ -398,7 +404,8 @@ static void sun8i_dwmac_enable_dma_transmission(void __iomem *ioaddr)
+       writel(v, ioaddr + EMAC_TX_CTL1);
+ }
+-static void sun8i_dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan)
++static void sun8i_dwmac_dma_stop_tx(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr, u32 chan)
+ {
+       u32 v;
+@@ -407,7 +414,8 @@ static void sun8i_dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan)
+       writel(v, ioaddr + EMAC_TX_CTL1);
+ }
+-static void sun8i_dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan)
++static void sun8i_dwmac_dma_start_rx(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 chan)
+ {
+       u32 v;
+@@ -417,7 +425,8 @@ static void sun8i_dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan)
+       writel(v, ioaddr + EMAC_RX_CTL1);
+ }
+-static void sun8i_dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan)
++static void sun8i_dwmac_dma_stop_rx(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr, u32 chan)
+ {
+       u32 v;
+@@ -426,7 +435,8 @@ static void sun8i_dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan)
+       writel(v, ioaddr + EMAC_RX_CTL1);
+ }
+-static int sun8i_dwmac_dma_interrupt(void __iomem *ioaddr,
++static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr,
+                                    struct stmmac_extra_stats *x, u32 chan,
+                                    u32 dir)
+ {
+@@ -492,7 +502,8 @@ static int sun8i_dwmac_dma_interrupt(void __iomem *ioaddr,
+       return ret;
+ }
+-static void sun8i_dwmac_dma_operation_mode_rx(void __iomem *ioaddr, int mode,
++static void sun8i_dwmac_dma_operation_mode_rx(struct stmmac_priv *priv,
++                                            void __iomem *ioaddr, int mode,
+                                             u32 channel, int fifosz, u8 qmode)
+ {
+       u32 v;
+@@ -515,7 +526,8 @@ static void sun8i_dwmac_dma_operation_mode_rx(void __iomem *ioaddr, int mode,
+       writel(v, ioaddr + EMAC_RX_CTL1);
+ }
+-static void sun8i_dwmac_dma_operation_mode_tx(void __iomem *ioaddr, int mode,
++static void sun8i_dwmac_dma_operation_mode_tx(struct stmmac_priv *priv,
++                                            void __iomem *ioaddr, int mode,
+                                             u32 channel, int fifosz, u8 qmode)
+ {
+       u32 v;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+index 0e00dd83d027..3927609abc44 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -414,7 +414,8 @@ static void dwmac1000_get_adv_lp(void __iomem *ioaddr, struct rgmii_adv *adv)
+       dwmac_get_adv_lp(ioaddr, GMAC_PCS_BASE, adv);
+ }
+-static void dwmac1000_debug(void __iomem *ioaddr, struct stmmac_extra_stats *x,
++static void dwmac1000_debug(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          struct stmmac_extra_stats *x,
+                           u32 rx_queues, u32 tx_queues)
+ {
+       u32 value = readl(ioaddr + GMAC_DEBUG);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c
+index f5581db0ba9b..daf79cdbd3ec 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c
+@@ -110,7 +110,8 @@ static void dwmac1000_dma_init(void __iomem *ioaddr,
+       writel(DMA_INTR_DEFAULT_MASK, ioaddr + DMA_INTR_ENA);
+ }
+-static void dwmac1000_dma_init_rx(void __iomem *ioaddr,
++static void dwmac1000_dma_init_rx(struct stmmac_priv *priv,
++                                void __iomem *ioaddr,
+                                 struct stmmac_dma_cfg *dma_cfg,
+                                 dma_addr_t dma_rx_phy, u32 chan)
+ {
+@@ -118,7 +119,8 @@ static void dwmac1000_dma_init_rx(void __iomem *ioaddr,
+       writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_RCV_BASE_ADDR);
+ }
+-static void dwmac1000_dma_init_tx(void __iomem *ioaddr,
++static void dwmac1000_dma_init_tx(struct stmmac_priv *priv,
++                                void __iomem *ioaddr,
+                                 struct stmmac_dma_cfg *dma_cfg,
+                                 dma_addr_t dma_tx_phy, u32 chan)
+ {
+@@ -147,7 +149,8 @@ static u32 dwmac1000_configure_fc(u32 csr6, int rxfifosz)
+       return csr6;
+ }
+-static void dwmac1000_dma_operation_mode_rx(void __iomem *ioaddr, int mode,
++static void dwmac1000_dma_operation_mode_rx(struct stmmac_priv *priv,
++                                          void __iomem *ioaddr, int mode,
+                                           u32 channel, int fifosz, u8 qmode)
+ {
+       u32 csr6 = readl(ioaddr + DMA_CONTROL);
+@@ -175,7 +178,8 @@ static void dwmac1000_dma_operation_mode_rx(void __iomem *ioaddr, int mode,
+       writel(csr6, ioaddr + DMA_CONTROL);
+ }
+-static void dwmac1000_dma_operation_mode_tx(void __iomem *ioaddr, int mode,
++static void dwmac1000_dma_operation_mode_tx(struct stmmac_priv *priv,
++                                          void __iomem *ioaddr, int mode,
+                                           u32 channel, int fifosz, u8 qmode)
+ {
+       u32 csr6 = readl(ioaddr + DMA_CONTROL);
+@@ -208,7 +212,8 @@ static void dwmac1000_dma_operation_mode_tx(void __iomem *ioaddr, int mode,
+       writel(csr6, ioaddr + DMA_CONTROL);
+ }
+-static void dwmac1000_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space)
++static void dwmac1000_dump_dma_regs(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr, u32 *reg_space)
+ {
+       int i;
+@@ -263,8 +268,8 @@ static int dwmac1000_get_hw_feature(void __iomem *ioaddr,
+       return 0;
+ }
+-static void dwmac1000_rx_watchdog(void __iomem *ioaddr, u32 riwt,
+-                                u32 queue)
++static void dwmac1000_rx_watchdog(struct stmmac_priv *priv,
++                                void __iomem *ioaddr, u32 riwt, u32 queue)
+ {
+       writel(riwt, ioaddr + DMA_RX_WATCHDOG);
+ }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+index f6abc7bfd29d..1c32b1788f02 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+@@ -29,7 +29,7 @@ static void dwmac100_dma_init(void __iomem *ioaddr,
+       writel(DMA_INTR_DEFAULT_MASK, ioaddr + DMA_INTR_ENA);
+ }
+-static void dwmac100_dma_init_rx(void __iomem *ioaddr,
++static void dwmac100_dma_init_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                                struct stmmac_dma_cfg *dma_cfg,
+                                dma_addr_t dma_rx_phy, u32 chan)
+ {
+@@ -37,7 +37,7 @@ static void dwmac100_dma_init_rx(void __iomem *ioaddr,
+       writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_RCV_BASE_ADDR);
+ }
+-static void dwmac100_dma_init_tx(void __iomem *ioaddr,
++static void dwmac100_dma_init_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
+                                struct stmmac_dma_cfg *dma_cfg,
+                                dma_addr_t dma_tx_phy, u32 chan)
+ {
+@@ -50,7 +50,8 @@ static void dwmac100_dma_init_tx(void __iomem *ioaddr,
+  * The transmit threshold can be programmed by setting the TTC bits in the DMA
+  * control register.
+  */
+-static void dwmac100_dma_operation_mode_tx(void __iomem *ioaddr, int mode,
++static void dwmac100_dma_operation_mode_tx(struct stmmac_priv *priv,
++                                         void __iomem *ioaddr, int mode,
+                                          u32 channel, int fifosz, u8 qmode)
+ {
+       u32 csr6 = readl(ioaddr + DMA_CONTROL);
+@@ -65,7 +66,8 @@ static void dwmac100_dma_operation_mode_tx(void __iomem *ioaddr, int mode,
+       writel(csr6, ioaddr + DMA_CONTROL);
+ }
+-static void dwmac100_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space)
++static void dwmac100_dump_dma_regs(struct stmmac_priv *priv,
++                                 void __iomem *ioaddr, u32 *reg_space)
+ {
+       int i;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index c75868f3ceae..279977d0d565 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -226,7 +226,8 @@ static void dwmac4_prog_mtl_tx_algorithms(struct mac_device_info *hw,
+       writel(value, ioaddr + MTL_OPERATION_MODE);
+ }
+-static void dwmac4_set_mtl_tx_queue_weight(struct mac_device_info *hw,
++static void dwmac4_set_mtl_tx_queue_weight(struct stmmac_priv *priv,
++                                         struct mac_device_info *hw,
+                                          u32 weight, u32 queue)
+ {
+       void __iomem *ioaddr = hw->pcsr;
+@@ -264,7 +265,8 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan)
+               writel(value, ioaddr + MTL_RXQ_DMA_MAP1);
+ }
+-static void dwmac4_config_cbs(struct mac_device_info *hw,
++static void dwmac4_config_cbs(struct stmmac_priv *priv,
++                            struct mac_device_info *hw,
+                             u32 send_slope, u32 idle_slope,
+                             u32 high_credit, u32 low_credit, u32 queue)
+ {
+@@ -290,7 +292,7 @@ static void dwmac4_config_cbs(struct mac_device_info *hw,
+       writel(value, ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue));
+       /* configure idle slope (same register as tx weight) */
+-      dwmac4_set_mtl_tx_queue_weight(hw, idle_slope, queue);
++      dwmac4_set_mtl_tx_queue_weight(priv, hw, idle_slope, queue);
+       /* configure high credit */
+       value = readl(ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue));
+@@ -795,7 +797,8 @@ static void dwmac4_phystatus(void __iomem *ioaddr, struct stmmac_extra_stats *x)
+       }
+ }
+-static int dwmac4_irq_mtl_status(struct mac_device_info *hw, u32 chan)
++static int dwmac4_irq_mtl_status(struct stmmac_priv *priv,
++                               struct mac_device_info *hw, u32 chan)
+ {
+       void __iomem *ioaddr = hw->pcsr;
+       u32 mtl_int_qx_status;
+@@ -869,7 +872,8 @@ static int dwmac4_irq_status(struct mac_device_info *hw,
+       return ret;
+ }
+-static void dwmac4_debug(void __iomem *ioaddr, struct stmmac_extra_stats *x,
++static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       struct stmmac_extra_stats *x,
+                        u32 rx_queues, u32 tx_queues)
+ {
+       u32 value;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+index d99fa028c646..6f255d12f60f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c
+@@ -68,7 +68,8 @@ static void dwmac4_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi)
+       writel(value, ioaddr + DMA_SYS_BUS_MODE);
+ }
+-static void dwmac4_dma_init_rx_chan(void __iomem *ioaddr,
++static void dwmac4_dma_init_rx_chan(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_rx_phy, u32 chan)
+ {
+@@ -86,7 +87,8 @@ static void dwmac4_dma_init_rx_chan(void __iomem *ioaddr,
+       writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_CHAN_RX_BASE_ADDR(chan));
+ }
+-static void dwmac4_dma_init_tx_chan(void __iomem *ioaddr,
++static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg,
+                                   dma_addr_t dma_tx_phy, u32 chan)
+ {
+@@ -108,7 +110,8 @@ static void dwmac4_dma_init_tx_chan(void __iomem *ioaddr,
+       writel(lower_32_bits(dma_tx_phy), ioaddr + DMA_CHAN_TX_BASE_ADDR(chan));
+ }
+-static void dwmac4_dma_init_channel(void __iomem *ioaddr,
++static void dwmac4_dma_init_channel(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr,
+                                   struct stmmac_dma_cfg *dma_cfg, u32 chan)
+ {
+       u32 value;
+@@ -124,7 +127,8 @@ static void dwmac4_dma_init_channel(void __iomem *ioaddr,
+              ioaddr + DMA_CHAN_INTR_ENA(chan));
+ }
+-static void dwmac410_dma_init_channel(void __iomem *ioaddr,
++static void dwmac410_dma_init_channel(struct stmmac_priv *priv,
++                                    void __iomem *ioaddr,
+                                     struct stmmac_dma_cfg *dma_cfg, u32 chan)
+ {
+       u32 value;
+@@ -176,7 +180,8 @@ static void dwmac4_dma_init(void __iomem *ioaddr,
+ }
+-static void _dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 channel,
++static void _dwmac4_dump_dma_regs(struct stmmac_priv *priv,
++                                void __iomem *ioaddr, u32 channel,
+                                 u32 *reg_space)
+ {
+       reg_space[DMA_CHAN_CONTROL(channel) / 4] =
+@@ -215,20 +220,23 @@ static void _dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 channel,
+               readl(ioaddr + DMA_CHAN_STATUS(channel));
+ }
+-static void dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space)
++static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               u32 *reg_space)
+ {
+       int i;
+       for (i = 0; i < DMA_CHANNEL_NB_MAX; i++)
+-              _dwmac4_dump_dma_regs(ioaddr, i, reg_space);
++              _dwmac4_dump_dma_regs(priv, ioaddr, i, reg_space);
+ }
+-static void dwmac4_rx_watchdog(void __iomem *ioaddr, u32 riwt, u32 queue)
++static void dwmac4_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr,
++                             u32 riwt, u32 queue)
+ {
+       writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(queue));
+ }
+-static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
++static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv,
++                                     void __iomem *ioaddr, int mode,
+                                      u32 channel, int fifosz, u8 qmode)
+ {
+       unsigned int rqs = fifosz / 256 - 1;
+@@ -295,7 +303,8 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode,
+       writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel));
+ }
+-static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode,
++static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv,
++                                     void __iomem *ioaddr, int mode,
+                                      u32 channel, int fifosz, u8 qmode)
+ {
+       u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel));
+@@ -442,7 +451,8 @@ static int dwmac4_get_hw_feature(void __iomem *ioaddr,
+ }
+ /* Enable/disable TSO feature and set MSS */
+-static void dwmac4_enable_tso(void __iomem *ioaddr, bool en, u32 chan)
++static void dwmac4_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr,
++                            bool en, u32 chan)
+ {
+       u32 value;
+@@ -459,7 +469,8 @@ static void dwmac4_enable_tso(void __iomem *ioaddr, bool en, u32 chan)
+       }
+ }
+-static void dwmac4_qmode(void __iomem *ioaddr, u32 channel, u8 qmode)
++static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 channel, u8 qmode)
+ {
+       u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel));
+@@ -472,7 +483,8 @@ static void dwmac4_qmode(void __iomem *ioaddr, u32 channel, u8 qmode)
+       writel(mtl_tx_op, ioaddr +  MTL_CHAN_TX_OP_MODE(channel));
+ }
+-static void dwmac4_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan)
++static void dwmac4_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr,
++                            int bfsize, u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
+@@ -482,7 +494,8 @@ static void dwmac4_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan)
+       writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
+ }
+-static void dwmac4_enable_sph(void __iomem *ioaddr, bool en, u32 chan)
++static void dwmac4_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr,
++                            bool en, u32 chan)
+ {
+       u32 value = readl(ioaddr + GMAC_EXT_CONFIG);
+@@ -498,7 +511,8 @@ static void dwmac4_enable_sph(void __iomem *ioaddr, bool en, u32 chan)
+       writel(value, ioaddr + DMA_CHAN_CONTROL(chan));
+ }
+-static int dwmac4_enable_tbs(void __iomem *ioaddr, bool en, u32 chan)
++static int dwmac4_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr,
++                           bool en, u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
+index 9321879b599c..740c3bc8d9a0 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h
+@@ -220,19 +220,31 @@
+ #define DMA_CHAN0_DBG_STAT_RPS_SHIFT  8
+ int dwmac4_dma_reset(void __iomem *ioaddr);
+-void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan);
+-void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan);
+-void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan);
+-void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan);
+-int dwmac4_dma_interrupt(void __iomem *ioaddr,
++void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         u32 chan, bool rx, bool tx);
++void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                           u32 chan, bool rx, bool tx);
++void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 chan, bool rx, bool tx);
++void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                            u32 chan, bool rx, bool tx);
++void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan);
++void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan);
++void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        struct stmmac_extra_stats *x, u32 chan, u32 dir);
+-void dwmac4_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan);
+-void dwmac4_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan);
+-void dwmac4_set_rx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan);
+-void dwmac4_set_tx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan);
++void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 len, u32 chan);
++void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 len, u32 chan);
++void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 tail_ptr, u32 chan);
++void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 tail_ptr, u32 chan);
+ #endif /* __DWMAC4_DMA_H__ */
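Review bot: The prototypes in this header now name `struct stmmac_priv`, but the hunk adds no declaration of that type, so the header compiles cleanly only if every includer has already seen one. Whether an earlier include provides it is not visible here; if none does, the compiler treats the struct as scoped to each prototype and the definitions in dwmac4_lib.c no longer match their declarations. A forward declaration `struct stmmac_priv;` ahead of `int dwmac4_dma_reset(void __iomem *ioaddr);`, like the one the hwif.h hunk of this patch adds, would make the header self-contained. The dwmac_dma.h hunk (`@@ -153,14 +153,20 @@`) has the same gap.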
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+index 7c26394f665e..57328f010ab9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+@@ -25,17 +25,20 @@ int dwmac4_dma_reset(void __iomem *ioaddr)
+                                10000, 1000000);
+ }
+-void dwmac4_set_rx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan)
++void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 tail_ptr, u32 chan)
+ {
+       writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(chan));
+ }
+-void dwmac4_set_tx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan)
++void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 tail_ptr, u32 chan)
+ {
+       writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(chan));
+ }
+-void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan)
++void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
+@@ -47,7 +50,8 @@ void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + GMAC_CONFIG);
+ }
+-void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan)
++void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan));
+@@ -55,7 +59,8 @@ void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan));
+ }
+-void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan)
++void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
+@@ -68,7 +73,8 @@ void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + GMAC_CONFIG);
+ }
+-void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan)
++void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan));
+@@ -76,17 +82,20 @@ void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan));
+ }
+-void dwmac4_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan)
++void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 len, u32 chan)
+ {
+       writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(chan));
+ }
+-void dwmac4_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan)
++void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 len, u32 chan)
+ {
+       writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(chan));
+ }
+-void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
+@@ -98,7 +107,8 @@ void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
+ }
+-void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                           u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
+@@ -110,7 +120,8 @@ void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
+ }
+-void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
+@@ -122,7 +133,8 @@ void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
+ }
+-void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                            u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan));
+@@ -134,7 +146,7 @@ void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan));
+ }
+-int dwmac4_dma_interrupt(void __iomem *ioaddr,
++int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+                        struct stmmac_extra_stats *x, u32 chan, u32 dir)
+ {
+       u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(chan));
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h
+index acd70b9a3173..72672391675f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h
+@@ -153,14 +153,20 @@
+ #define NUM_DWMAC4_DMA_REGS   27
+ void dwmac_enable_dma_transmission(void __iomem *ioaddr);
+-void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx);
+-void dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan);
+-void dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan);
+-void dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan);
+-void dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan);
+-int dwmac_dma_interrupt(void __iomem *ioaddr, struct stmmac_extra_stats *x,
+-                      u32 chan, u32 dir);
++void dwmac_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                        u32 chan, bool rx, bool tx);
++void dwmac_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         u32 chan, bool rx, bool tx);
++void dwmac_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++void dwmac_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                     u32 chan);
++void dwmac_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++void dwmac_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                     u32 chan);
++int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      struct stmmac_extra_stats *x, u32 chan, u32 dir);
+ int dwmac_dma_reset(void __iomem *ioaddr);
+ #endif /* __DWMAC_DMA_H__ */
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
+index 9b6138b11776..0b6f999a8305 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
+@@ -32,7 +32,8 @@ void dwmac_enable_dma_transmission(void __iomem *ioaddr)
+       writel(1, ioaddr + DMA_XMT_POLL_DEMAND);
+ }
+-void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                        u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_INTR_ENA);
+@@ -44,7 +45,8 @@ void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_INTR_ENA);
+ }
+-void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
++void dwmac_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         u32 chan, bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + DMA_INTR_ENA);
+@@ -56,28 +58,30 @@ void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx)
+       writel(value, ioaddr + DMA_INTR_ENA);
+ }
+-void dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan)
++void dwmac_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CONTROL);
+       value |= DMA_CONTROL_ST;
+       writel(value, ioaddr + DMA_CONTROL);
+ }
+-void dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan)
++void dwmac_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CONTROL);
+       value &= ~DMA_CONTROL_ST;
+       writel(value, ioaddr + DMA_CONTROL);
+ }
+-void dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan)
++void dwmac_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CONTROL);
+       value |= DMA_CONTROL_SR;
+       writel(value, ioaddr + DMA_CONTROL);
+ }
+-void dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan)
++void dwmac_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, u32 chan)
+ {
+       u32 value = readl(ioaddr + DMA_CONTROL);
+       value &= ~DMA_CONTROL_SR;
+@@ -154,7 +158,7 @@ static void show_rx_process_state(unsigned int status)
+ }
+ #endif
+-int dwmac_dma_interrupt(void __iomem *ioaddr,
++int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+                       struct stmmac_extra_stats *x, u32 chan, u32 dir)
+ {
+       int ret = 0;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+index 813327d04c56..d0e2748a0ed2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+@@ -211,7 +211,8 @@ static void dwxgmac2_prog_mtl_tx_algorithms(struct mac_device_info *hw,
+       }
+ }
+-static void dwxgmac2_set_mtl_tx_queue_weight(struct mac_device_info *hw,
++static void dwxgmac2_set_mtl_tx_queue_weight(struct stmmac_priv *priv,
++                                           struct mac_device_info *hw,
+                                            u32 weight, u32 queue)
+ {
+       void __iomem *ioaddr = hw->pcsr;
+@@ -236,7 +237,8 @@ static void dwxgmac2_map_mtl_to_dma(struct mac_device_info *hw, u32 queue,
+       writel(value, ioaddr + reg);
+ }
+-static void dwxgmac2_config_cbs(struct mac_device_info *hw,
++static void dwxgmac2_config_cbs(struct stmmac_priv *priv,
++                              struct mac_device_info *hw,
+                               u32 send_slope, u32 idle_slope,
+                               u32 high_credit, u32 low_credit, u32 queue)
+ {
+@@ -300,7 +302,8 @@ static int dwxgmac2_host_irq_status(struct mac_device_info *hw,
+       return ret;
+ }
+-static int dwxgmac2_host_mtl_irq_status(struct mac_device_info *hw, u32 chan)
++static int dwxgmac2_host_mtl_irq_status(struct stmmac_priv *priv,
++                                      struct mac_device_info *hw, u32 chan)
+ {
+       void __iomem *ioaddr = hw->pcsr;
+       int ret = 0;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+index 3e4318d5dcdf..e92c29199e77 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+@@ -33,7 +33,8 @@ static void dwxgmac2_dma_init(void __iomem *ioaddr,
+       writel(value, ioaddr + XGMAC_DMA_SYSBUS_MODE);
+ }
+-static void dwxgmac2_dma_init_chan(void __iomem *ioaddr,
++static void dwxgmac2_dma_init_chan(struct stmmac_priv *priv,
++                                 void __iomem *ioaddr,
+                                  struct stmmac_dma_cfg *dma_cfg, u32 chan)
+ {
+       u32 value = readl(ioaddr + XGMAC_DMA_CH_CONTROL(chan));
+@@ -45,7 +46,8 @@ static void dwxgmac2_dma_init_chan(void __iomem *ioaddr,
+       writel(XGMAC_DMA_INT_DEFAULT_EN, ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+ }
+-static void dwxgmac2_dma_init_rx_chan(void __iomem *ioaddr,
++static void dwxgmac2_dma_init_rx_chan(struct stmmac_priv *priv,
++                                    void __iomem *ioaddr,
+                                     struct stmmac_dma_cfg *dma_cfg,
+                                     dma_addr_t phy, u32 chan)
+ {
+@@ -61,7 +63,8 @@ static void dwxgmac2_dma_init_rx_chan(void __iomem *ioaddr,
+       writel(lower_32_bits(phy), ioaddr + XGMAC_DMA_CH_RxDESC_LADDR(chan));
+ }
+-static void dwxgmac2_dma_init_tx_chan(void __iomem *ioaddr,
++static void dwxgmac2_dma_init_tx_chan(struct stmmac_priv *priv,
++                                    void __iomem *ioaddr,
+                                     struct stmmac_dma_cfg *dma_cfg,
+                                     dma_addr_t phy, u32 chan)
+ {
+@@ -131,7 +134,8 @@ static void dwxgmac2_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi)
+       writel(XGMAC_RDPS, ioaddr + XGMAC_RX_EDMA_CTRL);
+ }
+-static void dwxgmac2_dma_dump_regs(void __iomem *ioaddr, u32 *reg_space)
++static void dwxgmac2_dma_dump_regs(struct stmmac_priv *priv,
++                                 void __iomem *ioaddr, u32 *reg_space)
+ {
+       int i;
+@@ -139,8 +143,8 @@ static void dwxgmac2_dma_dump_regs(void __iomem *ioaddr, u32 *reg_space)
+               reg_space[i] = readl(ioaddr + i * 4);
+ }
+-static void dwxgmac2_dma_rx_mode(void __iomem *ioaddr, int mode,
+-                               u32 channel, int fifosz, u8 qmode)
++static void dwxgmac2_dma_rx_mode(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               int mode, u32 channel, int fifosz, u8 qmode)
+ {
+       u32 value = readl(ioaddr + XGMAC_MTL_RXQ_OPMODE(channel));
+       unsigned int rqs = fifosz / 256 - 1;
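Review bot: `unsigned int rqs = fifosz / 256 - 1;` wraps to a very large value when `fifosz` is below 256, because the signed result is converted to unsigned on assignment. The hunk only changes the signature and shows neither a caller nor how `rqs` is used afterwards, so a minimum FIFO size may already be guaranteed elsewhere. If it is not, either clamp it, e.g. `unsigned int rqs = fifosz >= 256 ? fifosz / 256 - 1 : 0;`, or add a comment stating the minimum `fifosz` callers must pass. The same expression appears as `tqs` in dwxgmac2_dma_tx_mode in the next hunk (`@@ -201,8 +205,8 @@`), and the function body continues outside this hunk.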
+@@ -201,8 +205,8 @@ static void dwxgmac2_dma_rx_mode(void __iomem *ioaddr, int mode,
+       writel(value, ioaddr + XGMAC_MTL_RXQ_OPMODE(channel));
+ }
+-static void dwxgmac2_dma_tx_mode(void __iomem *ioaddr, int mode,
+-                               u32 channel, int fifosz, u8 qmode)
++static void dwxgmac2_dma_tx_mode(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               int mode, u32 channel, int fifosz, u8 qmode)
+ {
+       u32 value = readl(ioaddr + XGMAC_MTL_TXQ_OPMODE(channel));
+       unsigned int tqs = fifosz / 256 - 1;
+@@ -244,7 +248,8 @@ static void dwxgmac2_dma_tx_mode(void __iomem *ioaddr, int mode,
+       writel(value, ioaddr +  XGMAC_MTL_TXQ_OPMODE(channel));
+ }
+-static void dwxgmac2_enable_dma_irq(void __iomem *ioaddr, u32 chan,
++static void dwxgmac2_enable_dma_irq(struct stmmac_priv *priv,
++                                  void __iomem *ioaddr, u32 chan,
+                                   bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+@@ -257,7 +262,8 @@ static void dwxgmac2_enable_dma_irq(void __iomem *ioaddr, u32 chan,
+       writel(value, ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+ }
+-static void dwxgmac2_disable_dma_irq(void __iomem *ioaddr, u32 chan,
++static void dwxgmac2_disable_dma_irq(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 chan,
+                                    bool rx, bool tx)
+ {
+       u32 value = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+@@ -270,7 +276,8 @@ static void dwxgmac2_disable_dma_irq(void __iomem *ioaddr, u32 chan,
+       writel(value, ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+ }
+-static void dwxgmac2_dma_start_tx(void __iomem *ioaddr, u32 chan)
++static void dwxgmac2_dma_start_tx(struct stmmac_priv *priv,
++                                void __iomem *ioaddr, u32 chan)
+ {
+       u32 value;
+@@ -283,7 +290,8 @@ static void dwxgmac2_dma_start_tx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + XGMAC_TX_CONFIG);
+ }
+-static void dwxgmac2_dma_stop_tx(void __iomem *ioaddr, u32 chan)
++static void dwxgmac2_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               u32 chan)
+ {
+       u32 value;
+@@ -296,7 +304,8 @@ static void dwxgmac2_dma_stop_tx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + XGMAC_TX_CONFIG);
+ }
+-static void dwxgmac2_dma_start_rx(void __iomem *ioaddr, u32 chan)
++static void dwxgmac2_dma_start_rx(struct stmmac_priv *priv,
++                                void __iomem *ioaddr, u32 chan)
+ {
+       u32 value;
+@@ -309,7 +318,8 @@ static void dwxgmac2_dma_start_rx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + XGMAC_RX_CONFIG);
+ }
+-static void dwxgmac2_dma_stop_rx(void __iomem *ioaddr, u32 chan)
++static void dwxgmac2_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               u32 chan)
+ {
+       u32 value;
+@@ -318,7 +328,8 @@ static void dwxgmac2_dma_stop_rx(void __iomem *ioaddr, u32 chan)
+       writel(value, ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan));
+ }
+-static int dwxgmac2_dma_interrupt(void __iomem *ioaddr,
++static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv,
++                                void __iomem *ioaddr,
+                                 struct stmmac_extra_stats *x, u32 chan,
+                                 u32 dir)
+ {
+@@ -445,32 +456,38 @@ static int dwxgmac2_get_hw_feature(void __iomem *ioaddr,
+       return 0;
+ }
+-static void dwxgmac2_rx_watchdog(void __iomem *ioaddr, u32 riwt, u32 queue)
++static void dwxgmac2_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr,
++                               u32 riwt, u32 queue)
+ {
+       writel(riwt & XGMAC_RWT, ioaddr + XGMAC_DMA_CH_Rx_WATCHDOG(queue));
+ }
+-static void dwxgmac2_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan)
++static void dwxgmac2_set_rx_ring_len(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 len, u32 chan)
+ {
+       writel(len, ioaddr + XGMAC_DMA_CH_RxDESC_RING_LEN(chan));
+ }
+-static void dwxgmac2_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan)
++static void dwxgmac2_set_tx_ring_len(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 len, u32 chan)
+ {
+       writel(len, ioaddr + XGMAC_DMA_CH_TxDESC_RING_LEN(chan));
+ }
+-static void dwxgmac2_set_rx_tail_ptr(void __iomem *ioaddr, u32 ptr, u32 chan)
++static void dwxgmac2_set_rx_tail_ptr(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 ptr, u32 chan)
+ {
+       writel(ptr, ioaddr + XGMAC_DMA_CH_RxDESC_TAIL_LPTR(chan));
+ }
+-static void dwxgmac2_set_tx_tail_ptr(void __iomem *ioaddr, u32 ptr, u32 chan)
++static void dwxgmac2_set_tx_tail_ptr(struct stmmac_priv *priv,
++                                   void __iomem *ioaddr, u32 ptr, u32 chan)
+ {
+       writel(ptr, ioaddr + XGMAC_DMA_CH_TxDESC_TAIL_LPTR(chan));
+ }
+-static void dwxgmac2_enable_tso(void __iomem *ioaddr, bool en, u32 chan)
++static void dwxgmac2_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              bool en, u32 chan)
+ {
+       u32 value = readl(ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan));
+@@ -482,7 +499,8 @@ static void dwxgmac2_enable_tso(void __iomem *ioaddr, bool en, u32 chan)
+       writel(value, ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan));
+ }
+-static void dwxgmac2_qmode(void __iomem *ioaddr, u32 channel, u8 qmode)
++static void dwxgmac2_qmode(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         u32 channel, u8 qmode)
+ {
+       u32 value = readl(ioaddr + XGMAC_MTL_TXQ_OPMODE(channel));
+       u32 flow = readl(ioaddr + XGMAC_RX_FLOW_CTRL);
+@@ -499,7 +517,8 @@ static void dwxgmac2_qmode(void __iomem *ioaddr, u32 channel, u8 qmode)
+       writel(value, ioaddr +  XGMAC_MTL_TXQ_OPMODE(channel));
+ }
+-static void dwxgmac2_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan)
++static void dwxgmac2_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              int bfsize, u32 chan)
+ {
+       u32 value;
+@@ -509,7 +528,8 @@ static void dwxgmac2_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan)
+       writel(value, ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan));
+ }
+-static void dwxgmac2_enable_sph(void __iomem *ioaddr, bool en, u32 chan)
++static void dwxgmac2_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              bool en, u32 chan)
+ {
+       u32 value = readl(ioaddr + XGMAC_RX_CONFIG);
+@@ -525,7 +545,8 @@ static void dwxgmac2_enable_sph(void __iomem *ioaddr, bool en, u32 chan)
+       writel(value, ioaddr + XGMAC_DMA_CH_CONTROL(chan));
+ }
+-static int dwxgmac2_enable_tbs(void __iomem *ioaddr, bool en, u32 chan)
++static int dwxgmac2_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr,
++                             bool en, u32 chan)
+ {
+       u32 value = readl(ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan));
+diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+index 17ea6216a78f..87161c85b1a1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h
++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+@@ -26,6 +26,7 @@
+ })
+ struct stmmac_extra_stats;
++struct stmmac_priv;
+ struct stmmac_safety_stats;
+ struct dma_desc;
+ struct dma_extended_desc;
+@@ -171,51 +172,67 @@ struct stmmac_dma_ops {
+       int (*reset)(void __iomem *ioaddr);
+       void (*init)(void __iomem *ioaddr, struct stmmac_dma_cfg *dma_cfg,
+                    int atds);
+-      void (*init_chan)(void __iomem *ioaddr,
++      void (*init_chan)(struct stmmac_priv *priv, void __iomem *ioaddr,
+                         struct stmmac_dma_cfg *dma_cfg, u32 chan);
+-      void (*init_rx_chan)(void __iomem *ioaddr,
++      void (*init_rx_chan)(struct stmmac_priv *priv, void __iomem *ioaddr,
+                            struct stmmac_dma_cfg *dma_cfg,
+                            dma_addr_t phy, u32 chan);
+-      void (*init_tx_chan)(void __iomem *ioaddr,
++      void (*init_tx_chan)(struct stmmac_priv *priv, void __iomem *ioaddr,
+                            struct stmmac_dma_cfg *dma_cfg,
+                            dma_addr_t phy, u32 chan);
+       /* Configure the AXI Bus Mode Register */
+       void (*axi)(void __iomem *ioaddr, struct stmmac_axi *axi);
+       /* Dump DMA registers */
+-      void (*dump_regs)(void __iomem *ioaddr, u32 *reg_space);
+-      void (*dma_rx_mode)(void __iomem *ioaddr, int mode, u32 channel,
+-                          int fifosz, u8 qmode);
+-      void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel,
++      void (*dump_regs)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                        u32 *reg_space);
++      void (*dma_rx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          int mode, u32 channel,
+                           int fifosz, u8 qmode);
++      void (*dma_tx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          int mode, u32 channel, int fifosz, u8 qmode);
+       /* To track extra statistic (if supported) */
+       void (*dma_diagnostic_fr)(struct net_device_stats *stats,
+                                 struct stmmac_extra_stats *x,
+                                 void __iomem *ioaddr);
+       void (*enable_dma_transmission) (void __iomem *ioaddr);
+-      void (*enable_dma_irq)(void __iomem *ioaddr, u32 chan,
+-                             bool rx, bool tx);
+-      void (*disable_dma_irq)(void __iomem *ioaddr, u32 chan,
+-                              bool rx, bool tx);
+-      void (*start_tx)(void __iomem *ioaddr, u32 chan);
+-      void (*stop_tx)(void __iomem *ioaddr, u32 chan);
+-      void (*start_rx)(void __iomem *ioaddr, u32 chan);
+-      void (*stop_rx)(void __iomem *ioaddr, u32 chan);
+-      int (*dma_interrupt) (void __iomem *ioaddr,
+-                            struct stmmac_extra_stats *x, u32 chan, u32 dir);
++      void (*enable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                             u32 chan, bool rx, bool tx);
++      void (*disable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              u32 chan, bool rx, bool tx);
++      void (*start_tx)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan);
++      void (*stop_tx)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++      void (*start_rx)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                       u32 chan);
++      void (*stop_rx)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                      u32 chan);
++      int (*dma_interrupt)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                           struct stmmac_extra_stats *x, u32 chan, u32 dir);
+       /* If supported then get the optional core features */
+       int (*get_hw_feature)(void __iomem *ioaddr,
+                             struct dma_features *dma_cap);
+       /* Program the HW RX Watchdog */
+-      void (*rx_watchdog)(void __iomem *ioaddr, u32 riwt, u32 queue);
+-      void (*set_tx_ring_len)(void __iomem *ioaddr, u32 len, u32 chan);
+-      void (*set_rx_ring_len)(void __iomem *ioaddr, u32 len, u32 chan);
+-      void (*set_rx_tail_ptr)(void __iomem *ioaddr, u32 tail_ptr, u32 chan);
+-      void (*set_tx_tail_ptr)(void __iomem *ioaddr, u32 tail_ptr, u32 chan);
+-      void (*enable_tso)(void __iomem *ioaddr, bool en, u32 chan);
+-      void (*qmode)(void __iomem *ioaddr, u32 channel, u8 qmode);
+-      void (*set_bfsize)(void __iomem *ioaddr, int bfsize, u32 chan);
+-      void (*enable_sph)(void __iomem *ioaddr, bool en, u32 chan);
+-      int (*enable_tbs)(void __iomem *ioaddr, bool en, u32 chan);
++      void (*rx_watchdog)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                          u32 riwt, u32 queue);
++      void (*set_tx_ring_len)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              u32 len, u32 chan);
++      void (*set_rx_ring_len)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              u32 len, u32 chan);
++      void (*set_rx_tail_ptr)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              u32 tail_ptr, u32 chan);
++      void (*set_tx_tail_ptr)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                              u32 tail_ptr, u32 chan);
++      void (*enable_tso)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         bool en, u32 chan);
++      void (*qmode)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                    u32 channel, u8 qmode);
++      void (*set_bfsize)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         int bfsize, u32 chan);
++      void (*enable_sph)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                         bool en, u32 chan);
++      int (*enable_tbs)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                        bool en, u32 chan);
+ };
+ #define stmmac_reset(__priv, __args...) \
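Review bot: `struct stmmac_dma_ops` now mixes two calling conventions and nothing in the struct says so: most callbacks take `priv` first, while `reset`, `init`, `axi`, `dma_diagnostic_fr`, `enable_dma_transmission` and `get_hw_feature` keep their old argument lists. It is also undocumented how the new `priv` relates to the `ioaddr` still passed next to it; the implementations visible in these hunks keep using `ioaddr` only. A short comment above the first converted member would cover both, for example `/* Callbacks taking priv receive the owning stmmac_priv; ioaddr stays the register base used for MMIO. */`. The wrapper macros in the following hunk (`@@ -223,59 +240,59 @@`) mirror the same split, forwarding `__priv` for some ops and not for others. The struct definition begins outside this hunk.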
+@@ -223,59 +240,59 @@ struct stmmac_dma_ops {
+ #define stmmac_dma_init(__priv, __args...) \
+       stmmac_do_void_callback(__priv, dma, init, __args)
+ #define stmmac_init_chan(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, init_chan, __args)
++      stmmac_do_void_callback(__priv, dma, init_chan, __priv, __args)
+ #define stmmac_init_rx_chan(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, init_rx_chan, __args)
++      stmmac_do_void_callback(__priv, dma, init_rx_chan, __priv, __args)
+ #define stmmac_init_tx_chan(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, init_tx_chan, __args)
++      stmmac_do_void_callback(__priv, dma, init_tx_chan, __priv, __args)
+ #define stmmac_axi(__priv, __args...) \
+       stmmac_do_void_callback(__priv, dma, axi, __args)
+ #define stmmac_dump_dma_regs(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, dump_regs, __args)
++      stmmac_do_void_callback(__priv, dma, dump_regs, __priv, __args)
+ #define stmmac_dma_rx_mode(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, dma_rx_mode, __args)
++      stmmac_do_void_callback(__priv, dma, dma_rx_mode, __priv, __args)
+ #define stmmac_dma_tx_mode(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, dma_tx_mode, __args)
++      stmmac_do_void_callback(__priv, dma, dma_tx_mode, __priv, __args)
+ #define stmmac_dma_diagnostic_fr(__priv, __args...) \
+       stmmac_do_void_callback(__priv, dma, dma_diagnostic_fr, __args)
+ #define stmmac_enable_dma_transmission(__priv, __args...) \
+       stmmac_do_void_callback(__priv, dma, enable_dma_transmission, __args)
+ #define stmmac_enable_dma_irq(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, enable_dma_irq, __args)
++      stmmac_do_void_callback(__priv, dma, enable_dma_irq, __priv, __args)
+ #define stmmac_disable_dma_irq(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, disable_dma_irq, __args)
++      stmmac_do_void_callback(__priv, dma, disable_dma_irq, __priv, __args)
+ #define stmmac_start_tx(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, start_tx, __args)
++      stmmac_do_void_callback(__priv, dma, start_tx, __priv, __args)
+ #define stmmac_stop_tx(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, stop_tx, __args)
++      stmmac_do_void_callback(__priv, dma, stop_tx, __priv, __args)
+ #define stmmac_start_rx(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, start_rx, __args)
++      stmmac_do_void_callback(__priv, dma, start_rx, __priv, __args)
+ #define stmmac_stop_rx(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, stop_rx, __args)
++      stmmac_do_void_callback(__priv, dma, stop_rx, __priv, __args)
+ #define stmmac_dma_interrupt_status(__priv, __args...) \
+-      stmmac_do_callback(__priv, dma, dma_interrupt, __args)
++      stmmac_do_callback(__priv, dma, dma_interrupt, __priv, __args)
+ #define stmmac_get_hw_feature(__priv, __args...) \
+       stmmac_do_callback(__priv, dma, get_hw_feature, __args)
+ #define stmmac_rx_watchdog(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, rx_watchdog, __args)
++      stmmac_do_void_callback(__priv, dma, rx_watchdog, __priv, __args)
+ #define stmmac_set_tx_ring_len(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, set_tx_ring_len, __args)
++      stmmac_do_void_callback(__priv, dma, set_tx_ring_len, __priv, __args)
+ #define stmmac_set_rx_ring_len(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, set_rx_ring_len, __args)
++      stmmac_do_void_callback(__priv, dma, set_rx_ring_len, __priv, __args)
+ #define stmmac_set_rx_tail_ptr(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, set_rx_tail_ptr, __args)
++      stmmac_do_void_callback(__priv, dma, set_rx_tail_ptr, __priv, __args)
+ #define stmmac_set_tx_tail_ptr(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, set_tx_tail_ptr, __args)
++      stmmac_do_void_callback(__priv, dma, set_tx_tail_ptr, __priv, __args)
+ #define stmmac_enable_tso(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, enable_tso, __args)
++      stmmac_do_void_callback(__priv, dma, enable_tso, __priv, __args)
+ #define stmmac_dma_qmode(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, qmode, __args)
++      stmmac_do_void_callback(__priv, dma, qmode, __priv, __args)
+ #define stmmac_set_dma_bfsize(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, set_bfsize, __args)
++      stmmac_do_void_callback(__priv, dma, set_bfsize, __priv, __args)
+ #define stmmac_enable_sph(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, dma, enable_sph, __args)
++      stmmac_do_void_callback(__priv, dma, enable_sph, __priv, __args)
+ #define stmmac_enable_tbs(__priv, __args...) \
+-      stmmac_do_callback(__priv, dma, enable_tbs, __args)
++      stmmac_do_callback(__priv, dma, enable_tbs, __priv, __args)
+ struct mac_device_info;
+ struct net_device;
+@@ -307,21 +324,23 @@ struct stmmac_ops {
+       /* Program TX Algorithms */
+       void (*prog_mtl_tx_algorithms)(struct mac_device_info *hw, u32 tx_alg);
+       /* Set MTL TX queues weight */
+-      void (*set_mtl_tx_queue_weight)(struct mac_device_info *hw,
++      void (*set_mtl_tx_queue_weight)(struct stmmac_priv *priv,
++                                      struct mac_device_info *hw,
+                                       u32 weight, u32 queue);
+       /* RX MTL queue to RX dma mapping */
+       void (*map_mtl_to_dma)(struct mac_device_info *hw, u32 queue, u32 chan);
+       /* Configure AV Algorithm */
+-      void (*config_cbs)(struct mac_device_info *hw, u32 send_slope,
+-                         u32 idle_slope, u32 high_credit, u32 low_credit,
+-                         u32 queue);
++      void (*config_cbs)(struct stmmac_priv *priv, struct mac_device_info *hw,
++                         u32 send_slope, u32 idle_slope, u32 high_credit,
++                         u32 low_credit, u32 queue);
+       /* Dump MAC registers */
+       void (*dump_regs)(struct mac_device_info *hw, u32 *reg_space);
+       /* Handle extra events on specific interrupts hw dependent */
+       int (*host_irq_status)(struct mac_device_info *hw,
+                              struct stmmac_extra_stats *x);
+       /* Handle MTL interrupts */
+-      int (*host_mtl_irq_status)(struct mac_device_info *hw, u32 chan);
++      int (*host_mtl_irq_status)(struct stmmac_priv *priv,
++                                 struct mac_device_info *hw, u32 chan);
+       /* Multicast filter setting */
+       void (*set_filter)(struct mac_device_info *hw, struct net_device *dev);
+       /* Flow control setting */
+@@ -341,8 +360,9 @@ struct stmmac_ops {
+       void (*set_eee_lpi_entry_timer)(struct mac_device_info *hw, int et);
+       void (*set_eee_timer)(struct mac_device_info *hw, int ls, int tw);
+       void (*set_eee_pls)(struct mac_device_info *hw, int link);
+-      void (*debug)(void __iomem *ioaddr, struct stmmac_extra_stats *x,
+-                    u32 rx_queues, u32 tx_queues);
++      void (*debug)(struct stmmac_priv *priv, void __iomem *ioaddr,
++                    struct stmmac_extra_stats *x, u32 rx_queues,
++                    u32 tx_queues);
+       /* PCS calls */
+       void (*pcs_ctrl_ane)(void __iomem *ioaddr, bool ane, bool srgmi_ral,
+                            bool loopback);
+@@ -424,17 +444,17 @@ struct stmmac_ops {
+ #define stmmac_prog_mtl_tx_algorithms(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, prog_mtl_tx_algorithms, __args)
+ #define stmmac_set_mtl_tx_queue_weight(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, mac, set_mtl_tx_queue_weight, __args)
++      stmmac_do_void_callback(__priv, mac, set_mtl_tx_queue_weight, __priv, __args)
+ #define stmmac_map_mtl_to_dma(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, map_mtl_to_dma, __args)
+ #define stmmac_config_cbs(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, mac, config_cbs, __args)
++      stmmac_do_void_callback(__priv, mac, config_cbs, __priv, __args)
+ #define stmmac_dump_mac_regs(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, dump_regs, __args)
+ #define stmmac_host_irq_status(__priv, __args...) \
+       stmmac_do_callback(__priv, mac, host_irq_status, __args)
+ #define stmmac_host_mtl_irq_status(__priv, __args...) \
+-      stmmac_do_callback(__priv, mac, host_mtl_irq_status, __args)
++      stmmac_do_callback(__priv, mac, host_mtl_irq_status, __priv, __args)
+ #define stmmac_set_filter(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, set_filter, __args)
+ #define stmmac_flow_ctrl(__priv, __args...) \
+@@ -456,11 +476,11 @@ struct stmmac_ops {
+ #define stmmac_set_eee_pls(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, set_eee_pls, __args)
+ #define stmmac_mac_debug(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, mac, debug, __args)
++      stmmac_do_void_callback(__priv, mac, debug, __priv, __args)
+ #define stmmac_pcs_ctrl_ane(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, pcs_ctrl_ane, __args)
+ #define stmmac_pcs_rane(__priv, __args...) \
+-      stmmac_do_void_callback(__priv, mac, pcs_rane, __args)
++      stmmac_do_void_callback(__priv, mac, pcs_rane, __priv, __args)
+ #define stmmac_pcs_get_adv_lp(__priv, __args...) \
+       stmmac_do_void_callback(__priv, mac, pcs_get_adv_lp, __args)
+ #define stmmac_safety_feat_config(__priv, __args...) \
+@@ -508,8 +528,6 @@ struct stmmac_ops {
+ #define stmmac_fpe_irq_status(__priv, __args...) \
+       stmmac_do_callback(__priv, mac, fpe_irq_status, __args)
+-struct stmmac_priv;
+-
+ /* PTP and HW Timer helpers */
+ struct stmmac_hwtimestamp {
+       void (*config_hw_tstamping) (void __iomem *ioaddr, u32 data);
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch b/queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch
new file mode 100644 (file)
index 0000000..73ddb3c
--- /dev/null
@@ -0,0 +1,70 @@
+From cd43909740d459cd2cf70a08af1088d824b53a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 15:58:43 +0000
+Subject: net: stmmac: Power up SERDES after the PHY link
+
+From: Revanth Kumar Uppala <ruppala@nvidia.com>
+
+[ Upstream commit a46e9010124256f5bf5fc2c241a45cf1944b768e ]
+
+The Tegra MGBE ethernet controller requires that the SERDES link is
+powered-up after the PHY link is up, otherwise the link fails to
+become ready following a resume from suspend. Add a variable to indicate
+that the SERDES link must be powered-up after the PHY link.
+
+Signed-off-by: Revanth Kumar Uppala <ruppala@nvidia.com>
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +++++--
+ include/linux/stmmac.h                            | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 202c43d73a2b..0483e8c2f1de 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -994,6 +994,9 @@ static void stmmac_mac_link_up(struct phylink_config *config,
+       struct stmmac_priv *priv = netdev_priv(to_net_dev(config->dev));
+       u32 old_ctrl, ctrl;
++      if (priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup)
++              priv->plat->serdes_powerup(priv->dev, priv->plat->bsp_priv);
++
+       old_ctrl = readl(priv->ioaddr + MAC_CTRL_REG);
+       ctrl = old_ctrl & ~priv->hw->link.speed_mask;
+@@ -3839,7 +3842,7 @@ static int __stmmac_open(struct net_device *dev,
+       stmmac_reset_queues_param(priv);
+-      if (priv->plat->serdes_powerup) {
++      if (!priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup) {
+               ret = priv->plat->serdes_powerup(dev, priv->plat->bsp_priv);
+               if (ret < 0) {
+                       netdev_err(priv->dev, "%s: Serdes powerup failed\n",
+@@ -7563,7 +7566,7 @@ int stmmac_resume(struct device *dev)
+                       stmmac_mdio_reset(priv->mii);
+       }
+-      if (priv->plat->serdes_powerup) {
++      if (!priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup) {
+               ret = priv->plat->serdes_powerup(ndev,
+                                                priv->plat->bsp_priv);
+diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h
+index 9f4a4f70270d..c97df9464f90 100644
+--- a/include/linux/stmmac.h
++++ b/include/linux/stmmac.h
+@@ -273,5 +273,6 @@ struct plat_stmmacenet_data {
+       int msi_tx_base_vec;
+       bool use_phy_wol;
+       bool sph_disable;
++      bool serdes_up_after_phy_linkup;
+ };
+ #endif
+-- 
+2.51.0
+
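Review bot: The `serdes_powerup()` call added to `stmmac_mac_link_up()` discards its return value, while the other two call sites touched by this patch (`__stmmac_open()` and `stmmac_resume()`) store it in `ret` and, in the open path, report `ret < 0`. The link-up callback returns void, so the error cannot be propagated, but it should at least be logged so that a SERDES which never came up is visible: `if (priv->plat->serdes_powerup(priv->dev, priv->plat->bsp_priv) < 0)` followed by `netdev_err(priv->dev, "%s: Serdes powerup failed\n", __func__);`. No matching power-down on link loss appears in these hunks, so it is worth confirming that the platform hook tolerates being called on every link-up event. All three functions continue outside the hunks shown.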
diff --git a/queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch b/queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch
new file mode 100644 (file)
index 0000000..fb93bd1
--- /dev/null
@@ -0,0 +1,324 @@
+From 5b684b4248bf1c59f0981e493c3b955e037fa6d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 15:04:04 -0500
+Subject: net: stmmac: Remove some unnecessary void pointers
+
+From: Andrew Halaney <ahalaney@redhat.com>
+
+[ Upstream commit 0c3f3c4f4b15a2c105e1ca882d100048074a2865 ]
+
+There's a few spots in the hardware interface where a void pointer is
+used, but what's passed in and later cast out is always the same type.
+
+Just use the proper type directly.
+
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Brian Masney <bmasney@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/chain_mode.c  | 10 +++----
+ .../ethernet/stmicro/stmmac/dwmac100_dma.c    |  4 +--
+ .../ethernet/stmicro/stmmac/dwmac4_descs.c    |  8 ++---
+ .../ethernet/stmicro/stmmac/dwxgmac2_descs.c  |  6 ++--
+ .../net/ethernet/stmicro/stmmac/enh_desc.c    | 11 +++----
+ drivers/net/ethernet/stmicro/stmmac/hwif.h    | 30 ++++++++++++-------
+ .../net/ethernet/stmicro/stmmac/norm_desc.c   |  8 ++---
+ .../net/ethernet/stmicro/stmmac/ring_mode.c   | 10 +++----
+ 8 files changed, 47 insertions(+), 40 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+index 2e8744ac6b91..fb55efd52240 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c
+@@ -14,9 +14,9 @@
+ #include "stmmac.h"
+-static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
++static int jumbo_frm(struct stmmac_tx_queue *tx_q, struct sk_buff *skb,
++                   int csum)
+ {
+-      struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)p;
+       unsigned int nopaged_len = skb_headlen(skb);
+       struct stmmac_priv *priv = tx_q->priv_data;
+       unsigned int entry = tx_q->cur_tx;
+@@ -125,9 +125,8 @@ static void init_dma_chain(void *des, dma_addr_t phy_addr,
+       }
+ }
+-static void refill_desc3(void *priv_ptr, struct dma_desc *p)
++static void refill_desc3(struct stmmac_rx_queue *rx_q, struct dma_desc *p)
+ {
+-      struct stmmac_rx_queue *rx_q = (struct stmmac_rx_queue *)priv_ptr;
+       struct stmmac_priv *priv = rx_q->priv_data;
+       if (priv->hwts_rx_en && !priv->extend_desc)
+@@ -141,9 +140,8 @@ static void refill_desc3(void *priv_ptr, struct dma_desc *p)
+                                     sizeof(struct dma_desc)));
+ }
+-static void clean_desc3(void *priv_ptr, struct dma_desc *p)
++static void clean_desc3(struct stmmac_tx_queue *tx_q, struct dma_desc *p)
+ {
+-      struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)priv_ptr;
+       struct stmmac_priv *priv = tx_q->priv_data;
+       unsigned int entry = tx_q->dirty_tx;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+index 8f0d9bc7cab5..f6abc7bfd29d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+@@ -80,10 +80,10 @@ static void dwmac100_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space)
+ }
+ /* DMA controller has two counters to track the number of the missed frames. */
+-static void dwmac100_dma_diagnostic_fr(void *data, struct stmmac_extra_stats *x,
++static void dwmac100_dma_diagnostic_fr(struct net_device_stats *stats,
++                                     struct stmmac_extra_stats *x,
+                                      void __iomem *ioaddr)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       u32 csr8 = readl(ioaddr + DMA_MISSED_FRAME_CTR);
+       if (unlikely(csr8)) {
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+index 8cc80b1db4cb..6a011d8633e8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+@@ -13,11 +13,11 @@
+ #include "dwmac4.h"
+ #include "dwmac4_descs.h"
+-static int dwmac4_wrback_get_tx_status(void *data, struct stmmac_extra_stats *x,
++static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats,
++                                     struct stmmac_extra_stats *x,
+                                      struct dma_desc *p,
+                                      void __iomem *ioaddr)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       unsigned int tdes3;
+       int ret = tx_done;
+@@ -73,10 +73,10 @@ static int dwmac4_wrback_get_tx_status(void *data, struct stmmac_extra_stats *x,
+       return ret;
+ }
+-static int dwmac4_wrback_get_rx_status(void *data, struct stmmac_extra_stats *x,
++static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats,
++                                     struct stmmac_extra_stats *x,
+                                      struct dma_desc *p)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       unsigned int rdes1 = le32_to_cpu(p->des1);
+       unsigned int rdes2 = le32_to_cpu(p->des2);
+       unsigned int rdes3 = le32_to_cpu(p->des3);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
+index b1f0c3984a09..13c347ee8be9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
+@@ -8,7 +8,8 @@
+ #include "common.h"
+ #include "dwxgmac2.h"
+-static int dwxgmac2_get_tx_status(void *data, struct stmmac_extra_stats *x,
++static int dwxgmac2_get_tx_status(struct net_device_stats *stats,
++                                struct stmmac_extra_stats *x,
+                                 struct dma_desc *p, void __iomem *ioaddr)
+ {
+       unsigned int tdes3 = le32_to_cpu(p->des3);
+@@ -22,7 +23,8 @@ static int dwxgmac2_get_tx_status(void *data, struct stmmac_extra_stats *x,
+       return ret;
+ }
+-static int dwxgmac2_get_rx_status(void *data, struct stmmac_extra_stats *x,
++static int dwxgmac2_get_rx_status(struct net_device_stats *stats,
++                                struct stmmac_extra_stats *x,
+                                 struct dma_desc *p)
+ {
+       unsigned int rdes3 = le32_to_cpu(p->des3);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+index 1bcbbd724fb5..a91d8f13a931 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+@@ -12,10 +12,10 @@
+ #include "common.h"
+ #include "descs_com.h"
+-static int enh_desc_get_tx_status(void *data, struct stmmac_extra_stats *x,
++static int enh_desc_get_tx_status(struct net_device_stats *stats,
++                                struct stmmac_extra_stats *x,
+                                 struct dma_desc *p, void __iomem *ioaddr)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       unsigned int tdes0 = le32_to_cpu(p->des0);
+       int ret = tx_done;
+@@ -117,7 +117,8 @@ static int enh_desc_coe_rdes0(int ipc_err, int type, int payload_err)
+       return ret;
+ }
+-static void enh_desc_get_ext_status(void *data, struct stmmac_extra_stats *x,
++static void enh_desc_get_ext_status(struct net_device_stats *stats,
++                                  struct stmmac_extra_stats *x,
+                                   struct dma_extended_desc *p)
+ {
+       unsigned int rdes0 = le32_to_cpu(p->basic.des0);
+@@ -181,10 +182,10 @@ static void enh_desc_get_ext_status(void *data, struct stmmac_extra_stats *x,
+       }
+ }
+-static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x,
++static int enh_desc_get_rx_status(struct net_device_stats *stats,
++                                struct stmmac_extra_stats *x,
+                                 struct dma_desc *p)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       unsigned int rdes0 = le32_to_cpu(p->des0);
+       int ret = good_frame;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+index 820e2251b7c8..17ea6216a78f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h
++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+@@ -56,8 +56,9 @@ struct stmmac_desc_ops {
+       /* Last tx segment reports the transmit status */
+       int (*get_tx_ls)(struct dma_desc *p);
+       /* Return the transmit status looking at the TDES1 */
+-      int (*tx_status)(void *data, struct stmmac_extra_stats *x,
+-                      struct dma_desc *p, void __iomem *ioaddr);
++      int (*tx_status)(struct net_device_stats *stats,
++                       struct stmmac_extra_stats *x,
++                       struct dma_desc *p, void __iomem *ioaddr);
+       /* Get the buffer size from the descriptor */
+       int (*get_tx_len)(struct dma_desc *p);
+       /* Handle extra events on specific interrupts hw dependent */
+@@ -65,10 +66,12 @@ struct stmmac_desc_ops {
+       /* Get the receive frame size */
+       int (*get_rx_frame_len)(struct dma_desc *p, int rx_coe_type);
+       /* Return the reception status looking at the RDES1 */
+-      int (*rx_status)(void *data, struct stmmac_extra_stats *x,
+-                      struct dma_desc *p);
+-      void (*rx_extended_status)(void *data, struct stmmac_extra_stats *x,
+-                      struct dma_extended_desc *p);
++      int (*rx_status)(struct net_device_stats *stats,
++                       struct stmmac_extra_stats *x,
++                       struct dma_desc *p);
++      void (*rx_extended_status)(struct net_device_stats *stats,
++                                 struct stmmac_extra_stats *x,
++                                 struct dma_extended_desc *p);
+       /* Set tx timestamp enable bit */
+       void (*enable_tx_timestamp) (struct dma_desc *p);
+       /* get tx timestamp status */
+@@ -185,8 +188,9 @@ struct stmmac_dma_ops {
+       void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel,
+                           int fifosz, u8 qmode);
+       /* To track extra statistic (if supported) */
+-      void (*dma_diagnostic_fr) (void *data, struct stmmac_extra_stats *x,
+-                                 void __iomem *ioaddr);
++      void (*dma_diagnostic_fr)(struct net_device_stats *stats,
++                                struct stmmac_extra_stats *x,
++                                void __iomem *ioaddr);
+       void (*enable_dma_transmission) (void __iomem *ioaddr);
+       void (*enable_dma_irq)(void __iomem *ioaddr, u32 chan,
+                              bool rx, bool tx);
+@@ -537,16 +541,20 @@ struct stmmac_hwtimestamp {
+ #define stmmac_timestamp_interrupt(__priv, __args...) \
+       stmmac_do_void_callback(__priv, ptp, timestamp_interrupt, __args)
++struct stmmac_tx_queue;
++struct stmmac_rx_queue;
++
+ /* Helpers to manage the descriptors for chain and ring modes */
+ struct stmmac_mode_ops {
+       void (*init) (void *des, dma_addr_t phy_addr, unsigned int size,
+                     unsigned int extend_desc);
+       unsigned int (*is_jumbo_frm) (int len, int ehn_desc);
+-      int (*jumbo_frm)(void *priv, struct sk_buff *skb, int csum);
++      int (*jumbo_frm)(struct stmmac_tx_queue *tx_q, struct sk_buff *skb,
++                       int csum);
+       int (*set_16kib_bfsize)(int mtu);
+       void (*init_desc3)(struct dma_desc *p);
+-      void (*refill_desc3) (void *priv, struct dma_desc *p);
+-      void (*clean_desc3) (void *priv, struct dma_desc *p);
++      void (*refill_desc3)(struct stmmac_rx_queue *rx_q, struct dma_desc *p);
++      void (*clean_desc3)(struct stmmac_tx_queue *tx_q, struct dma_desc *p);
+ };
+ #define stmmac_mode_init(__priv, __args...) \
+diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+index e3da4da242ee..350e6670a576 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+@@ -12,10 +12,10 @@
+ #include "common.h"
+ #include "descs_com.h"
+-static int ndesc_get_tx_status(void *data, struct stmmac_extra_stats *x,
++static int ndesc_get_tx_status(struct net_device_stats *stats,
++                             struct stmmac_extra_stats *x,
+                              struct dma_desc *p, void __iomem *ioaddr)
+ {
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       unsigned int tdes0 = le32_to_cpu(p->des0);
+       unsigned int tdes1 = le32_to_cpu(p->des1);
+       int ret = tx_done;
+@@ -70,12 +70,12 @@ static int ndesc_get_tx_len(struct dma_desc *p)
+  * and, if required, updates the multicast statistics.
+  * In case of success, it returns good_frame because the GMAC device
+  * is supposed to be able to compute the csum in HW. */
+-static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x,
++static int ndesc_get_rx_status(struct net_device_stats *stats,
++                             struct stmmac_extra_stats *x,
+                              struct dma_desc *p)
+ {
+       int ret = good_frame;
+       unsigned int rdes0 = le32_to_cpu(p->des0);
+-      struct net_device_stats *stats = (struct net_device_stats *)data;
+       if (unlikely(rdes0 & RDES0_OWN))
+               return dma_own;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+index 2b5b17d8b8a0..d218412ca832 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c
+@@ -14,9 +14,9 @@
+ #include "stmmac.h"
+-static int jumbo_frm(void *p, struct sk_buff *skb, int csum)
++static int jumbo_frm(struct stmmac_tx_queue *tx_q, struct sk_buff *skb,
++                   int csum)
+ {
+-      struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)p;
+       unsigned int nopaged_len = skb_headlen(skb);
+       struct stmmac_priv *priv = tx_q->priv_data;
+       unsigned int entry = tx_q->cur_tx;
+@@ -101,9 +101,8 @@ static unsigned int is_jumbo_frm(int len, int enh_desc)
+       return ret;
+ }
+-static void refill_desc3(void *priv_ptr, struct dma_desc *p)
++static void refill_desc3(struct stmmac_rx_queue *rx_q, struct dma_desc *p)
+ {
+-      struct stmmac_rx_queue *rx_q = priv_ptr;
+       struct stmmac_priv *priv = rx_q->priv_data;
+       /* Fill DES3 in case of RING mode */
+@@ -117,9 +116,8 @@ static void init_desc3(struct dma_desc *p)
+       p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB);
+ }
+-static void clean_desc3(void *priv_ptr, struct dma_desc *p)
++static void clean_desc3(struct stmmac_tx_queue *tx_q, struct dma_desc *p)
+ {
+-      struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)priv_ptr;
+       struct stmmac_priv *priv = tx_q->priv_data;
+       unsigned int entry = tx_q->dirty_tx;
+-- 
+2.51.0
+
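Review bot: In `dwxgmac2_descs.c`, the new `struct net_device_stats *stats` parameter of `dwxgmac2_get_tx_status()` and `dwxgmac2_get_rx_status()` looks unused. No cast of the old `void *data` is removed in those hunks and the visible body lines never reference `stats`; the same holds for `enh_desc_get_ext_status()` in `enh_desc.c`. The parameter is presumably kept only so the functions match the `tx_status`, `rx_status` and `rx_extended_status` members of `struct stmmac_desc_ops` in `hwif.h`. A one-line comment above each would make that explicit, for example `/* stats is unused here; kept to match the stmmac_desc_ops callback signature */`. The function bodies continue outside the hunks, so this should be checked against the full files.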
diff --git a/queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch b/queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch
new file mode 100644 (file)
index 0000000..f649d13
--- /dev/null
@@ -0,0 +1,1334 @@
+From 0f6cf4967feccc8a6db4b865e3b5483d5b8392c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jul 2023 00:06:30 +0800
+Subject: net: stmmac: use per-queue 64 bit statistics where necessary
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+[ Upstream commit 133466c3bbe171f826294161db203f7670bb30c8 ]
+
+Currently, there are two major issues with stmmac driver statistics
+First of all, statistics in stmmac_extra_stats, stmmac_rxq_stats
+and stmmac_txq_stats are 32 bit variables on 32 bit platforms. This
+can cause some stats to overflow after several minutes of
+high traffic, for example rx_pkt_n, tx_pkt_n and so on.
+
+Secondly, if HW supports multiqueues, there are frequent cacheline
+ping pongs on some driver statistic vars, for example, normal_irq_n,
+tx_pkt_n and so on. What's more, frequent cacheline ping pongs on
+normal_irq_n happens in ISR, this makes the situation worse.
+
+To improve the driver, we convert those statistics to 64 bit, implement
+ndo_get_stats64 and update .get_ethtool_stats implementation
+accordingly. We also use per-queue statistics where necessary to remove
+the cacheline ping pongs as much as possible to make multiqueue
+operations faster. Those statistics which are not possible to overflow
+and not frequently updated are kept as is.
+
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20230717160630.1892-3-jszhang@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/common.h  |  39 ++--
+ .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c |  12 +-
+ .../ethernet/stmicro/stmmac/dwmac100_dma.c    |   7 +-
+ .../ethernet/stmicro/stmmac/dwmac4_descs.c    |  16 +-
+ .../net/ethernet/stmicro/stmmac/dwmac4_lib.c  |  15 +-
+ .../net/ethernet/stmicro/stmmac/dwmac_lib.c   |  12 +-
+ .../ethernet/stmicro/stmmac/dwxgmac2_descs.c  |   6 +-
+ .../ethernet/stmicro/stmmac/dwxgmac2_dma.c    |  14 +-
+ .../net/ethernet/stmicro/stmmac/enh_desc.c    |  20 +-
+ drivers/net/ethernet/stmicro/stmmac/hwif.h    |  12 +-
+ .../net/ethernet/stmicro/stmmac/norm_desc.c   |  15 +-
+ drivers/net/ethernet/stmicro/stmmac/stmmac.h  |   2 +
+ .../ethernet/stmicro/stmmac/stmmac_ethtool.c  | 123 ++++++++---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 200 ++++++++++++++----
+ 14 files changed, 335 insertions(+), 158 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h
+index c11d62685624..471729c0bd70 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/common.h
++++ b/drivers/net/ethernet/stmicro/stmmac/common.h
+@@ -59,13 +59,25 @@
+ /* #define FRAME_FILTER_DEBUG */
+ struct stmmac_txq_stats {
+-      unsigned long tx_pkt_n;
+-      unsigned long tx_normal_irq_n;
++      u64 tx_bytes;
++      u64 tx_packets;
++      u64 tx_pkt_n;
++      u64 tx_normal_irq_n;
++      u64 napi_poll;
++      u64 tx_clean;
++      u64 tx_set_ic_bit;
++      u64 tx_tso_frames;
++      u64 tx_tso_nfrags;
++      struct u64_stats_sync syncp;
+ };
+ struct stmmac_rxq_stats {
+-      unsigned long rx_pkt_n;
+-      unsigned long rx_normal_irq_n;
++      u64 rx_bytes;
++      u64 rx_packets;
++      u64 rx_pkt_n;
++      u64 rx_normal_irq_n;
++      u64 napi_poll;
++      struct u64_stats_sync syncp;
+ };
+ /* Extra statistic and debug information exposed by ethtool */
+@@ -81,6 +93,7 @@ struct stmmac_extra_stats {
+       unsigned long tx_frame_flushed;
+       unsigned long tx_payload_error;
+       unsigned long tx_ip_header_error;
++      unsigned long tx_collision;
+       /* Receive errors */
+       unsigned long rx_desc;
+       unsigned long sa_filter_fail;
+@@ -113,14 +126,6 @@ struct stmmac_extra_stats {
+       /* Tx/Rx IRQ Events */
+       unsigned long rx_early_irq;
+       unsigned long threshold;
+-      unsigned long tx_pkt_n;
+-      unsigned long rx_pkt_n;
+-      unsigned long normal_irq_n;
+-      unsigned long rx_normal_irq_n;
+-      unsigned long napi_poll;
+-      unsigned long tx_normal_irq_n;
+-      unsigned long tx_clean;
+-      unsigned long tx_set_ic_bit;
+       unsigned long irq_receive_pmt_irq_n;
+       /* MMC info */
+       unsigned long mmc_tx_irq_n;
+@@ -190,18 +195,16 @@ struct stmmac_extra_stats {
+       unsigned long mtl_rx_fifo_ctrl_active;
+       unsigned long mac_rx_frame_ctrl_fifo;
+       unsigned long mac_gmii_rx_proto_engine;
+-      /* TSO */
+-      unsigned long tx_tso_frames;
+-      unsigned long tx_tso_nfrags;
+       /* EST */
+       unsigned long mtl_est_cgce;
+       unsigned long mtl_est_hlbs;
+       unsigned long mtl_est_hlbf;
+       unsigned long mtl_est_btre;
+       unsigned long mtl_est_btrlm;
+-      /* per queue statistics */
+-      struct stmmac_txq_stats txq_stats[MTL_MAX_TX_QUEUES];
+-      struct stmmac_rxq_stats rxq_stats[MTL_MAX_RX_QUEUES];
++      unsigned long rx_dropped;
++      unsigned long rx_errors;
++      unsigned long tx_dropped;
++      unsigned long tx_errors;
+ };
+ /* Safety Feature statistics exposed by ethtool */
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+index b44e76a25965..87f0e65bfaa8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -440,8 +440,10 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv,
+                                    struct stmmac_extra_stats *x, u32 chan,
+                                    u32 dir)
+ {
+-      u32 v;
++      struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan];
++      struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan];
+       int ret = 0;
++      u32 v;
+       v = readl(ioaddr + EMAC_INT_STA);
+@@ -452,7 +454,9 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv,
+       if (v & EMAC_TX_INT) {
+               ret |= handle_tx;
+-              x->tx_normal_irq_n++;
++              u64_stats_update_begin(&tx_q->txq_stats.syncp);
++              tx_q->txq_stats.tx_normal_irq_n++;
++              u64_stats_update_end(&tx_q->txq_stats.syncp);
+       }
+       if (v & EMAC_TX_DMA_STOP_INT)
+@@ -474,7 +478,9 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv,
+       if (v & EMAC_RX_INT) {
+               ret |= handle_rx;
+-              x->rx_normal_irq_n++;
++              u64_stats_update_begin(&rx_q->rxq_stats.syncp);
++              rx_q->rxq_stats.rx_normal_irq_n++;
++              u64_stats_update_end(&rx_q->rxq_stats.syncp);
+       }
+       if (v & EMAC_RX_BUF_UA_INT)
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+index 1c32b1788f02..dea270f60cc3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c
+@@ -82,29 +82,24 @@ static void dwmac100_dump_dma_regs(struct stmmac_priv *priv,
+ }
+ /* DMA controller has two counters to track the number of the missed frames. */
+-static void dwmac100_dma_diagnostic_fr(struct net_device_stats *stats,
+-                                     struct stmmac_extra_stats *x,
++static void dwmac100_dma_diagnostic_fr(struct stmmac_extra_stats *x,
+                                      void __iomem *ioaddr)
+ {
+       u32 csr8 = readl(ioaddr + DMA_MISSED_FRAME_CTR);
+       if (unlikely(csr8)) {
+               if (csr8 & DMA_MISSED_FRAME_OVE) {
+-                      stats->rx_over_errors += 0x800;
+                       x->rx_overflow_cntr += 0x800;
+               } else {
+                       unsigned int ove_cntr;
+                       ove_cntr = ((csr8 & DMA_MISSED_FRAME_OVE_CNTR) >> 17);
+-                      stats->rx_over_errors += ove_cntr;
+                       x->rx_overflow_cntr += ove_cntr;
+               }
+               if (csr8 & DMA_MISSED_FRAME_OVE_M) {
+-                      stats->rx_missed_errors += 0xffff;
+                       x->rx_missed_cntr += 0xffff;
+               } else {
+                       unsigned int miss_f = (csr8 & DMA_MISSED_FRAME_M_CNTR);
+-                      stats->rx_missed_errors += miss_f;
+                       x->rx_missed_cntr += miss_f;
+               }
+       }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+index 6a011d8633e8..89a14084c611 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c
+@@ -13,8 +13,7 @@
+ #include "dwmac4.h"
+ #include "dwmac4_descs.h"
+-static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats,
+-                                     struct stmmac_extra_stats *x,
++static int dwmac4_wrback_get_tx_status(struct stmmac_extra_stats *x,
+                                      struct dma_desc *p,
+                                      void __iomem *ioaddr)
+ {
+@@ -40,15 +39,13 @@ static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats,
+                       x->tx_frame_flushed++;
+               if (unlikely(tdes3 & TDES3_LOSS_CARRIER)) {
+                       x->tx_losscarrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely(tdes3 & TDES3_NO_CARRIER)) {
+                       x->tx_carrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely((tdes3 & TDES3_LATE_COLLISION) ||
+                            (tdes3 & TDES3_EXCESSIVE_COLLISION)))
+-                      stats->collisions +=
++                      x->tx_collision +=
+                           (tdes3 & TDES3_COLLISION_COUNT_MASK)
+                           >> TDES3_COLLISION_COUNT_SHIFT;
+@@ -73,8 +70,7 @@ static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats,
+       return ret;
+ }
+-static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats,
+-                                     struct stmmac_extra_stats *x,
++static int dwmac4_wrback_get_rx_status(struct stmmac_extra_stats *x,
+                                      struct dma_desc *p)
+ {
+       unsigned int rdes1 = le32_to_cpu(p->des1);
+@@ -93,7 +89,7 @@ static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats,
+       if (unlikely(rdes3 & RDES3_ERROR_SUMMARY)) {
+               if (unlikely(rdes3 & RDES3_GIANT_PACKET))
+-                      stats->rx_length_errors++;
++                      x->rx_length++;
+               if (unlikely(rdes3 & RDES3_OVERFLOW_ERROR))
+                       x->rx_gmac_overflow++;
+@@ -103,10 +99,8 @@ static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats,
+               if (unlikely(rdes3 & RDES3_RECEIVE_ERROR))
+                       x->rx_mii++;
+-              if (unlikely(rdes3 & RDES3_CRC_ERROR)) {
++              if (unlikely(rdes3 & RDES3_CRC_ERROR))
+                       x->rx_crc_errors++;
+-                      stats->rx_crc_errors++;
+-              }
+               if (unlikely(rdes3 & RDES3_DRIBBLE_ERROR))
+                       x->dribbling_bit++;
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+index 03ceb6a94073..980e5f8a37ec 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c
+@@ -171,6 +171,8 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+       const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs;
+       u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan));
+       u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan));
++      struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan];
++      struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan];
+       int ret = 0;
+       if (dir == DMA_DIR_RX)
+@@ -198,18 +200,19 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+               }
+       }
+       /* TX/RX NORMAL interrupts */
+-      if (likely(intr_status & DMA_CHAN_STATUS_NIS))
+-              x->normal_irq_n++;
+       if (likely(intr_status & DMA_CHAN_STATUS_RI)) {
+-              x->rx_normal_irq_n++;
+-              x->rxq_stats[chan].rx_normal_irq_n++;
++              u64_stats_update_begin(&rx_q->rxq_stats.syncp);
++              rx_q->rxq_stats.rx_normal_irq_n++;
++              u64_stats_update_end(&rx_q->rxq_stats.syncp);
+               ret |= handle_rx;
+       }
+       if (likely(intr_status & DMA_CHAN_STATUS_TI)) {
+-              x->tx_normal_irq_n++;
+-              x->txq_stats[chan].tx_normal_irq_n++;
++              u64_stats_update_begin(&tx_q->txq_stats.syncp);
++              tx_q->txq_stats.tx_normal_irq_n++;
++              u64_stats_update_end(&tx_q->txq_stats.syncp);
+               ret |= handle_tx;
+       }
++
+       if (unlikely(intr_status & DMA_CHAN_STATUS_TBU))
+               ret |= handle_tx;
+       if (unlikely(intr_status & DMA_CHAN_STATUS_ERI))
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
+index 0b6f999a8305..aaa09b16b016 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c
+@@ -10,6 +10,7 @@
+ #include <linux/iopoll.h>
+ #include "common.h"
+ #include "dwmac_dma.h"
++#include "stmmac.h"
+ #define GMAC_HI_REG_AE                0x80000000
+@@ -161,6 +162,8 @@ static void show_rx_process_state(unsigned int status)
+ int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+                       struct stmmac_extra_stats *x, u32 chan, u32 dir)
+ {
++      struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan];
++      struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan];
+       int ret = 0;
+       /* read the status register (CSR5) */
+       u32 intr_status = readl(ioaddr + DMA_STATUS);
+@@ -208,17 +211,20 @@ int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr,
+       }
+       /* TX/RX NORMAL interrupts */
+       if (likely(intr_status & DMA_STATUS_NIS)) {
+-              x->normal_irq_n++;
+               if (likely(intr_status & DMA_STATUS_RI)) {
+                       u32 value = readl(ioaddr + DMA_INTR_ENA);
+                       /* to schedule NAPI on real RIE event. */
+                       if (likely(value & DMA_INTR_ENA_RIE)) {
+-                              x->rx_normal_irq_n++;
++                              u64_stats_update_begin(&rx_q->rxq_stats.syncp);
++                              rx_q->rxq_stats.rx_normal_irq_n++;
++                              u64_stats_update_end(&rx_q->rxq_stats.syncp);
+                               ret |= handle_rx;
+                       }
+               }
+               if (likely(intr_status & DMA_STATUS_TI)) {
+-                      x->tx_normal_irq_n++;
++                      u64_stats_update_begin(&tx_q->txq_stats.syncp);
++                      tx_q->txq_stats.tx_normal_irq_n++;
++                      u64_stats_update_end(&tx_q->txq_stats.syncp);
+                       ret |= handle_tx;
+               }
+               if (unlikely(intr_status & DMA_STATUS_ERI))
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
+index 13c347ee8be9..fc82862a612c 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c
+@@ -8,8 +8,7 @@
+ #include "common.h"
+ #include "dwxgmac2.h"
+-static int dwxgmac2_get_tx_status(struct net_device_stats *stats,
+-                                struct stmmac_extra_stats *x,
++static int dwxgmac2_get_tx_status(struct stmmac_extra_stats *x,
+                                 struct dma_desc *p, void __iomem *ioaddr)
+ {
+       unsigned int tdes3 = le32_to_cpu(p->des3);
+@@ -23,8 +22,7 @@ static int dwxgmac2_get_tx_status(struct net_device_stats *stats,
+       return ret;
+ }
+-static int dwxgmac2_get_rx_status(struct net_device_stats *stats,
+-                                struct stmmac_extra_stats *x,
++static int dwxgmac2_get_rx_status(struct stmmac_extra_stats *x,
+                                 struct dma_desc *p)
+ {
+       unsigned int rdes3 = le32_to_cpu(p->des3);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+index 5187c5da709a..136ef20d827f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+@@ -333,6 +333,8 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv,
+                                 struct stmmac_extra_stats *x, u32 chan,
+                                 u32 dir)
+ {
++      struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan];
++      struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan];
+       u32 intr_status = readl(ioaddr + XGMAC_DMA_CH_STATUS(chan));
+       u32 intr_en = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan));
+       int ret = 0;
+@@ -360,16 +362,16 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv,
+       /* TX/RX NORMAL interrupts */
+       if (likely(intr_status & XGMAC_NIS)) {
+-              x->normal_irq_n++;
+-
+               if (likely(intr_status & XGMAC_RI)) {
+-                      x->rx_normal_irq_n++;
+-                      x->rxq_stats[chan].rx_normal_irq_n++;
++                      u64_stats_update_begin(&rx_q->rxq_stats.syncp);
++                      rx_q->rxq_stats.rx_normal_irq_n++;
++                      u64_stats_update_end(&rx_q->rxq_stats.syncp);
+                       ret |= handle_rx;
+               }
+               if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) {
+-                      x->tx_normal_irq_n++;
+-                      x->txq_stats[chan].tx_normal_irq_n++;
++                      u64_stats_update_begin(&tx_q->txq_stats.syncp);
++                      tx_q->txq_stats.tx_normal_irq_n++;
++                      u64_stats_update_end(&tx_q->txq_stats.syncp);
+                       ret |= handle_tx;
+               }
+       }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+index a91d8f13a931..937b7a0466fc 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c
+@@ -12,8 +12,7 @@
+ #include "common.h"
+ #include "descs_com.h"
+-static int enh_desc_get_tx_status(struct net_device_stats *stats,
+-                                struct stmmac_extra_stats *x,
++static int enh_desc_get_tx_status(struct stmmac_extra_stats *x,
+                                 struct dma_desc *p, void __iomem *ioaddr)
+ {
+       unsigned int tdes0 = le32_to_cpu(p->des0);
+@@ -38,15 +37,13 @@ static int enh_desc_get_tx_status(struct net_device_stats *stats,
+               if (unlikely(tdes0 & ETDES0_LOSS_CARRIER)) {
+                       x->tx_losscarrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely(tdes0 & ETDES0_NO_CARRIER)) {
+                       x->tx_carrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely((tdes0 & ETDES0_LATE_COLLISION) ||
+                            (tdes0 & ETDES0_EXCESSIVE_COLLISIONS)))
+-                      stats->collisions +=
++                      x->tx_collision +=
+                               (tdes0 & ETDES0_COLLISION_COUNT_MASK) >> 3;
+               if (unlikely(tdes0 & ETDES0_EXCESSIVE_DEFERRAL))
+@@ -117,8 +114,7 @@ static int enh_desc_coe_rdes0(int ipc_err, int type, int payload_err)
+       return ret;
+ }
+-static void enh_desc_get_ext_status(struct net_device_stats *stats,
+-                                  struct stmmac_extra_stats *x,
++static void enh_desc_get_ext_status(struct stmmac_extra_stats *x,
+                                   struct dma_extended_desc *p)
+ {
+       unsigned int rdes0 = le32_to_cpu(p->basic.des0);
+@@ -182,8 +178,7 @@ static void enh_desc_get_ext_status(struct net_device_stats *stats,
+       }
+ }
+-static int enh_desc_get_rx_status(struct net_device_stats *stats,
+-                                struct stmmac_extra_stats *x,
++static int enh_desc_get_rx_status(struct stmmac_extra_stats *x,
+                                 struct dma_desc *p)
+ {
+       unsigned int rdes0 = le32_to_cpu(p->des0);
+@@ -193,14 +188,14 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats,
+               return dma_own;
+       if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) {
+-              stats->rx_length_errors++;
++              x->rx_length++;
+               return discard_frame;
+       }
+       if (unlikely(rdes0 & RDES0_ERROR_SUMMARY)) {
+               if (unlikely(rdes0 & RDES0_DESCRIPTOR_ERROR)) {
+                       x->rx_desc++;
+-                      stats->rx_length_errors++;
++                      x->rx_length++;
+               }
+               if (unlikely(rdes0 & RDES0_OVERFLOW_ERROR))
+                       x->rx_gmac_overflow++;
+@@ -209,7 +204,7 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats,
+                       pr_err("\tIPC Csum Error/Giant frame\n");
+               if (unlikely(rdes0 & RDES0_COLLISION))
+-                      stats->collisions++;
++                      x->rx_collision++;
+               if (unlikely(rdes0 & RDES0_RECEIVE_WATCHDOG))
+                       x->rx_watchdog++;
+@@ -218,7 +213,6 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats,
+               if (unlikely(rdes0 & RDES0_CRC_ERROR)) {
+                       x->rx_crc_errors++;
+-                      stats->rx_crc_errors++;
+               }
+               ret = discard_frame;
+       }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+index 87161c85b1a1..19424af936d2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h
++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h
+@@ -57,8 +57,7 @@ struct stmmac_desc_ops {
+       /* Last tx segment reports the transmit status */
+       int (*get_tx_ls)(struct dma_desc *p);
+       /* Return the transmit status looking at the TDES1 */
+-      int (*tx_status)(struct net_device_stats *stats,
+-                       struct stmmac_extra_stats *x,
++      int (*tx_status)(struct stmmac_extra_stats *x,
+                        struct dma_desc *p, void __iomem *ioaddr);
+       /* Get the buffer size from the descriptor */
+       int (*get_tx_len)(struct dma_desc *p);
+@@ -67,11 +66,9 @@ struct stmmac_desc_ops {
+       /* Get the receive frame size */
+       int (*get_rx_frame_len)(struct dma_desc *p, int rx_coe_type);
+       /* Return the reception status looking at the RDES1 */
+-      int (*rx_status)(struct net_device_stats *stats,
+-                       struct stmmac_extra_stats *x,
++      int (*rx_status)(struct stmmac_extra_stats *x,
+                        struct dma_desc *p);
+-      void (*rx_extended_status)(struct net_device_stats *stats,
+-                                 struct stmmac_extra_stats *x,
++      void (*rx_extended_status)(struct stmmac_extra_stats *x,
+                                  struct dma_extended_desc *p);
+       /* Set tx timestamp enable bit */
+       void (*enable_tx_timestamp) (struct dma_desc *p);
+@@ -191,8 +188,7 @@ struct stmmac_dma_ops {
+       void (*dma_tx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr,
+                           int mode, u32 channel, int fifosz, u8 qmode);
+       /* To track extra statistic (if supported) */
+-      void (*dma_diagnostic_fr)(struct net_device_stats *stats,
+-                                struct stmmac_extra_stats *x,
++      void (*dma_diagnostic_fr)(struct stmmac_extra_stats *x,
+                                 void __iomem *ioaddr);
+       void (*enable_dma_transmission) (void __iomem *ioaddr);
+       void (*enable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr,
+diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+index 350e6670a576..68a7cfcb1d8f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c
+@@ -12,8 +12,7 @@
+ #include "common.h"
+ #include "descs_com.h"
+-static int ndesc_get_tx_status(struct net_device_stats *stats,
+-                             struct stmmac_extra_stats *x,
++static int ndesc_get_tx_status(struct stmmac_extra_stats *x,
+                              struct dma_desc *p, void __iomem *ioaddr)
+ {
+       unsigned int tdes0 = le32_to_cpu(p->des0);
+@@ -31,15 +30,12 @@ static int ndesc_get_tx_status(struct net_device_stats *stats,
+       if (unlikely(tdes0 & TDES0_ERROR_SUMMARY)) {
+               if (unlikely(tdes0 & TDES0_UNDERFLOW_ERROR)) {
+                       x->tx_underflow++;
+-                      stats->tx_fifo_errors++;
+               }
+               if (unlikely(tdes0 & TDES0_NO_CARRIER)) {
+                       x->tx_carrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely(tdes0 & TDES0_LOSS_CARRIER)) {
+                       x->tx_losscarrier++;
+-                      stats->tx_carrier_errors++;
+               }
+               if (unlikely((tdes0 & TDES0_EXCESSIVE_DEFERRAL) ||
+                            (tdes0 & TDES0_EXCESSIVE_COLLISIONS) ||
+@@ -47,7 +43,7 @@ static int ndesc_get_tx_status(struct net_device_stats *stats,
+                       unsigned int collisions;
+                       collisions = (tdes0 & TDES0_COLLISION_COUNT_MASK) >> 3;
+-                      stats->collisions += collisions;
++                      x->tx_collision += collisions;
+               }
+               ret = tx_err;
+       }
+@@ -70,8 +66,7 @@ static int ndesc_get_tx_len(struct dma_desc *p)
+  * and, if required, updates the multicast statistics.
+  * In case of success, it returns good_frame because the GMAC device
+  * is supposed to be able to compute the csum in HW. */
+-static int ndesc_get_rx_status(struct net_device_stats *stats,
+-                             struct stmmac_extra_stats *x,
++static int ndesc_get_rx_status(struct stmmac_extra_stats *x,
+                              struct dma_desc *p)
+ {
+       int ret = good_frame;
+@@ -81,7 +76,7 @@ static int ndesc_get_rx_status(struct net_device_stats *stats,
+               return dma_own;
+       if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) {
+-              stats->rx_length_errors++;
++              x->rx_length++;
+               return discard_frame;
+       }
+@@ -96,11 +91,9 @@ static int ndesc_get_rx_status(struct net_device_stats *stats,
+                       x->ipc_csum_error++;
+               if (unlikely(rdes0 & RDES0_COLLISION)) {
+                       x->rx_collision++;
+-                      stats->collisions++;
+               }
+               if (unlikely(rdes0 & RDES0_CRC_ERROR)) {
+                       x->rx_crc_errors++;
+-                      stats->rx_crc_errors++;
+               }
+               ret = discard_frame;
+       }
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+index b9b41dd18cde..b3f9e318f6e2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+@@ -77,6 +77,7 @@ struct stmmac_tx_queue {
+       dma_addr_t dma_tx_phy;
+       dma_addr_t tx_tail_addr;
+       u32 mss;
++      struct stmmac_txq_stats txq_stats;
+ };
+ struct stmmac_rx_buffer {
+@@ -118,6 +119,7 @@ struct stmmac_rx_queue {
+               unsigned int len;
+               unsigned int error;
+       } state;
++      struct stmmac_rxq_stats rxq_stats;
+ };
+ struct stmmac_channel {
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index f03aa8a0b895..a808a32e52d1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -89,14 +89,6 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = {
+       /* Tx/Rx IRQ Events */
+       STMMAC_STAT(rx_early_irq),
+       STMMAC_STAT(threshold),
+-      STMMAC_STAT(tx_pkt_n),
+-      STMMAC_STAT(rx_pkt_n),
+-      STMMAC_STAT(normal_irq_n),
+-      STMMAC_STAT(rx_normal_irq_n),
+-      STMMAC_STAT(napi_poll),
+-      STMMAC_STAT(tx_normal_irq_n),
+-      STMMAC_STAT(tx_clean),
+-      STMMAC_STAT(tx_set_ic_bit),
+       STMMAC_STAT(irq_receive_pmt_irq_n),
+       /* MMC info */
+       STMMAC_STAT(mmc_tx_irq_n),
+@@ -163,9 +155,6 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = {
+       STMMAC_STAT(mtl_rx_fifo_ctrl_active),
+       STMMAC_STAT(mac_rx_frame_ctrl_fifo),
+       STMMAC_STAT(mac_gmii_rx_proto_engine),
+-      /* TSO */
+-      STMMAC_STAT(tx_tso_frames),
+-      STMMAC_STAT(tx_tso_nfrags),
+       /* EST */
+       STMMAC_STAT(mtl_est_cgce),
+       STMMAC_STAT(mtl_est_hlbs),
+@@ -175,6 +164,23 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = {
+ };
+ #define STMMAC_STATS_LEN ARRAY_SIZE(stmmac_gstrings_stats)
++/* statistics collected in queue which will be summed up for all TX or RX
++ * queues, or summed up for both TX and RX queues(napi_poll, normal_irq_n).
++ */
++static const char stmmac_qstats_string[][ETH_GSTRING_LEN] = {
++      "rx_pkt_n",
++      "rx_normal_irq_n",
++      "tx_pkt_n",
++      "tx_normal_irq_n",
++      "tx_clean",
++      "tx_set_ic_bit",
++      "tx_tso_frames",
++      "tx_tso_nfrags",
++      "normal_irq_n",
++      "napi_poll",
++};
++#define STMMAC_QSTATS ARRAY_SIZE(stmmac_qstats_string)
++
+ /* HW MAC Management counters (if supported) */
+ #define STMMAC_MMC_STAT(m)    \
+       { #m, sizeof_field(struct stmmac_counters, m),  \
+@@ -544,23 +550,44 @@ static void stmmac_get_per_qstats(struct stmmac_priv *priv, u64 *data)
+ {
+       u32 tx_cnt = priv->plat->tx_queues_to_use;
+       u32 rx_cnt = priv->plat->rx_queues_to_use;
++      unsigned int start;
+       int q, stat;
++      u64 *pos;
+       char *p;
++      pos = data;
+       for (q = 0; q < tx_cnt; q++) {
+-              p = (char *)priv + offsetof(struct stmmac_priv,
+-                                          xstats.txq_stats[q].tx_pkt_n);
++              struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[q];
++              struct stmmac_txq_stats snapshot;
++
++              data = pos;
++              do {
++                      start = u64_stats_fetch_begin(&tx_q->txq_stats.syncp);
++                      snapshot = tx_q->txq_stats;
++              } while (u64_stats_fetch_retry(&tx_q->txq_stats.syncp, start));
++
++              p = (char *)&snapshot + offsetof(struct stmmac_txq_stats, tx_pkt_n);
+               for (stat = 0; stat < STMMAC_TXQ_STATS; stat++) {
+-                      *data++ = (*(unsigned long *)p);
+-                      p += sizeof(unsigned long);
++                      *data++ += (*(u64 *)p);
++                      p += sizeof(u64);
+               }
+       }
++
++      pos = data;
+       for (q = 0; q < rx_cnt; q++) {
+-              p = (char *)priv + offsetof(struct stmmac_priv,
+-                                          xstats.rxq_stats[q].rx_pkt_n);
++              struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[q];
++              struct stmmac_rxq_stats snapshot;
++
++              data = pos;
++              do {
++                      start = u64_stats_fetch_begin(&rx_q->rxq_stats.syncp);
++                      snapshot = rx_q->rxq_stats;
++              } while (u64_stats_fetch_retry(&rx_q->rxq_stats.syncp, start));
++
++              p = (char *)&snapshot + offsetof(struct stmmac_rxq_stats, rx_pkt_n);
+               for (stat = 0; stat < STMMAC_RXQ_STATS; stat++) {
+-                      *data++ = (*(unsigned long *)p);
+-                      p += sizeof(unsigned long);
++                      *data++ += (*(u64 *)p);
++                      p += sizeof(u64);
+               }
+       }
+ }
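Review bot: `data = pos;` at the top of each loop iteration rewinds the output cursor, so every TX queue is added into the first queue's `STMMAC_TXQ_STATS` slots and the RX values start right after them. Meanwhile `stmmac_get_sset_count()` in this patch still reserves `STMMAC_TXQ_STATS * tx_cnt + STMMAC_RXQ_STATS * rx_cnt` entries. With more than one queue, the per-queue values would be summed into queue 0 and the remaining slots left untouched, presumably misaligned with the per-queue names. Dropping both `data = pos;` lines (and `pos`) and storing rather than accumulating, `*data++ = *(u64 *)p;`, keeps one slot per queue and per counter.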
+@@ -571,8 +598,10 @@ static void stmmac_get_ethtool_stats(struct net_device *dev,
+       struct stmmac_priv *priv = netdev_priv(dev);
+       u32 rx_queues_count = priv->plat->rx_queues_to_use;
+       u32 tx_queues_count = priv->plat->tx_queues_to_use;
++      u64 napi_poll = 0, normal_irq_n = 0;
++      int i, j = 0, pos, ret;
+       unsigned long count;
+-      int i, j = 0, ret;
++      unsigned int start;
+       if (priv->dma_cap.asp) {
+               for (i = 0; i < STMMAC_SAFETY_FEAT_SIZE; i++) {
+@@ -583,8 +612,7 @@ static void stmmac_get_ethtool_stats(struct net_device *dev,
+       }
+       /* Update the DMA HW counters for dwmac10/100 */
+-      ret = stmmac_dma_diagnostic_fr(priv, &dev->stats, (void *) &priv->xstats,
+-                      priv->ioaddr);
++      ret = stmmac_dma_diagnostic_fr(priv, &priv->xstats, priv->ioaddr);
+       if (ret) {
+               /* If supported, for new GMAC chips expose the MMC counters */
+               if (priv->dma_cap.rmon) {
+@@ -615,6 +643,48 @@ static void stmmac_get_ethtool_stats(struct net_device *dev,
+               data[j++] = (stmmac_gstrings_stats[i].sizeof_stat ==
+                            sizeof(u64)) ? (*(u64 *)p) : (*(u32 *)p);
+       }
++
++      pos = j;
++      for (i = 0; i < rx_queues_count; i++) {
++              struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[i];
++              struct stmmac_rxq_stats snapshot;
++
++              j = pos;
++              do {
++                      start = u64_stats_fetch_begin(&rx_q->rxq_stats.syncp);
++                      snapshot = rx_q->rxq_stats;
++              } while (u64_stats_fetch_retry(&rx_q->rxq_stats.syncp, start));
++
++              data[j++] += snapshot.rx_pkt_n;
++              data[j++] += snapshot.rx_normal_irq_n;
++              normal_irq_n += snapshot.rx_normal_irq_n;
++              napi_poll += snapshot.napi_poll;
++      }
++
++      pos = j;
++      for (i = 0; i < tx_queues_count; i++) {
++              struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[i];
++              struct stmmac_txq_stats snapshot;
++
++              j = pos;
++              do {
++                      start = u64_stats_fetch_begin(&tx_q->txq_stats.syncp);
++                      snapshot = tx_q->txq_stats;
++              } while (u64_stats_fetch_retry(&tx_q->txq_stats.syncp, start));
++
++              data[j++] += snapshot.tx_pkt_n;
++              data[j++] += snapshot.tx_normal_irq_n;
++              normal_irq_n += snapshot.tx_normal_irq_n;
++              data[j++] += snapshot.tx_clean;
++              data[j++] += snapshot.tx_set_ic_bit;
++              data[j++] += snapshot.tx_tso_frames;
++              data[j++] += snapshot.tx_tso_nfrags;
++              napi_poll += snapshot.napi_poll;
++      }
++      normal_irq_n += priv->xstats.rx_early_irq;
++      data[j++] = normal_irq_n;
++      data[j++] = napi_poll;
++
+       stmmac_get_per_qstats(priv, &data[j]);
+ }
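Review bot: The slot positions in the added summing loops come from wherever `j` ends after the last loop iteration (`pos = j;`), so with a queue count of zero the following block would start at the wrong index. The `+=` stores also rely on `data[]` arriving zeroed from the caller. Neither assumption is stated; a comment such as `/* data[] must arrive zeroed; order must match stmmac_qstats_string[] */` above the first `pos = j;` would document it, or `j` could be advanced by a fixed count after each loop instead. The function starts outside this hunk.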
+@@ -627,7 +697,7 @@ static int stmmac_get_sset_count(struct net_device *netdev, int sset)
+       switch (sset) {
+       case ETH_SS_STATS:
+-              len = STMMAC_STATS_LEN +
++              len = STMMAC_STATS_LEN + STMMAC_QSTATS +
+                     STMMAC_TXQ_STATS * tx_cnt +
+                     STMMAC_RXQ_STATS * rx_cnt;
+@@ -700,8 +770,11 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+                               p += ETH_GSTRING_LEN;
+                       }
+               for (i = 0; i < STMMAC_STATS_LEN; i++) {
+-                      memcpy(p, stmmac_gstrings_stats[i].stat_string,
+-                              ETH_GSTRING_LEN);
++                      memcpy(p, stmmac_gstrings_stats[i].stat_string, ETH_GSTRING_LEN);
++                      p += ETH_GSTRING_LEN;
++              }
++              for (i = 0; i < STMMAC_QSTATS; i++) {
++                      memcpy(p, stmmac_qstats_string[i], ETH_GSTRING_LEN);
+                       p += ETH_GSTRING_LEN;
+               }
+               stmmac_get_qstats_string(priv, p);
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 4aeacb5fe81e..b2362e107f20 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2430,6 +2430,8 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget)
+       struct dma_desc *tx_desc = NULL;
+       struct xdp_desc xdp_desc;
+       bool work_done = true;
++      u32 tx_set_ic_bit = 0;
++      unsigned long flags;
+       /* Avoids TX time-out as we are sharing with slow path */
+       txq_trans_cond_update(nq);
+@@ -2490,7 +2492,7 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget)
+               if (set_ic) {
+                       tx_q->tx_count_frames = 0;
+                       stmmac_set_tx_ic(priv, tx_desc);
+-                      priv->xstats.tx_set_ic_bit++;
++                      tx_set_ic_bit++;
+               }
+               stmmac_prepare_tx_desc(priv, tx_desc, 1, xdp_desc.len,
+@@ -2502,6 +2504,9 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget)
+               tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size);
+               entry = tx_q->cur_tx;
+       }
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.tx_set_ic_bit += tx_set_ic_bit;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       if (tx_desc) {
+               stmmac_flush_tx_descriptors(priv, queue);
+@@ -2543,11 +2548,11 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue)
+       struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[queue];
+       unsigned int bytes_compl = 0, pkts_compl = 0;
+       unsigned int entry, xmits = 0, count = 0;
++      u32 tx_packets = 0, tx_errors = 0;
++      unsigned long flags;
+       __netif_tx_lock_bh(netdev_get_tx_queue(priv->dev, queue));
+-      priv->xstats.tx_clean++;
+-
+       tx_q->xsk_frames_done = 0;
+       entry = tx_q->dirty_tx;
+@@ -2578,8 +2583,7 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue)
+               else
+                       p = tx_q->dma_tx + entry;
+-              status = stmmac_tx_status(priv, &priv->dev->stats,
+-                              &priv->xstats, p, priv->ioaddr);
++              status = stmmac_tx_status(priv, &priv->xstats, p, priv->ioaddr);
+               /* Check if the descriptor is owned by the DMA */
+               if (unlikely(status & tx_dma_own))
+                       break;
+@@ -2595,13 +2599,11 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue)
+               if (likely(!(status & tx_not_ls))) {
+                       /* ... verify the status error condition */
+                       if (unlikely(status & tx_err)) {
+-                              priv->dev->stats.tx_errors++;
++                              tx_errors++;
+                               if (unlikely(status & tx_err_bump_tc))
+                                       stmmac_bump_dma_threshold(priv, queue);
+                       } else {
+-                              priv->dev->stats.tx_packets++;
+-                              priv->xstats.tx_pkt_n++;
+-                              priv->xstats.txq_stats[queue].tx_pkt_n++;
++                              tx_packets++;
+                       }
+                       if (skb)
+                               stmmac_get_tx_hwtstamp(priv, p, skb);
+@@ -2703,6 +2705,14 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue)
+       if (tx_q->dirty_tx != tx_q->cur_tx)
+               stmmac_tx_timer_arm(priv, queue);
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.tx_packets += tx_packets;
++      tx_q->txq_stats.tx_pkt_n += tx_packets;
++      tx_q->txq_stats.tx_clean++;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
++
++      priv->xstats.tx_errors += tx_errors;
++
+       __netif_tx_unlock_bh(netdev_get_tx_queue(priv->dev, queue));
+       /* Combine decisions from TX clean and XSK TX */
+@@ -2730,7 +2740,7 @@ static void stmmac_tx_err(struct stmmac_priv *priv, u32 chan)
+                           tx_q->dma_tx_phy, chan);
+       stmmac_start_tx_dma(priv, chan);
+-      priv->dev->stats.tx_errors++;
++      priv->xstats.tx_errors++;
+       netif_tx_wake_queue(netdev_get_tx_queue(priv->dev, chan));
+ }
+@@ -4116,6 +4126,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+       struct stmmac_tx_queue *tx_q;
+       bool has_vlan, set_ic;
+       u8 proto_hdr_len, hdr;
++      unsigned long flags;
+       u32 pay_len, mss;
+       dma_addr_t des;
+       int i;
+@@ -4276,7 +4287,6 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+               tx_q->tx_count_frames = 0;
+               stmmac_set_tx_ic(priv, desc);
+-              priv->xstats.tx_set_ic_bit++;
+       }
+       /* We've used all descriptors we need for this skb, however,
+@@ -4292,9 +4302,13 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+               netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue));
+       }
+-      dev->stats.tx_bytes += skb->len;
+-      priv->xstats.tx_tso_frames++;
+-      priv->xstats.tx_tso_nfrags += nfrags;
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.tx_bytes += skb->len;
++      tx_q->txq_stats.tx_tso_frames++;
++      tx_q->txq_stats.tx_tso_nfrags += nfrags;
++      if (set_ic)
++              tx_q->txq_stats.tx_set_ic_bit++;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       if (priv->sarc_type)
+               stmmac_set_desc_sarc(priv, first, priv->sarc_type);
+@@ -4344,7 +4358,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+ dma_map_err:
+       dev_err(priv->device, "Tx dma map failed\n");
+       dev_kfree_skb(skb);
+-      priv->dev->stats.tx_dropped++;
++      priv->xstats.tx_dropped++;
+       return NETDEV_TX_OK;
+ }
+@@ -4370,6 +4384,7 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+       struct stmmac_tx_queue *tx_q;
+       bool has_vlan, set_ic;
+       int entry, first_tx;
++      unsigned long flags;
+       dma_addr_t des;
+       tx_q = &priv->dma_conf.tx_queue[queue];
+@@ -4498,7 +4513,6 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+               tx_q->tx_count_frames = 0;
+               stmmac_set_tx_ic(priv, desc);
+-              priv->xstats.tx_set_ic_bit++;
+       }
+       /* We've used all descriptors we need for this skb, however,
+@@ -4525,7 +4539,11 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+               netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue));
+       }
+-      dev->stats.tx_bytes += skb->len;
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.tx_bytes += skb->len;
++      if (set_ic)
++              tx_q->txq_stats.tx_set_ic_bit++;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       if (priv->sarc_type)
+               stmmac_set_desc_sarc(priv, first, priv->sarc_type);
+@@ -4587,7 +4605,7 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev)
+ dma_map_err:
+       netdev_err(priv->dev, "Tx DMA map failed\n");
+       dev_kfree_skb(skb);
+-      priv->dev->stats.tx_dropped++;
++      priv->xstats.tx_dropped++;
+       return NETDEV_TX_OK;
+ }
+@@ -4788,9 +4806,12 @@ static int stmmac_xdp_xmit_xdpf(struct stmmac_priv *priv, int queue,
+               set_ic = false;
+       if (set_ic) {
++              unsigned long flags;
+               tx_q->tx_count_frames = 0;
+               stmmac_set_tx_ic(priv, tx_desc);
+-              priv->xstats.tx_set_ic_bit++;
++              flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++              tx_q->txq_stats.tx_set_ic_bit++;
++              u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       }
+       stmmac_enable_dma_transmission(priv, priv->ioaddr);
+@@ -4935,16 +4956,18 @@ static void stmmac_dispatch_skb_zc(struct stmmac_priv *priv, u32 queue,
+                                  struct dma_desc *p, struct dma_desc *np,
+                                  struct xdp_buff *xdp)
+ {
++      struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[queue];
+       struct stmmac_channel *ch = &priv->channel[queue];
+       unsigned int len = xdp->data_end - xdp->data;
+       enum pkt_hash_types hash_type;
+       int coe = priv->hw->rx_csum;
++      unsigned long flags;
+       struct sk_buff *skb;
+       u32 hash;
+       skb = stmmac_construct_skb_zc(ch, xdp);
+       if (!skb) {
+-              priv->dev->stats.rx_dropped++;
++              priv->xstats.rx_dropped++;
+               return;
+       }
+@@ -4963,8 +4986,10 @@ static void stmmac_dispatch_skb_zc(struct stmmac_priv *priv, u32 queue,
+       skb_record_rx_queue(skb, queue);
+       napi_gro_receive(&ch->rxtx_napi, skb);
+-      priv->dev->stats.rx_packets++;
+-      priv->dev->stats.rx_bytes += len;
++      flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp);
++      rx_q->rxq_stats.rx_pkt_n++;
++      rx_q->rxq_stats.rx_bytes += len;
++      u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags);
+ }
+ static bool stmmac_rx_refill_zc(struct stmmac_priv *priv, u32 queue, u32 budget)
+@@ -5031,9 +5056,11 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+       unsigned int count = 0, error = 0, len = 0;
+       int dirty = stmmac_rx_dirty(priv, queue);
+       unsigned int next_entry = rx_q->cur_rx;
++      u32 rx_errors = 0, rx_dropped = 0;
+       unsigned int desc_size;
+       struct bpf_prog *prog;
+       bool failure = false;
++      unsigned long flags;
+       int xdp_status = 0;
+       int status = 0;
+@@ -5088,8 +5115,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       p = rx_q->dma_rx + entry;
+               /* read the status of the incoming frame */
+-              status = stmmac_rx_status(priv, &priv->dev->stats,
+-                                        &priv->xstats, p);
++              status = stmmac_rx_status(priv, &priv->xstats, p);
+               /* check if managed by the DMA otherwise go ahead */
+               if (unlikely(status & dma_own))
+                       break;
+@@ -5111,8 +5137,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               if (priv->extend_desc)
+-                      stmmac_rx_extended_status(priv, &priv->dev->stats,
+-                                                &priv->xstats,
++                      stmmac_rx_extended_status(priv, &priv->xstats,
+                                                 rx_q->dma_erx + entry);
+               if (unlikely(status == discard_frame)) {
+                       xsk_buff_free(buf->xdp);
+@@ -5120,7 +5145,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       dirty++;
+                       error = 1;
+                       if (!priv->hwts_rx_en)
+-                              priv->dev->stats.rx_errors++;
++                              rx_errors++;
+               }
+               if (unlikely(error && (status & rx_not_ls)))
+@@ -5163,7 +5188,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               case STMMAC_XDP_CONSUMED:
+                       xsk_buff_free(buf->xdp);
+-                      priv->dev->stats.rx_dropped++;
++                      rx_dropped++;
+                       break;
+               case STMMAC_XDP_TX:
+               case STMMAC_XDP_REDIRECT:
+@@ -5184,8 +5209,12 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+       stmmac_finalize_xdp_rx(priv, xdp_status);
+-      priv->xstats.rx_pkt_n += count;
+-      priv->xstats.rxq_stats[queue].rx_pkt_n += count;
++      flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp);
++      rx_q->rxq_stats.rx_pkt_n += count;
++      u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags);
++
++      priv->xstats.rx_dropped += rx_dropped;
++      priv->xstats.rx_errors += rx_errors;
+       if (xsk_uses_need_wakeup(rx_q->xsk_pool)) {
+               if (failure || stmmac_rx_dirty(priv, queue) > 0)
+@@ -5209,6 +5238,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+  */
+ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ {
++      u32 rx_errors = 0, rx_dropped = 0, rx_bytes = 0, rx_packets = 0;
+       struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[queue];
+       struct stmmac_channel *ch = &priv->channel[queue];
+       unsigned int count = 0, error = 0, len = 0;
+@@ -5218,6 +5248,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+       unsigned int desc_size;
+       struct sk_buff *skb = NULL;
+       struct stmmac_xdp_buff ctx;
++      unsigned long flags;
+       int xdp_status = 0;
+       int buf_sz;
+@@ -5274,8 +5305,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                       p = rx_q->dma_rx + entry;
+               /* read the status of the incoming frame */
+-              status = stmmac_rx_status(priv, &priv->dev->stats,
+-                              &priv->xstats, p);
++              status = stmmac_rx_status(priv, &priv->xstats, p);
+               /* check if managed by the DMA otherwise go ahead */
+               if (unlikely(status & dma_own))
+                       break;
+@@ -5292,14 +5322,13 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+               prefetch(np);
+               if (priv->extend_desc)
+-                      stmmac_rx_extended_status(priv, &priv->dev->stats,
+-                                      &priv->xstats, rx_q->dma_erx + entry);
++                      stmmac_rx_extended_status(priv, &priv->xstats, rx_q->dma_erx + entry);
+               if (unlikely(status == discard_frame)) {
+                       page_pool_recycle_direct(rx_q->page_pool, buf->page);
+                       buf->page = NULL;
+                       error = 1;
+                       if (!priv->hwts_rx_en)
+-                              priv->dev->stats.rx_errors++;
++                              rx_errors++;
+               }
+               if (unlikely(error && (status & rx_not_ls)))
+@@ -5362,7 +5391,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                                                          virt_to_head_page(ctx.xdp.data),
+                                                          sync_len, true);
+                                       buf->page = NULL;
+-                                      priv->dev->stats.rx_dropped++;
++                                      rx_dropped++;
+                                       /* Clear skb as it was set as
+                                        * status by XDP program.
+@@ -5391,7 +5420,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+                       skb = napi_alloc_skb(&ch->rx_napi, buf1_len);
+                       if (!skb) {
+-                              priv->dev->stats.rx_dropped++;
++                              rx_dropped++;
+                               count++;
+                               goto drain_data;
+                       }
+@@ -5451,8 +5480,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+               napi_gro_receive(&ch->rx_napi, skb);
+               skb = NULL;
+-              priv->dev->stats.rx_packets++;
+-              priv->dev->stats.rx_bytes += len;
++              rx_packets++;
++              rx_bytes += len;
+               count++;
+       }
+@@ -5467,8 +5496,14 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+       stmmac_rx_refill(priv, queue);
+-      priv->xstats.rx_pkt_n += count;
+-      priv->xstats.rxq_stats[queue].rx_pkt_n += count;
++      flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp);
++      rx_q->rxq_stats.rx_packets += rx_packets;
++      rx_q->rxq_stats.rx_bytes += rx_bytes;
++      rx_q->rxq_stats.rx_pkt_n += count;
++      u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags);
++
++      priv->xstats.rx_dropped += rx_dropped;
++      priv->xstats.rx_errors += rx_errors;
+       return count;
+ }
+@@ -5478,10 +5513,15 @@ static int stmmac_napi_poll_rx(struct napi_struct *napi, int budget)
+       struct stmmac_channel *ch =
+               container_of(napi, struct stmmac_channel, rx_napi);
+       struct stmmac_priv *priv = ch->priv_data;
++      struct stmmac_rx_queue *rx_q;
+       u32 chan = ch->index;
++      unsigned long flags;
+       int work_done;
+-      priv->xstats.napi_poll++;
++      rx_q = &priv->dma_conf.rx_queue[chan];
++      flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp);
++      rx_q->rxq_stats.napi_poll++;
++      u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags);
+       work_done = stmmac_rx(priv, budget, chan);
+       if (work_done < budget && napi_complete_done(napi, work_done)) {
+@@ -5500,10 +5540,15 @@ static int stmmac_napi_poll_tx(struct napi_struct *napi, int budget)
+       struct stmmac_channel *ch =
+               container_of(napi, struct stmmac_channel, tx_napi);
+       struct stmmac_priv *priv = ch->priv_data;
++      struct stmmac_tx_queue *tx_q;
+       u32 chan = ch->index;
++      unsigned long flags;
+       int work_done;
+-      priv->xstats.napi_poll++;
++      tx_q = &priv->dma_conf.tx_queue[chan];
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.napi_poll++;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       work_done = stmmac_tx_clean(priv, budget, chan);
+       work_done = min(work_done, budget);
+@@ -5525,9 +5570,20 @@ static int stmmac_napi_poll_rxtx(struct napi_struct *napi, int budget)
+               container_of(napi, struct stmmac_channel, rxtx_napi);
+       struct stmmac_priv *priv = ch->priv_data;
+       int rx_done, tx_done, rxtx_done;
++      struct stmmac_rx_queue *rx_q;
++      struct stmmac_tx_queue *tx_q;
+       u32 chan = ch->index;
++      unsigned long flags;
++
++      rx_q = &priv->dma_conf.rx_queue[chan];
++      flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp);
++      rx_q->rxq_stats.napi_poll++;
++      u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags);
+-      priv->xstats.napi_poll++;
++      tx_q = &priv->dma_conf.tx_queue[chan];
++      flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp);
++      tx_q->txq_stats.napi_poll++;
++      u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags);
+       tx_done = stmmac_tx_clean(priv, budget, chan);
+       tx_done = min(tx_done, budget);
+@@ -6765,6 +6821,56 @@ int stmmac_xsk_wakeup(struct net_device *dev, u32 queue, u32 flags)
+       return 0;
+ }
++static void stmmac_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats)
++{
++      struct stmmac_priv *priv = netdev_priv(dev);
++      u32 tx_cnt = priv->plat->tx_queues_to_use;
++      u32 rx_cnt = priv->plat->rx_queues_to_use;
++      unsigned int start;
++      int q;
++
++      for (q = 0; q < tx_cnt; q++) {
++              struct stmmac_txq_stats *txq_stats = &priv->dma_conf.tx_queue[q].txq_stats;
++              u64 tx_packets;
++              u64 tx_bytes;
++
++              do {
++                      start = u64_stats_fetch_begin(&txq_stats->syncp);
++                      tx_packets = txq_stats->tx_packets;
++                      tx_bytes   = txq_stats->tx_bytes;
++              } while (u64_stats_fetch_retry(&txq_stats->syncp, start));
++
++              stats->tx_packets += tx_packets;
++              stats->tx_bytes += tx_bytes;
++      }
++
++      for (q = 0; q < rx_cnt; q++) {
++              struct stmmac_rxq_stats *rxq_stats = &priv->dma_conf.rx_queue[q].rxq_stats;
++              u64 rx_packets;
++              u64 rx_bytes;
++
++              do {
++                      start = u64_stats_fetch_begin(&rxq_stats->syncp);
++                      rx_packets = rxq_stats->rx_packets;
++                      rx_bytes   = rxq_stats->rx_bytes;
++              } while (u64_stats_fetch_retry(&rxq_stats->syncp, start));
++
++              stats->rx_packets += rx_packets;
++              stats->rx_bytes += rx_bytes;
++      }
++
++      stats->rx_dropped = priv->xstats.rx_dropped;
++      stats->rx_errors = priv->xstats.rx_errors;
++      stats->tx_dropped = priv->xstats.tx_dropped;
++      stats->tx_errors = priv->xstats.tx_errors;
++      stats->tx_carrier_errors = priv->xstats.tx_losscarrier + priv->xstats.tx_carrier;
++      stats->collisions = priv->xstats.tx_collision + priv->xstats.rx_collision;
++      stats->rx_length_errors = priv->xstats.rx_length;
++      stats->rx_crc_errors = priv->xstats.rx_crc_errors;
++      stats->rx_over_errors = priv->xstats.rx_overflow_cntr;
++      stats->rx_missed_errors = priv->xstats.rx_missed_cntr;
++}
++
+ static const struct net_device_ops stmmac_netdev_ops = {
+       .ndo_open = stmmac_open,
+       .ndo_start_xmit = stmmac_xmit,
+@@ -6775,6 +6881,7 @@ static const struct net_device_ops stmmac_netdev_ops = {
+       .ndo_set_rx_mode = stmmac_set_rx_mode,
+       .ndo_tx_timeout = stmmac_tx_timeout,
+       .ndo_eth_ioctl = stmmac_ioctl,
++      .ndo_get_stats64 = stmmac_get_stats64,
+       .ndo_setup_tc = stmmac_setup_tc,
+       .ndo_select_queue = stmmac_select_queue,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+@@ -7109,6 +7216,11 @@ int stmmac_dvr_probe(struct device *device,
+       priv->device = device;
+       priv->dev = ndev;
++      for (i = 0; i < MTL_MAX_RX_QUEUES; i++)
++              u64_stats_init(&priv->dma_conf.rx_queue[i].rxq_stats.syncp);
++      for (i = 0; i < MTL_MAX_TX_QUEUES; i++)
++              u64_stats_init(&priv->dma_conf.tx_queue[i].txq_stats.syncp);
++
+       stmmac_set_ethtool_ops(ndev);
+       priv->pause = pause;
+       priv->plat = plat_dat;
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch b/queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch
new file mode 100644 (file)
index 0000000..ad2d386
--- /dev/null
@@ -0,0 +1,44 @@
+From a31cfd15fdc0acb4acf585d391447312bf7e8c97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 22:43:40 +0800
+Subject: net: stmmac: xgmac: add ethtool per-queue irq statistic support
+
+From: Teoh Ji Sheng <ji.sheng.teoh@intel.com>
+
+[ Upstream commit af8eacf2b42e0a736a7a2a1379fb6c0b7fd66da4 ]
+
+Commit af9bf70154eb ("net: stmmac: add ethtool per-queue irq statistic
+support") introduced ethtool per-queue statistics support to display
+number of interrupts generated by DMA tx and DMA rx for DWMAC4 core.
+This patch extend the support to XGMAC core.
+
+Signed-off-by: Teoh Ji Sheng <ji.sheng.teoh@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230508144339.3014402-1-ji.sheng.teoh@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+index e92c29199e77..5187c5da709a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+@@ -364,10 +364,12 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv,
+               if (likely(intr_status & XGMAC_RI)) {
+                       x->rx_normal_irq_n++;
++                      x->rxq_stats[chan].rx_normal_irq_n++;
+                       ret |= handle_rx;
+               }
+               if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) {
+                       x->tx_normal_irq_n++;
++                      x->txq_stats[chan].tx_normal_irq_n++;
+                       ret |= handle_tx;
+               }
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.1/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.1/net-usb-asix-validate-phy-address-before-use.patch
new file mode 100644 (file)
index 0000000..322d18b
--- /dev/null
@@ -0,0 +1,53 @@
+From 6dbe1d2db9ac4e7415cf671d1d8d93a60b53e265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 06:41:56 +0530
+Subject: net: usb: asix: validate PHY address before use
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
+
+The ASIX driver reads the PHY address from the USB device via
+asix_read_phy_addr(). A malicious or faulty device can return an
+invalid address (>= PHY_MAX_ADDR), which causes a warning in
+mdiobus_get_phy():
+
+  addr 207 out of range
+  WARNING: drivers/net/phy/mdio_bus.c:76
+
+Validate the PHY address in asix_read_phy_addr() and remove the
+now-redundant check in ax88172a.c.
+
+Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
+Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
+Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 72ffc89b477a..9d6eb88083b6 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
+       offset = (internal ? 1 : 0);
+       ret = buf[offset];
++      if (ret >= PHY_MAX_ADDR) {
++              netdev_err(dev->net, "invalid PHY address: %d\n", ret);
++              return -ENODEV;
++      }
++
+       netdev_dbg(dev->net, "%s PHY address 0x%x\n",
+                  internal ? "internal" : "external", ret);
+-- 
+2.51.0
+
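Review bot: The description says the now-redundant check in ax88172a.c is removed, but this backport's diffstat lists only asix_common.c with 5 insertions, so whatever check exists in ax88172a.c stays in place in this tree. That duplication is harmless, but the new `-ENODEV` only protects callers that treat a negative return from asix_read_phy_addr() as an error rather than as an address, and no caller is visible here. The guard itself is in the right place: `buf[offset]` is compared with `PHY_MAX_ADDR` before it is logged at debug level or returned. I would add a comment above it, `/* address byte is device-supplied; reject anything the MDIO bus cannot index */`, so the check is not later mistaken for dead code. The function starts and ends outside the hunk.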
diff --git a/queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..a17743c
--- /dev/null
@@ -0,0 +1,47 @@
+From f51e0249e167c6ed09400a1e00a3c4c7c09fe297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 278e6cb6f4d9..e40b0669d9f4 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
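Review bot: The two frees added to the usb_submit_urb() failure branch of async_set_registers() carry no comment saying why this path owns the memory, and that ownership rule is the whole fix. Per the description, async_set_reg_cb() frees both objects but only runs once the URB has actually been submitted, so I would add `/* submit failed: async_set_reg_cb() will never run, free here */` above `kfree(req);`. The visible tail only returns `res` after the branch, so nothing here touches `req` or `async_urb` after they are released. The function starts outside the hunk.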
diff --git a/queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..8d9c146
--- /dev/null
@@ -0,0 +1,45 @@
+From 1e7f08ac528e8e7cfa202effabffbc32bf336f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 2d6f6edb1510..835e85f0667a 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -422,6 +422,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
+-- 
+2.51.0
+
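Review bot: The new lower-bound check tests `ring->rx_pending` only after `rx_count` has already been clamped up to `pfvf->hw.rq_skid`, so otx2_set_ringparam() now applies two policies to a too-small user value (silent clamp, then hard reject) and validates the input after it has presumably started deriving from it. I would move the `if (ring->rx_pending < 16)` block ahead of any arithmetic on the ring sizes. The literal 16 appears in both the condition and the message; a named constant tied to the smallest size `Q_SIZE(rx_count, 3)` can encode would keep them in sync. Whether `tx_pending` needs the same floor cannot be seen from this hunk and should be checked. The function starts and ends outside the hunk.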
diff --git a/queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..bee8af8
--- /dev/null
@@ -0,0 +1,47 @@
+From 0e20f0b754f619c00194690fcb3673a8c78f6b3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 5fc665f7d9b3..10cab7bdfe15 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
+-- 
+2.51.0
+
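Review bot: With the pointer now advancing by `sizeof(unsigned int)` per iteration, the last iterations of the loop in ibm_rtl_init() place `tmp` within a few bytes of `ebda_map + ebda_size`, while `readq(&tmp->signature)` is an 8-byte read, so the scan can read past the region the loop bound describes. Before this change the largest offset was roughly a quarter of `ebda_size`, so the bound never came into play. Whether the mapping is exactly `ebda_size` bytes is not visible here, but if it is, and assuming `signature` is the first field, the final iteration at offset `ebda_size - 4` over-reads by 4 bytes, and a match near the end would presumably lead to further field reads beyond the table. I would stop once a full table no longer fits, e.g. `if (i * sizeof(unsigned int) + sizeof(*tmp) > ebda_size) break;` as the first statement of the loop body. The function starts and ends outside the hunk.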
diff --git a/queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..99ec0f4
--- /dev/null
@@ -0,0 +1,42 @@
+From cd1942939880ba0c0ada410553647e12a5d93b45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index f4c6c36e05a5..2a8839135492 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..3b9d88f
--- /dev/null
@@ -0,0 +1,40 @@
+From 731f18bde9fcd4de97b7aee93d7d43528b7a2c5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 5edad6a5a112..6d811f67934e 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..d545dbb
--- /dev/null
@@ -0,0 +1,58 @@
+From 51e5b3b22d912bc21be72c972eb87bff97b3b72d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 94c34ba103ea..edd1457a99b2 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2650,14 +2650,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..c9d41aa
--- /dev/null
@@ -0,0 +1,45 @@
+From 7efc35b3e84696297b046a10a42c04327521b040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index c03475b9fa28..69eb6408ce86 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -777,7 +777,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
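Review bot: With the condition now testing `creq_db->reg.bar_base`, the check in bnxt_qplib_map_creq_db() can actually fire, but in the visible lines it only calls dev_err() and carries on, so an unassigned BAR would still pass a base of 0 to whatever mapping follows. The rest of the function is outside the hunk, so confirm there whether a later step rejects this case. If none does, give the `if` a braced body that returns an error such as `return -ENODEV;` right after the log. The message string also lacks a trailing newline: `"QPLIB: CREQ BAR region %d resc start is 0!\n"`.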
diff --git a/queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..c9e71f8
--- /dev/null
@@ -0,0 +1,50 @@
+From 88a945f53d28a0c610eb1d6b0ebbbf7a8f5851ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 4962d68bf217..5edad6a5a112 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..6ddbe4e
--- /dev/null
@@ -0,0 +1,39 @@
+From df136f01d73226b3de870fc03664da9079aaa6fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 97a116960f31..d0c8ad45f3c2 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -732,7 +732,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-efa-remove-possible-negative-shift.patch b/queue-6.1/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..3971179
--- /dev/null
@@ -0,0 +1,47 @@
+From 7d4979950db216d4deef88415e7d7a8f21ae461a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 90d5f1a96f3e..a22ddb2088f6 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1214,13 +1214,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
new file mode 100644 (file)
index 0000000..b714d40
--- /dev/null
@@ -0,0 +1,83 @@
+From eced0ef7173df1b639930dab23b5a2e518d00ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:31:50 +0100
+Subject: RDMA/irdma: avoid invalid read in irdma_net_event
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
+
+irdma_net_event() should not dereference anything from "neigh" (alias
+"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
+Other events come with different structures pointed to by "ptr" and they
+may be smaller than struct neighbour.
+
+Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
+
+The bug is mostly harmless, but it triggers KASAN on debug kernels:
+
+ BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
+ Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
+
+ CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
+ Hardware name: [...]
+ Workqueue: events rt6_probe_deferred
+ Call Trace:
+  <IRQ>
+  dump_stack_lvl+0x60/0xb0
+  print_address_description.constprop.0+0x2c/0x3f0
+  print_report+0xb4/0x270
+  kasan_report+0x92/0xc0
+  irdma_net_event+0x32e/0x3b0 [irdma]
+  notifier_call_chain+0x9e/0x180
+  atomic_notifier_call_chain+0x5c/0x110
+  rt6_do_redirect+0xb91/0x1080
+  tcp_v6_err+0xe9b/0x13e0
+  icmpv6_notify+0x2b2/0x630
+  ndisc_redirect_rcv+0x328/0x530
+  icmpv6_rcv+0xc16/0x1360
+  ip6_protocol_deliver_rcu+0xb84/0x12e0
+  ip6_input_finish+0x117/0x240
+  ip6_input+0xc4/0x370
+  ipv6_rcv+0x420/0x7d0
+  __netif_receive_skb_one_core+0x118/0x1b0
+  process_backlog+0xd1/0x5d0
+  __napi_poll.constprop.0+0xa3/0x440
+  net_rx_action+0x78a/0xba0
+  handle_softirqs+0x2d4/0x9c0
+  do_softirq+0xad/0xe0
+  </IRQ>
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 8c7617776e58..d236e4a27ca9 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+                   void *ptr)
+ {
+       struct neighbour *neigh = ptr;
+-      struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
++      struct net_device *real_dev, *netdev;
+       struct irdma_device *iwdev;
+       struct ib_device *ibdev;
+       __be32 *p;
+@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+       switch (event) {
+       case NETEVENT_NEIGH_UPDATE:
++              netdev = neigh->dev;
+               real_dev = rdma_vlan_dev_real_dev(netdev);
+               if (!real_dev)
+                       real_dev = netdev;
+-- 
+2.51.0
+
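Review bot: `struct neighbour *neigh = ptr;` in irdma_net_event() still types the notifier payload as a neighbour before the event is known, and nothing in the new code records that this is only valid inside the NETEVENT_NEIGH_UPDATE case. A short comment above the declaration would help keep the out-of-bounds read from coming back, e.g. `/* ptr is a struct neighbour only for NETEVENT_NEIGH_UPDATE; do not dereference it before the switch */`. `netdev` is now unassigned for every other event, and the remaining cases are outside the hunk, so confirm none of them reads it.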
diff --git a/queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
new file mode 100644 (file)
index 0000000..a4bb9fa
--- /dev/null
@@ -0,0 +1,40 @@
+From 8086c614ba71db3d90a0fd550c365671812fdb32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 10:56:17 +0800
+Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
+
+From: Honggang LI <honggangli@163.com>
+
+[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
+
+If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
+are zero, the `min3` function will set clt_path::max_pages_per_mr to
+zero.
+
+`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
+to `ib_alloc_mr`.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index dac8ddfc89e7..7c81452d73cf 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1465,6 +1465,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
+       mr_page_shift      = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
+       max_pages_per_mr   = ib_dev->attrs.max_mr_size;
+       do_div(max_pages_per_mr, (1ull << mr_page_shift));
++      max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
+       clt_path->max_pages_per_mr =
+               min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
+                    ib_dev->attrs.max_fast_reg_page_list_len);
+-- 
+2.51.0
+
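Review bot: In query_fast_reg_mode() the added `min_not_zero((u32)max_pages_per_mr, U32_MAX)` casts to u32 before clamping, so it only repairs the case where the low 32 bits are exactly zero. A quotient above 2^32 with non-zero low bits still truncates to a small page count, and a genuinely zero quotient (max_mr_size smaller than one MR page) is turned into U32_MAX. max_pages_per_mr appears to be 64-bit here, since it is passed to do_div(), so clamping before the cast handles the oversized case: `max_pages_per_mr = min_t(u64, max_pages_per_mr, U32_MAX);`. The zero case would then need its own explicit check. The function body continues outside the hunk.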
diff --git a/queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch b/queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch
new file mode 100644 (file)
index 0000000..9697ca4
--- /dev/null
@@ -0,0 +1,95 @@
+From b26b0ca07ed85ce9ce7bb50da2346ad8518d9ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 14:44:47 +0100
+Subject: sched/isolation: add cpu_is_isolated() API
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit a85c2257a8ac353af16dbcbf32c50d3380860bc5 ]
+
+Patch series "memcg, cpuisol: do not interfere pcp cache charges draining
+with cpuisol workloads".
+
+Leonardo has reported [1] that pcp memcg charge draining can interfere
+with cpu isolated workloads.  The said draining is done from a WQ context
+with a pcp worker scheduled on each CPU which holds any cached charges for
+a specific memcg hierarchy.  Operation is not really a common operation
+[2].  It can be triggered from the userspace though so some care is
+definitely due.
+
+Leonardo has tried to address the issue by allowing remote charge draining
+[3].  This approach requires an additional locking to synchronize pcp
+caches sync from a remote cpu from local pcp consumers.  Even though the
+proposed lock was per-cpu there is still potential for contention and less
+predictable behavior.
+
+This patchset addresses the issue from a different angle.  Rather than
+dealing with a potential synchronization, cpus which are isolated are
+simply never scheduled to be drained.  This means that a small amount of
+charges could be laying around and waiting for a later use or they are
+flushed when a different memcg is charged from the same cpu.  More details
+are in patch 2.  The first patch from Frederic is implementing an
+abstraction to tell whether a specific cpu has been isolated and therefore
+require a special treatment.
+
+This patch (of 2):
+
+Provide this new API to check if a CPU has been isolated either through
+isolcpus= or nohz_full= kernel parameter.
+
+It aims at avoiding kernel load deemed to be safely spared on CPUs running
+sensitive workload that can't bear any disturbance, such as pcp cache
+draining.
+
+Link: https://lkml.kernel.org/r/20230317134448.11082-1-mhocko@kernel.org
+Link: https://lkml.kernel.org/r/20230317134448.11082-2-mhocko@kernel.org
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Suggested-by: Michal Hocko <mhocko@suse.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Marcelo Tosatti <mtosatti@redhat.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Leonardo Bras <leobras@redhat.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/isolation.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/include/linux/sched/isolation.h b/include/linux/sched/isolation.h
+index 8c15abd67aed..fe1a46f30d24 100644
+--- a/include/linux/sched/isolation.h
++++ b/include/linux/sched/isolation.h
+@@ -46,6 +46,12 @@ static inline bool housekeeping_enabled(enum hk_type type)
+ static inline void housekeeping_affine(struct task_struct *t,
+                                      enum hk_type type) { }
++
++static inline bool housekeeping_test_cpu(int cpu, enum hk_type type)
++{
++      return true;
++}
++
+ static inline void housekeeping_init(void) { }
+ #endif /* CONFIG_CPU_ISOLATION */
+@@ -58,4 +64,10 @@ static inline bool housekeeping_cpu(int cpu, enum hk_type type)
+       return true;
+ }
++static inline bool cpu_is_isolated(int cpu)
++{
++      return !housekeeping_test_cpu(cpu, HK_TYPE_DOMAIN) ||
++               !housekeeping_test_cpu(cpu, HK_TYPE_TICK);
++}
++
+ #endif /* _LINUX_SCHED_ISOLATION_H */
+-- 
+2.51.0
+
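Review bot: cpu_is_isolated() is added to include/linux/sched/isolation.h as a new API with no comment saying what "isolated" means. Only the commit text (isolcpus= or nohz_full=) ties it to HK_TYPE_DOMAIN and HK_TYPE_TICK. A short kernel-doc block above the function would make the contract visible to callers. It should say that the function returns true when the CPU fails housekeeping_test_cpu() for either type, and that with the stub housekeeping_test_cpu() added in the first hunk (which returns true) the result is always false. The continuation line `!housekeeping_test_cpu(cpu, HK_TYPE_TICK);` would also read better aligned under the first operand.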
diff --git a/queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..e30f31b
--- /dev/null
@@ -0,0 +1,93 @@
+From e7616533164df6299c1a78a576fb88c7ac951ab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
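Review bot: The same sed expression is pasted on both the csum1 and csum2 lines, so a later tweak to one copy would make the two checksums differ for reasons unrelated to tracing. A small helper keeps them in step and drops the extra cat: `csum_trace() { sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' trace | md5sum; }`, then `csum1=$(csum_trace)` and `csum2=$(csum_trace)`. md5sum is used here only to detect that the file changed, which is adequate for that purpose.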
diff --git a/queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
new file mode 100644 (file)
index 0000000..c356491
--- /dev/null
@@ -0,0 +1,97 @@
+From 918046859d11369e146c1f1661ee0565567522fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 12:06:41 -0500
+Subject: selftests: net: fix "buffer overflow detected" for tap.c
+
+From: Alice C. Munduruca <alice.munduruca@canonical.com>
+
+[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
+
+When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
+the strcpy() in rtattr_add_strsz() is replaced with a checked
+version which causes the test to consistently fail when compiled
+with toolchains for which this option is enabled by default.
+
+ TAP version 13
+ 1..3
+ # Starting 3 tests from 1 test cases.
+ #  RUN           tap.test_packet_valid_udp_gso ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_gso: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_gso
+ not ok 1 tap.test_packet_valid_udp_gso
+ #  RUN           tap.test_packet_valid_udp_csum ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_csum: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_csum
+ not ok 2 tap.test_packet_valid_udp_csum
+ #  RUN           tap.test_packet_crash_tap_invalid_eth_proto ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
+ #          FAIL  tap.test_packet_crash_tap_invalid_eth_proto
+ not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
+ # FAILED: 0 / 3 tests passed.
+ # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
+
+A buffer overflow is detected by the fortified glibc __strcpy_chk()
+since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
+reported as 1, even though there is ample space in its bounding
+buffer `req`.
+
+Additionally, given that IFLA_IFNAME also expects a null-terminated
+string, callers of rtaddr_add_str{,sz}() could simply use the
+rtaddr_add_strsz() variant. (which has been renamed to remove the
+trailing `sz`) memset() has been used for this function since it
+is unchecked and thus circumvents the issue discussed in the
+previous paragraph.
+
+Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
+Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tap.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
+index 247c3b3ac1c9..51a209014f1c 100644
+--- a/tools/testing/selftests/net/tap.c
++++ b/tools/testing/selftests/net/tap.c
+@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
+ static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
+                                    const char *s)
+ {
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s));
++      unsigned int strsz = strlen(s) + 1;
++      struct rtattr *rta;
+-      memcpy(RTA_DATA(rta), s, strlen(s));
+-      return rta;
+-}
+-
+-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
+-                                     const char *s)
+-{
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
++      rta = rtattr_add(nh, type, strsz);
+-      strcpy(RTA_DATA(rta), s);
++      memcpy(RTA_DATA(rta), s, strsz);
+       return rta;
+ }
+@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
+       link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
+-      rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
++      rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
+       if (fill_info_data) {
+               info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
+-- 
+2.51.0
+
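Review bot: rtattr_add_str() now copies with memcpy() because the fortified strcpy() misjudges the size of `RTA_DATA(rta)`, but the new code has no comment saying so, and a later cleanup could switch it back. I would add above the copy: `/* memcpy, not strcpy: with _FORTIFY_SOURCE the object size of RTA_DATA(rta) is reported as 1 */`. `strsz` also narrows the size_t from strlen() to unsigned int. Whether rtattr_add() checks the length against the space left in the request buffer is not visible in this hunk and is worth confirming, since callers of the old rtattr_add_str() now write one more byte.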
index 6e44219806813826b342b63b0c99badbe420548c..aaa2b023ffb60f84f54845d614c5b6b97f62dc23 100644 (file)
@@ -385,3 +385,58 @@ i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch
 hwmon-max16065-use-local-variable-to-avoid-toctou.patch
 hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
 hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
+wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
+cfg80211-update-transition-disable-policy-during-por.patch
+wifi-mac80211-mlme-handle-eht-channel-puncturing.patch
+wifi-cfg80211-move-puncturing-bitmap-validation-from.patch
+wifi-nl80211-validate-and-configure-puncturing-bitma.patch
+wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch
+wifi-mac80211-generate-ema-beacons-in-ap-mode.patch
+cfg80211-support-rnr-for-ema-ap.patch
+mac80211-support-rnr-for-ema-ap.patch
+wifi-mac80211-do-not-use-old-mbssid-elements.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+i40e-refactor-argument-of-several-client-notificatio.patch
+i40e-refactor-argument-of-i40e_detect_recover_hung.patch
+i40e-validate-ring_len-parameter-against-hardware-sp.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
+smc91x-fix-broken-irq-context-in-preempt_rt.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+net-usb-asix-validate-phy-address-before-use.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+net-stmmac-power-up-serdes-after-the-phy-link.patch
+net-stmmac-remove-some-unnecessary-void-pointers.patch
+net-stmmac-pass-stmmac_priv-in-some-callbacks.patch
+net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch
+net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch
+net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch
+net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch
+net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+sched-isolation-add-cpu_is_isolated-api.patch
+blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch
+blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch
new file mode 100644 (file)
index 0000000..03d0020
--- /dev/null
@@ -0,0 +1,72 @@
+From 8e704f3fd97768b59c87bdba9d520a5ea00d9f1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 08:51:15 +0000
+Subject: smc91x: fix broken irq-context in PREEMPT_RT
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
+
+When smc91x.c is built with PREEMPT_RT, the following splat occurs
+in FVP_RevC:
+
+[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
+[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
+[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
+[   13.062266] C
+** replaying previous printk message **
+[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
+[   13.062353] Hardware name:  , BIOS
+[   13.062382] Workqueue: mld mld_ifc_work
+[   13.062469] Call trace:
+[   13.062494]  show_stack+0x24/0x40 (C)
+[   13.062602]  __dump_stack+0x28/0x48
+[   13.062710]  dump_stack_lvl+0x7c/0xb0
+[   13.062818]  dump_stack+0x18/0x34
+[   13.062926]  process_scheduled_works+0x294/0x450
+[   13.063043]  worker_thread+0x260/0x3d8
+[   13.063124]  kthread+0x1c4/0x228
+[   13.063235]  ret_from_fork+0x10/0x20
+
+This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
+but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
+The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
+and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
+rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
+
+To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
+
+Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc91x.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index 35e99bf0c401..b4da1e5af753 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -515,15 +515,7 @@ static inline void  smc_rcv(struct net_device *dev)
+  * any other concurrent access and C would always interrupt B. But life
+  * isn't that easy in a SMP world...
+  */
+-#define smc_special_trylock(lock, flags)                              \
+-({                                                                    \
+-      int __ret;                                                      \
+-      local_irq_save(flags);                                          \
+-      __ret = spin_trylock(lock);                                     \
+-      if (!__ret)                                                     \
+-              local_irq_restore(flags);                               \
+-      __ret;                                                          \
+-})
++#define smc_special_trylock(lock, flags)      spin_trylock_irqsave(lock, flags)
+ #define smc_special_lock(lock, flags)         spin_lock_irqsave(lock, flags)
+ #define smc_special_unlock(lock, flags)       spin_unlock_irqrestore(lock, flags)
+ #else
+-- 
+2.51.0
+
diff --git a/queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..59fc660
--- /dev/null
@@ -0,0 +1,101 @@
+From 183e2706bd728ea42633351100affb66794b57ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index c2327fa10747..e315a1d3a9e9 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
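Review bot: The corrected guard in team_queue_override_port_prio_changed() relies on an invariant that is stated only in the commit message, not in the code: a port is linked on a qom_list only while it is enabled and has a non-zero queue_id. The trace in the description shows this function is reached from a netlink option set, so a future edit that flips the condition again would bring back the list_del corruption on a path that userspace can reach. A short comment above the test would pin the invariant, for example `/* Only an enabled port with a queue_id is on a qom_list; a disabled one was already unlinked by team_port_disable(). */`. The same wording would fit any sibling helpers that call `__team_queue_override_port_del()`, which are outside this hunk.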
diff --git a/queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch b/queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch
new file mode 100644 (file)
index 0000000..7620e38
--- /dev/null
@@ -0,0 +1,233 @@
+From 5c7d856063ef5d5bc59d6c11e67c9e4c991a9249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:12:24 -0800
+Subject: wifi: cfg80211: move puncturing bitmap validation from mac80211
+
+From: Aloka Dixit <quic_alokad@quicinc.com>
+
+[ Upstream commit b25413fed3d43e1ed3340df4d928971bb8639f66 ]
+
+- Move ieee80211_valid_disable_subchannel_bitmap() from mlme.c to
+  chan.c, rename it as cfg80211_valid_disable_subchannel_bitmap()
+  and export it.
+- Modify the prototype to include struct cfg80211_chan_def instead
+  of only bandwidth to support a check which returns false if the
+  primary channel is punctured.
+
+Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
+Link: https://lore.kernel.org/r/20230131001227.25014-2-quic_alokad@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h | 12 +++++++
+ net/mac80211/mlme.c    | 73 ++++--------------------------------------
+ net/wireless/chan.c    | 69 +++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 87 insertions(+), 67 deletions(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index d15033420ca3..bf79788f1c5d 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -9056,4 +9056,16 @@ static inline int cfg80211_color_change_notify(struct net_device *dev)
+                                        0, 0);
+ }
++/**
++ * cfg80211_valid_disable_subchannel_bitmap - validate puncturing bitmap
++ * @bitmap: bitmap to be validated
++ * @chandef: channel definition
++ *
++ * Validate the puncturing bitmap.
++ *
++ * Return: %true if the bitmap is valid. %false otherwise.
++ */
++bool cfg80211_valid_disable_subchannel_bitmap(u16 *bitmap,
++                                            const struct cfg80211_chan_def *chandef);
++
+ #endif /* __NET_CFG80211_H */
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 25483596f22e..1fb41e5cc577 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -88,67 +88,6 @@ MODULE_PARM_DESC(probe_wait_ms,
+  */
+ #define IEEE80211_SIGNAL_AVE_MIN_COUNT        4
+-struct ieee80211_per_bw_puncturing_values {
+-      u8 len;
+-      const u16 *valid_values;
+-};
+-
+-static const u16 puncturing_values_80mhz[] = {
+-      0x8, 0x4, 0x2, 0x1
+-};
+-
+-static const u16 puncturing_values_160mhz[] = {
+-       0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3
+-};
+-
+-static const u16 puncturing_values_320mhz[] = {
+-      0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00,
+-      0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f,
+-      0x300f, 0xc0f, 0x30f, 0xcf, 0x3f
+-};
+-
+-#define IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \
+-      { \
+-              .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \
+-              .valid_values = puncturing_values_ ## _bw ## mhz \
+-      }
+-
+-static const struct ieee80211_per_bw_puncturing_values per_bw_puncturing[] = {
+-      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(80),
+-      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(160),
+-      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(320)
+-};
+-
+-static bool ieee80211_valid_disable_subchannel_bitmap(u16 *bitmap,
+-                                                    enum nl80211_chan_width bw)
+-{
+-      u32 idx, i;
+-
+-      switch (bw) {
+-      case NL80211_CHAN_WIDTH_80:
+-              idx = 0;
+-              break;
+-      case NL80211_CHAN_WIDTH_160:
+-              idx = 1;
+-              break;
+-      case NL80211_CHAN_WIDTH_320:
+-              idx = 2;
+-              break;
+-      default:
+-              *bitmap = 0;
+-              break;
+-      }
+-
+-      if (!*bitmap)
+-              return true;
+-
+-      for (i = 0; i < per_bw_puncturing[idx].len; i++)
+-              if (per_bw_puncturing[idx].valid_values[i] == *bitmap)
+-                      return true;
+-
+-      return false;
+-}
+-
+ /*
+  * Extract from the given disabled subchannel bitmap (raw format
+  * from the EHT Operation Element) the bits for the subchannel
+@@ -206,8 +145,8 @@ ieee80211_handle_puncturing_bitmap(struct ieee80211_link_data *link,
+                       ieee80211_extract_dis_subch_bmap(eht_oper, chandef,
+                                                        bitmap);
+-              if (ieee80211_valid_disable_subchannel_bitmap(&bitmap,
+-                                                            chandef->width))
++              if (cfg80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                           chandef))
+                       break;
+               link->u.mgd.conn_flags |=
+                       ieee80211_chandef_downgrade(chandef);
+@@ -5621,8 +5560,8 @@ static bool ieee80211_config_puncturing(struct ieee80211_link_data *link,
+           extracted == link->conf->eht_puncturing)
+               return true;
+-      if (!ieee80211_valid_disable_subchannel_bitmap(&bitmap,
+-                                                     link->conf->chandef.width)) {
++      if (!cfg80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                    &link->conf->chandef)) {
+               link_info(link,
+                         "Got an invalid disable subchannel bitmap from AP %pM: bitmap = 0x%x, bw = 0x%x. disconnect\n",
+                         link->u.mgd.bssid,
+@@ -7110,8 +7049,8 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
+                       u16 bitmap;
+                       bitmap = get_unaligned_le16(disable_subchannel_bitmap);
+-                      if (ieee80211_valid_disable_subchannel_bitmap(&bitmap,
+-                                                                    link->conf->chandef.width))
++                      if (cfg80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                                   &link->conf->chandef))
+                               ieee80211_handle_puncturing_bitmap(link,
+                                                                  eht_oper,
+                                                                  bitmap,
+diff --git a/net/wireless/chan.c b/net/wireless/chan.c
+index 0e5835cd8c61..0b7e81db383d 100644
+--- a/net/wireless/chan.c
++++ b/net/wireless/chan.c
+@@ -1460,3 +1460,72 @@ struct cfg80211_chan_def *wdev_chandef(struct wireless_dev *wdev,
+       }
+ }
+ EXPORT_SYMBOL(wdev_chandef);
++
++struct cfg80211_per_bw_puncturing_values {
++      u8 len;
++      const u16 *valid_values;
++};
++
++static const u16 puncturing_values_80mhz[] = {
++      0x8, 0x4, 0x2, 0x1
++};
++
++static const u16 puncturing_values_160mhz[] = {
++       0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3
++};
++
++static const u16 puncturing_values_320mhz[] = {
++      0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00,
++      0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f,
++      0x300f, 0xc0f, 0x30f, 0xcf, 0x3f
++};
++
++#define CFG80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \
++      { \
++              .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \
++              .valid_values = puncturing_values_ ## _bw ## mhz \
++      }
++
++static const struct cfg80211_per_bw_puncturing_values per_bw_puncturing[] = {
++      CFG80211_PER_BW_VALID_PUNCTURING_VALUES(80),
++      CFG80211_PER_BW_VALID_PUNCTURING_VALUES(160),
++      CFG80211_PER_BW_VALID_PUNCTURING_VALUES(320)
++};
++
++bool cfg80211_valid_disable_subchannel_bitmap(u16 *bitmap,
++                                            const struct cfg80211_chan_def *chandef)
++{
++      u32 idx, i, start_freq;
++
++      switch (chandef->width) {
++      case NL80211_CHAN_WIDTH_80:
++              idx = 0;
++              start_freq = chandef->center_freq1 - 40;
++              break;
++      case NL80211_CHAN_WIDTH_160:
++              idx = 1;
++              start_freq = chandef->center_freq1 - 80;
++              break;
++      case NL80211_CHAN_WIDTH_320:
++              idx = 2;
++              start_freq = chandef->center_freq1 - 160;
++              break;
++      default:
++              *bitmap = 0;
++              break;
++      }
++
++      if (!*bitmap)
++              return true;
++
++      /* check if primary channel is punctured */
++      if (*bitmap & (u16)BIT((chandef->chan->center_freq - start_freq) / 20))
++              return false;
++
++      for (i = 0; i < per_bw_puncturing[idx].len; i++)
++              if (per_bw_puncturing[idx].valid_values[i] == *bitmap)
++                      return true;
++
++      return false;
++}
++EXPORT_SYMBOL(cfg80211_valid_disable_subchannel_bitmap);
+-- 
+2.51.0
+
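Review bot: In cfg80211_valid_disable_subchannel_bitmap() (net/wireless/chan.c) the primary-channel test uses `(chandef->chan->center_freq - start_freq) / 20` as a shift count without checking its range. The arithmetic is done in u32, so if a caller passes a chandef whose primary channel lies below the computed start frequency, the subtraction wraps and `BIT()` gets a count larger than the word size, which is undefined behaviour. Whether every caller validates the chandef first is not visible in this patch. Computing the index once and rejecting it, with `u32 pri = (chandef->chan->center_freq - start_freq) / 20;` followed by `if (pri >= 16 || (*bitmap & BIT(pri))) return false;`, keeps the newly exported helper safe on its own. The kernel-doc added in include/net/cfg80211.h should also say that `*bitmap` is cleared for widths other than 80/160/320 MHz, because the function writes through the pointer in its `default` case.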
diff --git a/queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
new file mode 100644 (file)
index 0000000..8888a2c
--- /dev/null
@@ -0,0 +1,38 @@
+From 6b61dbb58c21e501b1858fbfc20b82b985332015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Dec 2025 14:14:47 +0300
+Subject: wifi: cfg80211: sme: store capped length in
+ __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
+
+The QGenie AI code review tool says we should store the capped length to
+wdev->u.client.ssid_len.  The AI is correct.
+
+Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index ed16e852133e..26106802b17b 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -896,7 +896,7 @@ void __cfg80211_connect_result(struct net_device *dev,
+                       ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+                       memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+-                      wdev->u.client.ssid_len = ssid->datalen;
++                      wdev->u.client.ssid_len = ssid_len;
+                       break;
+               }
+               rcu_read_unlock();
+-- 
+2.51.0
+
diff --git a/queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch
new file mode 100644 (file)
index 0000000..df87ae8
--- /dev/null
@@ -0,0 +1,68 @@
+From 975399347ab2523563e4fe3dd7bdc66cf311303a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 09:46:56 -0800
+Subject: wifi: mac80211: do not use old MBSSID elements
+
+From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+
+[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
+
+When userspace brings down and deletes a non-transmitted profile,
+it is expected to send a new updated Beacon template for the
+transmitted profile of that multiple BSSID (MBSSID) group which
+does not include the removed profile in MBSSID element. This
+update comes via NL80211_CMD_SET_BEACON.
+
+Such updates work well as long as the group continues to have at
+least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
+is included in the new Beacon template.
+
+But when the last non-trasmitted profile is removed, it still
+gets included in Beacon templates sent to driver. This happens
+because when no MBSSID elements are sent by the userspace,
+ieee80211_assign_beacon() ends up using the element stored from
+earlier Beacon template.
+
+Do not copy old MBSSID elements, instead userspace should always
+include these when applicable.
+
+Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
+Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a25d647c1c4b..0d5ddd3d2c5f 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1139,7 +1139,6 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       size = sizeof(*new) + new_head_len + new_tail_len;
+-      /* new or old multiple BSSID elements? */
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+@@ -1149,15 +1148,6 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+               }
+               size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+                                                       mbssid->cnt);
+-      } else if (old && old->mbssid_ies) {
+-              mbssid = old->mbssid_ies;
+-              size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              if (old && old->rnr_ies) {
+-                      rnr = old->rnr_ies;
+-                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
+-              }
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+-                                                      mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+-- 
+2.51.0
+
diff --git a/queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch b/queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch
new file mode 100644 (file)
index 0000000..811b98e
--- /dev/null
@@ -0,0 +1,389 @@
+From ad41fc40c94996782f18c49bc3eebc84b158ce00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 16:50:37 -0800
+Subject: wifi: mac80211: generate EMA beacons in AP mode
+
+From: Aloka Dixit <quic_alokad@quicinc.com>
+
+[ Upstream commit bd54f3c29077f23dad92ef82a78061b40be30c65 ]
+
+Add APIs to generate an array of beacons for an EMA AP (enhanced
+multiple BSSID advertisements), each including a single MBSSID element.
+EMA profile periodicity equals the count of elements.
+
+- ieee80211_beacon_get_template_ema_list() - Generate and return all
+EMA beacon templates. Drivers must call ieee80211_beacon_free_ema_list()
+to free the memory. No change in the prototype for the existing API,
+ieee80211_beacon_get_template(), which should be used for non-EMA AP.
+
+- ieee80211_beacon_get_template_ema_index() - Generate a beacon which
+includes the multiple BSSID element at the given index. Drivers can use
+this function in a loop until NULL is returned which indicates end of
+available MBSSID elements.
+
+- ieee80211_beacon_free_ema_list() - free the memory allocated for the
+list of EMA beacon templates.
+
+Modify existing functions ieee80211_beacon_get_ap(),
+ieee80211_get_mbssid_beacon_len() and ieee80211_beacon_add_mbssid()
+to accept a new parameter for EMA index.
+
+Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
+Co-developed-by: John Crispin <john@phrozen.org>
+Signed-off-by: John Crispin <john@phrozen.org>
+Link: https://lore.kernel.org/r/20221206005040.3177-2-quic_alokad@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h     |  68 +++++++++++++++++++
+ net/mac80211/cfg.c         |  11 +--
+ net/mac80211/ieee80211_i.h |  10 ++-
+ net/mac80211/tx.c          | 134 ++++++++++++++++++++++++++++++++++---
+ 4 files changed, 205 insertions(+), 18 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index b2f0a2cf5f38..62e0847d3793 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -5222,6 +5222,74 @@ ieee80211_beacon_get_template(struct ieee80211_hw *hw,
+                             struct ieee80211_mutable_offsets *offs,
+                             unsigned int link_id);
++/**
++ * ieee80211_beacon_get_template_ema_index - EMA beacon template generation
++ * @hw: pointer obtained from ieee80211_alloc_hw().
++ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
++ * @offs: &struct ieee80211_mutable_offsets pointer to struct that will
++ *    receive the offsets that may be updated by the driver.
++ * @link_id: the link id to which the beacon belongs (or 0 for a non-MLD AP).
++ * @ema_index: index of the beacon in the EMA set.
++ *
++ * This function follows the same rules as ieee80211_beacon_get_template()
++ * but returns a beacon template which includes multiple BSSID element at the
++ * requested index.
++ *
++ * Return: The beacon template. %NULL indicates the end of EMA templates.
++ */
++struct sk_buff *
++ieee80211_beacon_get_template_ema_index(struct ieee80211_hw *hw,
++                                      struct ieee80211_vif *vif,
++                                      struct ieee80211_mutable_offsets *offs,
++                                      unsigned int link_id, u8 ema_index);
++
++/**
++ * struct ieee80211_ema_beacons - List of EMA beacons
++ * @cnt: count of EMA beacons.
++ *
++ * @bcn: array of EMA beacons.
++ * @bcn.skb: the skb containing this specific beacon
++ * @bcn.offs: &struct ieee80211_mutable_offsets pointer to struct that will
++ *    receive the offsets that may be updated by the driver.
++ */
++struct ieee80211_ema_beacons {
++      u8 cnt;
++      struct {
++              struct sk_buff *skb;
++              struct ieee80211_mutable_offsets offs;
++      } bcn[];
++};
++
++/**
++ * ieee80211_beacon_get_template_ema_list - EMA beacon template generation
++ * @hw: pointer obtained from ieee80211_alloc_hw().
++ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
++ * @link_id: the link id to which the beacon belongs (or 0 for a non-MLD AP)
++ *
++ * This function follows the same rules as ieee80211_beacon_get_template()
++ * but allocates and returns a pointer to list of all beacon templates required
++ * to cover all profiles in the multiple BSSID set. Each template includes only
++ * one multiple BSSID element.
++ *
++ * Driver must call ieee80211_beacon_free_ema_list() to free the memory.
++ *
++ * Return: EMA beacon templates of type struct ieee80211_ema_beacons *.
++ *    %NULL on error.
++ */
++struct ieee80211_ema_beacons *
++ieee80211_beacon_get_template_ema_list(struct ieee80211_hw *hw,
++                                     struct ieee80211_vif *vif,
++                                     unsigned int link_id);
++
++/**
++ * ieee80211_beacon_free_ema_list - free an EMA beacon template list
++ * @ema_beacons: list of EMA beacons of type &struct ieee80211_ema_beacons pointers.
++ *
++ * This function will free a list previously acquired by calling
++ * ieee80211_beacon_get_template_ema_list()
++ */
++void ieee80211_beacon_free_ema_list(struct ieee80211_ema_beacons *ema_beacons);
++
+ /**
+  * ieee80211_beacon_get_tim - beacon generation function
+  * @hw: pointer obtained from ieee80211_alloc_hw().
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 2e99207bf0c7..72dd534492bf 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1125,11 +1125,11 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              size += ieee80211_get_mbssid_beacon_len(mbssid);
++              size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt);
+       } else if (old && old->mbssid_ies) {
+               mbssid = old->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              size += ieee80211_get_mbssid_beacon_len(mbssid);
++              size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+@@ -3356,8 +3356,11 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
+       len = beacon->head_len + beacon->tail_len + beacon->beacon_ies_len +
+             beacon->proberesp_ies_len + beacon->assocresp_ies_len +
+-            beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len +
+-            ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies);
++            beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len;
++
++      if (beacon->mbssid_ies)
++              len += ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies,
++                                                     beacon->mbssid_ies->cnt);
+       new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL);
+       if (!new_beacon)
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index a82392314778..d08aa09002df 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1165,13 +1165,17 @@ ieee80211_vif_get_shift(struct ieee80211_vif *vif)
+ }
+ static inline int
+-ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems)
++ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems, u8 i)
+ {
+-      int i, len = 0;
++      int len = 0;
+-      if (!elems)
++      if (!elems || !elems->cnt || i > elems->cnt)
+               return 0;
++      if (i < elems->cnt)
++              return elems->elem[i].len;
++
++      /* i == elems->cnt, calculate total length of all MBSSID elements */
+       for (i = 0; i < elems->cnt; i++)
+               len += elems->elem[i].len;
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index e6cf5ab928a6..854bad6fbe19 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -5139,13 +5139,20 @@ ieee80211_beacon_get_finish(struct ieee80211_hw *hw,
+ }
+ static void
+-ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon)
++ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon,
++                          u8 i)
+ {
+-      int i;
++      if (!beacon->mbssid_ies || !beacon->mbssid_ies->cnt ||
++          i > beacon->mbssid_ies->cnt)
++              return;
+-      if (!beacon->mbssid_ies)
++      if (i < beacon->mbssid_ies->cnt) {
++              skb_put_data(skb, beacon->mbssid_ies->elem[i].data,
++                           beacon->mbssid_ies->elem[i].len);
+               return;
++      }
++      /* i == beacon->mbssid_ies->cnt, include all MBSSID elements */
+       for (i = 0; i < beacon->mbssid_ies->cnt; i++)
+               skb_put_data(skb, beacon->mbssid_ies->elem[i].data,
+                            beacon->mbssid_ies->elem[i].len);
+@@ -5158,7 +5165,8 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw,
+                       struct ieee80211_mutable_offsets *offs,
+                       bool is_template,
+                       struct beacon_data *beacon,
+-                      struct ieee80211_chanctx_conf *chanctx_conf)
++                      struct ieee80211_chanctx_conf *chanctx_conf,
++                      u8 ema_index)
+ {
+       struct ieee80211_local *local = hw_to_local(hw);
+       struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+@@ -5177,7 +5185,9 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw,
+       /* headroom, head length,
+        * tail length, maximum TIM length and multiple BSSID length
+        */
+-      mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies);
++      mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies,
++                                                   ema_index);
++
+       skb = dev_alloc_skb(local->tx_headroom + beacon->head_len +
+                           beacon->tail_len + 256 +
+                           local->hw.extra_beacon_tailroom + mbssid_len);
+@@ -5195,7 +5205,7 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw,
+               offs->cntdwn_counter_offs[0] = beacon->cntdwn_counter_offsets[0];
+               if (mbssid_len) {
+-                      ieee80211_beacon_add_mbssid(skb, beacon);
++                      ieee80211_beacon_add_mbssid(skb, beacon, ema_index);
+                       offs->mbssid_off = skb->len - mbssid_len;
+               }
+@@ -5216,12 +5226,51 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw,
+       return skb;
+ }
++static struct ieee80211_ema_beacons *
++ieee80211_beacon_get_ap_ema_list(struct ieee80211_hw *hw,
++                               struct ieee80211_vif *vif,
++                               struct ieee80211_link_data *link,
++                               struct ieee80211_mutable_offsets *offs,
++                               bool is_template, struct beacon_data *beacon,
++                               struct ieee80211_chanctx_conf *chanctx_conf)
++{
++      struct ieee80211_ema_beacons *ema = NULL;
++
++      if (!beacon->mbssid_ies || !beacon->mbssid_ies->cnt)
++              return NULL;
++
++      ema = kzalloc(struct_size(ema, bcn, beacon->mbssid_ies->cnt),
++                    GFP_ATOMIC);
++      if (!ema)
++              return NULL;
++
++      for (ema->cnt = 0; ema->cnt < beacon->mbssid_ies->cnt; ema->cnt++) {
++              ema->bcn[ema->cnt].skb =
++                      ieee80211_beacon_get_ap(hw, vif, link,
++                                              &ema->bcn[ema->cnt].offs,
++                                              is_template, beacon,
++                                              chanctx_conf, ema->cnt);
++              if (!ema->bcn[ema->cnt].skb)
++                      break;
++      }
++
++      if (ema->cnt == beacon->mbssid_ies->cnt)
++              return ema;
++
++      ieee80211_beacon_free_ema_list(ema);
++      return NULL;
++}
++
++#define IEEE80211_INCLUDE_ALL_MBSSID_ELEMS -1
++
+ static struct sk_buff *
+ __ieee80211_beacon_get(struct ieee80211_hw *hw,
+                      struct ieee80211_vif *vif,
+                      struct ieee80211_mutable_offsets *offs,
+                      bool is_template,
+-                     unsigned int link_id)
++                     unsigned int link_id,
++                     int ema_index,
++                     struct ieee80211_ema_beacons **ema_beacons)
+ {
+       struct ieee80211_local *local = hw_to_local(hw);
+       struct beacon_data *beacon = NULL;
+@@ -5250,8 +5299,29 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw,
+               if (!beacon)
+                       goto out;
+-              skb = ieee80211_beacon_get_ap(hw, vif, link, offs, is_template,
+-                                            beacon, chanctx_conf);
++              if (ema_beacons) {
++                      *ema_beacons =
++                              ieee80211_beacon_get_ap_ema_list(hw, vif, link,
++                                                               offs,
++                                                               is_template,
++                                                               beacon,
++                                                               chanctx_conf);
++              } else {
++                      if (beacon->mbssid_ies && beacon->mbssid_ies->cnt) {
++                              if (ema_index >= beacon->mbssid_ies->cnt)
++                                      goto out; /* End of MBSSID elements */
++
++                              if (ema_index <= IEEE80211_INCLUDE_ALL_MBSSID_ELEMS)
++                                      ema_index = beacon->mbssid_ies->cnt;
++                      } else {
++                              ema_index = 0;
++                      }
++
++                      skb = ieee80211_beacon_get_ap(hw, vif, link, offs,
++                                                    is_template, beacon,
++                                                    chanctx_conf,
++                                                    ema_index);
++              }
+       } else if (sdata->vif.type == NL80211_IFTYPE_ADHOC) {
+               struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
+               struct ieee80211_hdr *hdr;
+@@ -5339,10 +5409,50 @@ ieee80211_beacon_get_template(struct ieee80211_hw *hw,
+                             struct ieee80211_mutable_offsets *offs,
+                             unsigned int link_id)
+ {
+-      return __ieee80211_beacon_get(hw, vif, offs, true, link_id);
++      return __ieee80211_beacon_get(hw, vif, offs, true, link_id,
++                                    IEEE80211_INCLUDE_ALL_MBSSID_ELEMS, NULL);
+ }
+ EXPORT_SYMBOL(ieee80211_beacon_get_template);
++struct sk_buff *
++ieee80211_beacon_get_template_ema_index(struct ieee80211_hw *hw,
++                                      struct ieee80211_vif *vif,
++                                      struct ieee80211_mutable_offsets *offs,
++                                      unsigned int link_id, u8 ema_index)
++{
++      return __ieee80211_beacon_get(hw, vif, offs, true, link_id, ema_index,
++                                    NULL);
++}
++EXPORT_SYMBOL(ieee80211_beacon_get_template_ema_index);
++
++void ieee80211_beacon_free_ema_list(struct ieee80211_ema_beacons *ema_beacons)
++{
++      u8 i;
++
++      if (!ema_beacons)
++              return;
++
++      for (i = 0; i < ema_beacons->cnt; i++)
++              kfree_skb(ema_beacons->bcn[i].skb);
++
++      kfree(ema_beacons);
++}
++EXPORT_SYMBOL(ieee80211_beacon_free_ema_list);
++
++struct ieee80211_ema_beacons *
++ieee80211_beacon_get_template_ema_list(struct ieee80211_hw *hw,
++                                     struct ieee80211_vif *vif,
++                                     unsigned int link_id)
++{
++      struct ieee80211_ema_beacons *ema_beacons = NULL;
++
++      WARN_ON(__ieee80211_beacon_get(hw, vif, NULL, false, link_id, 0,
++                                     &ema_beacons));
++
++      return ema_beacons;
++}
++EXPORT_SYMBOL(ieee80211_beacon_get_template_ema_list);
++
+ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
+                                        struct ieee80211_vif *vif,
+                                        u16 *tim_offset, u16 *tim_length,
+@@ -5350,7 +5460,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
+ {
+       struct ieee80211_mutable_offsets offs = {};
+       struct sk_buff *bcn = __ieee80211_beacon_get(hw, vif, &offs, false,
+-                                                   link_id);
++                                                   link_id,
++                                                   IEEE80211_INCLUDE_ALL_MBSSID_ELEMS,
++                                                   NULL);
+       struct sk_buff *copy;
+       int shift;
+-- 
+2.51.0
+
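Review bot: ieee80211_beacon_get_template_ema_list() in the tx.c part calls `__ieee80211_beacon_get(hw, vif, NULL, false, link_id, 0, &ema_beacons)`, passing `false` for is_template, while ieee80211_beacon_get_template() and ieee80211_beacon_get_template_ema_index() in the same patch pass `true`. The new kernel-doc in mac80211.h also says the list variant follows the same rules as ieee80211_beacon_get_template(). What is_template controls inside ieee80211_beacon_get_ap() is not visible in these hunks, so this is inferred, but if the list is meant to hold templates the call should read `__ieee80211_beacon_get(hw, vif, NULL, true, link_id, 0, &ema_beacons)`. If `false` is deliberate, a one-line comment at the call saying why would keep a later reader from changing it. A smaller style point: `#define IEEE80211_INCLUDE_ALL_MBSSID_ELEMS (-1)` with parentheses keeps the macro safe in any expression.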
diff --git a/queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch b/queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch
new file mode 100644 (file)
index 0000000..0d0dcfa
--- /dev/null
@@ -0,0 +1,406 @@
+From f9831f36df2f21f837f6dcb20ad12ca00eebc2f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 12:39:31 +0100
+Subject: wifi: mac80211: mlme: handle EHT channel puncturing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit aa87cd8b35736a5183745ab0ec4b82419024dfd7 ]
+
+Handle the Puncturing info received from the AP in the
+EHT Operation element in beacons.
+
+If the info is invalid:
+ - during association: disable EHT connection for the AP
+ - after association: disconnect
+
+This commit includes many (internal) bugfixes and spec
+updates various people.
+
+Co-developed-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://lore.kernel.org/r/20230127123930.4fbc74582331.I3547481d49f958389f59dfeba3fcc75e72b0aa6e@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h     |   5 +-
+ net/mac80211/cfg.c         |   2 +-
+ net/mac80211/chan.c        |   2 +-
+ net/mac80211/ieee80211_i.h |   2 +-
+ net/mac80211/mlme.c        | 224 ++++++++++++++++++++++++++++++++++++-
+ 5 files changed, 228 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 28a9b9c00e6b..b2f0a2cf5f38 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -339,7 +339,7 @@ struct ieee80211_vif_chanctx_switch {
+  * @BSS_CHANGED_FILS_DISCOVERY: FILS discovery status changed.
+  * @BSS_CHANGED_UNSOL_BCAST_PROBE_RESP: Unsolicited broadcast probe response
+  *    status changed.
+- *
++ * @BSS_CHANGED_EHT_PUNCTURING: The channel puncturing bitmap changed.
+  */
+ enum ieee80211_bss_change {
+       BSS_CHANGED_ASSOC               = 1<<0,
+@@ -374,6 +374,7 @@ enum ieee80211_bss_change {
+       BSS_CHANGED_HE_BSS_COLOR        = 1<<29,
+       BSS_CHANGED_FILS_DISCOVERY      = 1<<30,
+       BSS_CHANGED_UNSOL_BCAST_PROBE_RESP = 1<<31,
++      BSS_CHANGED_EHT_PUNCTURING      = BIT_ULL(32),
+       /* when adding here, make sure to change ieee80211_reconfig */
+ };
+@@ -639,6 +640,7 @@ struct ieee80211_fils_discovery {
+  * @tx_pwr_env_num: number of @tx_pwr_env.
+  * @pwr_reduction: power constraint of BSS.
+  * @eht_support: does this BSS support EHT
++ * @eht_puncturing: bitmap to indicate which channels are punctured in this BSS
+  * @csa_active: marks whether a channel switch is going on. Internally it is
+  *    write-protected by sdata_lock and local->mtx so holding either is fine
+  *    for read access.
+@@ -718,6 +720,7 @@ struct ieee80211_bss_conf {
+       u8 tx_pwr_env_num;
+       u8 pwr_reduction;
+       bool eht_support;
++      u16 eht_puncturing;
+       bool csa_active;
+       bool mu_mimo_owner;
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index b42eb781d7f7..2e99207bf0c7 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -4154,7 +4154,7 @@ static int ieee80211_set_ap_chanwidth(struct wiphy *wiphy,
+       struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+       struct ieee80211_link_data *link;
+       int ret;
+-      u32 changed = 0;
++      u64 changed = 0;
+       link = sdata_dereference(sdata->link[link_id], sdata);
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index 648af67b8ec8..26e692a853d9 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -1936,7 +1936,7 @@ int ieee80211_link_use_reserved_context(struct ieee80211_link_data *link)
+ int ieee80211_link_change_bandwidth(struct ieee80211_link_data *link,
+                                   const struct cfg80211_chan_def *chandef,
+-                                  u32 *changed)
++                                  u64 *changed)
+ {
+       struct ieee80211_sub_if_data *sdata = link->sdata;
+       struct ieee80211_bss_conf *link_conf = link->conf;
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 4cd413bd764f..a82392314778 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2465,7 +2465,7 @@ int ieee80211_link_unreserve_chanctx(struct ieee80211_link_data *link);
+ int __must_check
+ ieee80211_link_change_bandwidth(struct ieee80211_link_data *link,
+                               const struct cfg80211_chan_def *chandef,
+-                              u32 *changed);
++                              u64 *changed);
+ void ieee80211_link_release_channel(struct ieee80211_link_data *link);
+ void ieee80211_link_vlan_copy_chanctx(struct ieee80211_link_data *link);
+ void ieee80211_link_copy_chanctx_to_vlans(struct ieee80211_link_data *link,
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 15826bbde70c..25483596f22e 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -8,7 +8,7 @@
+  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2022 Intel Corporation
++ * Copyright (C) 2018 - 2023 Intel Corporation
+  */
+ #include <linux/delay.h>
+@@ -88,6 +88,141 @@ MODULE_PARM_DESC(probe_wait_ms,
+  */
+ #define IEEE80211_SIGNAL_AVE_MIN_COUNT        4
++struct ieee80211_per_bw_puncturing_values {
++      u8 len;
++      const u16 *valid_values;
++};
++
++static const u16 puncturing_values_80mhz[] = {
++      0x8, 0x4, 0x2, 0x1
++};
++
++static const u16 puncturing_values_160mhz[] = {
++       0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3
++};
++
++static const u16 puncturing_values_320mhz[] = {
++      0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00,
++      0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f,
++      0x300f, 0xc0f, 0x30f, 0xcf, 0x3f
++};
++
++#define IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \
++      { \
++              .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \
++              .valid_values = puncturing_values_ ## _bw ## mhz \
++      }
++
++static const struct ieee80211_per_bw_puncturing_values per_bw_puncturing[] = {
++      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(80),
++      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(160),
++      IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(320)
++};
++
++static bool ieee80211_valid_disable_subchannel_bitmap(u16 *bitmap,
++                                                    enum nl80211_chan_width bw)
++{
++      u32 idx, i;
++
++      switch (bw) {
++      case NL80211_CHAN_WIDTH_80:
++              idx = 0;
++              break;
++      case NL80211_CHAN_WIDTH_160:
++              idx = 1;
++              break;
++      case NL80211_CHAN_WIDTH_320:
++              idx = 2;
++              break;
++      default:
++              *bitmap = 0;
++              break;
++      }
++
++      if (!*bitmap)
++              return true;
++
++      for (i = 0; i < per_bw_puncturing[idx].len; i++)
++              if (per_bw_puncturing[idx].valid_values[i] == *bitmap)
++                      return true;
++
++      return false;
++}
++
++/*
++ * Extract from the given disabled subchannel bitmap (raw format
++ * from the EHT Operation Element) the bits for the subchannel
++ * we're using right now.
++ */
++static u16
++ieee80211_extract_dis_subch_bmap(const struct ieee80211_eht_operation *eht_oper,
++                               struct cfg80211_chan_def *chandef, u16 bitmap)
++{
++      struct ieee80211_eht_operation_info *info = (void *)eht_oper->optional;
++      struct cfg80211_chan_def ap_chandef = *chandef;
++      u32 ap_center_freq, local_center_freq;
++      u32 ap_bw, local_bw;
++      int ap_start_freq, local_start_freq;
++      u16 shift, mask;
++
++      if (!(eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) ||
++          !(eht_oper->params &
++            IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT))
++              return 0;
++
++      /* set 160/320 supported to get the full AP definition */
++      ieee80211_chandef_eht_oper(eht_oper, true, true, &ap_chandef);
++      ap_center_freq = ap_chandef.center_freq1;
++      ap_bw = 20 * BIT(u8_get_bits(info->control,
++                                   IEEE80211_EHT_OPER_CHAN_WIDTH));
++      ap_start_freq = ap_center_freq - ap_bw / 2;
++      local_center_freq = chandef->center_freq1;
++      local_bw = 20 * BIT(ieee80211_chan_width_to_rx_bw(chandef->width));
++      local_start_freq = local_center_freq - local_bw / 2;
++      shift = (local_start_freq - ap_start_freq) / 20;
++      mask = BIT(local_bw / 20) - 1;
++
++      return (bitmap >> shift) & mask;
++}
++
++/*
++ * Handle the puncturing bitmap, possibly downgrading bandwidth to get a
++ * valid bitmap.
++ */
++static void
++ieee80211_handle_puncturing_bitmap(struct ieee80211_link_data *link,
++                                 const struct ieee80211_eht_operation *eht_oper,
++                                 u16 bitmap, u64 *changed)
++{
++      struct cfg80211_chan_def *chandef = &link->conf->chandef;
++      u16 extracted;
++      u64 _changed = 0;
++
++      if (!changed)
++              changed = &_changed;
++
++      while (chandef->width > NL80211_CHAN_WIDTH_40) {
++              extracted =
++                      ieee80211_extract_dis_subch_bmap(eht_oper, chandef,
++                                                       bitmap);
++
++              if (ieee80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                            chandef->width))
++                      break;
++              link->u.mgd.conn_flags |=
++                      ieee80211_chandef_downgrade(chandef);
++              *changed |= BSS_CHANGED_BANDWIDTH;
++      }
++
++      if (chandef->width <= NL80211_CHAN_WIDTH_40)
++              extracted = 0;
++
++      if (link->conf->eht_puncturing != extracted) {
++              link->conf->eht_puncturing = extracted;
++              *changed |= BSS_CHANGED_EHT_PUNCTURING;
++      }
++}
++
+ /*
+  * We can have multiple work items (and connection probing)
+  * scheduling this timer, but we need to take care to only
+@@ -413,7 +548,7 @@ static int ieee80211_config_bw(struct ieee80211_link_data *link,
+                              const struct ieee80211_he_operation *he_oper,
+                              const struct ieee80211_eht_operation *eht_oper,
+                              const struct ieee80211_s1g_oper_ie *s1g_oper,
+-                             const u8 *bssid, u32 *changed)
++                             const u8 *bssid, u64 *changed)
+ {
+       struct ieee80211_sub_if_data *sdata = link->sdata;
+       struct ieee80211_local *local = sdata->local;
+@@ -4148,6 +4283,7 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+                                                           link_sta);
+                       bss_conf->eht_support = link_sta->pub->eht_cap.has_eht;
++                      *changed |= BSS_CHANGED_EHT_PUNCTURING;
+               } else {
+                       bss_conf->eht_support = false;
+               }
+@@ -5460,6 +5596,45 @@ static bool ieee80211_rx_our_beacon(const u8 *tx_bssid,
+       return ether_addr_equal(tx_bssid, bss->transmitted_bss->bssid);
+ }
++static bool ieee80211_config_puncturing(struct ieee80211_link_data *link,
++                                      const struct ieee80211_eht_operation *eht_oper,
++                                      u64 *changed)
++{
++      u16 bitmap = 0, extracted;
++
++      if ((eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) &&
++          (eht_oper->params &
++           IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)) {
++              const struct ieee80211_eht_operation_info *info =
++                      (void *)eht_oper->optional;
++              const u8 *disable_subchannel_bitmap = info->optional;
++
++              bitmap = get_unaligned_le16(disable_subchannel_bitmap);
++      }
++
++      extracted = ieee80211_extract_dis_subch_bmap(eht_oper,
++                                                   &link->conf->chandef,
++                                                   bitmap);
++
++      /* accept if there are no changes */
++      if (!(*changed & BSS_CHANGED_BANDWIDTH) &&
++          extracted == link->conf->eht_puncturing)
++              return true;
++
++      if (!ieee80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                     link->conf->chandef.width)) {
++              link_info(link,
++                        "Got an invalid disable subchannel bitmap from AP %pM: bitmap = 0x%x, bw = 0x%x. disconnect\n",
++                        link->u.mgd.bssid,
++                        bitmap,
++                        link->conf->chandef.width);
++              return false;
++      }
++
++      ieee80211_handle_puncturing_bitmap(link, eht_oper, bitmap, changed);
++      return true;
++}
++
+ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
+                                    struct ieee80211_hdr *hdr, size_t len,
+                                    struct ieee80211_rx_status *rx_status)
+@@ -5476,7 +5651,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
+       struct ieee80211_channel *chan;
+       struct link_sta_info *link_sta;
+       struct sta_info *sta;
+-      u32 changed = 0;
++      u64 changed = 0;
+       bool erp_valid;
+       u8 erp_value = 0;
+       u32 ncrc = 0;
+@@ -5769,6 +5944,21 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link,
+                                              elems->pwr_constr_elem,
+                                              elems->cisco_dtpc_elem);
++      if (elems->eht_operation &&
++          !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_EHT)) {
++              if (!ieee80211_config_puncturing(link, elems->eht_operation,
++                                               &changed)) {
++                      ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
++                                             WLAN_REASON_DEAUTH_LEAVING,
++                                             true, deauth_buf);
++                      ieee80211_report_disconnect(sdata, deauth_buf,
++                                                  sizeof(deauth_buf), true,
++                                                  WLAN_REASON_DEAUTH_LEAVING,
++                                                  false);
++                      goto free;
++              }
++      }
++
+       ieee80211_link_info_change_notify(sdata, link, changed);
+ free:
+       kfree(elems);
+@@ -6870,9 +7060,12 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
+               ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap);
+       }
++      link->conf->eht_puncturing = 0;
++
+       rcu_read_lock();
+       beacon_ies = rcu_dereference(cbss->beacon_ies);
+       if (beacon_ies) {
++              const struct ieee80211_eht_operation *eht_oper;
+               const struct element *elem;
+               u8 dtim_count = 0;
+@@ -6901,6 +7094,31 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata,
+                       link->conf->ema_ap = true;
+               else
+                       link->conf->ema_ap = false;
++
++              elem = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION,
++                                            beacon_ies->data, beacon_ies->len);
++              eht_oper = (const void *)(elem->data + 1);
++
++              if (elem &&
++                  ieee80211_eht_oper_size_ok((const void *)(elem->data + 1),
++                                             elem->datalen - 1) &&
++                  (eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) &&
++                  (eht_oper->params & IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)) {
++                      const struct ieee80211_eht_operation_info *info =
++                              (void *)eht_oper->optional;
++                      const u8 *disable_subchannel_bitmap = info->optional;
++                      u16 bitmap;
++
++                      bitmap = get_unaligned_le16(disable_subchannel_bitmap);
++                      if (ieee80211_valid_disable_subchannel_bitmap(&bitmap,
++                                                                    link->conf->chandef.width))
++                              ieee80211_handle_puncturing_bitmap(link,
++                                                                 eht_oper,
++                                                                 bitmap,
++                                                                 NULL);
++                      else
++                              conn_flags |= IEEE80211_CONN_DISABLE_EHT;
++              }
+       }
+       rcu_read_unlock();
+-- 
+2.51.0
+
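Review bot: In the ieee80211_setup_assoc_link() hunk of mlme.c, `eht_oper = (const void *)(elem->data + 1);` runs before the `if (elem && ...)` test, so the pointer is formed from `elem` while it may still be NULL (a beacon with no EHT Operation element). The following condition keeps `eht_oper` from being dereferenced in that case, but the ordering is fragile; I would write `eht_oper = elem ? (const void *)(elem->data + 1) : NULL;` or move the assignment into the checked branch. Separately, ieee80211_extract_dis_subch_bmap() stores `(local_start_freq - ap_start_freq) / 20` in a u16 `shift`, computed from fields of the AP's EHT Operation element, and uses it in `bitmap >> shift` with no range check. Unless callers guarantee the local channel lies inside the AP's, a guard such as `if (local_start_freq < ap_start_freq || shift >= 16) return 0;` looks warranted. ieee80211_setup_assoc_link() begins and ends outside the hunk, so any earlier validation of the element is not visible here.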
diff --git a/queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch b/queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch
new file mode 100644 (file)
index 0000000..775b89e
--- /dev/null
@@ -0,0 +1,293 @@
+From bc25a3bf5bc3c24a45c98e6a97e22a27fb4c364c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 12:09:21 +0200
+Subject: wifi: nl80211: add a command to enable/disable HW timestamping
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit cbbaf2bb829b6c4ef911d4a725fc9b1fadc1e43f ]
+
+Add a command to enable and disable HW timestamping of TM and FTM
+frames. HW timestamping can be enabled for a specific mac address
+or for all addresses.
+
+The low level driver will indicate how many peers HW timestamping
+can be enabled concurrently, and this information will be passed
+to userspace.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230301115906.05678d7b1c17.Iccc08869ea8156f1c71a3111a47f86dd56234bd0@changeid
+[switch to needing netdev UP, minor edits]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h       | 27 ++++++++++++++++++++++++++
+ include/uapi/linux/nl80211.h | 22 +++++++++++++++++++++
+ net/wireless/nl80211.c       | 37 ++++++++++++++++++++++++++++++++++++
+ net/wireless/rdev-ops.h      | 17 +++++++++++++++++
+ net/wireless/trace.h         | 25 ++++++++++++++++++++++++
+ 5 files changed, 128 insertions(+)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 7efa3adf234d..34709bd733ed 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -830,6 +830,18 @@ struct cfg80211_fils_aad {
+       const u8 *anonce;
+ };
++/**
++ * struct cfg80211_set_hw_timestamp - enable/disable HW timestamping
++ * @macaddr: peer MAC address. NULL to enable/disable HW timestamping for all
++ *    addresses.
++ * @enable: if set, enable HW timestamping for the specified MAC address.
++ *    Otherwise disable HW timestamping for the specified MAC address.
++ */
++struct cfg80211_set_hw_timestamp {
++      const u8 *macaddr;
++      bool enable;
++};
++
+ /**
+  * cfg80211_get_chandef_type - return old channel type from chandef
+  * @chandef: the channel definition
+@@ -4291,6 +4303,8 @@ struct mgmt_frame_regs {
+  * @add_link_station: Add a link to a station.
+  * @mod_link_station: Modify a link of a station.
+  * @del_link_station: Remove a link of a station.
++ *
++ * @set_hw_timestamp: Enable/disable HW timestamping of TM/FTM frames.
+  */
+ struct cfg80211_ops {
+       int     (*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow);
+@@ -4644,6 +4658,8 @@ struct cfg80211_ops {
+                                   struct link_station_parameters *params);
+       int     (*del_link_station)(struct wiphy *wiphy, struct net_device *dev,
+                                   struct link_station_del_parameters *params);
++      int     (*set_hw_timestamp)(struct wiphy *wiphy, struct net_device *dev,
++                                  struct cfg80211_set_hw_timestamp *hwts);
+ };
+ /*
+@@ -5099,6 +5115,8 @@ struct wiphy_iftype_akm_suites {
+       int n_akm_suites;
+ };
++#define CFG80211_HW_TIMESTAMP_ALL_PEERS       0xffff
++
+ /**
+  * struct wiphy - wireless hardware description
+  * @mtx: mutex for the data (structures) of this device
+@@ -5308,6 +5326,13 @@ struct wiphy_iftype_akm_suites {
+  *    NL80211_MAX_NR_AKM_SUITES in order to avoid compatibility issues with
+  *    legacy userspace and maximum allowed value is
+  *    CFG80211_MAX_NUM_AKM_SUITES.
++ *
++ * @hw_timestamp_max_peers: maximum number of peers that the driver supports
++ *    enabling HW timestamping for concurrently. Setting this field to a
++ *    non-zero value indicates that the driver supports HW timestamping.
++ *    A value of %CFG80211_HW_TIMESTAMP_ALL_PEERS indicates the driver
++ *    supports enabling HW timestamping for all peers (i.e. no need to
++ *    specify a mac address).
+  */
+ struct wiphy {
+       struct mutex mtx;
+@@ -5456,6 +5481,8 @@ struct wiphy {
+       u8 ema_max_profile_periodicity;
+       u16 max_num_akm_suites;
++      u16 hw_timestamp_max_peers;
++
+       char priv[] __aligned(NETDEV_ALIGN);
+ };
+diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
+index 173aef8916ae..274d1b34c954 100644
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -1281,6 +1281,16 @@
+  * @NL80211_CMD_MODIFY_LINK_STA: Modify a link of an MLD station
+  * @NL80211_CMD_REMOVE_LINK_STA: Remove a link of an MLD station
+  *
++ * @NL80211_CMD_SET_HW_TIMESTAMP: Enable/disable HW timestamping of Timing
++ *    measurement and Fine timing measurement frames. If %NL80211_ATTR_MAC
++ *    is included, enable/disable HW timestamping only for frames to/from the
++ *    specified MAC address. Otherwise enable/disable HW timestamping for
++ *    all TM/FTM frames (including ones that were enabled with specific MAC
++ *    address). If %NL80211_ATTR_HW_TIMESTAMP_ENABLED is not included, disable
++ *    HW timestamping.
++ *    The number of peers that HW timestamping can be enabled for concurrently
++ *    is indicated by %NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS.
++ *
+  * @NL80211_CMD_MAX: highest used command number
+  * @__NL80211_CMD_AFTER_LAST: internal use
+  */
+@@ -1532,6 +1542,8 @@ enum nl80211_commands {
+       NL80211_CMD_MODIFY_LINK_STA,
+       NL80211_CMD_REMOVE_LINK_STA,
++      NL80211_CMD_SET_HW_TIMESTAMP,
++
+       /* add new commands above here */
+       /* used to define NL80211_CMD_MAX below */
+@@ -2757,6 +2769,13 @@ enum nl80211_commands {
+  *    indicates that the sub-channel is punctured. Higher 16 bits are
+  *    reserved.
+  *
++ * @NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS: Maximum number of peers that HW
++ *    timestamping can be enabled for concurrently (u16), a wiphy attribute.
++ *    A value of 0xffff indicates setting for all peers (i.e. not specifying
++ *    an address with %NL80211_CMD_SET_HW_TIMESTAMP) is supported.
++ * @NL80211_ATTR_HW_TIMESTAMP_ENABLED: Indicates whether HW timestamping should
++ *    be enabled or not (flag attribute).
++ *
+  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
+  * @NL80211_ATTR_MAX: highest attribute number currently defined
+  * @__NL80211_ATTR_AFTER_LAST: internal use
+@@ -3288,6 +3307,9 @@ enum nl80211_attrs {
+       NL80211_ATTR_PUNCT_BITMAP,
++      NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
++      NL80211_ATTR_HW_TIMESTAMP_ENABLED,
++
+       /* add attributes here, update the policy in nl80211.c */
+       __NL80211_ATTR_AFTER_LAST,
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 0eb8c8e0bf18..5e2b676f5ce0 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -811,6 +811,9 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+       [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
+       [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
+       [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff),
++
++      [NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
++      [NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
+ };
+ /* policy for the key attributes */
+@@ -2965,6 +2968,11 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
+               if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
+                       nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
++              if (rdev->wiphy.hw_timestamp_max_peers &&
++                  nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
++                              rdev->wiphy.hw_timestamp_max_peers))
++                      goto nla_put_failure;
++
+               /* done */
+               state->split_start = 0;
+               break;
+@@ -16162,6 +16170,29 @@ nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
+       return ret;
+ }
++static int nl80211_set_hw_timestamp(struct sk_buff *skb,
++                                  struct genl_info *info)
++{
++      struct cfg80211_registered_device *rdev = info->user_ptr[0];
++      struct net_device *dev = info->user_ptr[1];
++      struct cfg80211_set_hw_timestamp hwts = {};
++
++      if (!rdev->wiphy.hw_timestamp_max_peers)
++              return -EOPNOTSUPP;
++
++      if (!info->attrs[NL80211_ATTR_MAC] &&
++          rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
++              return -EOPNOTSUPP;
++
++      if (info->attrs[NL80211_ATTR_MAC])
++              hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
++
++      hwts.enable =
++              nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
++
++      return rdev_set_hw_timestamp(rdev, dev, &hwts);
++}
++
+ #define NL80211_FLAG_NEED_WIPHY               0x01
+ #define NL80211_FLAG_NEED_NETDEV      0x02
+ #define NL80211_FLAG_NEED_RTNL                0x04
+@@ -17333,6 +17364,12 @@ static const struct genl_small_ops nl80211_small_ops[] = {
+               .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
+                                        NL80211_FLAG_MLO_VALID_LINK_ID),
+       },
++      {
++              .cmd = NL80211_CMD_SET_HW_TIMESTAMP,
++              .doit = nl80211_set_hw_timestamp,
++              .flags = GENL_UNS_ADMIN_PERM,
++              .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
++      },
+ };
+ static struct genl_family nl80211_fam __ro_after_init = {
+diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
+index 5f210686c411..df7f88ca0db3 100644
+--- a/net/wireless/rdev-ops.h
++++ b/net/wireless/rdev-ops.h
+@@ -1498,4 +1498,21 @@ rdev_del_link_station(struct cfg80211_registered_device *rdev,
+       return ret;
+ }
++static inline int
++rdev_set_hw_timestamp(struct cfg80211_registered_device *rdev,
++                    struct net_device *dev,
++                    struct cfg80211_set_hw_timestamp *hwts)
++{
++      struct wiphy *wiphy = &rdev->wiphy;
++      int ret;
++
++      if (!rdev->ops->set_hw_timestamp)
++              return -EOPNOTSUPP;
++
++      trace_rdev_set_hw_timestamp(wiphy, dev, hwts);
++      ret = rdev->ops->set_hw_timestamp(wiphy, dev, hwts);
++      trace_rdev_return_int(wiphy, ret);
++
++      return ret;
++}
+ #endif /* __CFG80211_RDEV_OPS */
+diff --git a/net/wireless/trace.h b/net/wireless/trace.h
+index 137937b1f4b3..f325ca28face 100644
+--- a/net/wireless/trace.h
++++ b/net/wireless/trace.h
+@@ -3901,6 +3901,31 @@ TRACE_EVENT(rdev_del_link_station,
+                 __entry->link_id)
+ );
++TRACE_EVENT(rdev_set_hw_timestamp,
++      TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
++               struct cfg80211_set_hw_timestamp *hwts),
++
++      TP_ARGS(wiphy, netdev, hwts),
++
++      TP_STRUCT__entry(
++              WIPHY_ENTRY
++              NETDEV_ENTRY
++              MAC_ENTRY(macaddr)
++              __field(bool, enable)
++      ),
++
++      TP_fast_assign(
++              WIPHY_ASSIGN;
++              NETDEV_ASSIGN;
++              MAC_ASSIGN(macaddr, hwts->macaddr);
++              __entry->enable = hwts->enable;
++      ),
++
++      TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", mac %pM, enable: %u",
++                WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->macaddr,
++                __entry->enable)
++);
++
+ #endif /* !__RDEV_OPS_TRACE || TRACE_HEADER_MULTI_READ */
+ #undef TRACE_INCLUDE_PATH
+-- 
+2.51.0
+
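Review bot: The kernel-doc for struct cfg80211_set_hw_timestamp does not say how long @macaddr stays valid. nl80211_set_hw_timestamp() fills it with `nla_data(info->attrs[NL80211_ATTR_MAC])` in a stack-local struct, so the pointer refers to the netlink request buffer and is only usable while ->set_hw_timestamp() runs. I would extend the @macaddr description with: `The pointer is only valid for the duration of the call; drivers must copy the address if they need it later.` The attribute length is presumably bounded by the existing NL80211_ATTR_MAC policy entry, which is outside this patch.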
diff --git a/queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch b/queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch
new file mode 100644 (file)
index 0000000..8624203
--- /dev/null
@@ -0,0 +1,184 @@
+From 99d1ac33cbc58770b40c2fbd2139bbd5009c95eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:12:25 -0800
+Subject: wifi: nl80211: validate and configure puncturing bitmap
+
+From: Aloka Dixit <quic_alokad@quicinc.com>
+
+[ Upstream commit d7c1a9a0ed180d8884798ce97afe7283622a484f ]
+
+- New feature flag, NL80211_EXT_FEATURE_PUNCT, to advertise
+  driver support for preamble puncturing in AP mode.
+- New attribute, NL80211_ATTR_PUNCT_BITMAP, to receive a puncturing
+  bitmap from the userspace during AP bring up (NL80211_CMD_START_AP)
+  and channel switch (NL80211_CMD_CHANNEL_SWITCH) operations. Each bit
+  corresponds to a 20 MHz channel in the operating bandwidth, lowest
+  bit for the lowest channel. Bit set to 1 indicates that the channel
+  is punctured. Higher 16 bits are reserved.
+- New members added to structures cfg80211_ap_settings and
+  cfg80211_csa_settings to propagate the bitmap to the driver after
+  validation.
+
+Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
+Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
+Link: https://lore.kernel.org/r/20230131001227.25014-3-quic_alokad@quicinc.com
+[move validation against 0xffff into policy]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h       |  8 ++++++++
+ include/uapi/linux/nl80211.h | 11 +++++++++++
+ net/wireless/nl80211.c       | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 51 insertions(+)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index bf79788f1c5d..7efa3adf234d 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -1325,6 +1325,9 @@ struct cfg80211_unsol_bcast_probe_resp {
+  * @fils_discovery: FILS discovery transmission parameters
+  * @unsol_bcast_probe_resp: Unsolicited broadcast probe response parameters
+  * @mbssid_config: AP settings for multiple bssid
++ * @punct_bitmap: Preamble puncturing bitmap. Each bit represents
++ *    a 20 MHz channel, lowest bit corresponding to the lowest channel.
++ *    Bit set to 1 indicates that the channel is punctured.
+  */
+ struct cfg80211_ap_settings {
+       struct cfg80211_chan_def chandef;
+@@ -1359,6 +1362,7 @@ struct cfg80211_ap_settings {
+       struct cfg80211_fils_discovery fils_discovery;
+       struct cfg80211_unsol_bcast_probe_resp unsol_bcast_probe_resp;
+       struct cfg80211_mbssid_config mbssid_config;
++      u16 punct_bitmap;
+ };
+ /**
+@@ -1376,6 +1380,9 @@ struct cfg80211_ap_settings {
+  * @radar_required: whether radar detection is required on the new channel
+  * @block_tx: whether transmissions should be blocked while changing
+  * @count: number of beacons until switch
++ * @punct_bitmap: Preamble puncturing bitmap. Each bit represents
++ *    a 20 MHz channel, lowest bit corresponding to the lowest channel.
++ *    Bit set to 1 indicates that the channel is punctured.
+  */
+ struct cfg80211_csa_settings {
+       struct cfg80211_chan_def chandef;
+@@ -1388,6 +1395,7 @@ struct cfg80211_csa_settings {
+       bool radar_required;
+       bool block_tx;
+       u8 count;
++      u16 punct_bitmap;
+ };
+ /**
+diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
+index c14a91bbca7c..173aef8916ae 100644
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -2751,6 +2751,12 @@ enum nl80211_commands {
+  *    the incoming frame RX timestamp.
+  * @NL80211_ATTR_TD_BITMAP: Transition Disable bitmap, for subsequent
+  *    (re)associations.
++ *
++ * @NL80211_ATTR_PUNCT_BITMAP: (u32) Preamble puncturing bitmap, lowest
++ *    bit corresponds to the lowest 20 MHz channel. Each bit set to 1
++ *    indicates that the sub-channel is punctured. Higher 16 bits are
++ *    reserved.
++ *
+  * @NUM_NL80211_ATTR: total number of nl80211_attrs available
+  * @NL80211_ATTR_MAX: highest attribute number currently defined
+  * @__NL80211_ATTR_AFTER_LAST: internal use
+@@ -3280,6 +3286,8 @@ enum nl80211_attrs {
+       NL80211_ATTR_RX_HW_TIMESTAMP,
+       NL80211_ATTR_TD_BITMAP,
++      NL80211_ATTR_PUNCT_BITMAP,
++
+       /* add attributes here, update the policy in nl80211.c */
+       __NL80211_ATTR_AFTER_LAST,
+@@ -6294,6 +6302,8 @@ enum nl80211_feature_flags {
+  *    might apply, e.g. no scans in progress, no offchannel operations
+  *    in progress, and no active connections.
+  *
++ * @NL80211_EXT_FEATURE_PUNCT: Driver supports preamble puncturing in AP mode.
++ *
+  * @NUM_NL80211_EXT_FEATURES: number of extended features.
+  * @MAX_NL80211_EXT_FEATURES: highest extended feature index.
+  */
+@@ -6362,6 +6372,7 @@ enum nl80211_ext_feature_index {
+       NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD,
+       NL80211_EXT_FEATURE_RADAR_BACKGROUND,
+       NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE,
++      NL80211_EXT_FEATURE_PUNCT,
+       /* add new features before the definition below */
+       NUM_NL80211_EXT_FEATURES,
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 1ab60967d6cd..0eb8c8e0bf18 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -810,6 +810,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+       [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
+       [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
+       [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
++      [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff),
+ };
+ /* policy for the key attributes */
+@@ -3178,6 +3179,21 @@ static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
+               wdev->iftype == NL80211_IFTYPE_P2P_GO;
+ }
++static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
++                                    struct genl_info *info,
++                                    const struct cfg80211_chan_def *chandef,
++                                    u16 *punct_bitmap)
++{
++      if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
++              return -EINVAL;
++
++      *punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
++      if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
++              return -EINVAL;
++
++      return 0;
++}
++
+ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
+                         struct genl_info *info,
+                         struct cfg80211_chan_def *chandef)
+@@ -5955,6 +5971,14 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+               goto out;
+       }
++      if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
++              err = nl80211_parse_punct_bitmap(rdev, info,
++                                               &params->chandef,
++                                               &params->punct_bitmap);
++              if (err)
++                      goto out;
++      }
++
+       if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
+                                          wdev->iftype)) {
+               err = -EINVAL;
+@@ -10107,6 +10131,14 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
+       if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
+               params.block_tx = true;
++      if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
++              err = nl80211_parse_punct_bitmap(rdev, info,
++                                               &params.chandef,
++                                               &params.punct_bitmap);
++              if (err)
++                      goto free;
++      }
++
+       wdev_lock(wdev);
+       err = rdev_channel_switch(rdev, dev, &params);
+       wdev_unlock(wdev);
+-- 
+2.51.0
+
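Review bot: The policy entry added for NL80211_ATTR_PUNCT_BITMAP declares the attribute as `NLA_U8`, while the uapi comment in the same patch documents it as u32 and nl80211_parse_punct_bitmap() reads it with `nla_get_u32()`. A one-byte attribute from userspace would pass validation and the parser would then read four bytes from its payload. The 0xffff upper bound also likely does not fit the 16-bit min/max fields that NLA_POLICY_RANGE fills in, so the intended limit is probably not enforced. Declaring the attribute as NLA_U32 with a full-range validation struct keeps type, documentation and reader consistent. If a follow-up fix for this exists upstream, it should be queued together with this dependency.

```c
static struct netlink_range_validation nl80211_punct_bitmap_range = {
	.min = 0,
	.max = 0xffff,
};

static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
	/* … unchanged: earlier policy entries … */
	[NL80211_ATTR_PUNCT_BITMAP] =
		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
```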
diff --git a/queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
new file mode 100644 (file)
index 0000000..57d334c
--- /dev/null
@@ -0,0 +1,53 @@
+From 429b53df98fe56ed7ac2d8c1031eb8b60dad1fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 20:47:28 +0530
+Subject: amd-xgbe: reset retries and mode on RX adapt failures
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
+
+During the stress tests, early RX adaptation handshakes can fail, such
+as missing the RX_ADAPT ACK or not receiving a coefficient update before
+block lock is established. Continuing to retry RX adaptation in this
+state is often ineffective if the current mode selection is not viable.
+
+Resetting the RX adaptation retry counter when an RX_ADAPT request fails
+to receive ACK or a coefficient update prior to block lock, and clearing
+mode_set so the next bring-up performs a fresh mode selection rather
+than looping on a likely invalid configuration.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 32e633d11348..6d2c401bb246 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
+ {
+       if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) {
+               pdata->rx_adapt_retries = 0;
++              pdata->mode_set = false;
+               return;
+       }
+@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
+                */
+               netif_dbg(pdata, link, pdata->netdev, "Block_lock done");
+               pdata->rx_adapt_done = true;
++              pdata->rx_adapt_retries = 0;
+               pdata->mode_set = false;
+               return;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
new file mode 100644 (file)
index 0000000..f1c9176
--- /dev/null
@@ -0,0 +1,39 @@
+From d9b9b18a333a85abb3b115e2f5dc0de524529027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 17:17:05 +0800
+Subject: blk-mq: skip CPU offline notify on unmapped hctx
+
+From: Cong Zhang <cong.zhang@oss.qualcomm.com>
+
+[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
+
+If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
+allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
+notifier can still run for that hctx, return early since hctx cannot
+hold any requests.
+
+Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index db72779760d5..1891863dcba1 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3658,7 +3658,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
++      if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+-- 
+2.51.0
+
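Review bot: The new `!hctx->nr_ctx` test in blk_mq_hctx_notify_offline() carries no comment, so the reason for it lives only in the commit message. A one-line comment above the condition would keep it from being dropped in a later cleanup: `/* an hctx with no mapped ctx has hctx->tags == NULL and holds no requests */`. The rest of the function is outside the hunk.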
diff --git a/queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
new file mode 100644 (file)
index 0000000..f16ff1d
--- /dev/null
@@ -0,0 +1,89 @@
+From 05016d9b6419d3b5583b9d1827beeb5180b932c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 11:02:28 -0500
+Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb
+
+From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+
+[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
+
+This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
+btusb.c file").
+
+In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
+ties the lifetime of all the btusb data to the binding of a driver to
+one interface, INTF. In a driver that binds to other interfaces, ISOC
+and DIAG, this is an accident waiting to happen.
+
+The issue is revealed in btusb_disconnect(), where calling
+usb_driver_release_interface(&btusb_driver, data->intf) will have devm
+free the data that is also being used by the other interfaces of the
+driver that may not be released yet.
+
+To fix this, revert the use of devm and go back to freeing memory
+explicitly.
+
+Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
+Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index fc7b3e02f14b..603ff13d9f7c 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3835,7 +3835,7 @@ static int btusb_probe(struct usb_interface *intf,
+                       return -ENODEV;
+       }
+-      data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -3858,8 +3858,10 @@ static int btusb_probe(struct usb_interface *intf,
+               }
+       }
+-      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
++      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
++              kfree(data);
+               return -ENODEV;
++      }
+       if (id->driver_info & BTUSB_AMP) {
+               data->cmdreq_type = USB_TYPE_CLASS | 0x01;
+@@ -3914,8 +3916,10 @@ static int btusb_probe(struct usb_interface *intf,
+       data->recv_acl = hci_recv_frame;
+       hdev = hci_alloc_dev_priv(priv_size);
+-      if (!hdev)
++      if (!hdev) {
++              kfree(data);
+               return -ENOMEM;
++      }
+       hdev->bus = HCI_USB;
+       hci_set_drvdata(hdev, data);
+@@ -4187,6 +4191,7 @@ static int btusb_probe(struct usb_interface *intf,
+       if (data->reset_gpio)
+               gpiod_put(data->reset_gpio);
+       hci_free_dev(hdev);
++      kfree(data);
+       return err;
+ }
+@@ -4235,6 +4240,7 @@ static void btusb_disconnect(struct usb_interface *intf)
+       }
+       hci_free_dev(hdev);
++      kfree(data);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.51.0
+
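Review bot: btusb_probe() now frees `data` by hand at two separate early-return sites plus the final error path, which makes it easy for a future early return to leak the allocation. A single label placed after the existing `hci_free_dev(hdev);` cleanup, for example `out_free_data: kfree(data); return err;`, with the early exits doing `err = -ENODEV; goto out_free_data;`, would keep ownership in one place. Parts of the function lie between the hunks, so any other return between the kzalloc() and the error path should be checked for the same free. In btusb_disconnect() the added `kfree(data)` assumes nothing still references `data` after hci_free_dev(); that cannot be confirmed from the hunk.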
diff --git a/queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..fc6e5f9
--- /dev/null
@@ -0,0 +1,61 @@
+From b0b987f46a56a095baaae6e72ff02ae5bc4b9d7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index 17e11d51ddc3..04928df0095b 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+                       return err;
+       }
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
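Review bot: The reason the final check in seqiv_aead_encrypt() tests `unaligned_info` instead of `req->iv` is not recorded in the code. A comment above `if (unlikely(unaligned_info))`, such as `/* req may be freed by an async completion once crypto_aead_encrypt() returns; test only local state */`, would stop the old comparison from being reintroduced. The call that follows still passes `req` to seqiv_aead_encrypt_complete2(). Whether that helper touches the request when err is -EINPROGRESS or -EBUSY is outside this hunk and worth confirming.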
diff --git a/queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..d76a431
--- /dev/null
@@ -0,0 +1,68 @@
+From 23865985d70fae84b9e97249b3ffc12ad111d0c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
diff --git a/queue-6.12/genalloc.h-fix-htmldocs-warning.patch b/queue-6.12/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..3b9cc24
--- /dev/null
@@ -0,0 +1,38 @@
+From d4259c27b91389004e04050a2e418489bb03d6a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..b212064
--- /dev/null
@@ -0,0 +1,53 @@
+From 6a38c5ed8ce2a4de8f464335653e53549f08a221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index eae5923104f7..2dc737c7e3fd 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2256,6 +2256,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
+-- 
+2.51.0
+
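Review bot: The added `i40e_service_event_schedule(vsi->back);` in `i40e_set_rx_mode()` sits after the closing brace of the preceding `if` block, so the service task is scheduled on every call, including calls where no filter change was flagged, and no comment says that this is intended. A short comment above the call would keep a later cleanup from moving it back inside the conditional, for example `/* always kick the service task: PTP RX filter setup depends on it running soon after set_rx_mode */`. The start of the function is outside the hunk, so how often the surrounding condition is false cannot be judged from here.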
diff --git a/queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch
new file mode 100644 (file)
index 0000000..727f63b
--- /dev/null
@@ -0,0 +1,100 @@
+From faa8f60d572e95bba57a5d16dacf0c2615cb04e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 22:06:43 +0100
+Subject: i40e: validate ring_len parameter against hardware-specific values
+
+From: Gregory Herrero <gregory.herrero@oracle.com>
+
+[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
+
+The maximum number of descriptors supported by the hardware is
+hardware-dependent and can be retrieved using
+i40e_get_max_num_descriptors(). Move this function to a shared header
+and use it when checking for valid ring_len parameter rather than using
+hardcoded value.
+
+By fixing an over-acceptance issue, behavior change could be seen where
+ring_len could now be rejected while configuring rx and tx queues if its
+size is larger than the hardware-dependent maximum number of
+descriptors.
+
+Fixes: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h             | 11 +++++++++++
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c     | 12 ------------
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |  4 ++--
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index b8de97343ad3..de3d5e5b8306 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1415,4 +1415,15 @@ static inline struct i40e_veb *i40e_pf_get_main_veb(struct i40e_pf *pf)
+       return (pf->lan_veb != I40E_NO_VEB) ? pf->veb[pf->lan_veb] : NULL;
+ }
++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
++{
++      const struct i40e_hw *hw = &pf->hw;
++
++      switch (hw->mac.type) {
++      case I40E_MAC_XL710:
++              return I40E_MAX_NUM_DESCRIPTORS_XL710;
++      default:
++              return I40E_MAX_NUM_DESCRIPTORS;
++      }
++}
+ #endif /* _I40E_H_ */
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index bce5b76f1e7a..9a96f67fb648 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2010,18 +2010,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
+               drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
+-{
+-      struct i40e_hw *hw = &pf->hw;
+-
+-      switch (hw->mac.type) {
+-      case I40E_MAC_XL710:
+-              return I40E_MAX_NUM_DESCRIPTORS_XL710;
+-      default:
+-              return I40E_MAX_NUM_DESCRIPTORS;
+-      }
+-}
+-
+ static void i40e_get_ringparam(struct net_device *netdev,
+                              struct ethtool_ringparam *ring,
+                              struct kernel_ethtool_ringparam *kernel_ring,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 646e394f5190..3251ffa7d994 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 8 */
+       if (!IS_ALIGNED(info->ring_len, 8) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_context;
+       }
+@@ -726,7 +726,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 32 */
+       if (!IS_ALIGNED(info->ring_len, 32) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_param;
+       }
+-- 
+2.51.0
+
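Review bot: In `i40e_config_vsi_tx_queue()` and `i40e_config_vsi_rx_queue()` the VF-supplied `info->ring_len` is now bounded above by `i40e_get_max_num_descriptors(pf)`, but the visible checks still accept 0, which passes both `IS_ALIGNED()` and the upper-bound comparison. Both functions start outside the hunks, as does the declaration of `pf`, so an earlier check may already reject it. If none does, adding `!info->ring_len ||` in front of the alignment test would validate this untrusted value completely in one place. The helper moved into `i40e.h` would also benefit from a one-line comment saying that the limit depends on `hw->mac.type`.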
diff --git a/queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..2b8f188
--- /dev/null
@@ -0,0 +1,113 @@
+From 73965ba79f463e594a8a6487ce26f2731db1669c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 5516795cc250..422af897d933 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1718,11 +1718,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
+-- 
+2.51.0
+
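Review bot: The loops in `iavf_config_rss_reg()` are bounded only by `adapter->rss_key_size / 4` and `adapter->rss_lut_size / 4`, with no check against the number of `IAVF_VFQF_HKEY` and `IAVF_VFQF_HLUT` registers. The commit message says the register count was the bound before (`I40E_VFQF_{HKEY,HLUT}_MAX_INDEX`). Where the two sizes are set is not visible here; if they are supplied by the PF, a clamp or a `WARN_ON_ONCE()` against the register count ahead of the loops would keep an oversized value from becoming out-of-range register writes. The integer division also silently drops trailing bytes when a size is not a multiple of 4, which deserves a comment or an assertion.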
diff --git a/queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch b/queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch
new file mode 100644 (file)
index 0000000..79ab93d
--- /dev/null
@@ -0,0 +1,57 @@
+From e32cb708e8bfb8972daa71e68ab516a026209bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 20:58:37 +0000
+Subject: idpf: reduce mbx_task schedule delay to 300us
+
+From: Brian Vazquez <brianvv@google.com>
+
+[ Upstream commit b3d6bbae1d6d5638a4ab702ab195476787cde857 ]
+
+During the IDPF init phase, the mailbox runs in poll mode until it is
+configured to properly handle interrupts. The previous delay of 300ms is
+excessively long for the mailbox polling mechanism, which causes a slow
+initialization of ~2s:
+
+echo 0000:06:12.4 > /sys/bus/pci/drivers/idpf/bind
+
+[   52.444239] idpf 0000:06:12.4: enabling device (0000 -> 0002)
+[   52.485005] idpf 0000:06:12.4: Device HW Reset initiated
+[   54.177181] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
+[   54.206177] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
+[   54.206182] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
+
+Changing the delay to 300us avoids the delays during the initial mailbox
+transactions, making the init phase much faster:
+
+[   83.342590] idpf 0000:06:12.4: enabling device (0000 -> 0002)
+[   83.384402] idpf 0000:06:12.4: Device HW Reset initiated
+[   83.518323] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
+[   83.547430] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
+[   83.547435] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
+
+Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request")
+Signed-off-by: Brian Vazquez <brianvv@google.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 371fc5052420..173ddc248867 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1214,7 +1214,7 @@ void idpf_mbx_task(struct work_struct *work)
+               idpf_mb_irq_enable(adapter);
+       else
+               queue_delayed_work(adapter->mbx_wq, &adapter->mbx_task,
+-                                 msecs_to_jiffies(300));
++                                 usecs_to_jiffies(300));
+       idpf_recv_mb_msg(adapter);
+ }
+-- 
+2.51.0
+
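Review bot: `usecs_to_jiffies(300)` in `idpf_mbx_task()` cannot produce a 300 microsecond delay, because the result is rounded up to whole jiffies, so the work is requeued after about one jiffy (1 ms at HZ=1000, 10 ms at HZ=100). The literal is therefore misleading to the next reader; either pass `1` with a comment such as `/* poll the mailbox every jiffy until interrupts are enabled */` or give the interval a named constant. With the interval this short it is also worth confirming that the polling phase always ends, since the `else` branch requeues unconditionally and the condition that selects it lies outside the hunk.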
diff --git a/queue-6.12/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.12/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..4249e5a
--- /dev/null
@@ -0,0 +1,76 @@
+From 1345effc81373c79d0a983c637a645b136f3a48e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 68e9a41eed49..1c186d132fe0 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1395,9 +1395,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
+-- 
+2.51.0
+
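Review bot: The failure path added to `ip6gre_header()` returns `-needed`, a length-derived value, for what is an allocation failure in `pskb_expand_head()`, and no comment says why this callback has to re-check headroom at all. If callers only test the sign this is harmless, but an errno would be clearer; the callers and the rest of the function are outside the hunk. A comment above the check should record the reason given in the commit message, e.g. `/* stacked devices (team, bonding) can change needed_headroom after the skb was allocated */`.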
diff --git a/queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..3c33b62
--- /dev/null
@@ -0,0 +1,73 @@
+From e2fd2e52436a14bf9626f9331efdfa7ab2de5a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index cc86031d2050..658f26d9a9ec 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
diff --git a/queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..737b1ee
--- /dev/null
@@ -0,0 +1,97 @@
+From 7f0bf7f4239f770d4c188ed0c358522f70959309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index a247bb93908b..f5cc02ea3092 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
+-- 
+2.51.0
+
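Review bot: The clamp added in `calipso_skbuff_setattr()`, `(len_delta > 0 ? len_delta : 0)`, has no comment explaining that a negative `len_delta` must never be added to the headroom passed to `skb_cow()`. Without one the expression reads as redundant and invites simplification back to the old form; `/* only ever grow: a negative len_delta would wrap the headroom argument */` above the call would do. If `len_delta` is an `int`, `max(len_delta, 0)` says the same thing more directly. The commit message places the root cause in `__skb_cow()`, which this change does not touch, so other callers that derive headroom from a signed delta are worth auditing separately.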
diff --git a/queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch b/queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch
new file mode 100644 (file)
index 0000000..da7e841
--- /dev/null
@@ -0,0 +1,64 @@
+From 20a59d097bd5ff5dc7cc3f14fcb680b14a47bdce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 13:14:12 +0800
+Subject: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 1adaea51c61b52e24e7ab38f7d3eba023b2d050d ]
+
+On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
+current task can be preempted. Another task running on the same CPU
+may then execute rt6_make_pcpu_route() and successfully install a
+pcpu_rt entry. When the first task resumes execution, its cmpxchg()
+in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
+NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
+mdelay() after rt6_get_pcpu_route().
+
+Using preempt_disable/enable is not appropriate here because
+ip6_rt_pcpu_alloc() may sleep.
+
+Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
+free our allocation and return the existing pcpu_rt installed by
+another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
+kernels where such races should not occur.
+
+Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6
+Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
+Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://patch.msgid.link/20251223051413.124687-1-jiayuan.chen@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 22866444efc0..276fa74af206 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1470,7 +1470,18 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net,
+       p = this_cpu_ptr(res->nh->rt6i_pcpu);
+       prev = cmpxchg(p, NULL, pcpu_rt);
+-      BUG_ON(prev);
++      if (unlikely(prev)) {
++              /*
++               * Another task on this CPU already installed a pcpu_rt.
++               * This can happen on PREEMPT_RT where preemption is possible.
++               * Free our allocation and return the existing one.
++               */
++              WARN_ON_ONCE(!IS_ENABLED(CONFIG_PREEMPT_RT));
++
++              dst_dev_put(&pcpu_rt->dst);
++              dst_release(&pcpu_rt->dst);
++              return prev;
++      }
+       if (res->f6i->fib6_destroying) {
+               struct fib6_info *from;
+-- 
+2.51.0
+
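Review bot: The new early `return prev;` in `rt6_make_pcpu_route()` leaves before the `res->f6i->fib6_destroying` check that follows the `cmpxchg()`, and the added comment does not say why skipping it is safe. Presumably the task that installed `prev` already ran that check; if so, the comment should say it, e.g. `The installer of prev has already handled fib6_destroying.` The comment should also state that `prev` is returned without taking an extra reference. Whether the caller expects one is not visible, since the function starts and ends outside the hunk.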
diff --git a/queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch b/queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch
new file mode 100644 (file)
index 0000000..d41cbcf
--- /dev/null
@@ -0,0 +1,89 @@
+From fe3e3cb2e41be380e0ff0c3a7e01d4427a922177 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 11:00:16 +0100
+Subject: kbuild: fix compilation of dtb specified on command-line without make
+ rule
+
+From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+
+[ Upstream commit b08fc4d0ec2466558f6d5511434efdfabbddf2a6 ]
+
+Since commit e7e2941300d2 ("kbuild: split device tree build rules into
+scripts/Makefile.dtbs"), it is no longer possible to compile a device tree
+blob that is not specified in a make rule
+like:
+    dtb-$(CONFIG_FOO) += foo.dtb
+
+Before the mentioned commit, one could copy a dts file to e.g.
+arch/arm64/boot/dts/ (or a new subdirectory) and then convert it to a dtb
+file using:
+    make ARCH=arm64 foo.dtb
+
+In this scenario, both 'dtb-y' and 'dtb-' are empty, and the inclusion of
+scripts/Makefile.dtbs relies on 'targets' to contain the MAKECMDGOALS. The
+value of 'targets', however, is only final later in the code.
+
+Move the conditional include of scripts/Makefile.dtbs down to where the
+value of 'targets' is final. Since Makefile.dtbs updates 'always-y' which is
+used as a prerequisite in the build rule, the build rule also needs to move
+down.
+
+Fixes: e7e2941300d2 ("kbuild: split device tree build rules into scripts/Makefile.dtbs")
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://patch.msgid.link/20251126100017.1162330-1-thomas.de_schampheleire@nokia.com
+Signed-off-by: Nicolas Schier <nsc@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.build | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 2c5c1a214f3b..6e07023b5442 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -449,18 +449,6 @@ ifneq ($(userprogs),)
+ include $(srctree)/scripts/Makefile.userprogs
+ endif
+-ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
+-include $(srctree)/scripts/Makefile.dtbs
+-endif
+-
+-# Build
+-# ---------------------------------------------------------------------------
+-
+-$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
+-       $(if $(KBUILD_MODULES), $(targets-for-modules)) \
+-       $(subdir-ym) $(always-y)
+-      @:
+-
+ # Single targets
+ # ---------------------------------------------------------------------------
+@@ -490,6 +478,20 @@ FORCE:
+ targets += $(filter-out $(single-subdir-goals), $(MAKECMDGOALS))
+ targets := $(filter-out $(PHONY), $(targets))
++# Now that targets is fully known, include dtb rules if needed
++ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
++include $(srctree)/scripts/Makefile.dtbs
++endif
++
++# Build
++# Needs to be after the include of Makefile.dtbs, which updates always-y
++# ---------------------------------------------------------------------------
++
++$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
++       $(if $(KBUILD_MODULES), $(targets-for-modules)) \
++       $(subdir-ym) $(always-y)
++      @:
++
+ # Read all saved command lines and dependencies for the $(targets) we
+ # may be building above, using $(if_changed{,_dep}). As an
+ # optimization, we don't need to read them if the target does not
+-- 
+2.51.0
+
diff --git a/queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch
new file mode 100644 (file)
index 0000000..9e73e88
--- /dev/null
@@ -0,0 +1,43 @@
+From cc03dfe20f7a118b98814b23c388685d61662464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 14:20:16 +0000
+Subject: ksmbd: Fix memory leak in get_file_all_info()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ]
+
+In get_file_all_info(), if vfs_getattr() fails, the function returns
+immediately without freeing the allocated filename, leading to a memory
+leak.
+
+Fix this by freeing the filename before returning in this error case.
+
+Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index a1579f76e063..e2cde9723001 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4926,8 +4926,10 @@ static int get_file_all_info(struct ksmbd_work *work,
+       ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+                         AT_STATX_SYNC_AS_STAT);
+-      if (ret)
++      if (ret) {
++              kfree(filename);
+               return ret;
++      }
+       ksmbd_debug(SMB, "filename = %s\n", filename);
+       delete_pending = ksmbd_inode_pending_delete(fp);
+-- 
+2.51.0
+
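Review bot: The new `kfree(filename)` is open-coded on this one return, so any other exit of get_file_all_info() taken after the filename allocation has to remember the same free. The function body continues outside the hunk, so whether such exits exist cannot be confirmed here. A single cleanup label (`goto out;` with `out: kfree(filename); return ret;`) would keep ownership of `filename` in one place. This sits in the SMB2 request path, so a per-request leak is presumably reachable by a connected client, which is a reason to make the cleanup hard to get wrong.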
diff --git a/queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch b/queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch
new file mode 100644 (file)
index 0000000..7f1c72a
--- /dev/null
@@ -0,0 +1,53 @@
+From 2fe74dc8c6330e27051c103a60f0c4d2990d9459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 20:44:12 +0800
+Subject: md: Fix static checker warning in analyze_sbs
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 00f6c1b4d15d35fadb7f34768a1831c81aaa8936 ]
+
+The following warn is reported:
+
+ drivers/md/md.c:3912 analyze_sbs()
+ warn: iterator 'i' not incremented
+
+Fixes: d8730f0cf4ef ("md: Remove deprecated CONFIG_MD_MULTIPATH")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-raid/7e2e95ce-3740-09d8-a561-af6bfb767f18@huaweicloud.com/T/#t
+Signed-off-by: Li Nan <linan122@huawei.com>
+Link: https://lore.kernel.org/linux-raid/20251215124412.4015572-1-linan666@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 5c39246c467e..26056d53f40c 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3729,7 +3729,6 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe
+ static int analyze_sbs(struct mddev *mddev)
+ {
+-      int i;
+       struct md_rdev *rdev, *freshest, *tmp;
+       freshest = NULL;
+@@ -3756,11 +3755,9 @@ static int analyze_sbs(struct mddev *mddev)
+       super_types[mddev->major_version].
+               validate_super(mddev, NULL/*freshest*/, freshest);
+-      i = 0;
+       rdev_for_each_safe(rdev, tmp, mddev) {
+               if (mddev->max_disks &&
+-                  (rdev->desc_nr >= mddev->max_disks ||
+-                   i > mddev->max_disks)) {
++                  rdev->desc_nr >= mddev->max_disks) {
+                       pr_warn("md: %s: %pg: only %d devices permitted\n",
+                               mdname(mddev), rdev->bdev,
+                               mddev->max_disks);
+-- 
+2.51.0
+
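Review bot: Dropping `i > mddev->max_disks` leaves the loop in analyze_sbs() limiting devices only by `rdev->desc_nr >= mddev->max_disks`, with nothing counting how many rdevs were accepted. With `i` fixed at 0 the removed test could not fire for a positive max_disks, so behaviour is unchanged, but if the original intent was to cap the number of member devices, that cap is still missing rather than fixed. If desc_nr is guaranteed unique per rdev the count is redundant, and a comment such as `/* desc_nr is unique per rdev, so this also bounds the device count */` would record that. The loop body continues outside the hunk, so the uniqueness is an assumption to confirm.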
diff --git a/queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch b/queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch
new file mode 100644 (file)
index 0000000..e54d195
--- /dev/null
@@ -0,0 +1,68 @@
+From 30f54808084e545a5408a84c6ec14c9bab2941b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 21:03:26 +0800
+Subject: md/raid5: fix possible null-pointer dereferences in
+ raid5_store_group_thread_cnt()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ]
+
+The variable mddev->private is first assigned to conf and then checked:
+
+  conf = mddev->private;
+  if (!conf) ...
+
+If conf is NULL, then mddev->private is also NULL. In this case,
+null-pointer dereferences can occur when calling raid5_quiesce():
+
+  raid5_quiesce(mddev, true);
+  raid5_quiesce(mddev, false);
+
+since mddev->private is assigned to conf again in raid5_quiesce(), and conf
+is dereferenced in several places, for example:
+
+  conf->quiesce = 0;
+  wake_up(&conf->wait_for_quiescent);
+
+To fix this issue, the function should unlock mddev and return before
+invoking raid5_quiesce() when conf is NULL, following the existing pattern
+in raid5_change_consistency_policy().
+
+Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt")
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 8e5ccca3b68b..7262b77a8e02 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7181,12 +7181,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len)
+       err = mddev_suspend_and_lock(mddev);
+       if (err)
+               return err;
++      conf = mddev->private;
++      if (!conf) {
++              mddev_unlock_and_resume(mddev);
++              return -ENODEV;
++      }
+       raid5_quiesce(mddev, true);
+-      conf = mddev->private;
+-      if (!conf)
+-              err = -ENODEV;
+-      else if (new != conf->worker_cnt_per_group) {
++      if (new != conf->worker_cnt_per_group) {
+               old_groups = conf->worker_groups;
+               if (old_groups)
+                       flush_workqueue(raid5_wq);
+-- 
+2.51.0
+
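Review bot: The early `-ENODEV` return in raid5_store_group_thread_cnt() has no comment saying why the `conf` check must come before `raid5_quiesce(mddev, true)`, and that ordering is the whole fix. Suggest a line above the check: `/* raid5_quiesce() dereferences mddev->private, so bail out before it when the array has no conf */`. The rest of the function, including the matching `raid5_quiesce(mddev, false)` mentioned in the description, lies outside the hunk.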
diff --git a/queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..e70e8a3
--- /dev/null
@@ -0,0 +1,42 @@
+From dc8994cd16febc6b94207c7550367576733fbdad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 741b0b8c4bab..a2e59108a5dc 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -247,6 +247,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..9e73bd8
--- /dev/null
@@ -0,0 +1,45 @@
+From 964c8c9ef49bb5c0e9910fbf12b04ed83d975ae8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 01eb62706412..0b666a77ea97 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1972,6 +1972,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
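Review bot: The added `is_multicast_ether_addr(ent->mac)` test in b53_fdb_copy() carries no comment, and the reason it has to come before `port != ent->port` is only stated in the commit message. Suggest `/* multicast ARL entries hold a port bitmask in ent->port, not a port number, and are not FDB entries */` above the new check. The function continues outside the hunk.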
diff --git a/queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch b/queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch
new file mode 100644 (file)
index 0000000..9e0635b
--- /dev/null
@@ -0,0 +1,102 @@
+From 25c5abc3bc60380302345ac31310b487c0704e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 17:02:36 +0200
+Subject: net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit a9f96dc59b4a50ffbf86158f315e115969172d48 ]
+
+of_find_net_device_by_node() searches net devices by their /sys/class/net/,
+entry. It is documented in its kernel-doc that:
+
+ * If successful, returns a pointer to the net_device with the embedded
+ * struct device refcount incremented by one, or NULL on failure. The
+ * refcount must be dropped when done with the net_device.
+
+We are missing a put_device(&conduit->dev) which we could place at the
+end of dsa_tree_find_first_conduit(). But to explain why calling
+put_device() right away is safe is the same as to explain why the chosen
+solution is different.
+
+The code is very poorly split: dsa_tree_find_first_conduit() was first
+introduced in commit 95f510d0b792 ("net: dsa: allow the DSA master to be
+seen and changed through rtnetlink") but was first used several commits
+later, in commit acc43b7bf52a ("net: dsa: allow masters to join a LAG").
+
+Assume there is a switch with 2 CPU ports and 2 conduits, eno2 and eno3.
+When we create a LAG (bonding or team device) and place eno2 and eno3
+beneath it, we create a 3rd conduit (the LAG device itself), but this is
+slightly different than the first two.
+
+Namely, the cpu_dp->conduit pointer of the CPU ports does not change,
+and remains pointing towards the physical Ethernet controllers which are
+now LAG ports. Only 2 things change:
+- the LAG device has a dev->dsa_ptr which marks it as a DSA conduit
+- dsa_port_to_conduit(user port) finds the LAG and not the physical
+  conduit, because of the dp->cpu_port_in_lag bit being set.
+
+When the LAG device is destroyed, dsa_tree_migrate_ports_from_lag_conduit()
+is called and this is where dsa_tree_find_first_conduit() kicks in.
+
+This is the logical mistake and the reason why introducing code in one
+patch and using it from another is bad practice. I didn't realize that I
+don't have to call of_find_net_device_by_node() again; the cpu_dp->conduit
+association was never undone, and is still available for direct (re)use.
+There's only one concern - maybe the conduit disappeared in the
+meantime, but the netdev_hold() call we made during dsa_port_parse_cpu()
+(see previous change) ensures that this was not the case.
+
+Therefore, fixing the code means reimplementing it in the simplest way.
+
+I am blaming the time of use, since this is what "git blame" would show
+if we were to monitor for the conduit's kobject's refcount remaining
+elevated instead of being freed.
+
+Tested on the NXP LS1028A, using the steps from
+Documentation/networking/dsa/configuration.rst section "Affinity of user
+ports to CPU ports", followed by (extra prints added by me):
+
+$ ip link del bond0
+mscc_felix 0000:00:00.5 swp3: Link is Down
+bond0 (unregistering): (slave eno2): Releasing backup interface
+fsl_enetc 0000:00:00.2 eno2: Link is Down
+mscc_felix 0000:00:00.5 swp0: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp1: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp2: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp3: bond0 disappeared, migrating to eno2
+
+Fixes: acc43b7bf52a ("net: dsa: allow masters to join a LAG")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20251215150236.3931670-2-vladimir.oltean@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/dsa.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
+index ac3a252969cb..97599e0d5a1d 100644
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -366,16 +366,10 @@ static struct dsa_port *dsa_tree_find_first_cpu(struct dsa_switch_tree *dst)
+ struct net_device *dsa_tree_find_first_conduit(struct dsa_switch_tree *dst)
+ {
+-      struct device_node *ethernet;
+-      struct net_device *conduit;
+       struct dsa_port *cpu_dp;
+       cpu_dp = dsa_tree_find_first_cpu(dst);
+-      ethernet = of_parse_phandle(cpu_dp->dn, "ethernet", 0);
+-      conduit = of_find_net_device_by_node(ethernet);
+-      of_node_put(ethernet);
+-
+-      return conduit;
++      return cpu_dp->conduit;
+ }
+ /* Assign the default CPU port (the first one in the tree) to all ports of the
+-- 
+2.51.0
+
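Review bot: dsa_tree_find_first_conduit() now returns `cpu_dp->conduit` as a borrowed pointer, whereas the old code returned one with an elevated device refcount, and that change of contract is not written down at the function. A comment such as `/* Returns cpu_dp->conduit without taking a reference; it stays valid through the netdev_hold() taken in dsa_port_parse_cpu() */` would stop a later caller from adding a put_device(). Separately, `cpu_dp` is dereferenced unchecked, as it was before this change; if dsa_tree_find_first_cpu() can return NULL (its body is outside the hunk), a guard is worth considering.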
diff --git a/queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..75a4a2e
--- /dev/null
@@ -0,0 +1,52 @@
+From 761547384ebf3b3a849b85d02366cf622b9d5149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index c2170650415c..4f2bd20cdc05 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..b33b659
--- /dev/null
@@ -0,0 +1,68 @@
+From 684fa7ea55ff8d8e1c7dd0c3a9d7258411769dc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 91a11067e458..6574f9bcdc02 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -160,10 +160,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
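Review bot: The first `netif_is_ovs_port(vport->dev)` in netdev_destroy() runs without the RTNL, so skipping the lock is only safe if the flag is cleared after ovs_netdev_detach_dev() has finished using `vport->dev`, or if destroy can never overlap a detach in progress. ovs_netdev_detach_dev() is outside the hunk, so this cannot be confirmed here; if the flag is cleared first, `call_rcu(&vport->rcu, vport_netdev_free)` could be queued while the detach is still running under the lock. The new comment should state which of the two guarantees is relied on. The name `ovs_db_notify_wq()` in that comment also looks like a typo for `ovs_dp_notify_wq()`.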
diff --git a/queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..c5927ae
--- /dev/null
@@ -0,0 +1,48 @@
+From f0f83b0bc0dbeeb8d731969debaabdd66436faa2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index b8078b42f5de..1676c9f4ab84 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
new file mode 100644 (file)
index 0000000..d09bbcf
--- /dev/null
@@ -0,0 +1,96 @@
+From b73f0ed1b4a7f57a6ba81a7c2d4e4af9830812a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 15:13:32 +0800
+Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
+
+There is a crash issue when running zero copy XDP_TX action, the crash
+log is shown below.
+
+[  216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
+[  216.187524] Internal error: Oops: 0000000096000144 [#1]  SMP
+[  216.301694] Call trace:
+[  216.304130]  dcache_clean_poc+0x20/0x38 (P)
+[  216.308308]  __dma_sync_single_for_device+0x1bc/0x1e0
+[  216.313351]  stmmac_xdp_xmit_xdpf+0x354/0x400
+[  216.317701]  __stmmac_xdp_run_prog+0x164/0x368
+[  216.322139]  stmmac_napi_poll_rxtx+0xba8/0xf00
+[  216.326576]  __napi_poll+0x40/0x218
+[  216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+
+For XDP_TX action, the xdp_buff is converted to xdp_frame by
+xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
+depends on the memory type of the xdp_buff. For page pool based xdp_buff
+it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
+XSK pool based xdp_buff it produces xdp_frame with memory type
+MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
+memory type and always uses the page pool type, this leads to invalid
+mappings and causes the crash. Therefore, check the xdp_buff memory type
+in stmmac_xdp_xmit_back() to fix this issue.
+
+Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c   | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index ce35a6f12679..112287a6e9ab 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
+ #define STMMAC_XDP_CONSUMED   BIT(0)
+ #define STMMAC_XDP_TX         BIT(1)
+ #define STMMAC_XDP_REDIRECT   BIT(2)
++#define STMMAC_XSK_CONSUMED   BIT(3)
+ static int flow_ctrl = FLOW_AUTO;
+ module_param(flow_ctrl, int, 0644);
+@@ -4998,6 +4999,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
+ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+                               struct xdp_buff *xdp)
+ {
++      bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
+       struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
+       int cpu = smp_processor_id();
+       struct netdev_queue *nq;
+@@ -5014,9 +5016,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+       /* Avoids TX time-out as we are sharing with slow path */
+       txq_trans_cond_update(nq);
+-      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
+-      if (res == STMMAC_XDP_TX)
++      /* For zero copy XDP_TX action, dma_map is true */
++      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
++      if (res == STMMAC_XDP_TX) {
+               stmmac_flush_tx_descriptors(priv, queue);
++      } else if (res == STMMAC_XDP_CONSUMED && zc) {
++              /* xdp has been freed by xdp_convert_buff_to_frame(),
++               * no need to call xsk_buff_free() again, so return
++               * STMMAC_XSK_CONSUMED.
++               */
++              res = STMMAC_XSK_CONSUMED;
++              xdp_return_frame(xdpf);
++      }
+       __netif_tx_unlock(nq);
+@@ -5366,6 +5377,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               case STMMAC_XDP_CONSUMED:
+                       xsk_buff_free(buf->xdp);
++                      fallthrough;
++              case STMMAC_XSK_CONSUMED:
+                       rx_dropped++;
+                       break;
+               case STMMAC_XDP_TX:
+-- 
+2.51.0
+
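Review bot: `STMMAC_XSK_CONSUMED` is defined with no comment, although it differs from `STMMAC_XDP_CONSUMED` only in who has already released the buffer, and that distinction is what keeps stmmac_rx_zc() from calling `xsk_buff_free()` a second time. Suggest documenting it at the define: `/* zero-copy buffer already released by the XDP_TX path; caller must not xsk_buff_free() it */`. In stmmac_xdp_xmit_back() the `!!` around `xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL` is redundant, since the comparison already yields 0 or 1. The exits between the `zc` declaration and the transmit call are outside the hunks, so it should be confirmed that they return `STMMAC_XDP_CONSUMED` only while the XSK buffer is still owned by the caller.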
diff --git a/queue-6.12/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.12/net-usb-asix-validate-phy-address-before-use.patch
new file mode 100644 (file)
index 0000000..1efd482
--- /dev/null
@@ -0,0 +1,53 @@
+From 6b36b6b00f66b71c85a3613772dd95cc0c648d2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 06:41:56 +0530
+Subject: net: usb: asix: validate PHY address before use
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
+
+The ASIX driver reads the PHY address from the USB device via
+asix_read_phy_addr(). A malicious or faulty device can return an
+invalid address (>= PHY_MAX_ADDR), which causes a warning in
+mdiobus_get_phy():
+
+  addr 207 out of range
+  WARNING: drivers/net/phy/mdio_bus.c:76
+
+Validate the PHY address in asix_read_phy_addr() and remove the
+now-redundant check in ax88172a.c.
+
+Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
+Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
+Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 7fd763917ae2..6ab3486072cb 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
+       offset = (internal ? 1 : 0);
+       ret = buf[offset];
++      if (ret >= PHY_MAX_ADDR) {
++              netdev_err(dev->net, "invalid PHY address: %d\n", ret);
++              return -ENODEV;
++      }
++
+       netdev_dbg(dev->net, "%s PHY address 0x%x\n",
+                  internal ? "internal" : "external", ret);
+-- 
+2.51.0
+
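Review bot: The description says the now-redundant check in ax88172a.c is removed, but the diffstat of this queued patch lists only drivers/net/usb/asix_common.c, so in this tree that older check presumably stays in place. That is harmless if it tests the same bound, but the mismatch is worth a line in the backport notes. In asix_read_phy_addr() the new `netdev_err()` logs a device-supplied value each time the read is attempted, so a once-only or rate-limited log variant would keep a misbehaving device from filling the log. The callers are outside the hunk; they need to treat a negative return as an error rather than store it as an address.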
diff --git a/queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..c0116f7
--- /dev/null
@@ -0,0 +1,47 @@
+From 02f1ecc3b56d1eb5d7a66e7aafc4e53f55dd1555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 278e6cb6f4d9..e40b0669d9f4 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..aaa12b0
--- /dev/null
@@ -0,0 +1,45 @@
+From 2624de2fa3da88c72903d4b8496dfef13912f4d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 5197ce816581..cc6a63e2573f 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
+-- 
+2.51.0
+
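Review bot: The new minimum in otx2_set_ringparam() is a bare `16` written twice, once in the condition and once in the log text, and it is tested on `ring->rx_pending` after `rx_count` has already been clamped to `rq_skid`. The guard and the value handed to `Q_SIZE()` on the next line are therefore two different variables. Rejecting the user-supplied `ethtool -G` size before any derived value is computed, against one named constant, keeps the check valid if the clamp logic changes later. A comment such as `/* Q_SIZE() cannot encode ring sizes below 16 */` would record why the bound exists; that reading comes from the commit message, since the macro is not in the hunk. The function body continues outside the hunk.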
diff --git a/queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch b/queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch
new file mode 100644 (file)
index 0000000..aa268c2
--- /dev/null
@@ -0,0 +1,61 @@
+From e98df0b4da1603824e9da1cbdbc3d387e4388abb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 12:18:13 +0000
+Subject: platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event
+ names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit f13bce715d1600698310a4a7832f6a52499d5395 ]
+
+Some event names have trailing whitespaces at the end which causes programming
+of counters using the name for these specific events to fail and hence need to
+be removed.
+
+Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://patch.msgid.link/065cbae0717dcc1169681c4dbb1a6e050b8574b3.1766059953.git.shravankr@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 9a0220b4de3c..67d9b19731ed 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -796,18 +796,18 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_miss_events[] = {
+       {11, "GDC_MISS_MACHINE_CHI_TXDAT"},
+       {12, "GDC_MISS_MACHINE_CHI_RXDAT"},
+       {13, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_0"},
+-      {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1 "},
++      {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1"},
+       {15, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_2"},
+-      {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3 "},
+-      {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0 "},
+-      {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1 "},
+-      {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2 "},
+-      {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3 "},
++      {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3"},
++      {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0"},
++      {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1"},
++      {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2"},
++      {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3"},
+       {21, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_0"},
+       {22, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_1"},
+       {23, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_2"},
+       {24, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_3"},
+-      {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0 "},
++      {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0"},
+       {26, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_1"},
+       {27, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_2"},
+       {28, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_3"},
+-- 
+2.51.0
+
diff --git a/queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
new file mode 100644 (file)
index 0000000..53ac6c5
--- /dev/null
@@ -0,0 +1,129 @@
+From b9576a13baa179ed9d882e514323d90496fbd9fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Dec 2025 19:42:05 +0800
+Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI
+ package parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
+
+The hp_populate_*_elements_from_package() functions in the hp-bioscfg
+driver contain out-of-bounds array access vulnerabilities.
+
+These functions parse ACPI packages into internal data structures using
+a for loop with index variable 'elem' that iterates through
+enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
+
+When processing multi-element fields like PREREQUISITES and
+ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
+elements using expressions like 'enum_obj[elem + reqs]' and
+'enum_obj[elem + pos_values]' within nested loops.
+
+The bug is that the bounds check only validated elem, but did not consider
+the additional offset when accessing elem + reqs or elem + pos_values.
+
+The fix changes the bounds check to validate the actual accessed index.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c       | 4 ++--
+ drivers/platform/x86/hp/hp-bioscfg/int-attributes.c        | 2 +-
+ drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c  | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/string-attributes.c     | 2 +-
+ 5 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+index c50ad5880503..f346aad8e9d8 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+               case PREREQUISITES:
+                       size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + reqs >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+                       for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
+                            pos_values++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + pos_values >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+index 6c7f4d5fa9cb..63b1fda2be4e 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
+                       size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= integer_obj_count) {
++                              if (elem + reqs >= integer_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+index c6e57bb9d8b7..6a31f47ce3f5 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
+                       size = min_t(u32, ordered_list_data->common.prerequisites_size,
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= order_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
+                                                              order_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+index 35936c05e45b..a5c457d06b9c 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= password_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
+                                                              password_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+index 27758b779b2d..7b885d25650c 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= string_obj_count) {
++                              if (elem + reqs >= string_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+-- 
+2.51.0
+
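Review bot: In the order-list and password hunks the index that is now bounds-checked goes straight into `order_obj[elem + reqs].string.pointer` and `.string.length` (likewise `password_obj[...]`), and nothing visible between the new check and that use confirms the element is a string object. The elements come from an ACPI package, so an in-range element of another type would have its union read through the wrong member. If the type is not validated elsewhere in the loop, add `if (order_obj[elem + reqs].type != ACPI_TYPE_STRING) return -EINVAL;` after the bounds check, and the equivalent in the sibling parsers. The enclosing functions start and end outside these hunks, so an existing type check there cannot be ruled out.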
diff --git a/queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..9f6aeba
--- /dev/null
@@ -0,0 +1,47 @@
+From 7ad288b22f92889a268c54071e95353776d26e81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 231b37909801..139956168cf9 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -273,7 +273,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
+-- 
+2.51.0
+
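Review bot: With the stride corrected, the last iterations of the loop in ibm_rtl_init() place `tmp` within a few bytes of the end of the region, and `readq(&tmp->signature)` then reads eight bytes, which can reach past the `ebda_size` bytes the loop bound is based on. The old one-byte stride stayed in the first quarter of the region, so this overrun is new with the change. Stopping while a whole read still fits, e.g. `if (i * sizeof(unsigned int) + sizeof(u64) > ebda_size) break;` at the top of the body, keeps the scan inside the region. The fields read after a match need the same room, and that code is outside the hunk. This assumes `signature` sits at the start of the table, which the in-code comment suggests but the hunk does not show.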
diff --git a/queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..d897ffe
--- /dev/null
@@ -0,0 +1,42 @@
+From c042a37fe7032d78793766b8ebe87f159dba6b59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index e5391a37014d..db3dadd29b29 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
diff --git a/queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..4f5242d
--- /dev/null
@@ -0,0 +1,40 @@
+From 7628cb03dc1300330f5e3ffa942d517d632d0a1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index f1a4bce6ce64..dfb72a5adc91 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..c57ae43
--- /dev/null
@@ -0,0 +1,58 @@
+From c3b6fececed402cfe0760ccc8dcee03a35731b69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index c2abf2bb8026..c1587845f280 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2823,14 +2823,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..e909f33
--- /dev/null
@@ -0,0 +1,45 @@
+From 724757e79b1d7f5c61c143f75a2443a8a4f38caa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 7a099580ca8b..38ded4687122 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -1117,7 +1117,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->dbinfo.flags = 0;
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
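Review bot: The corrected test in bnxt_qplib_map_creq_db() now fires for an unassigned BAR, but the branch still only logs: no `return` follows `dev_err()` in the visible lines, so a `bar_base` of 0 appears to be carried into whatever mapping code comes next. Failing here, `if (!creq_db->reg.bar_base) { dev_err(...); return -ENOMEM; }`, would stop the driver from mapping an offset from physical address zero; use whichever error code the callers already handle. The format string also lacks a trailing `\n`. The rest of the function is outside the hunk, so confirm that nothing later already rejects the zero base.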
diff --git a/queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..39a2620
--- /dev/null
@@ -0,0 +1,50 @@
+From 8af2d7058a6126389d1be138d58680df12ba1bb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index b785d9e7774c..f1a4bce6ce64 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch b/queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch
new file mode 100644 (file)
index 0000000..335d6db
--- /dev/null
@@ -0,0 +1,45 @@
+From 55c6ff662e7dbd0450ad8280d4ba499e320477ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:11:33 +0900
+Subject: RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit fa3c411d21ebc26ffd175c7256c37cefa35020aa ]
+
+Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add
+support to add/delete a sub IB device through netlink") grabs a reference
+using ib_device_get_by_index() before calling ib_del_sub_device_and_put(),
+we need to drop that reference before returning -EOPNOTSUPP error.
+
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
+Fixes: bca51197620a ("RDMA/core: Support IB sub device with type "SMI"")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://patch.msgid.link/80749a85-cbe2-460c-8451-42516013f9fa@I-love.SAKURA.ne.jp
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index df2aa15a5bc9..bbc131737378 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -2823,8 +2823,10 @@ int ib_del_sub_device_and_put(struct ib_device *sub)
+ {
+       struct ib_device *parent = sub->parent;
+-      if (!parent)
++      if (!parent) {
++              ib_device_put(sub);
+               return -EOPNOTSUPP;
++      }
+       mutex_lock(&parent->subdev_lock);
+       list_del(&sub->subdev_list);
+-- 
+2.51.0
+
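Review bot: ib_del_sub_device_and_put() now consumes the caller's reference on every path, and that contract should be written above the function, because a caller that also puts on error would now drop the reference twice. Suggested comment: `/* Consumes the reference on @sub on all paths, including the -EOPNOTSUPP return. */`. The commit message names nldev_deldev() as a caller; any other caller that called ib_device_put() itself after a failure needs the matching change. The function body continues past the hunk.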
diff --git a/queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..24b9f9d
--- /dev/null
@@ -0,0 +1,39 @@
+From c84ee1b1235bb823a22048224ecd3359e2f5fb75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index dc40001072a5..8dd96dc98fd3 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
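Review bot: Fixing the `|| RDMA_NETWORK_ROCE_V1` term makes the code after this `else if` in ib_get_gids_from_rdma_hdr() reachable for the first time, since the branch used to be taken for every net_type not handled earlier. That tail is outside the hunk; it should return an error, and callers need to check it, because `*sgid` and `*dgid` are no longer always written. A `switch (net_type)` with an explicit `default: return -EINVAL;` would make the accepted types visible and would not allow a stray constant in the condition.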
diff --git a/queue-6.12/rdma-efa-remove-possible-negative-shift.patch b/queue-6.12/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..1ca3a46
--- /dev/null
@@ -0,0 +1,47 @@
+From 162e579f34793fe8cce7d39acce35de590ac33aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index cc13415ff7e7..46eddef7a1cc 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1241,13 +1241,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
new file mode 100644 (file)
index 0000000..64c3532
--- /dev/null
@@ -0,0 +1,83 @@
+From 501569d4a9c76750abba2432d2fe4d880a7de990 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:31:50 +0100
+Subject: RDMA/irdma: avoid invalid read in irdma_net_event
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
+
+irdma_net_event() should not dereference anything from "neigh" (alias
+"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
+Other events come with different structures pointed to by "ptr" and they
+may be smaller than struct neighbour.
+
+Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
+
+The bug is mostly harmless, but it triggers KASAN on debug kernels:
+
+ BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
+ Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
+
+ CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
+ Hardware name: [...]
+ Workqueue: events rt6_probe_deferred
+ Call Trace:
+  <IRQ>
+  dump_stack_lvl+0x60/0xb0
+  print_address_description.constprop.0+0x2c/0x3f0
+  print_report+0xb4/0x270
+  kasan_report+0x92/0xc0
+  irdma_net_event+0x32e/0x3b0 [irdma]
+  notifier_call_chain+0x9e/0x180
+  atomic_notifier_call_chain+0x5c/0x110
+  rt6_do_redirect+0xb91/0x1080
+  tcp_v6_err+0xe9b/0x13e0
+  icmpv6_notify+0x2b2/0x630
+  ndisc_redirect_rcv+0x328/0x530
+  icmpv6_rcv+0xc16/0x1360
+  ip6_protocol_deliver_rcu+0xb84/0x12e0
+  ip6_input_finish+0x117/0x240
+  ip6_input+0xc4/0x370
+  ipv6_rcv+0x420/0x7d0
+  __netif_receive_skb_one_core+0x118/0x1b0
+  process_backlog+0xd1/0x5d0
+  __napi_poll.constprop.0+0xa3/0x440
+  net_rx_action+0x78a/0xba0
+  handle_softirqs+0x2d4/0x9c0
+  do_softirq+0xad/0xe0
+  </IRQ>
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 0422787592d8..87a6d58663de 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+                   void *ptr)
+ {
+       struct neighbour *neigh = ptr;
+-      struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
++      struct net_device *real_dev, *netdev;
+       struct irdma_device *iwdev;
+       struct ib_device *ibdev;
+       __be32 *p;
+@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+       switch (event) {
+       case NETEVENT_NEIGH_UPDATE:
++              netdev = neigh->dev;
+               real_dev = rdma_vlan_dev_real_dev(netdev);
+               if (!real_dev)
+                       real_dev = netdev;
+-- 
+2.51.0
+
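Review bot: In irdma_net_event() the declaration `struct neighbour *neigh = ptr;` still hands every event a typed neighbour alias, so a later edit can reintroduce the out-of-bounds read that this patch removes for `neigh->dev`. Assigning it inside the case as well, `neigh = ptr;` directly above `netdev = neigh->dev;`, keeps the conversion next to the event check that justifies it. A one-line comment such as `/* ptr is a struct neighbour only for NETEVENT_NEIGH_UPDATE */` would record the rule. The function body continues outside both hunks, so any use of netdev after the switch should be checked now that it has no initializer.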
diff --git a/queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
new file mode 100644 (file)
index 0000000..f87e079
--- /dev/null
@@ -0,0 +1,40 @@
+From 3e6a4e86b6893cbacfc99391e648cf3b96133ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 10:56:17 +0800
+Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
+
+From: Honggang LI <honggangli@163.com>
+
+[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
+
+If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
+are zero, the `min3` function will set clt_path::max_pages_per_mr to
+zero.
+
+`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
+to `ib_alloc_mr`.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 71387811b281..2b397a544cb9 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1464,6 +1464,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
+       mr_page_shift      = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
+       max_pages_per_mr   = ib_dev->attrs.max_mr_size;
+       do_div(max_pages_per_mr, (1ull << mr_page_shift));
++      max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
+       clt_path->max_pages_per_mr =
+               min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
+                    ib_dev->attrs.max_fast_reg_page_list_len);
+-- 
+2.51.0
+
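Review bot: The added `min_not_zero((u32)max_pages_per_mr, U32_MAX)` in query_fast_reg_mode() truncates before it compares, so a quotient wider than 32 bits is only repaired when its low 32 bits happen to be zero. A constructed value such as 0x100000001 becomes 1 instead of saturating. Assuming max_pages_per_mr is a 64-bit variable, as the do_div() call suggests, clamping first avoids that: `max_pages_per_mr = min_t(u64, max_pages_per_mr, U32_MAX);` ahead of the added line. The rest of the function is outside the hunk.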
diff --git a/queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..76f4341
--- /dev/null
@@ -0,0 +1,93 @@
+From 48a3c7ee27dd803d504bcfec034202209ff1451c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
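Review bot: The `cat trace | sed -e '…' | md5sum` pipeline is now written out twice, once for csum1 and once for csum2, so the two expressions can drift apart and make the comparison fail for a reason unrelated to tracing. A small helper keeps them identical and drops the extra cat: `csum_trace() { sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' trace | md5sum; }`, used as `csum1=$(csum_trace)` and `csum2=$(csum_trace)`. The existing comment about cached names would then sit once, above the helper.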
diff --git a/queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
new file mode 100644 (file)
index 0000000..532b218
--- /dev/null
@@ -0,0 +1,97 @@
+From 3f7e17de91ced4c2779738522f3c3685ab6a937d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 12:06:41 -0500
+Subject: selftests: net: fix "buffer overflow detected" for tap.c
+
+From: Alice C. Munduruca <alice.munduruca@canonical.com>
+
+[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
+
+When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
+the strcpy() in rtattr_add_strsz() is replaced with a checked
+version which causes the test to consistently fail when compiled
+with toolchains for which this option is enabled by default.
+
+ TAP version 13
+ 1..3
+ # Starting 3 tests from 1 test cases.
+ #  RUN           tap.test_packet_valid_udp_gso ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_gso: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_gso
+ not ok 1 tap.test_packet_valid_udp_gso
+ #  RUN           tap.test_packet_valid_udp_csum ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_csum: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_csum
+ not ok 2 tap.test_packet_valid_udp_csum
+ #  RUN           tap.test_packet_crash_tap_invalid_eth_proto ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
+ #          FAIL  tap.test_packet_crash_tap_invalid_eth_proto
+ not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
+ # FAILED: 0 / 3 tests passed.
+ # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
+
+A buffer overflow is detected by the fortified glibc __strcpy_chk()
+since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
+reported as 1, even though there is ample space in its bounding
+buffer `req`.
+
+Additionally, given that IFLA_IFNAME also expects a null-terminated
+string, callers of rtaddr_add_str{,sz}() could simply use the
+rtaddr_add_strsz() variant. (which has been renamed to remove the
+trailing `sz`) memset() has been used for this function since it
+is unchecked and thus circumvents the issue discussed in the
+previous paragraph.
+
+Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
+Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tap.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
+index 247c3b3ac1c9..51a209014f1c 100644
+--- a/tools/testing/selftests/net/tap.c
++++ b/tools/testing/selftests/net/tap.c
+@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
+ static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
+                                    const char *s)
+ {
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s));
++      unsigned int strsz = strlen(s) + 1;
++      struct rtattr *rta;
+-      memcpy(RTA_DATA(rta), s, strlen(s));
+-      return rta;
+-}
+-
+-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
+-                                     const char *s)
+-{
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
++      rta = rtattr_add(nh, type, strsz);
+-      strcpy(RTA_DATA(rta), s);
++      memcpy(RTA_DATA(rta), s, strsz);
+       return rta;
+ }
+@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
+       link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
+-      rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
++      rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
+       if (fill_info_data) {
+               info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
+-- 
+2.51.0
+
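Review bot: `unsigned int strsz = strlen(s) + 1;` in rtattr_add_str() narrows a size_t, and the plain memcpy() that replaces the fortified strcpy() has no bound of its own. The copy is therefore only as safe as the space rtattr_add() reserved in the caller's request buffer, and rtattr_add() is not visible in this hunk. Declaring `size_t strsz = strlen(s) + 1;` and adding a comment like `/* copies s with its NUL; relies on rtattr_add() having reserved strsz bytes */` would make that dependency explicit. Existing rtattr_add_str() callers now also send one byte more than before, which the commit message describes as intended for IFLA_IFNAME.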
index 7b6d81391a24c45906d351976ced2dc724171d35..257aa28d2bdc795deca93c13550183223d8b5e5c 100644 (file)
@@ -291,3 +291,53 @@ arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch
 x86-msi-make-irq_retrigger-functional-for-posted-msi.patch
 iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
 fuse-fix-readahead-reclaim-deadlock.patch
+wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
+wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch
+wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
+wifi-mac80211-do-not-use-old-mbssid-elements.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+i40e-validate-ring_len-parameter-against-hardware-sp.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+idpf-reduce-mbx_task-schedule-delay-to-300us.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch
+amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
+smc91x-fix-broken-irq-context-in-preempt_rt.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+kbuild-fix-compilation-of-dtb-specified-on-command-l.patch
+net-usb-asix-validate-phy-address-before-use.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch
+platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch
+rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+md-fix-static-checker-warning-in-analyze_sbs.patch
+md-raid5-fix-possible-null-pointer-dereferences-in-r.patch
+ksmbd-fix-memory-leak-in-get_file_all_info.patch
+rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch
new file mode 100644 (file)
index 0000000..01c9cfb
--- /dev/null
@@ -0,0 +1,72 @@
+From 045b7ff22780ba6efad0d64191c8e7f382272897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 08:51:15 +0000
+Subject: smc91x: fix broken irq-context in PREEMPT_RT
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
+
+When smc91x.c is built with PREEMPT_RT, the following splat occurs
+in FVP_RevC:
+
+[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
+[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
+[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
+[   13.062266] C
+** replaying previous printk message **
+[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
+[   13.062353] Hardware name:  , BIOS
+[   13.062382] Workqueue: mld mld_ifc_work
+[   13.062469] Call trace:
+[   13.062494]  show_stack+0x24/0x40 (C)
+[   13.062602]  __dump_stack+0x28/0x48
+[   13.062710]  dump_stack_lvl+0x7c/0xb0
+[   13.062818]  dump_stack+0x18/0x34
+[   13.062926]  process_scheduled_works+0x294/0x450
+[   13.063043]  worker_thread+0x260/0x3d8
+[   13.063124]  kthread+0x1c4/0x228
+[   13.063235]  ret_from_fork+0x10/0x20
+
+This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
+but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
+The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
+and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
+rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
+
+To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
+
+Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc91x.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index a5e23e2da90f..953a1d22e60a 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -516,15 +516,7 @@ static inline void  smc_rcv(struct net_device *dev)
+  * any other concurrent access and C would always interrupt B. But life
+  * isn't that easy in a SMP world...
+  */
+-#define smc_special_trylock(lock, flags)                              \
+-({                                                                    \
+-      int __ret;                                                      \
+-      local_irq_save(flags);                                          \
+-      __ret = spin_trylock(lock);                                     \
+-      if (!__ret)                                                     \
+-              local_irq_restore(flags);                               \
+-      __ret;                                                          \
+-})
++#define smc_special_trylock(lock, flags)      spin_trylock_irqsave(lock, flags)
+ #define smc_special_lock(lock, flags)         spin_lock_irqsave(lock, flags)
+ #define smc_special_unlock(lock, flags)       spin_unlock_irqrestore(lock, flags)
+ #else
+-- 
+2.51.0
+
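Review bot: Nothing next to the macro records why smc_special_trylock() has to be the stock primitive. According to the commit message, the open-coded local_irq_save() plus spin_trylock() did not pair with spin_unlock_irqrestore() on PREEMPT_RT. A comment above the three defines, for example `/* Keep these as the plain spin_*_irqsave/irqrestore helpers; open-coded IRQ disabling does not pair with them on PREEMPT_RT. */`, would keep the old form from coming back. The surrounding preprocessor block starts and ends outside the hunk.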
diff --git a/queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..8b573a7
--- /dev/null
@@ -0,0 +1,101 @@
+From 841d764e95725834b429d7720cbb85295e063247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index 94c40c5cebdd..50732f9699ee 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -877,7 +877,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
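Review bot: team_queue_override_port_prio_changed() now depends on an invariant that the hunk does not write down: only a port that is enabled and has a non-zero queue_id is linked in a qom_list, so `__team_queue_override_port_del()` is safe only under exactly this guard. A comment above the check, e.g. `/* Only enabled ports with a queue_id are linked in a qom_list; a disabled port was already unlinked. */`, would document it. It is also worth confirming, outside this hunk, that re-enabling a port inserts it with the priority that was changed while it was disabled.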
diff --git a/queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch b/queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch
new file mode 100644 (file)
index 0000000..f703890
--- /dev/null
@@ -0,0 +1,46 @@
+From 3786d5569429e25ca3831c35967e66b40d11fa1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 14:31:50 +0000
+Subject: vfio/pds: Fix memory leak in pds_vfio_dirty_enable()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 665077d78dc7941ce6a330c02023a2b469cc8cc7 ]
+
+pds_vfio_dirty_enable() allocates memory for region_info. If
+interval_tree_iter_first() returns NULL, the function returns -EINVAL
+immediately without freeing the allocated memory, causing a memory leak.
+
+Fix this by jumping to the out_free_region_info label to ensure
+region_info is freed.
+
+Fixes: 2e7c6feb4ef52 ("vfio/pds: Add multi-region support")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://lore.kernel.org/r/20251225143150.1117366-1-zilin@seu.edu.cn
+Signed-off-by: Alex Williamson <alex@shazbot.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/pds/dirty.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/pds/dirty.c b/drivers/vfio/pci/pds/dirty.c
+index 481992142f79..4915a7c1c491 100644
+--- a/drivers/vfio/pci/pds/dirty.c
++++ b/drivers/vfio/pci/pds/dirty.c
+@@ -292,8 +292,11 @@ static int pds_vfio_dirty_enable(struct pds_vfio_pci_device *pds_vfio,
+       len = num_ranges * sizeof(*region_info);
+       node = interval_tree_iter_first(ranges, 0, ULONG_MAX);
+-      if (!node)
+-              return -EINVAL;
++      if (!node) {
++              err = -EINVAL;
++              goto out_free_region_info;
++      }
++
+       for (int i = 0; i < num_ranges; i++) {
+               struct pds_lm_dirty_region_info *ri = &region_info[i];
+               u64 region_size = node->last - node->start + 1;
+-- 
+2.51.0
+
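Review bot: The loop after the fixed check dereferences `node->last` and `node->start` on each of the num_ranges iterations, but only the first node is tested for NULL. If node is advanced inside the loop (that part is outside the hunk) and the tree holds fewer entries than num_ranges, the same NULL case recurs. A guard at the top of the loop body, `if (!node) { err = -EINVAL; goto out_free_region_info; }`, would cover it. Both the allocation of region_info and the out_free_region_info label are outside the hunk.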
diff --git a/queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
new file mode 100644 (file)
index 0000000..740aa25
--- /dev/null
@@ -0,0 +1,38 @@
+From e08e94dc4d4633f818d3a59fd0d4939ae9128b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Dec 2025 14:14:47 +0300
+Subject: wifi: cfg80211: sme: store capped length in
+ __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
+
+The QGenie AI code review tool says we should store the capped length to
+wdev->u.client.ssid_len.  The AI is correct.
+
+Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index e0d3c713538b..d8250ae17d94 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -913,7 +913,7 @@ void __cfg80211_connect_result(struct net_device *dev,
+                       ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+                       memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+-                      wdev->u.client.ssid_len = ssid->datalen;
++                      wdev->u.client.ssid_len = ssid_len;
+                       break;
+               }
+               rcu_read_unlock();
+-- 
+2.51.0
+
diff --git a/queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch
new file mode 100644 (file)
index 0000000..43b18a4
--- /dev/null
@@ -0,0 +1,68 @@
+From 22a4a71bec6dca8c19fc3b474db95cb145627087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 09:46:56 -0800
+Subject: wifi: mac80211: do not use old MBSSID elements
+
+From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+
+[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
+
+When userspace brings down and deletes a non-transmitted profile,
+it is expected to send a new updated Beacon template for the
+transmitted profile of that multiple BSSID (MBSSID) group which
+does not include the removed profile in MBSSID element. This
+update comes via NL80211_CMD_SET_BEACON.
+
+Such updates work well as long as the group continues to have at
+least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
+is included in the new Beacon template.
+
+But when the last non-trasmitted profile is removed, it still
+gets included in Beacon templates sent to driver. This happens
+because when no MBSSID elements are sent by the userspace,
+ieee80211_assign_beacon() ends up using the element stored from
+earlier Beacon template.
+
+Do not copy old MBSSID elements, instead userspace should always
+include these when applicable.
+
+Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
+Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 2df4df75f195..0abb687fd58d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1140,7 +1140,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       size = sizeof(*new) + new_head_len + new_tail_len;
+-      /* new or old multiple BSSID elements? */
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+@@ -1150,15 +1149,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+               }
+               size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+                                                       mbssid->cnt);
+-      } else if (old && old->mbssid_ies) {
+-              mbssid = old->mbssid_ies;
+-              size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              if (old && old->rnr_ies) {
+-                      rnr = old->rnr_ies;
+-                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
+-              }
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+-                                                      mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+-- 
+2.51.0
+
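Review bot: With the old comment and the `else if (old && old->mbssid_ies)` branch removed, ieee80211_assign_beacon() no longer says that MBSSID and RNR elements are deliberately not carried over from the previous beacon. A short comment above `if (params->mbssid_ies) {`, such as `/* MBSSID/RNR elements are never inherited from the old beacon; userspace must resend them with every update. */`, would keep the fallback from being re-added as a convenience. The function continues outside both hunks, so any later copy from old->mbssid_ies there would need the same treatment.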
diff --git a/queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch b/queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch
new file mode 100644 (file)
index 0000000..acde61d
--- /dev/null
@@ -0,0 +1,42 @@
+From fa69d7c6d0b101a451fdae8e12d1cfe4b9fd99c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 16:37:08 +0800
+Subject: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
+
+From: Morning Star <alexbestoso@gmail.com>
+
+[ Upstream commit dd39edb445f07400e748da967a07d5dca5c5f96e ]
+
+TID getting from ieee80211_get_tid() might be out of range of array size
+of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise,
+UBSAN warn:
+
+ UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
+ index 10 is out of range for type 'rtl_tid_data [9]'
+
+Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation")
+Signed-off-by: Morning Star <alexbestoso@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+index aa702ba7c9f5..d6c35e8d02a5 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+@@ -511,7 +511,8 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw,
+       if (sta) {
+               sta_entry = (struct rtl_sta_info *)sta->drv_priv;
+               tid = ieee80211_get_tid(hdr);
+-              agg_state = sta_entry->tids[tid].agg.agg_state;
++              if (tid < MAX_TID_COUNT)
++                      agg_state = sta_entry->tids[tid].agg.agg_state;
+               ampdu_density = sta->deflink.ht_cap.ampdu_density;
+       }
+-- 
+2.51.0
+
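Review bot: In the inner hunk for rtl92cu_tx_fill_desc(), a TID at or above MAX_TID_COUNT now skips the assignment, so `agg_state` keeps whatever value it had before the `if (sta)` block. Its declaration is outside the hunk, so confirm it is initialised to a non-aggregating default rather than left indeterminate. The TID comes from the frame header via `ieee80211_get_tid(hdr)`, so this bound is the only thing between a header field and the `tids[]` index. A comment on the guard such as `/* TID from the header can exceed tids[]; keep the default agg_state */` would record that.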
diff --git a/queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
new file mode 100644 (file)
index 0000000..f22f0d5
--- /dev/null
@@ -0,0 +1,51 @@
+From 58b7e6d207a46a5155840b11e93b81d20a107638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Nov 2025 09:38:49 +0800
+Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]
+
+The indirect IO is necessary for RTL8822CS, but not necessary for other
+chips. Otherwiese, it throws errors and becomes unusable.
+
+ rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+ rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+
+By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but
+RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.
+
+Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
+Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
+index d6bea5ec8e24..d8db341a5731 100644
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -144,8 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr,
+ static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr)
+ {
++      bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;
++
+       if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) &&
+-          !rtw_sdio_is_bus_addr(addr))
++          !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off)
+               return false;
+       return !rtw_sdio_is_sdio30_supported(rtwdev) ||
+-- 
+2.51.0
+
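Review bot: The reason for the new chip test in rtw_sdio_use_direct_io() lives only in the variable name `might_indirect_under_power_off`. The description says that, going by the vendor driver, only RTL8822CS (and the not-yet-supported RTL8822ES) needs indirect IO before power-on. A comment such as `/* only RTL8822CS needs indirect IO while powered off (per vendor driver) */` next to the assignment would keep that visible when another chip is added. The function's final return expression continues outside the hunk.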
diff --git a/queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
new file mode 100644 (file)
index 0000000..0c260e6
--- /dev/null
@@ -0,0 +1,53 @@
+From 9f22c45d81f4dc61945063744f4792f13b70ee23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 20:47:28 +0530
+Subject: amd-xgbe: reset retries and mode on RX adapt failures
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
+
+During the stress tests, early RX adaptation handshakes can fail, such
+as missing the RX_ADAPT ACK or not receiving a coefficient update before
+block lock is established. Continuing to retry RX adaptation in this
+state is often ineffective if the current mode selection is not viable.
+
+Resetting the RX adaptation retry counter when an RX_ADAPT request fails
+to receive ACK or a coefficient update prior to block lock, and clearing
+mode_set so the next bring-up performs a fresh mode selection rather
+than looping on a likely invalid configuration.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index a56efc1bee33..450a573960e7 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -1927,6 +1927,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
+ {
+       if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) {
+               pdata->rx_adapt_retries = 0;
++              pdata->mode_set = false;
+               return;
+       }
+@@ -1973,6 +1974,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
+                */
+               netif_dbg(pdata, link, pdata->netdev, "Block_lock done");
+               pdata->rx_adapt_done = true;
++              pdata->rx_adapt_retries = 0;
+               pdata->mode_set = false;
+               return;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
new file mode 100644 (file)
index 0000000..0c0024f
--- /dev/null
@@ -0,0 +1,39 @@
+From b3cd50a05f25456b4ac830355422fb8b5e795f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 17:17:05 +0800
+Subject: blk-mq: skip CPU offline notify on unmapped hctx
+
+From: Cong Zhang <cong.zhang@oss.qualcomm.com>
+
+[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
+
+If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
+allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
+notifier can still run for that hctx, return early since hctx cannot
+hold any requests.
+
+Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index ea5f948af7a4..a03f52ab87d6 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3710,7 +3710,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
++      if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+-- 
+2.51.0
+
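Review bot: The new `!hctx->nr_ctx` test in blk_mq_hctx_notify_offline() has no comment, and nothing in the code says that it stands in for a NULL `hctx->tags`. According to the description, an hctx with no software ctx mapped never gets tags allocated, so this early return is what keeps the code after it from touching them. I would add `/* unmapped hctx: no tags were allocated and no requests can be pending */` above the condition. The rest of the function is outside the hunk.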
diff --git a/queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
new file mode 100644 (file)
index 0000000..0256dc5
--- /dev/null
@@ -0,0 +1,89 @@
+From 932f197cbd5a7f8cda9a482a817ea7243aac5400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 11:02:28 -0500
+Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb
+
+From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+
+[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
+
+This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
+btusb.c file").
+
+In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
+ties the lifetime of all the btusb data to the binding of a driver to
+one interface, INTF. In a driver that binds to other interfaces, ISOC
+and DIAG, this is an accident waiting to happen.
+
+The issue is revealed in btusb_disconnect(), where calling
+usb_driver_release_interface(&btusb_driver, data->intf) will have devm
+free the data that is also being used by the other interfaces of the
+driver that may not be released yet.
+
+To fix this, revert the use of devm and go back to freeing memory
+explicitly.
+
+Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
+Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b92bfd131567..3420f711f0f0 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -4017,7 +4017,7 @@ static int btusb_probe(struct usb_interface *intf,
+                       return -ENODEV;
+       }
+-      data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -4040,8 +4040,10 @@ static int btusb_probe(struct usb_interface *intf,
+               }
+       }
+-      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
++      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
++              kfree(data);
+               return -ENODEV;
++      }
+       if (id->driver_info & BTUSB_AMP) {
+               data->cmdreq_type = USB_TYPE_CLASS | 0x01;
+@@ -4096,8 +4098,10 @@ static int btusb_probe(struct usb_interface *intf,
+       data->recv_acl = hci_recv_frame;
+       hdev = hci_alloc_dev_priv(priv_size);
+-      if (!hdev)
++      if (!hdev) {
++              kfree(data);
+               return -ENOMEM;
++      }
+       hdev->bus = HCI_USB;
+       hci_set_drvdata(hdev, data);
+@@ -4370,6 +4374,7 @@ static int btusb_probe(struct usb_interface *intf,
+       if (data->reset_gpio)
+               gpiod_put(data->reset_gpio);
+       hci_free_dev(hdev);
++      kfree(data);
+       return err;
+ }
+@@ -4418,6 +4423,7 @@ static void btusb_disconnect(struct usb_interface *intf)
+       }
+       hci_free_dev(hdev);
++      kfree(data);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.51.0
+
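Review bot: With `data` now a plain kzalloc() in btusb_probe(), every exit between the allocation and the final error path has to free it by hand, and the patch does this with a separate `kfree(data)` at each early return. Only the exits shown in these hunks are visibly covered. The stretches of the function between them are outside the hunks, so any other `return` there would leak `data`; a single cleanup label that frees it would make that harder to miss. In btusb_disconnect() the added `kfree(data)` relies on that line being reached once per device even though the driver binds several interfaces. Whatever makes later per-interface calls return early is not visible here and should be confirmed, since a second pass would be a double free.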
diff --git a/queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch b/queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch
new file mode 100644 (file)
index 0000000..fb428c5
--- /dev/null
@@ -0,0 +1,42 @@
+From 0c32f7ce8eb96314fa555eb1edd2fe9c9640d15a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 22:40:20 +0200
+Subject: Bluetooth: MGMT: report BIS capability flags in supported settings
+
+From: Pauli Virtanen <pav@iki.fi>
+
+[ Upstream commit 348240e5fa901d3d4ba8dffa0e2ba9fc7aba93ab ]
+
+MGMT_SETTING_ISO_BROADCASTER and MGMT_SETTING_ISO_RECEIVER flags are
+missing from supported_settings although they are in current_settings.
+
+Report them also in supported_settings to be consistent.
+
+Fixes: ae7533613133 ("Bluetooth: Check for ISO support in controller")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 262bf984d2aa..211951eb832a 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -849,6 +849,12 @@ static u32 get_supported_settings(struct hci_dev *hdev)
+       if (cis_peripheral_capable(hdev))
+               settings |= MGMT_SETTING_CIS_PERIPHERAL;
++      if (bis_capable(hdev))
++              settings |= MGMT_SETTING_ISO_BROADCASTER;
++
++      if (sync_recv_capable(hdev))
++              settings |= MGMT_SETTING_ISO_SYNC_RECEIVER;
++
+       if (ll_privacy_capable(hdev))
+               settings |= MGMT_SETTING_LL_PRIVACY;
+-- 
+2.51.0
+
diff --git a/queue-6.18/bng_en-update-module-description.patch b/queue-6.18/bng_en-update-module-description.patch
new file mode 100644 (file)
index 0000000..ac0eca5
--- /dev/null
@@ -0,0 +1,77 @@
+From d0a934d5fcd0916fca73dee6f9299d077e89f3cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:47:48 -0800
+Subject: bng_en: update module description
+
+From: Rajashekar Hudumula <rajashekar.hudumula@broadcom.com>
+
+[ Upstream commit d5dc28305143f126dc3d8da21e1ad75865b194e2 ]
+
+The Broadcom BCM57708/800G NIC family is branded as ThorUltra.
+Update the driver description accordingly.
+
+Fixes: 74715c4ab0fa0 ("bng_en: Add PCI interface")
+Signed-off-by: Rajashekar Hudumula <rajashekar.hudumula@broadcom.com>
+Reviewed-by: Vikas Gupta <vikas.gupta@broadcom.com>
+Reviewed-by: Bhargava Chenna Marreddy <bhargava.marreddy@broadcom.com>
+Link: https://patch.msgid.link/20251217104748.3004706-1-rajashekar.hudumula@broadcom.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/Kconfig          | 8 ++++----
+ drivers/net/ethernet/broadcom/bnge/bnge.h      | 2 +-
+ drivers/net/ethernet/broadcom/bnge/bnge_core.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig
+index 9fdef874f5ca..fe15d684990f 100644
+--- a/drivers/net/ethernet/broadcom/Kconfig
++++ b/drivers/net/ethernet/broadcom/Kconfig
+@@ -254,14 +254,14 @@ config BNXT_HWMON
+         devices, via the hwmon sysfs interface.
+ config BNGE
+-      tristate "Broadcom Ethernet device support"
++      tristate "Broadcom ThorUltra Ethernet device support"
+       depends on PCI
+       select NET_DEVLINK
+       select PAGE_POOL
+       help
+-        This driver supports Broadcom 50/100/200/400/800 gigabit Ethernet cards.
+-        The module will be called bng_en. To compile this driver as a module,
+-        choose M here.
++        This driver supports Broadcom ThorUltra 50/100/200/400/800 gigabit
++        Ethernet cards. The module will be called bng_en. To compile this
++        driver as a module, choose M here.
+ config BCMASP
+       tristate "Broadcom ASP 2.0 Ethernet support"
+diff --git a/drivers/net/ethernet/broadcom/bnge/bnge.h b/drivers/net/ethernet/broadcom/bnge/bnge.h
+index 7aed5f81cd51..0c154995d9ab 100644
+--- a/drivers/net/ethernet/broadcom/bnge/bnge.h
++++ b/drivers/net/ethernet/broadcom/bnge/bnge.h
+@@ -5,7 +5,7 @@
+ #define _BNGE_H_
+ #define DRV_NAME      "bng_en"
+-#define DRV_SUMMARY   "Broadcom 800G Ethernet Linux Driver"
++#define DRV_SUMMARY   "Broadcom ThorUltra NIC Ethernet Driver"
+ #include <linux/etherdevice.h>
+ #include <linux/bnxt/hsi.h>
+diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_core.c b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
+index 2c72dd34d50d..312a9db4d75d 100644
+--- a/drivers/net/ethernet/broadcom/bnge/bnge_core.c
++++ b/drivers/net/ethernet/broadcom/bnge/bnge_core.c
+@@ -19,7 +19,7 @@ char bnge_driver_name[] = DRV_NAME;
+ static const struct {
+       char *name;
+ } board_info[] = {
+-      [BCM57708] = { "Broadcom BCM57708 50Gb/100Gb/200Gb/400Gb/800Gb Ethernet" },
++      [BCM57708] = { "Broadcom BCM57708 ThorUltra 50Gb/100Gb/200Gb/400Gb/800Gb Ethernet" },
+ };
+ static const struct pci_device_id bnge_pci_tbl[] = {
+-- 
+2.51.0
+
diff --git a/queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch b/queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch
new file mode 100644 (file)
index 0000000..da7a793
--- /dev/null
@@ -0,0 +1,117 @@
+From 371447746dc672f52d5cd33f60026f461b8b709f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 01:59:50 +0000
+Subject: cpuset: fix warning when disabling remote partition
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit aa7d3a56a20f07978d9f401e13637a6479b13bd0 ]
+
+A warning was triggered as follows:
+
+WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110
+RIP: 0010:remote_partition_disable+0xf7/0x110
+RSP: 0018:ffffc90001947d88 EFLAGS: 00000206
+RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40
+RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000
+RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8
+R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ update_prstate+0x2d3/0x580
+ cpuset_partition_write+0x94/0xf0
+ kernfs_fop_write_iter+0x147/0x200
+ vfs_write+0x35d/0x500
+ ksys_write+0x66/0xe0
+ do_syscall_64+0x6b/0x390
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7f55c8cd4887
+
+Reproduction steps (on a 16-CPU machine):
+
+        # cd /sys/fs/cgroup/
+        # mkdir A1
+        # echo +cpuset > A1/cgroup.subtree_control
+        # echo "0-14" > A1/cpuset.cpus.exclusive
+        # mkdir A1/A2
+        # echo "0-14" > A1/A2/cpuset.cpus.exclusive
+        # echo "root" > A1/A2/cpuset.cpus.partition
+        # echo 0 > /sys/devices/system/cpu/cpu15/online
+        # echo member > A1/A2/cpuset.cpus.partition
+
+When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs
+remain available for the top_cpuset, forcing partitions to share CPUs with
+the top_cpuset. In this scenario, disabling the remote partition triggers
+a warning stating that effective_xcpus is not a subset of
+subpartitions_cpus. Partitions should be invalidated in this case to
+inform users that the partition is now invalid(cpus are shared with
+top_cpuset).
+
+To fix this issue:
+1. Only emit the warning only if subpartitions_cpus is not empty and the
+   effective_xcpus is not a subset of subpartitions_cpus.
+2. During the CPU hotplug process, invalidate partitions if
+   subpartitions_cpus is empty.
+
+Fixes: f62a5d39368e ("cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 4dcd633fd6df..61b56b6ca66a 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1600,7 +1600,14 @@ static void remote_partition_disable(struct cpuset *cs, struct tmpmasks *tmp)
+       bool isolcpus_updated;
+       WARN_ON_ONCE(!is_remote_partition(cs));
+-      WARN_ON_ONCE(!cpumask_subset(cs->effective_xcpus, subpartitions_cpus));
++      /*
++       * When a CPU is offlined, top_cpuset may end up with no available CPUs,
++       * which should clear subpartitions_cpus. We should not emit a warning for this
++       * scenario: the hierarchy is updated from top to bottom, so subpartitions_cpus
++       * may already be cleared when disabling the partition.
++       */
++      WARN_ON_ONCE(!cpumask_subset(cs->effective_xcpus, subpartitions_cpus) &&
++                   !cpumask_empty(subpartitions_cpus));
+       spin_lock_irq(&callback_lock);
+       list_del_init(&cs->remote_sibling);
+@@ -3927,8 +3934,9 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp)
+       if (remote || (is_partition_valid(cs) && is_partition_valid(parent)))
+               compute_partition_effective_cpumask(cs, &new_cpus);
+-      if (remote && cpumask_empty(&new_cpus) &&
+-          partition_is_populated(cs, NULL)) {
++      if (remote && (cpumask_empty(subpartitions_cpus) ||
++                      (cpumask_empty(&new_cpus) &&
++                       partition_is_populated(cs, NULL)))) {
+               cs->prs_err = PERR_HOTPLUG;
+               remote_partition_disable(cs, tmp);
+               compute_effective_cpumask(&new_cpus, cs, parent);
+@@ -3941,9 +3949,12 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp)
+        * 1) empty effective cpus but not valid empty partition.
+        * 2) parent is invalid or doesn't grant any cpus to child
+        *    partitions.
++       * 3) subpartitions_cpus is empty.
+        */
+-      if (is_local_partition(cs) && (!is_partition_valid(parent) ||
+-                              tasks_nocpu_error(parent, cs, &new_cpus)))
++      if (is_local_partition(cs) &&
++          (!is_partition_valid(parent) ||
++           tasks_nocpu_error(parent, cs, &new_cpus) ||
++           cpumask_empty(subpartitions_cpus)))
+               partcmd = partcmd_invalidate;
+       /*
+        * On the other hand, an invalid partition root may be transitioned
+-- 
+2.51.0
+
diff --git a/queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..2caa273
--- /dev/null
@@ -0,0 +1,61 @@
+From fb00e49ef424e8eea9835386d36612a6f65224ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index 2bae99e33526..678bb4145d78 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -68,8 +69,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+               memcpy_sglist(req->dst, req->src,
+                             req->assoclen + req->cryptlen);
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -89,7 +91,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
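Review bot: The final check in seqiv_aead_encrypt() now tests `unaligned_info`, but nothing at that line says why `req` must not be read there, which is the invariant the fix depends on. A comment such as `/* req may already be freed by an async completion; do not dereference it here */` above `if (unlikely(unaligned_info))` would stop the `req->iv` comparison from coming back. `seqiv_aead_encrypt_complete2(req, err)` still receives `req` on that path. Its body is outside the hunk, so it is worth confirming that it returns before touching `req` when `err` reports a request still in flight.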
diff --git a/queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch b/queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch
new file mode 100644 (file)
index 0000000..bf68902
--- /dev/null
@@ -0,0 +1,39 @@
+From 3e92f2d2f02fc6846484e1d2a8535acc02a00d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Dec 2025 14:41:59 +0100
+Subject: drm/gem-shmem: Fix the MODULE_LICENSE() string
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 3fbd97618f49e07e05aad96510e5f2ed22d68809 ]
+
+Replace the bogus "GPL v2" with "GPL" as MODULE_LICNSE() string. The
+value does not declare the module's exact license, but only lets the
+module loader test whether the module is Free Software or not.
+
+See commit bf7fbeeae6db ("module: Cure the MODULE_LICENSE "GPL" vs.
+"GPL v2" bogosity") in the details of the issue. The fix is to use
+"GPL" for all modules under any variant of the GPL.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Fixes: 4b2b5e142ff4 ("drm: Move GEM memory managers into modules")
+Link: https://patch.msgid.link/20251209140141.94407-3-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_gem_shmem_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
+index 5d1349c34afd..365b5737ca2c 100644
+--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
+@@ -863,4 +863,4 @@ EXPORT_SYMBOL_GPL(drm_gem_shmem_prime_import_no_map);
+ MODULE_DESCRIPTION("DRM SHMEM memory-management helpers");
+ MODULE_IMPORT_NS("DMA_BUF");
+-MODULE_LICENSE("GPL v2");
++MODULE_LICENSE("GPL");
+-- 
+2.51.0
+
diff --git a/queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch b/queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch
new file mode 100644 (file)
index 0000000..175c1fd
--- /dev/null
@@ -0,0 +1,74 @@
+From c3a15c7ecb300c15e3f2779483a9e42f2ed70e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 20:19:59 +0000
+Subject: drm/xe/guc: READ/WRITE_ONCE g2h_fence->done
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cavitt <jonathan.cavitt@intel.com>
+
+[ Upstream commit bed2a6bd20681aacfb063015c1edfab6f58a333e ]
+
+Use READ_ONCE and WRITE_ONCE when operating on g2h_fence->done
+to prevent the compiler from ignoring important modifications
+to its value.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Suggested-by: Matthew Brost <matthew.brost@intel.com>
+Signed-off-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20251222201957.63245-5-jonathan.cavitt@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit b5179dbd1c14743ae80f0aaa28eaaf35c361608f)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_ct.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c
+index b7afe8e983cb..3aac1a7aa2e7 100644
+--- a/drivers/gpu/drm/xe/xe_guc_ct.c
++++ b/drivers/gpu/drm/xe/xe_guc_ct.c
+@@ -106,7 +106,9 @@ static void g2h_fence_cancel(struct g2h_fence *g2h_fence)
+ {
+       g2h_fence->cancel = true;
+       g2h_fence->fail = true;
+-      g2h_fence->done = true;
++
++      /* WRITE_ONCE pairs with READ_ONCEs in guc_ct_send_recv. */
++      WRITE_ONCE(g2h_fence->done, true);
+ }
+ static bool g2h_fence_needs_alloc(struct g2h_fence *g2h_fence)
+@@ -1128,10 +1130,13 @@ static int guc_ct_send_recv(struct xe_guc_ct *ct, const u32 *action, u32 len,
+               return ret;
+       }
+-      ret = wait_event_timeout(ct->g2h_fence_wq, g2h_fence.done, HZ);
++      /* READ_ONCEs pairs with WRITE_ONCEs in parse_g2h_response
++       * and g2h_fence_cancel.
++       */
++      ret = wait_event_timeout(ct->g2h_fence_wq, READ_ONCE(g2h_fence.done), HZ);
+       if (!ret) {
+               LNL_FLUSH_WORK(&ct->g2h_worker);
+-              if (g2h_fence.done) {
++              if (READ_ONCE(g2h_fence.done)) {
+                       xe_gt_warn(gt, "G2H fence %u, action %04x, done\n",
+                                  g2h_fence.seqno, action[0]);
+                       ret = 1;
+@@ -1375,7 +1380,8 @@ static int parse_g2h_response(struct xe_guc_ct *ct, u32 *msg, u32 len)
+       g2h_release_space(ct, GUC_CTB_HXG_MSG_MAX_LEN);
+-      g2h_fence->done = true;
++      /* WRITE_ONCE pairs with READ_ONCEs in guc_ct_send_recv. */
++      WRITE_ONCE(g2h_fence->done, true);
+       smp_mb();
+       wake_up_all(&ct->g2h_fence_wq);
+-- 
+2.51.0
+
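Review bot: READ_ONCE()/WRITE_ONCE() on `g2h_fence->done` stop the compiler from caching or tearing the flag, but they do not order it against the other fence fields. In g2h_fence_cancel() `cancel` and `fail` are plain stores ahead of `WRITE_ONCE(g2h_fence->done, true)` with no barrier visible in the hunk, whereas parse_g2h_response() has an `smp_mb()` after its store. If the waiter in guc_ct_send_recv() reads those fields after seeing `done`, a release/acquire pair states that dependency directly: `smp_store_release(&g2h_fence->done, true);` on the writers and `smp_load_acquire(&g2h_fence.done)` in the wait condition. Whether the wait-queue wake-up already provides the ordering depends on code outside these hunks.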
diff --git a/queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..d829469
--- /dev/null
@@ -0,0 +1,68 @@
+From d348a62120dc8ec7563612376f1c35a95e94bd0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
diff --git a/queue-6.18/genalloc.h-fix-htmldocs-warning.patch b/queue-6.18/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..e6ff805
--- /dev/null
@@ -0,0 +1,38 @@
+From 4542eca4e41c4602cc182e8ca51cdb395c24fcab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..fe42fae
--- /dev/null
@@ -0,0 +1,53 @@
+From 11c61e88afeb0b1286bd5b1012d499fdd4b255d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 50be0a60ae13..07d32f2586c8 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2234,6 +2234,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
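Review bot: The new `i40e_service_event_schedule(vsi->back);` at the end of i40e_set_rx_mode() has no comment saying why the service task is scheduled even when the block above did not mark a filter change. The reason given in the commit message (RX timestamping setup depends on the service task running soon after set_rx_mode) cannot be recovered from the code. I would add `/* run the service task promptly; filter and PTP RX setup depend on it */` above the call. The function body starts outside this hunk.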
+-- 
+2.51.0
+
diff --git a/queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch
new file mode 100644 (file)
index 0000000..667b1ae
--- /dev/null
@@ -0,0 +1,100 @@
+From b71f7e003f7201edcc381f1a6e1af66f09c48b02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 22:06:43 +0100
+Subject: i40e: validate ring_len parameter against hardware-specific values
+
+From: Gregory Herrero <gregory.herrero@oracle.com>
+
+[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
+
+The maximum number of descriptors supported by the hardware is
+hardware-dependent and can be retrieved using
+i40e_get_max_num_descriptors(). Move this function to a shared header
+and use it when checking for valid ring_len parameter rather than using
+hardcoded value.
+
+By fixing an over-acceptance issue, behavior change could be seen where
+ring_len could now be rejected while configuring rx and tx queues if its
+size is larger than the hardware-dependent maximum number of
+descriptors.
+
+Fixes: 55d225670def ("i40e: add validation for ring_len param")
+Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h             | 11 +++++++++++
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c     | 12 ------------
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c |  4 ++--
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index 801a57a925da..feec9e1e13b3 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -1418,4 +1418,15 @@ static inline struct i40e_veb *i40e_pf_get_main_veb(struct i40e_pf *pf)
+       return (pf->lan_veb != I40E_NO_VEB) ? pf->veb[pf->lan_veb] : NULL;
+ }
++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
++{
++      const struct i40e_hw *hw = &pf->hw;
++
++      switch (hw->mac.type) {
++      case I40E_MAC_XL710:
++              return I40E_MAX_NUM_DESCRIPTORS_XL710;
++      default:
++              return I40E_MAX_NUM_DESCRIPTORS;
++      }
++}
+ #endif /* _I40E_H_ */
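Review bot: i40e_get_max_num_descriptors() is now a shared header helper but carries no kernel-doc. Since the virtchnl path in this patch uses it to bound `info->ring_len`, a short kernel-doc block would record the contract the callers rely on. It should say that the function returns the maximum descriptor count for the MAC type: `I40E_MAX_NUM_DESCRIPTORS_XL710` for `I40E_MAC_XL710`, `I40E_MAX_NUM_DESCRIPTORS` otherwise.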
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 86c72596617a..61c39e881b00 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -2013,18 +2013,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
+               drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
+ }
+-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
+-{
+-      struct i40e_hw *hw = &pf->hw;
+-
+-      switch (hw->mac.type) {
+-      case I40E_MAC_XL710:
+-              return I40E_MAX_NUM_DESCRIPTORS_XL710;
+-      default:
+-              return I40E_MAX_NUM_DESCRIPTORS;
+-      }
+-}
+-
+ static void i40e_get_ringparam(struct net_device *netdev,
+                              struct ethtool_ringparam *ring,
+                              struct kernel_ethtool_ringparam *kernel_ring,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 081a4526a2f0..cf831c649c9c 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 8 */
+       if (!IS_ALIGNED(info->ring_len, 8) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_context;
+       }
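Review bot: A ring_len of 0 still passes this check, because `IS_ALIGNED(0, 8)` is true and 0 never exceeds the maximum; the same holds for the `IS_ALIGNED(info->ring_len, 32)` test in the i40e_config_vsi_rx_queue() hunk below. The value appears to come from the VF's queue configuration request. Unless a later part of these functions (outside the hunks) rejects a zero-length ring, I would add a lower bound, e.g. `if (!info->ring_len || !IS_ALIGNED(info->ring_len, 8) ||`. `pf` is not declared in either hunk; presumably it is a local set up earlier in each function.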
+@@ -726,7 +726,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
+       /* ring_len has to be multiple of 32 */
+       if (!IS_ALIGNED(info->ring_len, 32) ||
+-          info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
++          info->ring_len > i40e_get_max_num_descriptors(pf)) {
+               ret = -EINVAL;
+               goto error_param;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..f7f8965
--- /dev/null
@@ -0,0 +1,113 @@
+From 5020f0e7ec8501924a1cec6b81f23932473368ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index c2fbe443ef85..4b0fc8f354bc 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1726,11 +1726,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
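Review bot: Both loops count `rss_key_size / 4` and `rss_lut_size / 4` dwords, so if either size were not a multiple of four the trailing bytes would silently never be written to the registers. The hunk does not show where the sizes come from. If they are always whole dwords, a comment such as `/* rss_key_size and rss_lut_size are multiples of 4 */` next to the `(u32 *)` casts would record that assumption, which the casts also rely on. The function starts and ends outside the hunk.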
+-- 
+2.51.0
+
diff --git a/queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch b/queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch
new file mode 100644 (file)
index 0000000..6fa4afc
--- /dev/null
@@ -0,0 +1,41 @@
+From d6abe3e5c06dcac6cdf552fd89e07004784e47f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Dec 2025 17:41:12 +0800
+Subject: IB/rxe: Fix missing umem_odp->umem_mutex unlock on error path
+
+From: Li Zhijian <lizhijian@fujitsu.com>
+
+[ Upstream commit 3c68cf68233e556e0102f45b69f7448908dc1f44 ]
+
+rxe_odp_map_range_and_lock() must release umem_odp->umem_mutex when an
+error occurs, including cases where rxe_check_pagefault() fails.
+
+Fixes: 2fae67ab63db ("RDMA/rxe: Add support for Send/Recv/Write/Read with ODP")
+Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
+Link: https://patch.msgid.link/20251226094112.3042583-1-lizhijian@fujitsu.com
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_odp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_odp.c b/drivers/infiniband/sw/rxe/rxe_odp.c
+index f58e3ec6252f..4d4e3b324dd2 100644
+--- a/drivers/infiniband/sw/rxe/rxe_odp.c
++++ b/drivers/infiniband/sw/rxe/rxe_odp.c
+@@ -179,8 +179,10 @@ static int rxe_odp_map_range_and_lock(struct rxe_mr *mr, u64 iova, int length, u
+                       return err;
+               need_fault = rxe_check_pagefault(umem_odp, iova, length);
+-              if (need_fault)
++              if (need_fault) {
++                      mutex_unlock(&umem_odp->umem_mutex);
+                       return -EFAULT;
++              }
+       }
+       return 0;
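Review bot: The locking contract of rxe_odp_map_range_and_lock() is only implied by its name, and this fix shows how easy it is to miss. As the name and the commit message indicate, success returns with `umem_odp->umem_mutex` held and every error return must have released it. I would state that above the function, e.g. `/* Returns 0 with umem_odp->umem_mutex held; on error the mutex is not held. */`. The `return err;` at the top of the hunk is unchanged by this patch, and whether the mutex is held at that point is not visible here, so it is worth confirming against the same rule.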
+-- 
+2.51.0
+
diff --git a/queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch b/queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch
new file mode 100644 (file)
index 0000000..e0f8512
--- /dev/null
@@ -0,0 +1,50 @@
+From 88bd28f9bdab3723b57887dc9c98353047ea0b31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Oct 2025 13:46:22 +0200
+Subject: idpf: fix LAN memory regions command on some NVMs
+
+From: Larysa Zaremba <larysa.zaremba@intel.com>
+
+[ Upstream commit 4af1f9a47291f7d446398065e0d6eb4943f7e184 ]
+
+IPU SDK versions 1.9 through 2.0.5 require send buffer to contain a single
+empty memory region. Set number of regions to 1 and use appropriate send
+buffer size to satisfy this requirement.
+
+Fixes: 6aa53e861c1a ("idpf: implement get LAN MMIO memory regions")
+Suggested-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+index cbb5fa30f5a0..fc03d55bc9b9 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+@@ -1016,6 +1016,9 @@ static int idpf_send_get_lan_memory_regions(struct idpf_adapter *adapter)
+       struct idpf_vc_xn_params xn_params = {
+               .vc_op = VIRTCHNL2_OP_GET_LAN_MEMORY_REGIONS,
+               .recv_buf.iov_len = IDPF_CTLQ_MAX_BUF_LEN,
++              .send_buf.iov_len =
++                      sizeof(struct virtchnl2_get_lan_memory_regions) +
++                      sizeof(struct virtchnl2_mem_region),
+               .timeout_ms = IDPF_VC_XN_DEFAULT_TIMEOUT_MSEC,
+       };
+       int num_regions, size;
+@@ -1028,6 +1031,8 @@ static int idpf_send_get_lan_memory_regions(struct idpf_adapter *adapter)
+               return -ENOMEM;
+       xn_params.recv_buf.iov_base = rcvd_regions;
++      rcvd_regions->num_memory_regions = cpu_to_le16(1);
++      xn_params.send_buf.iov_base = rcvd_regions;
+       reply_sz = idpf_vc_xn_exec(adapter, &xn_params);
+       if (reply_sz < 0)
+               return reply_sz;
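Review bot: After this change `xn_params.send_buf.iov_base` and `xn_params.recv_buf.iov_base` both point at `rcvd_regions`, so the request and the reply share one buffer. The request's `num_memory_regions = 1` therefore stays in place wherever the reply does not overwrite it. The allocation of `rcvd_regions` is outside the hunk; it needs to be at least the `send_buf.iov_len` set in the first hunk. The code after `idpf_vc_xn_exec()` should also confirm that `reply_sz` covers the header before trusting `num_memory_regions`, if it does not already. A comment such as `/* request and reply deliberately share rcvd_regions */` would make the aliasing explicit.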
+-- 
+2.51.0
+
diff --git a/queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch b/queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch
new file mode 100644 (file)
index 0000000..d8a9f08
--- /dev/null
@@ -0,0 +1,57 @@
+From 2004766d0aa6e97c338473a60abb42e08e08159c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Nov 2025 20:58:37 +0000
+Subject: idpf: reduce mbx_task schedule delay to 300us
+
+From: Brian Vazquez <brianvv@google.com>
+
+[ Upstream commit b3d6bbae1d6d5638a4ab702ab195476787cde857 ]
+
+During the IDPF init phase, the mailbox runs in poll mode until it is
+configured to properly handle interrupts. The previous delay of 300ms is
+excessively long for the mailbox polling mechanism, which causes a slow
+initialization of ~2s:
+
+echo 0000:06:12.4 > /sys/bus/pci/drivers/idpf/bind
+
+[   52.444239] idpf 0000:06:12.4: enabling device (0000 -> 0002)
+[   52.485005] idpf 0000:06:12.4: Device HW Reset initiated
+[   54.177181] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
+[   54.206177] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
+[   54.206182] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
+
+Changing the delay to 300us avoids the delays during the initial mailbox
+transactions, making the init phase much faster:
+
+[   83.342590] idpf 0000:06:12.4: enabling device (0000 -> 0002)
+[   83.384402] idpf 0000:06:12.4: Device HW Reset initiated
+[   83.518323] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
+[   83.547430] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
+[   83.547435] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
+
+Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request")
+Signed-off-by: Brian Vazquez <brianvv@google.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 8a941f0fb048..aaafe40f5eaf 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -1271,7 +1271,7 @@ void idpf_mbx_task(struct work_struct *work)
+               idpf_mb_irq_enable(adapter);
+       else
+               queue_delayed_work(adapter->mbx_wq, &adapter->mbx_task,
+-                                 msecs_to_jiffies(300));
++                                 usecs_to_jiffies(300));
+       idpf_recv_mb_msg(adapter);
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.18/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..5b3e248
--- /dev/null
@@ -0,0 +1,76 @@
+From 018fae30571975a5c4b132155c1749e03e709911 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index c82a75510c0e..8bc3f05f594e 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1366,9 +1366,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
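Review bot: When `pskb_expand_head()` fails the new code returns `-needed`, a negated header length rather than an errno, and nothing in the hunk says why. If callers of the header-create op only test for a negative result this is fine, but it deserves a comment, e.g. `/* a negative return tells the caller no header was built */`. `skb_headroom()` returns an unsigned value while `needed` is `int`, so the comparison and the subtraction are done in unsigned arithmetic. That is safe here only because the subtraction is reached when the headroom is smaller than `needed`. The function continues past the end of the hunk.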
+-- 
+2.51.0
+
diff --git a/queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..2163505
--- /dev/null
@@ -0,0 +1,73 @@
+From 56ecf88ab5ae8c037fb6fe4561549ccf8c66eaf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 59a6f0a9638f..7e2c17fec3fc 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2053,10 +2053,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
diff --git a/queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..c252e37
--- /dev/null
@@ -0,0 +1,97 @@
+From 6e72dfcf52f3fb4d21b0ef67308c8de5b896fc2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index df1986973430..21f6ed126253 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
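Review bot: The clamp `(len_delta > 0 ? len_delta : 0)` has no comment, and without the commit message it is not obvious that `len_delta` can be negative at this point. I would add `/* len_delta may be negative; only ask skb_cow() for extra headroom when growing */` above the call. Because `skb_headroom()` is unsigned, the previous sum wrapped to a very large value for a negative `len_delta`, which is the case the clamp removes. The function starts and ends outside the hunk, so whether the code after `skb_cow()` handles a negative `len_delta` correctly cannot be checked from here.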
+-- 
+2.51.0
+
diff --git a/queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch b/queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch
new file mode 100644 (file)
index 0000000..0b108ec
--- /dev/null
@@ -0,0 +1,64 @@
+From 98f161be8e8989b929106983e7efb77748c49c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 13:14:12 +0800
+Subject: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 1adaea51c61b52e24e7ab38f7d3eba023b2d050d ]
+
+On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
+current task can be preempted. Another task running on the same CPU
+may then execute rt6_make_pcpu_route() and successfully install a
+pcpu_rt entry. When the first task resumes execution, its cmpxchg()
+in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
+NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
+mdelay() after rt6_get_pcpu_route().
+
+Using preempt_disable/enable is not appropriate here because
+ip6_rt_pcpu_alloc() may sleep.
+
+Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
+free our allocation and return the existing pcpu_rt installed by
+another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
+kernels where such races should not occur.
+
+Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6
+Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
+Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://patch.msgid.link/20251223051413.124687-1-jiayuan.chen@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index aee6a10b112a..a3e051dc66ee 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1470,7 +1470,18 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net,
+       p = this_cpu_ptr(res->nh->rt6i_pcpu);
+       prev = cmpxchg(p, NULL, pcpu_rt);
+-      BUG_ON(prev);
++      if (unlikely(prev)) {
++              /*
++               * Another task on this CPU already installed a pcpu_rt.
++               * This can happen on PREEMPT_RT where preemption is possible.
++               * Free our allocation and return the existing one.
++               */
++              WARN_ON_ONCE(!IS_ENABLED(CONFIG_PREEMPT_RT));
++
++              dst_dev_put(&pcpu_rt->dst);
++              dst_release(&pcpu_rt->dst);
++              return prev;
++      }
+       if (res->f6i->fib6_destroying) {
+               struct fib6_info *from;
+-- 
+2.51.0
+
diff --git a/queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch b/queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch
new file mode 100644 (file)
index 0000000..936c9c1
--- /dev/null
@@ -0,0 +1,89 @@
+From b0a00c7d2e89c9a80574fdcb9660abae2929e459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Nov 2025 11:00:16 +0100
+Subject: kbuild: fix compilation of dtb specified on command-line without make
+ rule
+
+From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+
+[ Upstream commit b08fc4d0ec2466558f6d5511434efdfabbddf2a6 ]
+
+Since commit e7e2941300d2 ("kbuild: split device tree build rules into
+scripts/Makefile.dtbs"), it is no longer possible to compile a device tree
+blob that is not specified in a make rule
+like:
+    dtb-$(CONFIG_FOO) += foo.dtb
+
+Before the mentioned commit, one could copy a dts file to e.g.
+arch/arm64/boot/dts/ (or a new subdirectory) and then convert it to a dtb
+file using:
+    make ARCH=arm64 foo.dtb
+
+In this scenario, both 'dtb-y' and 'dtb-' are empty, and the inclusion of
+scripts/Makefile.dtbs relies on 'targets' to contain the MAKECMDGOALS. The
+value of 'targets', however, is only final later in the code.
+
+Move the conditional include of scripts/Makefile.dtbs down to where the
+value of 'targets' is final. Since Makefile.dtbs updates 'always-y' which is
+used as a prerequisite in the build rule, the build rule also needs to move
+down.
+
+Fixes: e7e2941300d2 ("kbuild: split device tree build rules into scripts/Makefile.dtbs")
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://patch.msgid.link/20251126100017.1162330-1-thomas.de_schampheleire@nokia.com
+Signed-off-by: Nicolas Schier <nsc@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.build | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 52c08c4eb0b9..5037f4715d74 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -527,18 +527,6 @@ ifneq ($(userprogs),)
+ include $(srctree)/scripts/Makefile.userprogs
+ endif
+-ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
+-include $(srctree)/scripts/Makefile.dtbs
+-endif
+-
+-# Build
+-# ---------------------------------------------------------------------------
+-
+-$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
+-       $(if $(KBUILD_MODULES), $(targets-for-modules)) \
+-       $(subdir-ym) $(always-y)
+-      @:
+-
+ # Single targets
+ # ---------------------------------------------------------------------------
+@@ -568,6 +556,20 @@ FORCE:
+ targets += $(filter-out $(single-subdir-goals), $(MAKECMDGOALS))
+ targets := $(filter-out $(PHONY), $(targets))
++# Now that targets is fully known, include dtb rules if needed
++ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
++include $(srctree)/scripts/Makefile.dtbs
++endif
++
++# Build
++# Needs to be after the include of Makefile.dtbs, which updates always-y
++# ---------------------------------------------------------------------------
++
++$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
++       $(if $(KBUILD_MODULES), $(targets-for-modules)) \
++       $(subdir-ym) $(always-y)
++      @:
++
+ # Read all saved command lines and dependencies for the $(targets) we
+ # may be building above, using $(if_changed{,_dep}). As an
+ # optimization, we don't need to read them if the target does not
+-- 
+2.51.0
+
diff --git a/queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch
new file mode 100644 (file)
index 0000000..e7ec200
--- /dev/null
@@ -0,0 +1,43 @@
+From 1fc7a3c2308e6e45f2b397682fd125a04882d80d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 14:20:16 +0000
+Subject: ksmbd: Fix memory leak in get_file_all_info()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ]
+
+In get_file_all_info(), if vfs_getattr() fails, the function returns
+immediately without freeing the allocated filename, leading to a memory
+leak.
+
+Fix this by freeing the filename before returning in this error case.
+
+Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 6a94cda0927d..2b59c282cda5 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4933,8 +4933,10 @@ static int get_file_all_info(struct ksmbd_work *work,
+       ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+                         AT_STATX_SYNC_AS_STAT);
+-      if (ret)
++      if (ret) {
++              kfree(filename);
+               return ret;
++      }
+       ksmbd_debug(SMB, "filename = %s\n", filename);
+       delete_pending = ksmbd_inode_pending_delete(fp);
+-- 
+2.51.0
+
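Review bot: The added `kfree(filename);` is open-coded in this one branch of get_file_all_info(), so every later early return has to remember the same cleanup; the allocation and the rest of the function are outside the nested hunk, so whether other exits free it cannot be checked here. The `vfs_getattr()` call shown takes only `&fp->filp->f_path` and `&stat`, so if nothing else depends on the order, calling it before the name is allocated would remove the need for cleanup on this path. Otherwise a single exit label that frees the name (for example `out: kfree(filename); return ret;`) keeps the ownership rule in one place.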
diff --git a/queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch b/queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch
new file mode 100644 (file)
index 0000000..449d7a8
--- /dev/null
@@ -0,0 +1,163 @@
+From 74953336f59a7fbcbb06134843a49a795088d6ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:52:58 +0800
+Subject: kunit: Enforce task execution in {soft,hard}irq contexts
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit c31f4aa8fed048fa70e742c4bb49bb48dc489ab3 ]
+
+The kunit_run_irq_test() helper allows a function to be run in hardirq
+and softirq contexts (in addition to the task context). It does this by
+running the user-provided function concurrently in the three contexts,
+until either a timeout has expired or a number of iterations have
+completed in the normal task context.
+
+However, on setups where the initialisation of the hardirq and softirq
+contexts (or, indeed, the scheduling of those tasks) is significantly
+slower than the function execution, it's possible for that number of
+iterations to be exceeded before any runs in irq contexts actually
+occur. This occurs with the polyval.test_polyval_preparekey_in_irqs
+test, which runs 20000 iterations of the relatively fast preparekey
+function, and therefore fails often under many UML, 32-bit arm, m68k and
+other environments.
+
+Instead, ensure that the max_iterations limit counts executions in all
+three contexts, and requires at least one of each. This will cause the
+test to continue iterating until at least the irq contexts have been
+tested, or the 1s wall-clock limit has been exceeded. This causes the
+test to pass in all of my environments.
+
+In so doing, we also update the task counters to atomic ints, to better
+match both the 'int' max_iterations input, and to ensure they are
+correctly updated across contexts.
+
+Finally, we also fix a few potential assertion messages to be
+less-specific to the original crypto usecases.
+
+Fixes: 950a81224e8b ("lib/crypto: tests: Add hash-test-template.h and gen-hash-testvecs.py")
+Signed-off-by: David Gow <davidgow@google.com>
+Link: https://lore.kernel.org/r/20251219085259.1163048-1-davidgow@google.com
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/kunit/run-in-irq-context.h | 53 +++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/include/kunit/run-in-irq-context.h b/include/kunit/run-in-irq-context.h
+index 108e96433ea4..c89b1b1b12dd 100644
+--- a/include/kunit/run-in-irq-context.h
++++ b/include/kunit/run-in-irq-context.h
+@@ -20,8 +20,8 @@ struct kunit_irq_test_state {
+       bool task_func_reported_failure;
+       bool hardirq_func_reported_failure;
+       bool softirq_func_reported_failure;
+-      unsigned long hardirq_func_calls;
+-      unsigned long softirq_func_calls;
++      atomic_t hardirq_func_calls;
++      atomic_t softirq_func_calls;
+       struct hrtimer timer;
+       struct work_struct bh_work;
+ };
+@@ -32,7 +32,7 @@ static enum hrtimer_restart kunit_irq_test_timer_func(struct hrtimer *timer)
+               container_of(timer, typeof(*state), timer);
+       WARN_ON_ONCE(!in_hardirq());
+-      state->hardirq_func_calls++;
++      atomic_inc(&state->hardirq_func_calls);
+       if (!state->func(state->test_specific_state))
+               state->hardirq_func_reported_failure = true;
+@@ -48,7 +48,7 @@ static void kunit_irq_test_bh_work_func(struct work_struct *work)
+               container_of(work, typeof(*state), bh_work);
+       WARN_ON_ONCE(!in_serving_softirq());
+-      state->softirq_func_calls++;
++      atomic_inc(&state->softirq_func_calls);
+       if (!state->func(state->test_specific_state))
+               state->softirq_func_reported_failure = true;
+@@ -59,7 +59,10 @@ static void kunit_irq_test_bh_work_func(struct work_struct *work)
+  * hardirq context concurrently, and reports a failure to KUnit if any
+  * invocation of @func in any context returns false.  @func is passed
+  * @test_specific_state as its argument.  At most 3 invocations of @func will
+- * run concurrently: one in each of task, softirq, and hardirq context.
++ * run concurrently: one in each of task, softirq, and hardirq context.  @func
++ * will continue running until either @max_iterations calls have been made (so
++ * long as at least one each runs in task, softirq, and hardirq contexts), or
++ * one second has passed.
+  *
+  * The main purpose of this interrupt context testing is to validate fallback
+  * code paths that run in contexts where the normal code path cannot be used,
+@@ -85,6 +88,8 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *),
+               .test_specific_state = test_specific_state,
+       };
+       unsigned long end_jiffies;
++      int hardirq_calls, softirq_calls;
++      bool allctx = false;
+       /*
+        * Set up a hrtimer (the way we access hardirq context) and a work
+@@ -94,14 +99,25 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *),
+                              CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
+       INIT_WORK_ONSTACK(&state.bh_work, kunit_irq_test_bh_work_func);
+-      /* Run for up to max_iterations or 1 second, whichever comes first. */
++      /*
++       * Run for up to max_iterations (including at least one task, softirq,
++       * and hardirq), or 1 second, whichever comes first.
++       */
+       end_jiffies = jiffies + HZ;
+       hrtimer_start(&state.timer, KUNIT_IRQ_TEST_HRTIMER_INTERVAL,
+                     HRTIMER_MODE_REL_HARD);
+-      for (int i = 0; i < max_iterations && !time_after(jiffies, end_jiffies);
+-           i++) {
++      for (int task_calls = 0, calls = 0;
++           ((calls < max_iterations) || !allctx) &&
++           !time_after(jiffies, end_jiffies);
++           task_calls++) {
+               if (!func(test_specific_state))
+                       state.task_func_reported_failure = true;
++
++              hardirq_calls = atomic_read(&state.hardirq_func_calls);
++              softirq_calls = atomic_read(&state.softirq_func_calls);
++              calls = task_calls + hardirq_calls + softirq_calls;
++              allctx = (task_calls > 0) && (hardirq_calls > 0) &&
++                       (softirq_calls > 0);
+       }
+       /* Cancel the timer and work. */
+@@ -109,21 +125,18 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *),
+       flush_work(&state.bh_work);
+       /* Sanity check: the timer and BH functions should have been run. */
+-      KUNIT_EXPECT_GT_MSG(test, state.hardirq_func_calls, 0,
++      KUNIT_EXPECT_GT_MSG(test, atomic_read(&state.hardirq_func_calls), 0,
+                           "Timer function was not called");
+-      KUNIT_EXPECT_GT_MSG(test, state.softirq_func_calls, 0,
++      KUNIT_EXPECT_GT_MSG(test, atomic_read(&state.softirq_func_calls), 0,
+                           "BH work function was not called");
+-      /* Check for incorrect hash values reported from any context. */
+-      KUNIT_EXPECT_FALSE_MSG(
+-              test, state.task_func_reported_failure,
+-              "Incorrect hash values reported from task context");
+-      KUNIT_EXPECT_FALSE_MSG(
+-              test, state.hardirq_func_reported_failure,
+-              "Incorrect hash values reported from hardirq context");
+-      KUNIT_EXPECT_FALSE_MSG(
+-              test, state.softirq_func_reported_failure,
+-              "Incorrect hash values reported from softirq context");
++      /* Check for failure reported from any context. */
++      KUNIT_EXPECT_FALSE_MSG(test, state.task_func_reported_failure,
++                             "Failure reported from task context");
++      KUNIT_EXPECT_FALSE_MSG(test, state.hardirq_func_reported_failure,
++                             "Failure reported from hardirq context");
++      KUNIT_EXPECT_FALSE_MSG(test, state.softirq_func_reported_failure,
++                             "Failure reported from softirq context");
+ }
+ #endif /* _KUNIT_RUN_IN_IRQ_CONTEXT_H */
+-- 
+2.51.0
+
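Review bot: In the rewritten loop of kunit_run_irq_test(), `calls` and `allctx` are computed inside the body from `task_calls` before the loop increment, so the invocation of `func` that has just run is not counted. The first pass therefore always leaves `allctx` false, and the task context runs at least twice (unless the one-second limit hits first) even when `max_iterations` is 1, which does not match the updated kernel-doc. Counting the current call, `calls = task_calls + 1 + hardirq_calls + softirq_calls;`, and reducing the flag to `allctx = (hardirq_calls > 0) && (softirq_calls > 0);` would make the limit exact, since the task context has by definition run once at that point. The function is shown only in part by the nested hunks.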
diff --git a/queue-6.18/mcb-add-missing-modpost-build-support.patch b/queue-6.18/mcb-add-missing-modpost-build-support.patch
new file mode 100644 (file)
index 0000000..dcd6e1b
--- /dev/null
@@ -0,0 +1,73 @@
+From b809b678a677148f72ce7ef18f404526311d8cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Dec 2025 09:42:00 +0100
+Subject: mcb: Add missing modpost build support
+
+From: Jose Javier Rodriguez Barbarin <dev-josejavier.rodriguez@duagon.com>
+
+[ Upstream commit 1f4ea4838b13c3b2278436a8dcb148e3c23f4b64 ]
+
+mcb bus is not prepared to autoload client drivers with the data defined on
+the drivers' MODULE_DEVICE_TABLE. modpost cannot access to mcb_table_id
+inside MODULE_DEVICE_TABLE so the data declared inside is ignored.
+
+Add modpost build support for accessing to the mcb_table_id coded on device
+drivers' MODULE_DEVICE_TABLE.
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Reviewed-by: Jorge Sanjuan Garcia <dev-jorge.sanjuangarcia@duagon.com>
+Signed-off-by: Jose Javier Rodriguez Barbarin <dev-josejavier.rodriguez@duagon.com>
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
+Link: https://patch.msgid.link/20251202084200.10410-1-dev-josejavier.rodriguez@duagon.com
+Signed-off-by: Nicolas Schier <nsc@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/devicetable-offsets.c | 3 +++
+ scripts/mod/file2alias.c          | 9 +++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/scripts/mod/devicetable-offsets.c b/scripts/mod/devicetable-offsets.c
+index d3d00e85edf7..0470ba7c796d 100644
+--- a/scripts/mod/devicetable-offsets.c
++++ b/scripts/mod/devicetable-offsets.c
+@@ -198,6 +198,9 @@ int main(void)
+       DEVID(cpu_feature);
+       DEVID_FIELD(cpu_feature, feature);
++      DEVID(mcb_device_id);
++      DEVID_FIELD(mcb_device_id, device);
++
+       DEVID(mei_cl_device_id);
+       DEVID_FIELD(mei_cl_device_id, name);
+       DEVID_FIELD(mei_cl_device_id, uuid);
+diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
+index b3333560b95e..4e99393a35f1 100644
+--- a/scripts/mod/file2alias.c
++++ b/scripts/mod/file2alias.c
+@@ -1110,6 +1110,14 @@ static void do_cpu_entry(struct module *mod, void *symval)
+       module_alias_printf(mod, false, "cpu:type:*:feature:*%04X*", feature);
+ }
++/* Looks like: mcb:16zN */
++static void do_mcb_entry(struct module *mod, void *symval)
++{
++      DEF_FIELD(symval, mcb_device_id, device);
++
++      module_alias_printf(mod, false, "mcb:16z%03d", device);
++}
++
+ /* Looks like: mei:S:uuid:N:* */
+ static void do_mei_entry(struct module *mod, void *symval)
+ {
+@@ -1444,6 +1452,7 @@ static const struct devtable devtable[] = {
+       {"mipscdmm", SIZE_mips_cdmm_device_id, do_mips_cdmm_entry},
+       {"x86cpu", SIZE_x86_cpu_id, do_x86cpu_entry},
+       {"cpu", SIZE_cpu_feature, do_cpu_entry},
++      {"mcb", SIZE_mcb_device_id, do_mcb_entry},
+       {"mei", SIZE_mei_cl_device_id, do_mei_entry},
+       {"rapidio", SIZE_rio_device_id, do_rio_entry},
+       {"ulpi", SIZE_ulpi_device_id, do_ulpi_entry},
+-- 
+2.51.0
+
diff --git a/queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch b/queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch
new file mode 100644 (file)
index 0000000..54eab5f
--- /dev/null
@@ -0,0 +1,53 @@
+From f6849f97240b04d09d2b5e9d6655b38cf8103a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 20:44:12 +0800
+Subject: md: Fix static checker warning in analyze_sbs
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 00f6c1b4d15d35fadb7f34768a1831c81aaa8936 ]
+
+The following warn is reported:
+
+ drivers/md/md.c:3912 analyze_sbs()
+ warn: iterator 'i' not incremented
+
+Fixes: d8730f0cf4ef ("md: Remove deprecated CONFIG_MD_MULTIPATH")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/linux-raid/7e2e95ce-3740-09d8-a561-af6bfb767f18@huaweicloud.com/T/#t
+Signed-off-by: Li Nan <linan122@huawei.com>
+Link: https://lore.kernel.org/linux-raid/20251215124412.4015572-1-linan666@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index cef5b2954ac5..7b1365143f58 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -3874,7 +3874,6 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe
+ static int analyze_sbs(struct mddev *mddev)
+ {
+-      int i;
+       struct md_rdev *rdev, *freshest, *tmp;
+       freshest = NULL;
+@@ -3901,11 +3900,9 @@ static int analyze_sbs(struct mddev *mddev)
+       super_types[mddev->major_version].
+               validate_super(mddev, NULL/*freshest*/, freshest);
+-      i = 0;
+       rdev_for_each_safe(rdev, tmp, mddev) {
+               if (mddev->max_disks &&
+-                  (rdev->desc_nr >= mddev->max_disks ||
+-                   i > mddev->max_disks)) {
++                  rdev->desc_nr >= mddev->max_disks) {
+                       pr_warn("md: %s: %pg: only %d devices permitted\n",
+                               mdname(mddev), rdev->bdev,
+                               mddev->max_disks);
+-- 
+2.51.0
+
diff --git a/queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch b/queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch
new file mode 100644 (file)
index 0000000..46febc2
--- /dev/null
@@ -0,0 +1,68 @@
+From a5fb0f1f78f879c39351d598a2a0851b3228a024 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 21:03:26 +0800
+Subject: md/raid5: fix possible null-pointer dereferences in
+ raid5_store_group_thread_cnt()
+
+From: Tuo Li <islituo@gmail.com>
+
+[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ]
+
+The variable mddev->private is first assigned to conf and then checked:
+
+  conf = mddev->private;
+  if (!conf) ...
+
+If conf is NULL, then mddev->private is also NULL. In this case,
+null-pointer dereferences can occur when calling raid5_quiesce():
+
+  raid5_quiesce(mddev, true);
+  raid5_quiesce(mddev, false);
+
+since mddev->private is assigned to conf again in raid5_quiesce(), and conf
+is dereferenced in several places, for example:
+
+  conf->quiesce = 0;
+  wake_up(&conf->wait_for_quiescent);
+
+To fix this issue, the function should unlock mddev and return before
+invoking raid5_quiesce() when conf is NULL, following the existing pattern
+in raid5_change_consistency_policy().
+
+Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt")
+Signed-off-by: Tuo Li <islituo@gmail.com>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com
+Signed-off-by: Yu Kuai <yukuai@fnnas.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 8b5f8a12d417..41de29206402 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7187,12 +7187,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len)
+       err = mddev_suspend_and_lock(mddev);
+       if (err)
+               return err;
++      conf = mddev->private;
++      if (!conf) {
++              mddev_unlock_and_resume(mddev);
++              return -ENODEV;
++      }
+       raid5_quiesce(mddev, true);
+-      conf = mddev->private;
+-      if (!conf)
+-              err = -ENODEV;
+-      else if (new != conf->worker_cnt_per_group) {
++      if (new != conf->worker_cnt_per_group) {
+               old_groups = conf->worker_groups;
+               if (old_groups)
+                       flush_workqueue(raid5_wq);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch b/queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch
new file mode 100644 (file)
index 0000000..db242a5
--- /dev/null
@@ -0,0 +1,98 @@
+From 099c6e980e2fdaf084683213533dfcef48dcaf79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Dec 2025 10:30:07 +0100
+Subject: net: airoha: Move net_devs registration in a dedicated routine
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 5e7365b5a1ac8f517a7a84442289d7de242deb76 ]
+
+Since airoha_probe() is not executed under rtnl lock, there is small race
+where a given device is configured by user-space while the remaining ones
+are not completely loaded from the dts yet. This condition will allow a
+hw device misconfiguration since there are some conditions (e.g. GDM2 check
+in airoha_dev_init()) that require all device are properly loaded from the
+device tree. Fix the issue moving net_devices registration at the end of
+the airoha_probe routine.
+
+Fixes: 9cd451d414f6e ("net: airoha: Add loopback support for GDM2")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251214-airoha-fix-dev-registration-v1-1-860e027ad4c6@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 39 ++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index 433a646e9831..0394ba6a90a9 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -2900,19 +2900,26 @@ static int airoha_alloc_gdm_port(struct airoha_eth *eth,
+       port->id = id;
+       eth->ports[p] = port;
+-      err = airoha_metadata_dst_alloc(port);
+-      if (err)
+-              return err;
++      return airoha_metadata_dst_alloc(port);
++}
+-      err = register_netdev(dev);
+-      if (err)
+-              goto free_metadata_dst;
++static int airoha_register_gdm_devices(struct airoha_eth *eth)
++{
++      int i;
+-      return 0;
++      for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
++              struct airoha_gdm_port *port = eth->ports[i];
++              int err;
+-free_metadata_dst:
+-      airoha_metadata_dst_free(port);
+-      return err;
++              if (!port)
++                      continue;
++
++              err = register_netdev(port->dev);
++              if (err)
++                      return err;
++      }
++
++      return 0;
+ }
+ static int airoha_probe(struct platform_device *pdev)
+@@ -2993,6 +3000,10 @@ static int airoha_probe(struct platform_device *pdev)
+               }
+       }
++      err = airoha_register_gdm_devices(eth);
++      if (err)
++              goto error_napi_stop;
++
+       return 0;
+ error_napi_stop:
+@@ -3006,10 +3017,12 @@ static int airoha_probe(struct platform_device *pdev)
+       for (i = 0; i < ARRAY_SIZE(eth->ports); i++) {
+               struct airoha_gdm_port *port = eth->ports[i];
+-              if (port && port->dev->reg_state == NETREG_REGISTERED) {
++              if (!port)
++                      continue;
++
++              if (port->dev->reg_state == NETREG_REGISTERED)
+                       unregister_netdev(port->dev);
+-                      airoha_metadata_dst_free(port);
+-              }
++              airoha_metadata_dst_free(port);
+       }
+       free_netdev(eth->napi_dev);
+       platform_set_drvdata(pdev, NULL);
+-- 
+2.51.0
+
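Review bot: The error path in airoha_probe() now calls `airoha_metadata_dst_free(port)` for every non-NULL `eth->ports[i]`, while airoha_alloc_gdm_port() stores `eth->ports[p] = port` before `return airoha_metadata_dst_alloc(port);`. A port whose metadata allocation failed part-way would therefore also reach the free call, presumably through the same `error_napi_stop` label. Neither helper's body is in this patch, so it should be confirmed that airoha_metadata_dst_free() tolerates unset or already released entries; if the alloc helper cleans up after itself on failure, this would be a second free. A short comment above the loop, such as `/* ports here may be unregistered or only partially set up */`, would record the new contract. airoha_probe() starts and ends outside the nested hunks.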
diff --git a/queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..3777ae9
--- /dev/null
@@ -0,0 +1,42 @@
+From 3c99d05166484bcccc0710afa6d9122e8c7725c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 7280c4e9305f..b9b2981c4841 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -247,6 +247,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..a632cfc
--- /dev/null
@@ -0,0 +1,45 @@
+From fc5fda716f0474924b8e2d26972c63be12bd7ee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 62cafced758e..7d6ec2eb7c75 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -2155,6 +2155,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch b/queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch
new file mode 100644 (file)
index 0000000..53f8d3e
--- /dev/null
@@ -0,0 +1,102 @@
+From 48ff9e70107cf8ecbbd9b96f794e1af14c370eb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 17:02:36 +0200
+Subject: net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit a9f96dc59b4a50ffbf86158f315e115969172d48 ]
+
+of_find_net_device_by_node() searches net devices by their /sys/class/net/,
+entry. It is documented in its kernel-doc that:
+
+ * If successful, returns a pointer to the net_device with the embedded
+ * struct device refcount incremented by one, or NULL on failure. The
+ * refcount must be dropped when done with the net_device.
+
+We are missing a put_device(&conduit->dev) which we could place at the
+end of dsa_tree_find_first_conduit(). But to explain why calling
+put_device() right away is safe is the same as to explain why the chosen
+solution is different.
+
+The code is very poorly split: dsa_tree_find_first_conduit() was first
+introduced in commit 95f510d0b792 ("net: dsa: allow the DSA master to be
+seen and changed through rtnetlink") but was first used several commits
+later, in commit acc43b7bf52a ("net: dsa: allow masters to join a LAG").
+
+Assume there is a switch with 2 CPU ports and 2 conduits, eno2 and eno3.
+When we create a LAG (bonding or team device) and place eno2 and eno3
+beneath it, we create a 3rd conduit (the LAG device itself), but this is
+slightly different than the first two.
+
+Namely, the cpu_dp->conduit pointer of the CPU ports does not change,
+and remains pointing towards the physical Ethernet controllers which are
+now LAG ports. Only 2 things change:
+- the LAG device has a dev->dsa_ptr which marks it as a DSA conduit
+- dsa_port_to_conduit(user port) finds the LAG and not the physical
+  conduit, because of the dp->cpu_port_in_lag bit being set.
+
+When the LAG device is destroyed, dsa_tree_migrate_ports_from_lag_conduit()
+is called and this is where dsa_tree_find_first_conduit() kicks in.
+
+This is the logical mistake and the reason why introducing code in one
+patch and using it from another is bad practice. I didn't realize that I
+don't have to call of_find_net_device_by_node() again; the cpu_dp->conduit
+association was never undone, and is still available for direct (re)use.
+There's only one concern - maybe the conduit disappeared in the
+meantime, but the netdev_hold() call we made during dsa_port_parse_cpu()
+(see previous change) ensures that this was not the case.
+
+Therefore, fixing the code means reimplementing it in the simplest way.
+
+I am blaming the time of use, since this is what "git blame" would show
+if we were to monitor for the conduit's kobject's refcount remaining
+elevated instead of being freed.
+
+Tested on the NXP LS1028A, using the steps from
+Documentation/networking/dsa/configuration.rst section "Affinity of user
+ports to CPU ports", followed by (extra prints added by me):
+
+$ ip link del bond0
+mscc_felix 0000:00:00.5 swp3: Link is Down
+bond0 (unregistering): (slave eno2): Releasing backup interface
+fsl_enetc 0000:00:00.2 eno2: Link is Down
+mscc_felix 0000:00:00.5 swp0: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp1: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp2: bond0 disappeared, migrating to eno2
+mscc_felix 0000:00:00.5 swp3: bond0 disappeared, migrating to eno2
+
+Fixes: acc43b7bf52a ("net: dsa: allow masters to join a LAG")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20251215150236.3931670-2-vladimir.oltean@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/dsa.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
+index d466d0234087..ded9a291e620 100644
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -366,16 +366,10 @@ static struct dsa_port *dsa_tree_find_first_cpu(struct dsa_switch_tree *dst)
+ struct net_device *dsa_tree_find_first_conduit(struct dsa_switch_tree *dst)
+ {
+-      struct device_node *ethernet;
+-      struct net_device *conduit;
+       struct dsa_port *cpu_dp;
+       cpu_dp = dsa_tree_find_first_cpu(dst);
+-      ethernet = of_parse_phandle(cpu_dp->dn, "ethernet", 0);
+-      conduit = of_find_net_device_by_node(ethernet);
+-      of_node_put(ethernet);
+-
+-      return conduit;
++      return cpu_dp->conduit;
+ }
+ /* Assign the default CPU port (the first one in the tree) to all ports of the
+-- 
+2.51.0
+
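Review bot: dsa_tree_find_first_conduit() now hands back `cpu_dp->conduit` as a borrowed pointer, whereas the removed of_find_net_device_by_node() path returned it with the device refcount raised, and nothing in the function records the new contract. A caller that drops a reference under the old contract would now unbalance the count, so the ownership rule belongs in a comment above the function, e.g. `/* Returns the first CPU port's conduit without taking a reference; the CPU port's own hold keeps it alive. */`. That lifetime argument rests on the netdev_hold() added by "net: dsa: properly keep track of conduit reference", so this patch is only correct when queued after that one. `cpu_dp` is still dereferenced without a NULL check, as before; whether dsa_tree_find_first_cpu() can return NULL is not visible in this hunk.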
diff --git a/queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch b/queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch
new file mode 100644 (file)
index 0000000..89386a4
--- /dev/null
@@ -0,0 +1,295 @@
+From 14cfe3444719fde80e2aab3cf1c6a7f98adafcaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 17:02:35 +0200
+Subject: net: dsa: properly keep track of conduit reference
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 06e219f6a706c367c93051f408ac61417643d2f9 ]
+
+Problem description
+-------------------
+
+DSA has a mumbo-jumbo of reference handling of the conduit net device
+and its kobject which, sadly, is just wrong and doesn't make sense.
+
+There are two distinct problems.
+
+1. The OF path, which uses of_find_net_device_by_node(), never releases
+   the elevated refcount on the conduit's kobject. Nominally, the OF and
+   non-OF paths should result in objects having identical reference
+   counts taken, and it is already suspicious that
+   dsa_dev_to_net_device() has a put_device() call which is missing in
+   dsa_port_parse_of(), but we can actually even verify that an issue
+   exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command
+   "before" and "after" applying this patch:
+
+(unbind the conduit driver for net device eno2)
+echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind
+
+we see these lines in the output diff which appear only with the patch
+applied:
+
+kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000)
+kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000)
+
+2. After we find the conduit interface one way (OF) or another (non-OF),
+   it can get unregistered at any time, and DSA remains with a long-lived,
+   but in this case stale, cpu_dp->conduit pointer. Holding the net
+   device's underlying kobject isn't actually of much help, it just
+   prevents it from being freed (but we never need that kobject
+   directly). What helps us to prevent the net device from being
+   unregistered is the parallel netdev reference mechanism (dev_hold()
+   and dev_put()).
+
+Actually we actually use that netdev tracker mechanism implicitly on
+user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with
+the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link().
+But time still passes at DSA switch probe time between the initial
+of_find_net_device_by_node() code and the user port creation time, time
+during which the conduit could unregister itself and DSA wouldn't know
+about it.
+
+So we have to run of_find_net_device_by_node() under rtnl_lock() to
+prevent that from happening, and release the lock only with the netdev
+tracker having acquired the reference.
+
+Do we need to keep the reference until dsa_unregister_switch() /
+dsa_switch_shutdown()?
+1: Maybe yes. A switch device will still be registered even if all user
+   ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not
+   make user port errors fatal"), and the cpu_dp->conduit pointers
+   remain valid.  I haven't audited all call paths to see whether they
+   will actually use the conduit in lack of any user port, but if they
+   do, it seems safer to not rely on user ports for that reference.
+2. Definitely yes. We support changing the conduit which a user port is
+   associated to, and we can get into a situation where we've moved all
+   user ports away from a conduit, thus no longer hold any reference to
+   it via the net device tracker. But we shouldn't let it go nonetheless
+   - see the next change in relation to dsa_tree_find_first_conduit()
+   and LAG conduits which disappear.
+   We have to be prepared to return to the physical conduit, so the CPU
+   port must explicitly keep another reference to it. This is also to
+   say: the user ports and their CPU ports may not always keep a
+   reference to the same conduit net device, and both are needed.
+
+As for the conduit's kobject for the /sys/class/net/ entry, we don't
+care about it, we can release it as soon as we hold the net device
+object itself.
+
+History and blame attribution
+-----------------------------
+
+The code has been refactored so many times, it is very difficult to
+follow and properly attribute a blame, but I'll try to make a short
+history which I hope to be correct.
+
+We have two distinct probing paths:
+- one for OF, introduced in 2016 in commit 83c0afaec7b7 ("net: dsa: Add
+  new binding implementation")
+- one for non-OF, introduced in 2017 in commit 71e0bbde0d88 ("net: dsa:
+  Add support for platform data")
+
+These are both complete rewrites of the original probing paths (which
+used struct dsa_switch_driver and other weird stuff, instead of regular
+devices on their respective buses for register access, like MDIO, SPI,
+I2C etc):
+- one for OF, introduced in 2013 in commit 5e95329b701c ("dsa: add
+  device tree bindings to register DSA switches")
+- one for non-OF, introduced in 2008 in commit 91da11f870f0 ("net:
+  Distributed Switch Architecture protocol support")
+
+except for tiny bits and pieces like dsa_dev_to_net_device() which were
+seemingly carried over since the original commit, and used to this day.
+
+The point is that the original probing paths received a fix in 2015 in
+the form of commit 679fb46c5785 ("net: dsa: Add missing master netdev
+dev_put() calls"), but the fix never made it into the "new" (dsa2)
+probing paths that can still be traced to today, and the fixed probing
+path was later deleted in 2019 in commit 93e86b3bc842 ("net: dsa: Remove
+legacy probing support").
+
+That is to say, the new probing paths were never quite correct in this
+area.
+
+The existence of the legacy probing support which was deleted in 2019
+explains why dsa_dev_to_net_device() returns a conduit with elevated
+refcount (because it was supposed to be released during
+dsa_remove_dst()). After the removal of the legacy code, the only user
+of dsa_dev_to_net_device() calls dev_put(conduit) immediately after this
+function returns. This pattern makes no sense today, and can only be
+interpreted historically to understand why dev_hold() was there in the
+first place.
+
+Change details
+--------------
+
+Today we have a better netdev tracking infrastructure which we should
+use. Logically netdev_hold() belongs in common code
+(dsa_port_parse_cpu(), where dp->conduit is assigned), but there is a
+tradeoff to be made with the rtnl_lock() section which would become a
+bit too long if we did that - dsa_port_parse_cpu() also calls
+request_module(). So we duplicate a bit of logic in order for the
+callers of dsa_port_parse_cpu() to be the ones responsible of holding
+the conduit reference and releasing it on error. This shortens the
+rtnl_lock() section significantly.
+
+In the dsa_switch_probe() error path, dsa_switch_release_ports() will be
+called in a number of situations, one being where dsa_port_parse_cpu()
+maybe didn't get the chance to run at all (a different port failed
+earlier, etc). So we have to test for the conduit being NULL prior to
+calling netdev_put().
+
+There have still been so many transformations to the code since the
+blamed commits (rename master -> conduit, commit 0650bf52b31f ("net:
+dsa: be compatible with masters which unregister on shutdown")), that it
+only makes sense to fix the code using the best methods available today
+and see how it can be backported to stable later. I suspect the fix
+cannot even be backported to kernels which lack dsa_switch_shutdown(),
+and I suspect this is also maybe why the long-lived conduit reference
+didn't make it into the new DSA probing paths at the time (problems
+during shutdown).
+
+Because dsa_dev_to_net_device() has a single call site and has to be
+changed anyway, the logic was just absorbed into the non-OF
+dsa_port_parse().
+
+Tested on the ocelot/felix switch and on dsa_loop, both on the NXP
+LS1028A with CONFIG_DEBUG_KOBJECT_RELEASE=y.
+
+Reported-by: Ma Ke <make24@iscas.ac.cn>
+Closes: https://lore.kernel.org/netdev/20251214131204.4684-1-make24@iscas.ac.cn/
+Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation")
+Fixes: 71e0bbde0d88 ("net: dsa: Add support for platform data")
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20251215150236.3931670-1-vladimir.oltean@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/dsa.h |  1 +
+ net/dsa/dsa.c     | 59 +++++++++++++++++++++++++++--------------------
+ 2 files changed, 35 insertions(+), 25 deletions(-)
+
+diff --git a/include/net/dsa.h b/include/net/dsa.h
+index d73ea0880066..5cb456bf4639 100644
+--- a/include/net/dsa.h
++++ b/include/net/dsa.h
+@@ -298,6 +298,7 @@ struct dsa_port {
+       struct devlink_port     devlink_port;
+       struct phylink          *pl;
+       struct phylink_config   pl_config;
++      netdevice_tracker       conduit_tracker;
+       struct dsa_lag          *lag;
+       struct net_device       *hsr_dev;
+diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
+index 5b01a0e43ebe..d466d0234087 100644
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -1252,14 +1252,25 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn)
+       if (ethernet) {
+               struct net_device *conduit;
+               const char *user_protocol;
++              int err;
++              rtnl_lock();
+               conduit = of_find_net_device_by_node(ethernet);
+               of_node_put(ethernet);
+-              if (!conduit)
++              if (!conduit) {
++                      rtnl_unlock();
+                       return -EPROBE_DEFER;
++              }
++
++              netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL);
++              put_device(&conduit->dev);
++              rtnl_unlock();
+               user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL);
+-              return dsa_port_parse_cpu(dp, conduit, user_protocol);
++              err = dsa_port_parse_cpu(dp, conduit, user_protocol);
++              if (err)
++                      netdev_put(conduit, &dp->conduit_tracker);
++              return err;
+       }
+       if (link)
+@@ -1392,37 +1403,30 @@ static struct device *dev_find_class(struct device *parent, char *class)
+       return device_find_child(parent, class, dev_is_class);
+ }
+-static struct net_device *dsa_dev_to_net_device(struct device *dev)
+-{
+-      struct device *d;
+-
+-      d = dev_find_class(dev, "net");
+-      if (d != NULL) {
+-              struct net_device *nd;
+-
+-              nd = to_net_dev(d);
+-              dev_hold(nd);
+-              put_device(d);
+-
+-              return nd;
+-      }
+-
+-      return NULL;
+-}
+-
+ static int dsa_port_parse(struct dsa_port *dp, const char *name,
+                         struct device *dev)
+ {
+       if (!strcmp(name, "cpu")) {
+               struct net_device *conduit;
++              struct device *d;
++              int err;
+-              conduit = dsa_dev_to_net_device(dev);
+-              if (!conduit)
++              rtnl_lock();
++              d = dev_find_class(dev, "net");
++              if (!d) {
++                      rtnl_unlock();
+                       return -EPROBE_DEFER;
++              }
+-              dev_put(conduit);
++              conduit = to_net_dev(d);
++              netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL);
++              put_device(d);
++              rtnl_unlock();
+-              return dsa_port_parse_cpu(dp, conduit, NULL);
++              err = dsa_port_parse_cpu(dp, conduit, NULL);
++              if (err)
++                      netdev_put(conduit, &dp->conduit_tracker);
++              return err;
+       }
+       if (!strcmp(name, "dsa"))
+@@ -1490,6 +1494,9 @@ static void dsa_switch_release_ports(struct dsa_switch *ds)
+       struct dsa_vlan *v, *n;
+       dsa_switch_for_each_port_safe(dp, next, ds) {
++              if (dsa_port_is_cpu(dp) && dp->conduit)
++                      netdev_put(dp->conduit, &dp->conduit_tracker);
++
+               /* These are either entries that upper layers lost track of
+                * (probably due to bugs), or installed through interfaces
+                * where one does not necessarily have to remove them, like
+@@ -1634,8 +1641,10 @@ void dsa_switch_shutdown(struct dsa_switch *ds)
+       /* Disconnect from further netdevice notifiers on the conduit,
+        * since netdev_uses_dsa() will now return false.
+        */
+-      dsa_switch_for_each_cpu_port(dp, ds)
++      dsa_switch_for_each_cpu_port(dp, ds) {
+               dp->conduit->dsa_ptr = NULL;
++              netdev_put(dp->conduit, &dp->conduit_tracker);
++      }
+       rtnl_unlock();
+ out:
+-- 
+2.51.0
+
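Review bot: In dsa_switch_shutdown() the new `netdev_put(dp->conduit, &dp->conduit_tracker)` leaves `dp->conduit` set, while the put added to dsa_switch_release_ports() is guarded only by `dsa_port_is_cpu(dp) && dp->conduit`. If both paths can run for the same switch, which these hunks do not show, the tracker would be released twice. The same balance question applies to the `if (err) netdev_put(...)` error paths in dsa_port_parse_of() and dsa_port_parse(): they are correct only if dsa_port_parse_cpu() leaves `dp->conduit` unset when it fails. Stating the rule next to the shutdown put would make it checkable, e.g. `/* Final put of the CPU port's conduit reference; dsa_switch_release_ports() must not run for this switch afterwards. */`. All of the touched functions continue outside the hunks.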
diff --git a/queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch b/queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch
new file mode 100644 (file)
index 0000000..ea6a615
--- /dev/null
@@ -0,0 +1,122 @@
+From 4cb09782da5bf920877de3147f59fe3658365783 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 19:26:38 +0000
+Subject: net: fib: restore ECMP balance from loopback
+
+From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+
+[ Upstream commit 6e17474aa9fe15015c9921a5081c7ca71783aac6 ]
+
+Preference of nexthop with source address broke ECMP for packets with
+source addresses which are not in the broadcast domain, but rather added
+to loopback/dummy interfaces. Original behaviour was to balance over
+nexthops while now it uses the latest nexthop from the group. To fix the
+issue introduce next hop scoring system where next hops with source
+address equal to requested will always have higher priority.
+
+For the case with 198.51.100.1/32 assigned to dummy0 and routed using
+192.0.2.0/24 and 203.0.113.0/24 networks:
+
+2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/ether d6:54:8a:ff:78:f5 brd ff:ff:ff:ff:ff:ff
+    inet 198.51.100.1/32 scope global dummy0
+       valid_lft forever preferred_lft forever
+7: veth1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+    link/ether 06:ed:98:87:6d:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 192.0.2.2/24 scope global veth1
+       valid_lft forever preferred_lft forever
+    inet6 fe80::4ed:98ff:fe87:6d8a/64 scope link proto kernel_ll
+       valid_lft forever preferred_lft forever
+9: veth3@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+    link/ether ae:75:23:38:a0:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 203.0.113.2/24 scope global veth3
+       valid_lft forever preferred_lft forever
+    inet6 fe80::ac75:23ff:fe38:a0d2/64 scope link proto kernel_ll
+       valid_lft forever preferred_lft forever
+
+~ ip ro list:
+default
+       nexthop via 192.0.2.1 dev veth1 weight 1
+       nexthop via 203.0.113.1 dev veth3 weight 1
+192.0.2.0/24 dev veth1 proto kernel scope link src 192.0.2.2
+203.0.113.0/24 dev veth3 proto kernel scope link src 203.0.113.2
+
+before:
+   for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c:
+    255 veth3
+
+after:
+   for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c:
+    122 veth1
+    133 veth3
+
+Fixes: 32607a332cfe ("ipv4: prefer multipath nexthop that matches source address")
+Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20251221192639.3911901-1-vadim.fedorenko@linux.dev
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_semantics.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index a5f3c8459758..0caf38e44c73 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -2167,8 +2167,8 @@ void fib_select_multipath(struct fib_result *res, int hash,
+ {
+       struct fib_info *fi = res->fi;
+       struct net *net = fi->fib_net;
+-      bool found = false;
+       bool use_neigh;
++      int score = -1;
+       __be32 saddr;
+       if (unlikely(res->fi->nh)) {
+@@ -2180,7 +2180,7 @@ void fib_select_multipath(struct fib_result *res, int hash,
+       saddr = fl4 ? fl4->saddr : 0;
+       change_nexthops(fi) {
+-              int nh_upper_bound;
++              int nh_upper_bound, nh_score = 0;
+               /* Nexthops without a carrier are assigned an upper bound of
+                * minus one when "ignore_routes_with_linkdown" is set.
+@@ -2190,24 +2190,18 @@ void fib_select_multipath(struct fib_result *res, int hash,
+                   (use_neigh && !fib_good_nh(nexthop_nh)))
+                       continue;
+-              if (!found) {
++              if (saddr && nexthop_nh->nh_saddr == saddr)
++                      nh_score += 2;
++              if (hash <= nh_upper_bound)
++                      nh_score++;
++              if (score < nh_score) {
+                       res->nh_sel = nhsel;
+                       res->nhc = &nexthop_nh->nh_common;
+-                      found = !saddr || nexthop_nh->nh_saddr == saddr;
++                      if (nh_score == 3 || (!saddr && nh_score == 1))
++                              return;
++                      score = nh_score;
+               }
+-              if (hash > nh_upper_bound)
+-                      continue;
+-
+-              if (!saddr || nexthop_nh->nh_saddr == saddr) {
+-                      res->nh_sel = nhsel;
+-                      res->nhc = &nexthop_nh->nh_common;
+-                      return;
+-              }
+-
+-              if (found)
+-                      return;
+-
+       } endfor_nexthops(fi);
+ }
+ #endif
+-- 
+2.51.0
+
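Review bot: The scoring in fib_select_multipath() relies on bare numbers: `nh_score += 2`, `nh_score++` and the exit test `nh_score == 3 || (!saddr && nh_score == 1)` only make sense once the reader works out that 3 and 1 are the highest scores reachable with and without a source address. A short comment above the two scoring `if` lines would make that explicit, e.g. `/* +2: nexthop source matches saddr; +1: hash is within this nexthop's bound. Return once the best reachable score is hit. */`. Because `score < nh_score` is strict, equal scores keep the earlier nexthop, which appears to be what preserves the hash-based spread when no source matches; that belongs in the same comment. Parts of the function lie between the hunks shown.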
diff --git a/queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..9b8ef46
--- /dev/null
@@ -0,0 +1,52 @@
+From cd049b55cbff0c6d46d2ce8043577c305a002a82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index e55be6dc9ae7..d6b9004c61dc 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch b/queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch
new file mode 100644 (file)
index 0000000..6430bbe
--- /dev/null
@@ -0,0 +1,62 @@
+From 312152e8c0e1ef5596ddd96366ef62569556fff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 13:01:53 -0800
+Subject: net: mdio: rtl9300: use scoped for loops
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit a4f800c4487dc5d6fcc28da89c7cc3c187ccc731 ]
+
+Currently in the return path, fwnode_handle_put calls are missing. Just use
+_scoped to avoid the issue.
+
+Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver")
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Link: https://patch.msgid.link/20251217210153.14641-1-rosenp@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-realtek-rtl9300.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c
+index 33694c3ff9a7..405a07075dd1 100644
+--- a/drivers/net/mdio/mdio-realtek-rtl9300.c
++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c
+@@ -354,7 +354,6 @@ static int rtl9300_mdiobus_probe_one(struct device *dev, struct rtl9300_mdio_pri
+                                    struct fwnode_handle *node)
+ {
+       struct rtl9300_mdio_chan *chan;
+-      struct fwnode_handle *child;
+       struct mii_bus *bus;
+       u32 mdio_bus;
+       int err;
+@@ -371,7 +370,7 @@ static int rtl9300_mdiobus_probe_one(struct device *dev, struct rtl9300_mdio_pri
+        * compatible = "ethernet-phy-ieee802.3-c45". This does mean we can't
+        * support both c45 and c22 on the same MDIO bus.
+        */
+-      fwnode_for_each_child_node(node, child)
++      fwnode_for_each_child_node_scoped(node, child)
+               if (fwnode_device_is_compatible(child, "ethernet-phy-ieee802.3-c45"))
+                       priv->smi_bus_is_c45[mdio_bus] = true;
+@@ -409,7 +408,6 @@ static int rtl9300_mdiobus_map_ports(struct device *dev)
+ {
+       struct rtl9300_mdio_priv *priv = dev_get_drvdata(dev);
+       struct device *parent = dev->parent;
+-      struct fwnode_handle *port;
+       int err;
+       struct fwnode_handle *ports __free(fwnode_handle) =
+@@ -418,7 +416,7 @@ static int rtl9300_mdiobus_map_ports(struct device *dev)
+               return dev_err_probe(dev, -EINVAL, "%pfwP missing ethernet-ports\n",
+                                    dev_fwnode(parent));
+-      fwnode_for_each_child_node(ports, port) {
++      fwnode_for_each_child_node_scoped(ports, port) {
+               struct device_node *mdio_dn;
+               u32 addr;
+               u32 bus;
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..b4dc6c4
--- /dev/null
@@ -0,0 +1,68 @@
+From e467464de2e2d52dbf4502024a809d2f30af768b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 91a11067e458..6574f9bcdc02 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -160,10 +160,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
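Review bot: The first `netif_is_ovs_port(vport->dev)` test in netdev_destroy() is made without RTNL, and when it reads false the function goes straight to `call_rcu(&vport->rcu, vport_netdev_free)`; the removed unconditional `rtnl_lock()` also made this path wait for any detach still running under the lock. Whether a cleared IFF_OVS_DATAPATH flag guarantees that ovs_netdev_detach_dev() has finished using `vport` depends on code outside this hunk, so the comment should state that assumption, e.g. `/* Skipping RTNL is only safe if the flag is cleared after the detach no longer touches vport. */`. The new comment also names `ovs_db_notify_wq()`, which looks like a typo for the dp_notify work function the description refers to (likely `ovs_dp_notify_wq()`); confirm the name before it is copied further.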
diff --git a/queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..8117216
--- /dev/null
@@ -0,0 +1,48 @@
+From 7827a7a6470c60bf54ddfe557656e21ff66357b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 543f9e8ebb69..fad6518e6e39 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
new file mode 100644 (file)
index 0000000..893788a
--- /dev/null
@@ -0,0 +1,96 @@
+From a69c584adf112a34a97d27046c10d089bd33f60b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 15:13:32 +0800
+Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
+
+There is a crash issue when running zero copy XDP_TX action, the crash
+log is shown below.
+
+[  216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
+[  216.187524] Internal error: Oops: 0000000096000144 [#1]  SMP
+[  216.301694] Call trace:
+[  216.304130]  dcache_clean_poc+0x20/0x38 (P)
+[  216.308308]  __dma_sync_single_for_device+0x1bc/0x1e0
+[  216.313351]  stmmac_xdp_xmit_xdpf+0x354/0x400
+[  216.317701]  __stmmac_xdp_run_prog+0x164/0x368
+[  216.322139]  stmmac_napi_poll_rxtx+0xba8/0xf00
+[  216.326576]  __napi_poll+0x40/0x218
+[  216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+
+For XDP_TX action, the xdp_buff is converted to xdp_frame by
+xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
+depends on the memory type of the xdp_buff. For page pool based xdp_buff
+it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
+XSK pool based xdp_buff it produces xdp_frame with memory type
+MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
+memory type and always uses the page pool type, this leads to invalid
+mappings and causes the crash. Therefore, check the xdp_buff memory type
+in stmmac_xdp_xmit_back() to fix this issue.
+
+Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c   | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 86e912471dea..0dd17179c85d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -88,6 +88,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
+ #define STMMAC_XDP_CONSUMED   BIT(0)
+ #define STMMAC_XDP_TX         BIT(1)
+ #define STMMAC_XDP_REDIRECT   BIT(2)
++#define STMMAC_XSK_CONSUMED   BIT(3)
+ static int flow_ctrl = 0xdead;
+ module_param(flow_ctrl, int, 0644);
+@@ -4988,6 +4989,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
+ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+                               struct xdp_buff *xdp)
+ {
++      bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
+       struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
+       int cpu = smp_processor_id();
+       struct netdev_queue *nq;
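Review bot: The `!!( ... )` around the comparison in the new `zc` initialiser of stmmac_xdp_xmit_back() is redundant, since `==` already yields 0 or 1; `bool zc = xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL;` reads more plainly. The declaration order also deserves a short comment: the memory type appears to be sampled before xdp_convert_buff_to_frame() on purpose, because the comment added in the next hunk says the conversion frees the zero-copy buffer. A later reshuffle of these declarations would otherwise read `xdp` after it has been released. The function body continues outside this hunk.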
+@@ -5004,9 +5006,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+       /* Avoids TX time-out as we are sharing with slow path */
+       txq_trans_cond_update(nq);
+-      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
+-      if (res == STMMAC_XDP_TX)
++      /* For zero copy XDP_TX action, dma_map is true */
++      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
++      if (res == STMMAC_XDP_TX) {
+               stmmac_flush_tx_descriptors(priv, queue);
++      } else if (res == STMMAC_XDP_CONSUMED && zc) {
++              /* xdp has been freed by xdp_convert_buff_to_frame(),
++               * no need to call xsk_buff_free() again, so return
++               * STMMAC_XSK_CONSUMED.
++               */
++              res = STMMAC_XSK_CONSUMED;
++              xdp_return_frame(xdpf);
++      }
+       __netif_tx_unlock(nq);
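Review bot: The new comment `/* For zero copy XDP_TX action, dma_map is true */` restates the argument rather than explaining it. The commit message gives the reason: a frame converted from an XSK buffer has memory type MEM_TYPE_PAGE_ORDER0, not page-pool memory, so it carries no existing DMA mapping. I would write that instead, e.g. `/* Frames converted from XSK buffers are not page-pool memory, so they must be DMA-mapped here (dma_map = true). */`. The start of stmmac_xdp_xmit_back() and its return are outside this hunk.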
+@@ -5356,6 +5367,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               case STMMAC_XDP_CONSUMED:
+                       xsk_buff_free(buf->xdp);
++                      fallthrough;
++              case STMMAC_XSK_CONSUMED:
+                       rx_dropped++;
+                       break;
+               case STMMAC_XDP_TX:
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.18/net-usb-asix-validate-phy-address-before-use.patch
new file mode 100644 (file)
index 0000000..7db4607
--- /dev/null
@@ -0,0 +1,71 @@
+From f6db1de271cccfc868eca4a6e06c00632e1ee3b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 06:41:56 +0530
+Subject: net: usb: asix: validate PHY address before use
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
+
+The ASIX driver reads the PHY address from the USB device via
+asix_read_phy_addr(). A malicious or faulty device can return an
+invalid address (>= PHY_MAX_ADDR), which causes a warning in
+mdiobus_get_phy():
+
+  addr 207 out of range
+  WARNING: drivers/net/phy/mdio_bus.c:76
+
+Validate the PHY address in asix_read_phy_addr() and remove the
+now-redundant check in ax88172a.c.
+
+Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
+Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
+Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 5 +++++
+ drivers/net/usb/ax88172a.c    | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 7fd763917ae2..6ab3486072cb 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
+       offset = (internal ? 1 : 0);
+       ret = buf[offset];
++      if (ret >= PHY_MAX_ADDR) {
++              netdev_err(dev->net, "invalid PHY address: %d\n", ret);
++              return -ENODEV;
++      }
++
+       netdev_dbg(dev->net, "%s PHY address 0x%x\n",
+                  internal ? "internal" : "external", ret);
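Review bot: The new error message in asix_read_phy_addr() prints the address with `%d`, while the netdev_dbg() directly below prints the same value with `0x%x` and the check removed from ax88172a.c used `%#x`. One radix makes the logs easier to correlate: `netdev_err(dev->net, "invalid PHY address: %#x\n", ret);`. A one-line comment above the check noting that `buf` is filled by the USB device and therefore untrusted would also record why the range validation lives in this helper. The rest of the function is outside this hunk.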
+diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
+index f613e4bc68c8..758a423a459b 100644
+--- a/drivers/net/usb/ax88172a.c
++++ b/drivers/net/usb/ax88172a.c
+@@ -210,11 +210,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
+       ret = asix_read_phy_addr(dev, priv->use_embdphy);
+       if (ret < 0)
+               goto free;
+-      if (ret >= PHY_MAX_ADDR) {
+-              netdev_err(dev->net, "Invalid PHY address %#x\n", ret);
+-              ret = -ENODEV;
+-              goto free;
+-      }
++
+       priv->phy_addr = ret;
+       ax88172a_reset_phy(dev, priv->use_embdphy);
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..6b34ab3
--- /dev/null
@@ -0,0 +1,47 @@
+From 942b88d71b698aa4561ad2c14a92e25da405507d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 278e6cb6f4d9..e40b0669d9f4 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.18/net-wangxun-move-phylink-dependency.patch b/queue-6.18/net-wangxun-move-phylink-dependency.patch
new file mode 100644 (file)
index 0000000..94e1b25
--- /dev/null
@@ -0,0 +1,76 @@
+From f7dd1a8e9fca940d9b3ee00c50c85f225bf3fed4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 22:35:42 +0100
+Subject: net: wangxun: move PHYLINK dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b94f11af9d9201426f4d6c8a753493fd58d6ac16 ]
+
+The LIBWX library code is what calls into phylink, so any user of
+it has to select CONFIG_PHYLINK at the moment, with NGBEVF missing this:
+
+x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_nway_reset':
+wx_ethtool.c:(.text+0x613): undefined reference to `phylink_ethtool_nway_reset'
+x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_get_link_ksettings':
+wx_ethtool.c:(.text+0x62b): undefined reference to `phylink_ethtool_ksettings_get'
+x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_set_link_ksettings':
+wx_ethtool.c:(.text+0x643): undefined reference to `phylink_ethtool_ksettings_set'
+x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_get_pauseparam':
+wx_ethtool.c:(.text+0x65b): undefined reference to `phylink_ethtool_get_pauseparam'
+x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_set_pauseparam':
+wx_ethtool.c:(.text+0x677): undefined reference to `phylink_ethtool_set_pauseparam'
+
+Add the 'select PHYLINK' line in the libwx option directly so this will
+always be enabled for all current and future wangxun drivers, and remove
+the now duplicate lines.
+
+Fixes: a0008a3658a3 ("net: wangxun: add ngbevf build")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20251216213547.115026-1-arnd@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/Kconfig | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/Kconfig b/drivers/net/ethernet/wangxun/Kconfig
+index d138dea7d208..ec278f99d295 100644
+--- a/drivers/net/ethernet/wangxun/Kconfig
++++ b/drivers/net/ethernet/wangxun/Kconfig
+@@ -21,6 +21,7 @@ config LIBWX
+       depends on PTP_1588_CLOCK_OPTIONAL
+       select PAGE_POOL
+       select DIMLIB
++      select PHYLINK
+       help
+       Common library for Wangxun(R) Ethernet drivers.
+@@ -29,7 +30,6 @@ config NGBE
+       depends on PCI
+       depends on PTP_1588_CLOCK_OPTIONAL
+       select LIBWX
+-      select PHYLINK
+       help
+         This driver supports Wangxun(R) GbE PCI Express family of
+         adapters.
+@@ -48,7 +48,6 @@ config TXGBE
+       depends on PTP_1588_CLOCK_OPTIONAL
+       select MARVELL_10G_PHY
+       select REGMAP
+-      select PHYLINK
+       select HWMON if TXGBE=y
+       select SFP
+       select GPIOLIB
+@@ -71,7 +70,6 @@ config TXGBEVF
+       depends on PCI_MSI
+       depends on PTP_1588_CLOCK_OPTIONAL
+       select LIBWX
+-      select PHYLINK
+       help
+         This driver supports virtual functions for SP1000A, WX1820AL,
+         WX5XXX, WX5XXXAL.
+-- 
+2.51.0
+
diff --git a/queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..fabc4c6
--- /dev/null
@@ -0,0 +1,45 @@
+From db35ae8bc3ff10f293285ed183199327b6d08972 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index b90e23dc49de..b6449f0a9e7d 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -418,6 +418,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
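Review bot: The minimum of 16 appears as a bare literal in both the comparison and the message, with nothing explaining where it comes from. A named constant with a comment tying it to the `Q_SIZE(rx_count, 3)` computation just below would keep the two in sync, e.g. a new `#define OTX2_MIN_RQ_LEN 16` (the name is only a suggestion) and `if (ring->rx_pending < OTX2_MIN_RQ_LEN) {`. The test also checks `ring->rx_pending` after `rx_count` has already been derived and clamped against `rq_skid`, so it would read more naturally ahead of that arithmetic. The start of otx2_set_ringparam() is outside this hunk, so any existing validation block there is not visible.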
+-- 
+2.51.0
+
diff --git a/queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch b/queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch
new file mode 100644 (file)
index 0000000..bb4b431
--- /dev/null
@@ -0,0 +1,61 @@
+From 82e213e5adbc84e5bbe9b28d66d1ae3c72888c31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 12:18:13 +0000
+Subject: platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event
+ names
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit f13bce715d1600698310a4a7832f6a52499d5395 ]
+
+Some event names have trailing whitespaces at the end which causes programming
+of counters using the name for these specific events to fail and hence need to
+be removed.
+
+Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://patch.msgid.link/065cbae0717dcc1169681c4dbb1a6e050b8574b3.1766059953.git.shravankr@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 16a2fd9fdd9b..5ec1ad471696 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -801,18 +801,18 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_miss_events[] = {
+       {11, "GDC_MISS_MACHINE_CHI_TXDAT"},
+       {12, "GDC_MISS_MACHINE_CHI_RXDAT"},
+       {13, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_0"},
+-      {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1 "},
++      {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1"},
+       {15, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_2"},
+-      {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3 "},
+-      {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0 "},
+-      {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1 "},
+-      {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2 "},
+-      {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3 "},
++      {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3"},
++      {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0"},
++      {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1"},
++      {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2"},
++      {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3"},
+       {21, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_0"},
+       {22, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_1"},
+       {23, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_2"},
+       {24, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_3"},
+-      {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0 "},
++      {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0"},
+       {26, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_1"},
+       {27, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_2"},
+       {28, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_3"},
+-- 
+2.51.0
+
diff --git a/queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
new file mode 100644 (file)
index 0000000..816c042
--- /dev/null
@@ -0,0 +1,129 @@
+From abd8f0c43e201d426317630466a8d7332f5d00f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Dec 2025 19:42:05 +0800
+Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI
+ package parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
+
+The hp_populate_*_elements_from_package() functions in the hp-bioscfg
+driver contain out-of-bounds array access vulnerabilities.
+
+These functions parse ACPI packages into internal data structures using
+a for loop with index variable 'elem' that iterates through
+enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
+
+When processing multi-element fields like PREREQUISITES and
+ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
+elements using expressions like 'enum_obj[elem + reqs]' and
+'enum_obj[elem + pos_values]' within nested loops.
+
+The bug is that the bounds check only validated elem, but did not consider
+the additional offset when accessing elem + reqs or elem + pos_values.
+
+The fix changes the bounds check to validate the actual accessed index.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c       | 4 ++--
+ drivers/platform/x86/hp/hp-bioscfg/int-attributes.c        | 2 +-
+ drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c  | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/string-attributes.c     | 2 +-
+ 5 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+index c50ad5880503..f346aad8e9d8 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+               case PREREQUISITES:
+                       size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + reqs >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+                       for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
+                            pos_values++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + pos_values >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+index 6c7f4d5fa9cb..63b1fda2be4e 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
+                       size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= integer_obj_count) {
++                              if (elem + reqs >= integer_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+index c6e57bb9d8b7..6a31f47ce3f5 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
+                       size = min_t(u32, ordered_list_data->common.prerequisites_size,
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= order_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
+                                                              order_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
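Review bot: After the new bounds check, `order_obj[elem + reqs]` is read through `.string.pointer` and `.string.length` with no visible test that the element is actually a string object. The package is supplied by firmware, so an entry of another type would be interpreted through the wrong union member. If no earlier check covers the offset entries (the loop's start is outside this hunk), add `if (order_obj[elem + reqs].type != ACPI_TYPE_STRING) return -EINVAL;` before the hp_convert_hexstr_to_str() call. The same applies to `password_obj[elem + reqs]` in the passwdobj-attributes.c hunk that follows.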
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+index 187b372123ed..ec79d9d50377 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= password_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
+                                                              password_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+index 27758b779b2d..7b885d25650c 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= string_obj_count) {
++                              if (elem + reqs >= string_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+-- 
+2.51.0
+
diff --git a/queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..091b5d6
--- /dev/null
@@ -0,0 +1,47 @@
+From 303907a0363ccd588182b9c72a2f106cb98c18df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 231b37909801..139956168cf9 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -273,7 +273,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
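Review bot: With the stride corrected, the scan in ibm_rtl_init() now reaches offsets up to `ebda_size - sizeof(unsigned int)`, and `readq(&tmp->signature)` is a 64-bit read. Assuming `signature` is the first field, the last iteration reads past `ebda_size`, and the iterations near the end leave no room for the rest of the table. Bounding the loop by the structure size avoids that: `for (i = 0; i + sizeof(struct ibm_rtl_table) <= ebda_size; i += sizeof(unsigned int))` with `tmp = (struct ibm_rtl_table __iomem *)(ebda_map + i);`. How `ebda_size` relates to the mapped length is set up outside this hunk, so confirm it against the mapping call; the loop body also continues beyond the hunk.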
+-- 
+2.51.0
+
diff --git a/queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch b/queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch
new file mode 100644 (file)
index 0000000..e04f377
--- /dev/null
@@ -0,0 +1,51 @@
+From 9d97bd7567db5f013d3122d4b3d26545b5034658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 01:51:09 -0800
+Subject: platform/x86/intel/pmt/discovery: use valid device pointer in
+ dev_err_probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 66e245db16f0175af656cd812b6dc1a5e1f7b80a ]
+
+The PMT feature probe creates a child device with device_create().
+If device creation fail, the code pass priv->dev (which is an ERR_PTR)
+to dev_err_probe(), which is not a valid device pointer.
+
+This patch change the dev_err_probe() call to use the parent auxiliary
+device (&auxdev->dev) and update the error message to reference the
+parent device name. It ensure correct error reporting and avoid
+passing an invalid device pointer.
+
+Fixes: d9a078809356 ("platform/x86/intel/pmt: Add PMT Discovery driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251224095133.115678-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/pmt/discovery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/pmt/discovery.c b/drivers/platform/x86/intel/pmt/discovery.c
+index 9c5b4d0e1fae..e500aa327d23 100644
+--- a/drivers/platform/x86/intel/pmt/discovery.c
++++ b/drivers/platform/x86/intel/pmt/discovery.c
+@@ -548,9 +548,9 @@ static int pmt_features_probe(struct auxiliary_device *auxdev, const struct auxi
+       priv->dev = device_create(&intel_pmt_class, &auxdev->dev, MKDEV(0, 0), priv,
+                                 "%s-%s", "features", dev_name(priv->parent));
+       if (IS_ERR(priv->dev))
+-              return dev_err_probe(priv->dev, PTR_ERR(priv->dev),
++              return dev_err_probe(&auxdev->dev, PTR_ERR(priv->dev),
+                                    "Could not create %s-%s device node\n",
+-                                   "features", dev_name(priv->dev));
++                                   "features", dev_name(priv->parent));
+       /* Initialize each feature */
+       for (i = 0; i < ivdev->num_resources; i++) {
+-- 
+2.51.0
+
diff --git a/queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch b/queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch
new file mode 100644 (file)
index 0000000..c51c630
--- /dev/null
@@ -0,0 +1,46 @@
+From c41ee97df586f5c07604c782a90d19b421280577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 14:10:41 +0530
+Subject: platform/x86/intel/pmt: Fix kobject memory leak on init failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+
+[ Upstream commit 00c22b1e84288bf0e17ab1e7e59d75237cf0d0dc ]
+
+When kobject_init_and_add() fails in pmt_features_discovery(), the
+function returns without calling kobject_put(). This violates the
+kobject API contract where kobject_put() must be called even on
+initialization failure to properly release allocated resources.
+
+Fixes: d9a078809356 ("platform/x86/intel/pmt: Add PMT Discovery driver")
+Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
+Link: https://patch.msgid.link/20251223084041.3832933-1-kaushlendra.kumar@intel.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/pmt/discovery.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel/pmt/discovery.c b/drivers/platform/x86/intel/pmt/discovery.c
+index 32713a194a55..9c5b4d0e1fae 100644
+--- a/drivers/platform/x86/intel/pmt/discovery.c
++++ b/drivers/platform/x86/intel/pmt/discovery.c
+@@ -503,8 +503,10 @@ static int pmt_features_discovery(struct pmt_features_priv *priv,
+       ret = kobject_init_and_add(&feature->kobj, ktype, &priv->dev->kobj,
+                                  "%s", pmt_feature_names[feature->id]);
+-      if (ret)
++      if (ret) {
++              kobject_put(&feature->kobj);
+               return ret;
++      }
+       kobject_uevent(&feature->kobj, KOBJ_ADD);
+       pmt_features_add_feat(feature);
+-- 
+2.51.0
+
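Review bot: The new `kobject_put(&feature->kobj)` in the error branch runs the release callback of `ktype` for a feature that was never added, and neither that callback nor the allocation of `feature` is visible in this hunk. It is worth confirming that release does not free memory which the caller, or a devm allocation, also frees on the failure path. A one-line comment such as `/* kobject_put() is required even when kobject_init_and_add() fails */` would keep the branch from being simplified away later. The body of pmt_features_discovery() starts and ends outside the hunk.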
diff --git a/queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..b6754bb
--- /dev/null
@@ -0,0 +1,42 @@
+From 01b7712404170fc68d2ed13f2a8cdd82a7b7b8a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index c4b150fa093f..ddef6b78d2fa 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
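Review bot: The added `if (quirks->old_ec_model)` removal in msi_cleanup() has to mirror exactly the condition under which msi_init() created `msipf_old_attribute_group`, and that creation site is outside this hunk. The error-unwind path of msi_init() presumably needs the same removal if a later step fails after the group was created; please check it, since the patch touches only the exit path. The two adjacent tests on `quirks->old_ec_model` would read more clearly as one `if`/`else`.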
diff --git a/queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch b/queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch
new file mode 100644 (file)
index 0000000..e296fe6
--- /dev/null
@@ -0,0 +1,54 @@
+From 8e5fde095f392995561bb37d56203ec1793459a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Sep 2025 17:32:16 +0200
+Subject: powerpc/tools: drop `-o pipefail` in gcc check scripts
+
+From: Jan Stancek <jstancek@redhat.com>
+
+[ Upstream commit f1164534ad62f0cc247d99650b07bd59ad2a49fd ]
+
+Fixes: 0f71dcfb4aef ("powerpc/ftrace: Add support for -fpatchable-function-entry")
+Fixes: b71c9ffb1405 ("powerpc: Add arch/powerpc/tools directory")
+Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Signed-off-by: Jan Stancek <jstancek@redhat.com>
+Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel")
+Fixes: abba759796f9 ("powerpc/kbuild: move -mprofile-kernel check to Kconfig")
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Reviewed-by: Naveen N Rao (AMD) <naveen@kernel.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/cc6cdd116c3ad9d990df21f13c6d8e8a83815bbd.1758641374.git.jstancek@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh | 1 -
+ arch/powerpc/tools/gcc-check-mprofile-kernel.sh           | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh b/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh
+index 06706903503b..baed467a016b 100755
+--- a/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh
++++ b/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh
+@@ -2,7 +2,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ set -e
+-set -o pipefail
+ # To debug, uncomment the following line
+ # set -x
+diff --git a/arch/powerpc/tools/gcc-check-mprofile-kernel.sh b/arch/powerpc/tools/gcc-check-mprofile-kernel.sh
+index 73e331e7660e..6193b0ed0c77 100755
+--- a/arch/powerpc/tools/gcc-check-mprofile-kernel.sh
++++ b/arch/powerpc/tools/gcc-check-mprofile-kernel.sh
+@@ -2,7 +2,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ set -e
+-set -o pipefail
+ # To debug, uncomment the following line
+ # set -x
+-- 
+2.51.0
+
diff --git a/queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..a4ea70d
--- /dev/null
@@ -0,0 +1,40 @@
+From 09851a4d00950b00603210ffe226ea319a655ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index d5c12a51aa43..4d674a3aee1a 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -64,9 +64,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..0425aba
--- /dev/null
@@ -0,0 +1,58 @@
+From 6afbe4008ac1da1f8e16ff84d5cfdfa8b2568561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index f19b55c13d58..ff91511bd338 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2919,14 +2919,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..dbf4576
--- /dev/null
@@ -0,0 +1,45 @@
+From 373a15aa009e8c46c60402bb434431efb42a3aee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 295a9610f3e6..4dad0cfcfa98 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -1112,7 +1112,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->dbinfo.flags = 0;
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
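Review bot: The corrected test `if (!creq_db->reg.bar_base)` still only logs: as far as the hunk shows, dev_err() is the whole body and execution continues with a BAR base of 0. If the code below (outside the hunk) maps a register at `bar_base + reg_offt`, the function should fail instead, for example `return -ENOMEM;` after the dev_err() call inside braces; hedge this against whatever check follows the mapping. The message also lacks a trailing newline: `"QPLIB: CREQ BAR region %d resc start is 0!\n"`.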
diff --git a/queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch b/queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch
new file mode 100644 (file)
index 0000000..1f92616
--- /dev/null
@@ -0,0 +1,66 @@
+From ae9a4687c852b4bde6bbd9ab70bdacd8e6d8ecb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Dec 2025 15:21:10 +0800
+Subject: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit 9b68a1cc966bc947d00e4c0df7722d118125aa37 ]
+
+Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters
+update") added three new counters and placed them after
+BNXT_RE_OUT_OF_SEQ_ERR.
+
+BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware
+statistics with different num_counters values on chip_gen_p5_p7 devices.
+
+As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating
+hw_stats, which leads to an out-of-bounds write in
+bnxt_re_copy_err_stats().
+
+The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and
+BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not
+only p5/p7 devices.
+
+Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they
+are included in the generic counter set.
+
+Fixes: ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update")
+Reported-by: Yingying Zheng <zhengyingying@sangfor.com.cn>
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Link: https://patch.msgid.link/20251208072110.28874-1-dinghui@sangfor.com.cn
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Tested-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/hw_counters.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.h b/drivers/infiniband/hw/bnxt_re/hw_counters.h
+index 09d371d442aa..cebec033f4a0 100644
+--- a/drivers/infiniband/hw/bnxt_re/hw_counters.h
++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.h
+@@ -89,6 +89,9 @@ enum bnxt_re_hw_stats {
+       BNXT_RE_RES_SRQ_LOAD_ERR,
+       BNXT_RE_RES_TX_PCI_ERR,
+       BNXT_RE_RES_RX_PCI_ERR,
++      BNXT_RE_REQ_CQE_ERROR,
++      BNXT_RE_RESP_CQE_ERROR,
++      BNXT_RE_RESP_REMOTE_ACCESS_ERRS,
+       BNXT_RE_OUT_OF_SEQ_ERR,
+       BNXT_RE_TX_ATOMIC_REQ,
+       BNXT_RE_TX_READ_REQ,
+@@ -110,9 +113,6 @@ enum bnxt_re_hw_stats {
+       BNXT_RE_TX_CNP,
+       BNXT_RE_RX_CNP,
+       BNXT_RE_RX_ECN,
+-      BNXT_RE_REQ_CQE_ERROR,
+-      BNXT_RE_RESP_CQE_ERROR,
+-      BNXT_RE_RESP_REMOTE_ACCESS_ERRS,
+       BNXT_RE_NUM_EXT_COUNTERS
+ };
+-- 
+2.51.0
+
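Review bot: The position of `BNXT_RE_OUT_OF_SEQ_ERR` in `enum bnxt_re_hw_stats` is load-bearing, yet nothing in the enum says so, which is how the out-of-bounds write described in the commit message arose. A comment directly above that enumerator, e.g. `/* Boundary: counters above are allocated on all chips; add generic counters before this line */`, would document the contract. Any name/descriptor table indexed by this enum (not visible here) must use designated initializers or be reordered to match the moved entries. A static assertion tying the generic counter count to the boundary would catch a repeat at build time.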
diff --git a/queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..03ca709
--- /dev/null
@@ -0,0 +1,50 @@
+From 7475dafe0d7d7a53827c9fb014367325d3dd6e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 875d7b52c06a..d5c12a51aa43 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -237,7 +237,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -245,7 +245,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch b/queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch
new file mode 100644 (file)
index 0000000..28e9e89
--- /dev/null
@@ -0,0 +1,45 @@
+From 75218538a44fa721165b3de05336138a60979716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Dec 2025 11:11:33 +0900
+Subject: RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit fa3c411d21ebc26ffd175c7256c37cefa35020aa ]
+
+Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add
+support to add/delete a sub IB device through netlink") grabs a reference
+using ib_device_get_by_index() before calling ib_del_sub_device_and_put(),
+we need to drop that reference before returning -EOPNOTSUPP error.
+
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
+Fixes: bca51197620a ("RDMA/core: Support IB sub device with type "SMI"")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Link: https://patch.msgid.link/80749a85-cbe2-460c-8451-42516013f9fa@I-love.SAKURA.ne.jp
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index b4f3c835844a..e3ba236d7c09 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -2881,8 +2881,10 @@ int ib_del_sub_device_and_put(struct ib_device *sub)
+ {
+       struct ib_device *parent = sub->parent;
+-      if (!parent)
++      if (!parent) {
++              ib_device_put(sub);
+               return -EOPNOTSUPP;
++      }
+       mutex_lock(&parent->subdev_lock);
+       list_del(&sub->subdev_list);
+-- 
+2.51.0
+
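Review bot: With `ib_device_put(sub)` added to the `!parent` branch, ib_del_sub_device_and_put() now consumes the caller's reference on every path, and that contract should be stated in the function's comment. Something like `/* Always drops the reference the caller holds on @sub, including on error */` prevents a caller from adding its own put after a failed call, which would now be a double put. Other callers besides nldev_deldev(), if any, are outside this hunk and should be checked for a put on the -EOPNOTSUPP return. The function body continues past the hunk.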
diff --git a/queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..1a9e827
--- /dev/null
@@ -0,0 +1,39 @@
+From 30f9f6b3d44f7caf475cab8dc6c6bf8507ecfa35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 3a5f81402d2f..d279e301f5a1 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
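Review bot: Now that the last operand is `net_type == RDMA_NETWORK_ROCE_V1`, the `else if` can evaluate to false for the first time, so whatever follows the chain (outside this hunk) becomes reachable for unknown `net_type` values. Please confirm that path returns an error and that callers check the return value before using `*sgid` and `*dgid`, which are left unwritten in that case. The rewritten line is also over-long; a `switch (net_type)` with the three cases sharing one body would be easier to read and harder to get wrong in the same way.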
diff --git a/queue-6.18/rdma-efa-remove-possible-negative-shift.patch b/queue-6.18/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..0ab2391
--- /dev/null
@@ -0,0 +1,47 @@
+From 90441d55ba5e51995b89b3aa7a2999bd5362fad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 22d3e25c3b9d..755bba8d58bb 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1320,13 +1320,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
new file mode 100644 (file)
index 0000000..ccbfedb
--- /dev/null
@@ -0,0 +1,83 @@
+From d8635b5660ce3db15c3374adeb73f2beaf72f053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:31:50 +0100
+Subject: RDMA/irdma: avoid invalid read in irdma_net_event
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
+
+irdma_net_event() should not dereference anything from "neigh" (alias
+"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
+Other events come with different structures pointed to by "ptr" and they
+may be smaller than struct neighbour.
+
+Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
+
+The bug is mostly harmless, but it triggers KASAN on debug kernels:
+
+ BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
+ Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
+
+ CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
+ Hardware name: [...]
+ Workqueue: events rt6_probe_deferred
+ Call Trace:
+  <IRQ>
+  dump_stack_lvl+0x60/0xb0
+  print_address_description.constprop.0+0x2c/0x3f0
+  print_report+0xb4/0x270
+  kasan_report+0x92/0xc0
+  irdma_net_event+0x32e/0x3b0 [irdma]
+  notifier_call_chain+0x9e/0x180
+  atomic_notifier_call_chain+0x5c/0x110
+  rt6_do_redirect+0xb91/0x1080
+  tcp_v6_err+0xe9b/0x13e0
+  icmpv6_notify+0x2b2/0x630
+  ndisc_redirect_rcv+0x328/0x530
+  icmpv6_rcv+0xc16/0x1360
+  ip6_protocol_deliver_rcu+0xb84/0x12e0
+  ip6_input_finish+0x117/0x240
+  ip6_input+0xc4/0x370
+  ipv6_rcv+0x420/0x7d0
+  __netif_receive_skb_one_core+0x118/0x1b0
+  process_backlog+0xd1/0x5d0
+  __napi_poll.constprop.0+0xa3/0x440
+  net_rx_action+0x78a/0xba0
+  handle_softirqs+0x2d4/0x9c0
+  do_softirq+0xad/0xe0
+  </IRQ>
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 8b94d87b0192..b6c4ccf38eb7 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+                   void *ptr)
+ {
+       struct neighbour *neigh = ptr;
+-      struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
++      struct net_device *real_dev, *netdev;
+       struct irdma_device *iwdev;
+       struct ib_device *ibdev;
+       __be32 *p;
+@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+       switch (event) {
+       case NETEVENT_NEIGH_UPDATE:
++              netdev = neigh->dev;
+               real_dev = rdma_vlan_dev_real_dev(netdev);
+               if (!real_dev)
+                       real_dev = netdev;
+-- 
+2.51.0
+
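Review bot: `struct neighbour *neigh = ptr;` is still set up at the top of irdma_net_event() for every event type, so the next edit could reintroduce a dereference outside the `NETEVENT_NEIGH_UPDATE` case. A comment on that declaration, e.g. `/* ptr is a struct neighbour only for NETEVENT_NEIGH_UPDATE */`, or moving the `neigh` assignment into the case next to `netdev = neigh->dev;`, makes the constraint explicit. Any other use of `neigh` further down the function is outside the hunk and should be checked to sit under the same case.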
diff --git a/queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch b/queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch
new file mode 100644 (file)
index 0000000..54cc805
--- /dev/null
@@ -0,0 +1,54 @@
+From 692834666454c1c7510c52c4e2fca82aa3ac8a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Dec 2025 14:38:44 +0100
+Subject: RDMA/irdma: Fix irdma_alloc_ucontext_resp padding
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit d95e99a74eaf35c070f5939295331e5d7857c723 ]
+
+A recent commit modified struct irdma_alloc_ucontext_resp by adding a
+member with implicit padding in front of it, though this does not change
+the offset of the data members other than m68k. Reported by
+scripts/check-uapi.sh:
+
+==== ABI differences detected in include/rdma/irdma-abi.h from 1dd7bde2e91c -> HEAD ====
+    [C] 'struct irdma_alloc_ucontext_resp' changed:
+      type size changed from 704 to 640 (in bits)
+      1 data member deletion:
+        '__u8 rsvd3[2]', at offset 640 (in bits) at irdma-abi.h:61:1
+      1 data member insertion:
+        '__u8 revd3[2]', at offset 592 (in bits) at irdma-abi.h:60:1
+
+Change the size back to the previous version, and remove the implicit
+padding by making it explicit and matching what x86-64 would do by placing
+max_hw_srq_quanta member into a naturally aligned location.
+
+Fixes: 563e1feb5f6e ("RDMA/irdma: Add SRQ support")
+Link: https://patch.msgid.link/r/20251208133849.315451-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Jacob Moroni <jmoroni@google.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/rdma/irdma-abi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/rdma/irdma-abi.h b/include/uapi/rdma/irdma-abi.h
+index f7788d33376b..36f20802bcc8 100644
+--- a/include/uapi/rdma/irdma-abi.h
++++ b/include/uapi/rdma/irdma-abi.h
+@@ -57,8 +57,8 @@ struct irdma_alloc_ucontext_resp {
+       __u8 rsvd2;
+       __aligned_u64 comp_mask;
+       __u16 min_hw_wq_size;
++      __u8 revd3[2];
+       __u32 max_hw_srq_quanta;
+-      __u8 rsvd3[2];
+ };
+ struct irdma_alloc_pd_resp {
+-- 
+2.51.0
+
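Review bot: The explicit padding member is added as `__u8 revd3[2];`, while the removed member was `rsvd3` and the neighbouring field is `rsvd2`; this looks like a typo. Because the struct is in a UAPI header, the name becomes part of the source-level interface once released, so it is cheaper to spell it `__u8 rsvd3[2];` now. A short comment that the member exists to make the padding before `max_hw_srq_quanta` explicit would also help.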
diff --git a/queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch b/queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch
new file mode 100644 (file)
index 0000000..aa43383
--- /dev/null
@@ -0,0 +1,39 @@
+From afa09123554f3685993d3de3bf05c8c0217881d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Oct 2025 03:03:00 -0700
+Subject: RDMA/mana_ib: check cqe length for kernel CQs
+
+From: Konstantin Taranov <kotaranov@microsoft.com>
+
+[ Upstream commit 887bfe5986396aca908b7afd2d214471ba7d5544 ]
+
+Check queue size during kernel CQ creation to prevent overflow of u32.
+
+Fixes: bec127e45d9f ("RDMA/mana_ib: create kernel-level CQs")
+Link: https://patch.msgid.link/r/1761213780-5457-1-git-send-email-kotaranov@linux.microsoft.com
+Signed-off-by: Konstantin Taranov <kotaranov@microsoft.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mana/cq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c
+index 1becc8779123..7600412b0739 100644
+--- a/drivers/infiniband/hw/mana/cq.c
++++ b/drivers/infiniband/hw/mana/cq.c
+@@ -56,6 +56,10 @@ int mana_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+               doorbell = mana_ucontext->doorbell;
+       } else {
+               is_rnic_cq = true;
++              if (attr->cqe > U32_MAX / COMP_ENTRY_SIZE / 2 + 1) {
++                      ibdev_dbg(ibdev, "CQE %d exceeding limit\n", attr->cqe);
++                      return -EINVAL;
++              }
+               buf_size = MANA_PAGE_ALIGN(roundup_pow_of_two(attr->cqe * COMP_ENTRY_SIZE));
+               cq->cqe = buf_size / COMP_ENTRY_SIZE;
+               err = mana_ib_create_kernel_queue(mdev, buf_size, GDMA_CQ, &cq->queue);
+-- 
+2.51.0
+
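Review bot: The bound `U32_MAX / COMP_ENTRY_SIZE / 2 + 1` in the new check is not self-explanatory. It should carry a comment such as `/* keep roundup_pow_of_two(cqe * COMP_ENTRY_SIZE) within u32 */`, or be given a named constant. If `attr->cqe` is unsigned, as the comparison against `U32_MAX` suggests, the debug format should be `%u` rather than `%d`. A value of 0 is not rejected in the visible lines and the result of `roundup_pow_of_two(0)` is undefined, so a lower bound is worth adding unless the caller already guarantees one.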
diff --git a/queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
new file mode 100644 (file)
index 0000000..bf6824b
--- /dev/null
@@ -0,0 +1,40 @@
+From 8380e178838cc18f930962b2ecb3f737c6bbdb4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 10:56:17 +0800
+Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
+
+From: Honggang LI <honggangli@163.com>
+
+[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
+
+If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
+are zero, the `min3` function will set clt_path::max_pages_per_mr to
+zero.
+
+`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
+to `ib_alloc_mr`.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 71387811b281..2b397a544cb9 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1464,6 +1464,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
+       mr_page_shift      = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
+       max_pages_per_mr   = ib_dev->attrs.max_mr_size;
+       do_div(max_pages_per_mr, (1ull << mr_page_shift));
++      max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
+       clt_path->max_pages_per_mr =
+               min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
+                    ib_dev->attrs.max_fast_reg_page_list_len);
+-- 
+2.51.0
+
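Review bot: In query_fast_reg_mode() the added line casts `max_pages_per_mr` to `u32` before `min_not_zero()` runs, so it only catches the case where the low 32 bits are exactly zero; a quotient such as 2^32 + 1 is still truncated to 1 instead of being clamped. Clamping the 64-bit value (the type `do_div()` implies), `max_pages_per_mr = min_not_zero(max_pages_per_mr, (u64)U32_MAX);`, would cover both cases and make the later `(u32)` cast inside `min3()` lossless. A quotient that is genuinely zero (max_mr_size smaller than one MR page) is now treated as "no limit" and left to the other two `min3()` operands; a short comment stating that this is intended would help. The function body starts and ends outside the hunk.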
diff --git a/queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch b/queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch
new file mode 100644 (file)
index 0000000..f9f6afe
--- /dev/null
@@ -0,0 +1,60 @@
+From 34f184f64d39f36f7762f1919307e0d8423c942a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Dec 2025 14:33:05 +0100
+Subject: RDMA/ucma: Fix rdma_ucm_query_ib_service_resp struct padding
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 2dc675f614850b80deab7cf6d12902636ed8a7f4 ]
+
+On a few 32-bit architectures, the newly added ib_user_service_rec
+structure is not 64-bit aligned the way it is on most regular ones.
+
+Add explicit padding into the rdma_ucm_query_ib_service_resp and
+rdma_ucm_resolve_ib_service structures that embed it, so that the layout
+is compatible across all of them.
+
+This is an ABI change on i386, aligning it with x86_64 and the other
+64-bit architectures to avoid having to use a compat ioctl handler.
+
+Fixes: 810f874eda8e ("RDMA/ucma: Support query resolved service records")
+Link: https://patch.msgid.link/r/20251208133311.313977-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/rdma/rdma_user_cm.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/rdma/rdma_user_cm.h b/include/uapi/rdma/rdma_user_cm.h
+index 5ded174687ee..838f8d460256 100644
+--- a/include/uapi/rdma/rdma_user_cm.h
++++ b/include/uapi/rdma/rdma_user_cm.h
+@@ -192,6 +192,7 @@ struct rdma_ucm_query_path_resp {
+ struct rdma_ucm_query_ib_service_resp {
+       __u32 num_service_recs;
++      __u32 reserved;
+       struct ib_user_service_rec recs[];
+ };
+@@ -354,7 +355,7 @@ enum {
+ #define RDMA_USER_CM_IB_SERVICE_NAME_SIZE 64
+ struct rdma_ucm_ib_service {
+-      __u64 service_id;
++      __aligned_u64 service_id;
+       __u8  service_name[RDMA_USER_CM_IB_SERVICE_NAME_SIZE];
+       __u32 flags;
+       __u32 reserved;
+@@ -362,6 +363,7 @@ struct rdma_ucm_ib_service {
+ struct rdma_ucm_resolve_ib_service {
+       __u32 id;
++      __u32 reserved;
+       struct rdma_ucm_ib_service ibs;
+ };
+-- 
+2.51.0
+
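Review bot: The new `reserved` members in `rdma_ucm_query_ib_service_resp` and `rdma_ucm_resolve_ib_service` carry no comment, and the patch touches only the UAPI header, so their kernel-side handling is not visible. The response struct is copied to user space, so the code that fills it should zero the field explicitly rather than leave whatever the buffer held. For the resolve command, rejecting a non-zero value now keeps the field usable for a later extension. I would annotate both members, e.g. `__u32 reserved; /* padding, must be zero */`, and confirm the ucma handlers match that contract.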
diff --git a/queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch b/queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch
new file mode 100644 (file)
index 0000000..7ca811b
--- /dev/null
@@ -0,0 +1,53 @@
+From a72f86d6f19bf3e263bfa7ab17d826abba836f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:39:55 +0800
+Subject: sched_ext: fix uninitialized ret on alloc_percpu() failure
+
+From: Liang Jie <liangjie@lixiang.com>
+
+[ Upstream commit b0101ccb5b4641885f30fecc352ef891ed06e083 ]
+
+Smatch reported:
+
+  kernel/sched/ext.c:5332 scx_alloc_and_add_sched() warn: passing zero to 'ERR_PTR'
+
+In scx_alloc_and_add_sched(), the alloc_percpu() failure path jumps to
+err_free_gdsqs without initializing @ret. That can lead to returning
+ERR_PTR(0), which violates the ERR_PTR() convention and confuses
+callers.
+
+Set @ret to -ENOMEM before jumping to the error path when
+alloc_percpu() fails.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202512141601.yAXDAeA9-lkp@intel.com/
+Reported-by: Dan Carpenter <error27@gmail.com>
+Fixes: c201ea1578d3 ("sched_ext: Move event_stats_cpu into scx_sched")
+Signed-off-by: Liang Jie <liangjie@lixiang.com>
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index 6139263afd59..31eda2a56920 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4508,8 +4508,10 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops)
+       }
+       sch->pcpu = alloc_percpu(struct scx_sched_pcpu);
+-      if (!sch->pcpu)
++      if (!sch->pcpu) {
++              ret = -ENOMEM;
+               goto err_free_gdsqs;
++      }
+       sch->helper = kthread_run_worker(0, "sched_ext_helper");
+       if (IS_ERR(sch->helper)) {
+-- 
+2.51.0
+
diff --git a/queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch b/queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch
new file mode 100644 (file)
index 0000000..fe1000d
--- /dev/null
@@ -0,0 +1,41 @@
+From 4025a4bb71bcfca984df28cfc48bc6933a65099a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 06:21:35 -0800
+Subject: selftests: drv-net: psp: fix templated test names in
+ psp_ip_ver_test_builder()
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit d52668cac3f98f86aa1fb238dec1320c80fbefea ]
+
+test_case will only take on its formatted name after it is called by
+the test runner. Move the assignment to test_case.__name__ to when the
+test_case is constructed, not called.
+
+Fixes: 8f90dc6e417a ("selftests: drv-net: psp: add basic data transfer and key rotation tests")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20251216-psp-test-fix-v1-1-3b5a6dde186f@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/psp.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/drivers/net/psp.py b/tools/testing/selftests/drivers/net/psp.py
+index 4ae7a785ff10..827e04cc8423 100755
+--- a/tools/testing/selftests/drivers/net/psp.py
++++ b/tools/testing/selftests/drivers/net/psp.py
+@@ -560,8 +560,9 @@ def psp_ip_ver_test_builder(name, test_func, psp_ver, ipver):
+     """Build test cases for each combo of PSP version and IP version"""
+     def test_case(cfg):
+         cfg.require_ipver(ipver)
+-        test_case.__name__ = f"{name}_v{psp_ver}_ip{ipver}"
+         test_func(cfg, psp_ver, ipver)
++
++    test_case.__name__ = f"{name}_v{psp_ver}_ip{ipver}"
+     return test_case
+-- 
+2.51.0
+
diff --git a/queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch b/queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch
new file mode 100644 (file)
index 0000000..c58bf8d
--- /dev/null
@@ -0,0 +1,40 @@
+From e72a250baf99be2b4bef1df1496802cec295e4c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 06:21:36 -0800
+Subject: selftests: drv-net: psp: fix test names in ipver_test_builder()
+
+From: Daniel Zahka <daniel.zahka@gmail.com>
+
+[ Upstream commit f0e5126f5e55d4939784ff61b0b7e9f9636d787d ]
+
+test_case will only take on the formatted name after being
+called. This does not work with the way ksft_run() currently
+works. Assign the name after the test_case is created.
+
+Fixes: 81236c74dba6 ("selftests: drv-net: psp: add test for auto-adjusting TCP MSS")
+Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
+Link: https://patch.msgid.link/20251216-psp-test-fix-v1-2-3b5a6dde186f@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/psp.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/drivers/net/psp.py b/tools/testing/selftests/drivers/net/psp.py
+index 827e04cc8423..473573e216e3 100755
+--- a/tools/testing/selftests/drivers/net/psp.py
++++ b/tools/testing/selftests/drivers/net/psp.py
+@@ -570,8 +570,9 @@ def ipver_test_builder(name, test_func, ipver):
+     """Build test cases for each IP version"""
+     def test_case(cfg):
+         cfg.require_ipver(ipver)
+-        test_case.__name__ = f"{name}_ip{ipver}"
+         test_func(cfg, ipver)
++
++    test_case.__name__ = f"{name}_ip{ipver}"
+     return test_case
+-- 
+2.51.0
+
diff --git a/queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..f1b8730
--- /dev/null
@@ -0,0 +1,93 @@
+From 22abf245a454ca0266421d23145228d09c6436ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
diff --git a/queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
new file mode 100644 (file)
index 0000000..3844c72
--- /dev/null
@@ -0,0 +1,97 @@
+From 519df61f68c044a033e9f43f041fa7dd443e5882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 12:06:41 -0500
+Subject: selftests: net: fix "buffer overflow detected" for tap.c
+
+From: Alice C. Munduruca <alice.munduruca@canonical.com>
+
+[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
+
+When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
+the strcpy() in rtattr_add_strsz() is replaced with a checked
+version which causes the test to consistently fail when compiled
+with toolchains for which this option is enabled by default.
+
+ TAP version 13
+ 1..3
+ # Starting 3 tests from 1 test cases.
+ #  RUN           tap.test_packet_valid_udp_gso ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_gso: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_gso
+ not ok 1 tap.test_packet_valid_udp_gso
+ #  RUN           tap.test_packet_valid_udp_csum ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_csum: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_csum
+ not ok 2 tap.test_packet_valid_udp_csum
+ #  RUN           tap.test_packet_crash_tap_invalid_eth_proto ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
+ #          FAIL  tap.test_packet_crash_tap_invalid_eth_proto
+ not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
+ # FAILED: 0 / 3 tests passed.
+ # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
+
+A buffer overflow is detected by the fortified glibc __strcpy_chk()
+since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
+reported as 1, even though there is ample space in its bounding
+buffer `req`.
+
+Additionally, given that IFLA_IFNAME also expects a null-terminated
+string, callers of rtaddr_add_str{,sz}() could simply use the
+rtaddr_add_strsz() variant. (which has been renamed to remove the
+trailing `sz`) memset() has been used for this function since it
+is unchecked and thus circumvents the issue discussed in the
+previous paragraph.
+
+Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
+Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tap.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
+index 247c3b3ac1c9..51a209014f1c 100644
+--- a/tools/testing/selftests/net/tap.c
++++ b/tools/testing/selftests/net/tap.c
+@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
+ static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
+                                    const char *s)
+ {
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s));
++      unsigned int strsz = strlen(s) + 1;
++      struct rtattr *rta;
+-      memcpy(RTA_DATA(rta), s, strlen(s));
+-      return rta;
+-}
+-
+-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
+-                                     const char *s)
+-{
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
++      rta = rtattr_add(nh, type, strsz);
+-      strcpy(RTA_DATA(rta), s);
++      memcpy(RTA_DATA(rta), s, strsz);
+       return rta;
+ }
+@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
+       link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
+-      rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
++      rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
+       if (fill_info_data) {
+               info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
+-- 
+2.51.0
+
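Review bot: rtattr_add_str() now writes `strlen(s) + 1` bytes at the message tail, and nothing in this hunk checks that the caller's request buffer has that much room left. rtattr_add() is outside the hunk and may already account for it, but if it does not, the only limit is the size of `req` at each call site. I would state the contract above the function, e.g. `/* Appends s including its NUL; caller guarantees the message buffer has room for RTA_LENGTH(strlen(s) + 1) */`. `strsz` would also be better declared as `size_t`, so the length is not narrowed before it reaches `memcpy()`.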
index 60388b54c41cbc663d964229c83c6576b044f171..f508824e06633f49de3bf8ab55c11553a9e9534a 100644 (file)
@@ -8,3 +8,80 @@ mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.pat
 kvm-s390-fix-gmap_helper_zap_one_page-again.patch
 drm-edid-add-drm_edid_ident_init-to-initialize-struct-drm_edid_ident.patch
 drm-displayid-add-quirk-to-ignore-displayid-checksum-errors.patch
+wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
+wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch
+wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
+wifi-mac80211-do-not-use-old-mbssid-elements.patch
+sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+i40e-validate-ring_len-parameter-against-hardware-sp.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+idpf-fix-lan-memory-regions-command-on-some-nvms.patch
+idpf-reduce-mbx_task-schedule-delay-to-300us.patch
+cpuset-fix-warning-when-disabling-remote-partition.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch
+bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch
+platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+net-airoha-move-net_devs-registration-in-a-dedicated.patch
+net-dsa-properly-keep-track-of-conduit-reference.patch
+net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch
+amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
+selftests-drv-net-psp-fix-templated-test-names-in-ps.patch
+selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
+net-wangxun-move-phylink-dependency.patch
+platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch
+smc91x-fix-broken-irq-context-in-preempt_rt.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+bng_en-update-module-description.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+kbuild-fix-compilation-of-dtb-specified-on-command-l.patch
+mcb-add-missing-modpost-build-support.patch
+net-mdio-rtl9300-use-scoped-for-loops.patch
+net-usb-asix-validate-phy-address-before-use.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch
+vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch
+platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
+platform-x86-intel-pmt-discovery-use-valid-device-po.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-fib-restore-ecmp-balance-from-loopback.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch
+rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch
+rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch
+rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch
+rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch
+drm-gem-shmem-fix-the-module_license-string.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch
+kunit-enforce-task-execution-in-soft-hard-irq-contex.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+md-fix-static-checker-warning-in-analyze_sbs.patch
+md-raid5-fix-possible-null-pointer-dereferences-in-r.patch
+ublk-implement-numa-aware-memory-allocation.patch
+ublk-scan-partition-in-async-way.patch
+drm-xe-guc-read-write_once-g2h_fence-done.patch
+ksmbd-fix-memory-leak-in-get_file_all_info.patch
+ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch
+rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch
new file mode 100644 (file)
index 0000000..843c2c1
--- /dev/null
@@ -0,0 +1,72 @@
+From c94e4e7ff4ae4079984c6584227a75ef0489c56d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 08:51:15 +0000
+Subject: smc91x: fix broken irq-context in PREEMPT_RT
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
+
+When smc91x.c is built with PREEMPT_RT, the following splat occurs
+in FVP_RevC:
+
+[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
+[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
+[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
+[   13.062266] C
+** replaying previous printk message **
+[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
+[   13.062353] Hardware name:  , BIOS
+[   13.062382] Workqueue: mld mld_ifc_work
+[   13.062469] Call trace:
+[   13.062494]  show_stack+0x24/0x40 (C)
+[   13.062602]  __dump_stack+0x28/0x48
+[   13.062710]  dump_stack_lvl+0x7c/0xb0
+[   13.062818]  dump_stack+0x18/0x34
+[   13.062926]  process_scheduled_works+0x294/0x450
+[   13.063043]  worker_thread+0x260/0x3d8
+[   13.063124]  kthread+0x1c4/0x228
+[   13.063235]  ret_from_fork+0x10/0x20
+
+This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
+but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
+The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
+and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
+rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
+
+To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
+
+Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc91x.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index 9d1a83a5fa7e..d16c178d1034 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -516,15 +516,7 @@ static inline void  smc_rcv(struct net_device *dev)
+  * any other concurrent access and C would always interrupt B. But life
+  * isn't that easy in a SMP world...
+  */
+-#define smc_special_trylock(lock, flags)                              \
+-({                                                                    \
+-      int __ret;                                                      \
+-      local_irq_save(flags);                                          \
+-      __ret = spin_trylock(lock);                                     \
+-      if (!__ret)                                                     \
+-              local_irq_restore(flags);                               \
+-      __ret;                                                          \
+-})
++#define smc_special_trylock(lock, flags)      spin_trylock_irqsave(lock, flags)
+ #define smc_special_lock(lock, flags)         spin_lock_irqsave(lock, flags)
+ #define smc_special_unlock(lock, flags)       spin_unlock_irqrestore(lock, flags)
+ #else
+-- 
+2.51.0
+
diff --git a/queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..db387c0
--- /dev/null
@@ -0,0 +1,101 @@
+From 1087b2442e32ab9bf9acaaa2243b8712fb12ecaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index 25562b17debe..2fd3469d1046 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
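Review bot: The corrected early return in team_queue_override_port_prio_changed() depends on an invariant that is not written down next to it: only an enabled port with a non-zero queue_id is linked on the queue-override list, so the del/add pair must not run for a disabled one. The previous condition was the exact inverse and went unnoticed until syzbot reported the list_del corruption, so I would add a comment above the check, e.g. `/* Disabled ports are not on qom_list; re-sorting one would list_del an unlinked entry. */`. __team_queue_override_port_del() and __team_queue_override_port_add() are outside the hunk, so any guards they contain cannot be confirmed from here.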
diff --git a/queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch b/queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch
new file mode 100644 (file)
index 0000000..24c6f50
--- /dev/null
@@ -0,0 +1,68 @@
+From d0d3729af9a1838951e54f02bbe4ba5e83b8d543 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Dec 2025 17:46:49 +0900
+Subject: tools/sched_ext: fix scx_show_state.py for scx_root change
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit f92ff79ba2640fc482bf2bfb5b42e33957f90caf ]
+
+Commit 48e126777386 ("sched_ext: Introduce scx_sched") introduced
+scx_root and removed scx_ops, causing scx_show_state.py to fail when
+searching for the 'scx_ops' object. [1]
+
+Fix by using 'scx_root' instead, with NULL pointer handling.
+
+[1]
+ # drgn -s vmlinux ./tools/sched_ext/scx_show_state.py
+ Traceback (most recent call last):
+   File "/root/.venv/bin/drgn", line 8, in <module>
+     sys.exit(_main())
+              ~~~~~^^
+   File "/root/.venv/lib64/python3.14/site-packages/drgn/cli.py", line 625, in _main
+     runpy.run_path(
+     ~~~~~~~~~~~~~~^
+         script_path, init_globals={"prog": prog}, run_name="__main__"
+         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+     )
+     ^
+   File "<frozen runpy>", line 287, in run_path
+   File "<frozen runpy>", line 98, in _run_module_code
+   File "<frozen runpy>", line 88, in _run_code
+   File "./tools/sched_ext/scx_show_state.py", line 30, in <module>
+     ops = prog['scx_ops']
+           ~~~~^^^^^^^^^^^
+ _drgn.ObjectNotFoundError: could not find 'scx_ops'
+
+Fixes: 48e126777386 ("sched_ext: Introduce scx_sched")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/sched_ext/scx_show_state.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/sched_ext/scx_show_state.py b/tools/sched_ext/scx_show_state.py
+index 7cdcc6729ea4..aec4a4498140 100644
+--- a/tools/sched_ext/scx_show_state.py
++++ b/tools/sched_ext/scx_show_state.py
+@@ -27,10 +27,13 @@ def read_static_key(name):
+ def state_str(state):
+     return prog['scx_enable_state_str'][state].string_().decode()
+-ops = prog['scx_ops']
++root = prog['scx_root']
+ enable_state = read_atomic("scx_enable_state_var")
+-print(f'ops           : {ops.name.string_().decode()}')
++if root:
++    print(f'ops           : {root.ops.name.string_().decode()}')
++else:
++    print('ops           : ')
+ print(f'enabled       : {read_static_key("__scx_enabled")}')
+ print(f'switching_all : {read_int("scx_switching_all")}')
+ print(f'switched_all  : {read_static_key("__scx_switched_all")}')
+-- 
+2.51.0
+
diff --git a/queue-6.18/ublk-implement-numa-aware-memory-allocation.patch b/queue-6.18/ublk-implement-numa-aware-memory-allocation.patch
new file mode 100644 (file)
index 0000000..9330e56
--- /dev/null
@@ -0,0 +1,213 @@
+From 3da67f136c0f825a36708935a3202d97ede8240b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Nov 2025 21:31:17 +0800
+Subject: ublk: implement NUMA-aware memory allocation
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 529d4d6327880e5c60f4e0def39b3faaa7954e54 ]
+
+Implement NUMA-friendly memory allocation for ublk driver to improve
+performance on multi-socket systems.
+
+This commit includes the following changes:
+
+1. Rename __queues to queues, dropping the __ prefix since the field is
+   now accessed directly throughout the codebase rather than only through
+   the ublk_get_queue() helper.
+
+2. Remove the queue_size field from struct ublk_device as it is no longer
+   needed.
+
+3. Move queue allocation and deallocation into ublk_init_queue() and
+   ublk_deinit_queue() respectively, improving encapsulation. This
+   simplifies ublk_init_queues() and ublk_deinit_queues() to just
+   iterate and call the per-queue functions.
+
+4. Add ublk_get_queue_numa_node() helper function to determine the
+   appropriate NUMA node for a queue by finding the first CPU mapped
+   to that queue via tag_set.map[HCTX_TYPE_DEFAULT].mq_map[] and
+   converting it to a NUMA node using cpu_to_node(). This function is
+   called internally by ublk_init_queue() to determine the allocation
+   node.
+
+5. Allocate each queue structure on its local NUMA node using
+   kvzalloc_node() in ublk_init_queue().
+
+6. Allocate the I/O command buffer on the same NUMA node using
+   alloc_pages_node().
+
+This reduces memory access latency on multi-socket NUMA systems by
+ensuring each queue's data structures are local to the CPUs that
+access them.
+
+Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 7fc4da6a304b ("ublk: scan partition in async way")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 84 +++++++++++++++++++++++++---------------
+ 1 file changed, 53 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index d8079ea8f8ca..796035891888 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -210,9 +210,6 @@ struct ublk_queue {
+ struct ublk_device {
+       struct gendisk          *ub_disk;
+-      char    *__queues;
+-
+-      unsigned int    queue_size;
+       struct ublksrv_ctrl_dev_info    dev_info;
+       struct blk_mq_tag_set   tag_set;
+@@ -240,6 +237,8 @@ struct ublk_device {
+       bool canceling;
+       pid_t   ublksrv_tgid;
+       struct delayed_work     exit_work;
++
++      struct ublk_queue       *queues[];
+ };
+ /* header of ublk_params */
+@@ -782,7 +781,7 @@ static noinline void ublk_put_device(struct ublk_device *ub)
+ static inline struct ublk_queue *ublk_get_queue(struct ublk_device *dev,
+               int qid)
+ {
+-       return (struct ublk_queue *)&(dev->__queues[qid * dev->queue_size]);
++      return dev->queues[qid];
+ }
+ static inline bool ublk_rq_has_data(const struct request *rq)
+@@ -2713,9 +2712,13 @@ static const struct file_operations ublk_ch_fops = {
+ static void ublk_deinit_queue(struct ublk_device *ub, int q_id)
+ {
+-      int size = ublk_queue_cmd_buf_size(ub);
+-      struct ublk_queue *ubq = ublk_get_queue(ub, q_id);
+-      int i;
++      struct ublk_queue *ubq = ub->queues[q_id];
++      int size, i;
++
++      if (!ubq)
++              return;
++
++      size = ublk_queue_cmd_buf_size(ub);
+       for (i = 0; i < ubq->q_depth; i++) {
+               struct ublk_io *io = &ubq->ios[i];
+@@ -2727,57 +2730,76 @@ static void ublk_deinit_queue(struct ublk_device *ub, int q_id)
+       if (ubq->io_cmd_buf)
+               free_pages((unsigned long)ubq->io_cmd_buf, get_order(size));
++
++      kvfree(ubq);
++      ub->queues[q_id] = NULL;
++}
++
++static int ublk_get_queue_numa_node(struct ublk_device *ub, int q_id)
++{
++      unsigned int cpu;
++
++      /* Find first CPU mapped to this queue */
++      for_each_possible_cpu(cpu) {
++              if (ub->tag_set.map[HCTX_TYPE_DEFAULT].mq_map[cpu] == q_id)
++                      return cpu_to_node(cpu);
++      }
++
++      return NUMA_NO_NODE;
+ }
+ static int ublk_init_queue(struct ublk_device *ub, int q_id)
+ {
+-      struct ublk_queue *ubq = ublk_get_queue(ub, q_id);
++      int depth = ub->dev_info.queue_depth;
++      int ubq_size = sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io);
+       gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO;
+-      void *ptr;
++      struct ublk_queue *ubq;
++      struct page *page;
++      int numa_node;
+       int size;
++      /* Determine NUMA node based on queue's CPU affinity */
++      numa_node = ublk_get_queue_numa_node(ub, q_id);
++
++      /* Allocate queue structure on local NUMA node */
++      ubq = kvzalloc_node(ubq_size, GFP_KERNEL, numa_node);
++      if (!ubq)
++              return -ENOMEM;
++
+       spin_lock_init(&ubq->cancel_lock);
+       ubq->flags = ub->dev_info.flags;
+       ubq->q_id = q_id;
+-      ubq->q_depth = ub->dev_info.queue_depth;
++      ubq->q_depth = depth;
+       size = ublk_queue_cmd_buf_size(ub);
+-      ptr = (void *) __get_free_pages(gfp_flags, get_order(size));
+-      if (!ptr)
++      /* Allocate I/O command buffer on local NUMA node */
++      page = alloc_pages_node(numa_node, gfp_flags, get_order(size));
++      if (!page) {
++              kvfree(ubq);
+               return -ENOMEM;
++      }
++      ubq->io_cmd_buf = page_address(page);
+-      ubq->io_cmd_buf = ptr;
++      ub->queues[q_id] = ubq;
+       ubq->dev = ub;
+       return 0;
+ }
+ static void ublk_deinit_queues(struct ublk_device *ub)
+ {
+-      int nr_queues = ub->dev_info.nr_hw_queues;
+       int i;
+-      if (!ub->__queues)
+-              return;
+-
+-      for (i = 0; i < nr_queues; i++)
++      for (i = 0; i < ub->dev_info.nr_hw_queues; i++)
+               ublk_deinit_queue(ub, i);
+-      kvfree(ub->__queues);
+ }
+ static int ublk_init_queues(struct ublk_device *ub)
+ {
+-      int nr_queues = ub->dev_info.nr_hw_queues;
+-      int depth = ub->dev_info.queue_depth;
+-      int ubq_size = sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io);
+-      int i, ret = -ENOMEM;
++      int i, ret;
+-      ub->queue_size = ubq_size;
+-      ub->__queues = kvcalloc(nr_queues, ubq_size, GFP_KERNEL);
+-      if (!ub->__queues)
+-              return ret;
+-
+-      for (i = 0; i < nr_queues; i++) {
+-              if (ublk_init_queue(ub, i))
++      for (i = 0; i < ub->dev_info.nr_hw_queues; i++) {
++              ret = ublk_init_queue(ub, i);
++              if (ret)
+                       goto fail;
+       }
+@@ -3179,7 +3201,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header)
+               goto out_unlock;
+       ret = -ENOMEM;
+-      ub = kzalloc(sizeof(*ub), GFP_KERNEL);
++      ub = kzalloc(struct_size(ub, queues, info.nr_hw_queues), GFP_KERNEL);
+       if (!ub)
+               goto out_unlock;
+       mutex_init(&ub->mutex);
+-- 
+2.51.0
+
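Review bot: In the new ublk_init_queue(), `ubq_size` is an `int` built from `sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)`, while the same patch sizes the device allocation in ublk_ctrl_add_dev() with the overflow-saturating `struct_size()`. `depth` comes from `ub->dev_info.queue_depth`, and any upper bound on it is enforced outside these hunks, so the queue allocation should not rely on it. I would declare `size_t ubq_size = struct_size(ubq, ios, depth);` after `ubq`, so an oversized depth fails in kvzalloc_node() instead of truncating; this assumes `ios` is the trailing flexible array of struct ublk_queue, as the original arithmetic suggests. Separately, ublk_get_queue() now returns `dev->queues[qid]`, which is NULL until ublk_init_queue() succeeds and again after ublk_deinit_queue(), so callers outside the hunks that dereference the result need checking.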
diff --git a/queue-6.18/ublk-scan-partition-in-async-way.patch b/queue-6.18/ublk-scan-partition-in-async-way.patch
new file mode 100644 (file)
index 0000000..510ac8e
--- /dev/null
@@ -0,0 +1,119 @@
+From db4903c2e7c23cb6914052f287d18a50855256b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 11:27:40 +0800
+Subject: ublk: scan partition in async way
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 7fc4da6a304bdcd3de14fc946dc2c19437a9cc5a ]
+
+Implement async partition scan to avoid IO hang when reading partition
+tables. Similar to nvme_partition_scan_work(), partition scanning is
+deferred to a work queue to prevent deadlocks.
+
+When partition scan happens synchronously during add_disk(), IO errors
+can cause the partition scan to wait while holding ub->mutex, which
+can deadlock with other operations that need the mutex.
+
+Changes:
+- Add partition_scan_work to ublk_device structure
+- Implement ublk_partition_scan_work() to perform async scan
+- Always suppress sync partition scan during add_disk()
+- Schedule async work after add_disk() for trusted daemons
+- Add flush_work() in ublk_stop_dev() before grabbing ub->mutex
+
+Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
+Reported-by: Yoav Cohen <yoav@nvidia.com>
+Closes: https://lore.kernel.org/linux-block/DM4PR12MB63280C5637917C071C2F0D65A9A8A@DM4PR12MB6328.namprd12.prod.outlook.com/
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 796035891888..23aba73d24dc 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -237,6 +237,7 @@ struct ublk_device {
+       bool canceling;
+       pid_t   ublksrv_tgid;
+       struct delayed_work     exit_work;
++      struct work_struct      partition_scan_work;
+       struct ublk_queue       *queues[];
+ };
+@@ -254,6 +255,20 @@ static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub,
+               u16 q_id, u16 tag, struct ublk_io *io, size_t offset);
+ static inline unsigned int ublk_req_build_flags(struct request *req);
++static void ublk_partition_scan_work(struct work_struct *work)
++{
++      struct ublk_device *ub =
++              container_of(work, struct ublk_device, partition_scan_work);
++
++      if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN,
++                                           &ub->ub_disk->state)))
++              return;
++
++      mutex_lock(&ub->ub_disk->open_mutex);
++      bdev_disk_changed(ub->ub_disk, false);
++      mutex_unlock(&ub->ub_disk->open_mutex);
++}
++
+ static inline struct ublksrv_io_desc *
+ ublk_get_iod(const struct ublk_queue *ubq, unsigned tag)
+ {
+@@ -2092,6 +2107,7 @@ static void ublk_stop_dev(struct ublk_device *ub)
+       mutex_lock(&ub->mutex);
+       ublk_stop_dev_unlocked(ub);
+       mutex_unlock(&ub->mutex);
++      flush_work(&ub->partition_scan_work);
+       ublk_cancel_dev(ub);
+ }
+@@ -3023,9 +3039,17 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
+       ublk_apply_params(ub);
+-      /* don't probe partitions if any daemon task is un-trusted */
+-      if (ub->unprivileged_daemons)
+-              set_bit(GD_SUPPRESS_PART_SCAN, &disk->state);
++      /*
++       * Suppress partition scan to avoid potential IO hang.
++       *
++       * If ublk server error occurs during partition scan, the IO may
++       * wait while holding ub->mutex, which can deadlock with other
++       * operations that need the mutex. Defer partition scan to async
++       * work.
++       * For unprivileged daemons, keep GD_SUPPRESS_PART_SCAN set
++       * permanently.
++       */
++      set_bit(GD_SUPPRESS_PART_SCAN, &disk->state);
+       ublk_get_device(ub);
+       ub->dev_info.state = UBLK_S_DEV_LIVE;
+@@ -3042,6 +3066,10 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub,
+       set_bit(UB_STATE_USED, &ub->state);
++      /* Schedule async partition scan for trusted daemons */
++      if (!ub->unprivileged_daemons)
++              schedule_work(&ub->partition_scan_work);
++
+ out_put_cdev:
+       if (ret) {
+               ublk_detach_disk(ub);
+@@ -3207,6 +3235,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header)
+       mutex_init(&ub->mutex);
+       spin_lock_init(&ub->lock);
+       mutex_init(&ub->cancel_mutex);
++      INIT_WORK(&ub->partition_scan_work, ublk_partition_scan_work);
+       ret = ublk_alloc_dev_number(ub, header->dev_id);
+       if (ret < 0)
+-- 
+2.51.0
+
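Review bot: The description says flush_work() is added in ublk_stop_dev() before grabbing ub->mutex, but the hunk places `flush_work(&ub->partition_scan_work);` after `mutex_unlock(&ub->mutex)`, that is, after ublk_stop_dev_unlocked() has already run. ublk_partition_scan_work() dereferences `ub->ub_disk` repeatedly without taking a reference or checking it for NULL, so if the teardown under the mutex releases or clears the disk, a work item that is still queued can touch it afterwards. I would have the worker take a disk reference at its top (the driver's own disk get/put helpers, if it has them, would fit) and return when no disk is attached. The flush site should also carry a comment on the intended ordering, for example `/* wait for a scan queued by start_dev; the worker does not take ub->mutex */`. ublk_stop_dev_unlocked() and most of ublk_ctrl_start_dev() are outside the hunks, so this needs confirming against the full file.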
diff --git a/queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch b/queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch
new file mode 100644 (file)
index 0000000..48a98bb
--- /dev/null
@@ -0,0 +1,46 @@
+From d53c035913c58d7348701d4bc70e2369ffa4a15c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Dec 2025 14:31:50 +0000
+Subject: vfio/pds: Fix memory leak in pds_vfio_dirty_enable()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 665077d78dc7941ce6a330c02023a2b469cc8cc7 ]
+
+pds_vfio_dirty_enable() allocates memory for region_info. If
+interval_tree_iter_first() returns NULL, the function returns -EINVAL
+immediately without freeing the allocated memory, causing a memory leak.
+
+Fix this by jumping to the out_free_region_info label to ensure
+region_info is freed.
+
+Fixes: 2e7c6feb4ef52 ("vfio/pds: Add multi-region support")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Link: https://lore.kernel.org/r/20251225143150.1117366-1-zilin@seu.edu.cn
+Signed-off-by: Alex Williamson <alex@shazbot.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/pds/dirty.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/pds/dirty.c b/drivers/vfio/pci/pds/dirty.c
+index 481992142f79..4915a7c1c491 100644
+--- a/drivers/vfio/pci/pds/dirty.c
++++ b/drivers/vfio/pci/pds/dirty.c
+@@ -292,8 +292,11 @@ static int pds_vfio_dirty_enable(struct pds_vfio_pci_device *pds_vfio,
+       len = num_ranges * sizeof(*region_info);
+       node = interval_tree_iter_first(ranges, 0, ULONG_MAX);
+-      if (!node)
+-              return -EINVAL;
++      if (!node) {
++              err = -EINVAL;
++              goto out_free_region_info;
++      }
++
+       for (int i = 0; i < num_ranges; i++) {
+               struct pds_lm_dirty_region_info *ri = &region_info[i];
+               u64 region_size = node->last - node->start + 1;
+-- 
+2.51.0
+
diff --git a/queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
new file mode 100644 (file)
index 0000000..4ebba26
--- /dev/null
@@ -0,0 +1,38 @@
+From 014b9d4e9dc58d57fde2f8d52e71d51b69ef9125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Dec 2025 14:14:47 +0300
+Subject: wifi: cfg80211: sme: store capped length in
+ __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
+
+The QGenie AI code review tool says we should store the capped length to
+wdev->u.client.ssid_len.  The AI is correct.
+
+Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 3a028ff287fb..4e629ca305bc 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -910,7 +910,7 @@ void __cfg80211_connect_result(struct net_device *dev,
+                       ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+                       memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+-                      wdev->u.client.ssid_len = ssid->datalen;
++                      wdev->u.client.ssid_len = ssid_len;
+                       break;
+               }
+               rcu_read_unlock();
+-- 
+2.51.0
+
diff --git a/queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch
new file mode 100644 (file)
index 0000000..afba5e1
--- /dev/null
@@ -0,0 +1,68 @@
+From 88eb399ada4f20fad8f75ec7f380ae5cdb4b567c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 09:46:56 -0800
+Subject: wifi: mac80211: do not use old MBSSID elements
+
+From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+
+[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
+
+When userspace brings down and deletes a non-transmitted profile,
+it is expected to send a new updated Beacon template for the
+transmitted profile of that multiple BSSID (MBSSID) group which
+does not include the removed profile in MBSSID element. This
+update comes via NL80211_CMD_SET_BEACON.
+
+Such updates work well as long as the group continues to have at
+least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
+is included in the new Beacon template.
+
+But when the last non-trasmitted profile is removed, it still
+gets included in Beacon templates sent to driver. This happens
+because when no MBSSID elements are sent by the userspace,
+ieee80211_assign_beacon() ends up using the element stored from
+earlier Beacon template.
+
+Do not copy old MBSSID elements, instead userspace should always
+include these when applicable.
+
+Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
+Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index c52b0456039d..e18df59951a8 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1328,7 +1328,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       size = sizeof(*new) + new_head_len + new_tail_len;
+-      /* new or old multiple BSSID elements? */
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+@@ -1338,15 +1337,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+               }
+               size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+                                                       mbssid->cnt);
+-      } else if (old && old->mbssid_ies) {
+-              mbssid = old->mbssid_ies;
+-              size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              if (old && old->rnr_ies) {
+-                      rnr = old->rnr_ies;
+-                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
+-              }
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+-                                                      mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+-- 
+2.51.0
+
diff --git a/queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch b/queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch
new file mode 100644 (file)
index 0000000..bd0be4a
--- /dev/null
@@ -0,0 +1,42 @@
+From fb8d0081636731abd0dee633ebf6e39451cbfc68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 16:37:08 +0800
+Subject: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
+
+From: Morning Star <alexbestoso@gmail.com>
+
+[ Upstream commit dd39edb445f07400e748da967a07d5dca5c5f96e ]
+
+TID getting from ieee80211_get_tid() might be out of range of array size
+of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise,
+UBSAN warn:
+
+ UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
+ index 10 is out of range for type 'rtl_tid_data [9]'
+
+Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation")
+Signed-off-by: Morning Star <alexbestoso@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+index aa702ba7c9f5..d6c35e8d02a5 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+@@ -511,7 +511,8 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw,
+       if (sta) {
+               sta_entry = (struct rtl_sta_info *)sta->drv_priv;
+               tid = ieee80211_get_tid(hdr);
+-              agg_state = sta_entry->tids[tid].agg.agg_state;
++              if (tid < MAX_TID_COUNT)
++                      agg_state = sta_entry->tids[tid].agg.agg_state;
+               ampdu_density = sta->deflink.ht_cap.ampdu_density;
+       }
+-- 
+2.51.0
+
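Review bot: When `tid >= MAX_TID_COUNT`, the new guard in rtl92cu_tx_fill_desc() skips the assignment, so `agg_state` keeps whatever it held before the `if (sta)` block. Its declaration is outside the hunk, and if it has no initialiser there, any later use would read an indeterminate value. It is worth confirming that it is initialised to the non-aggregating state at declaration, and adding a short comment above the check such as `/* TID beyond tids[]: leave agg_state at its default */`. The function body starts and ends outside the hunk.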
diff --git a/queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
new file mode 100644 (file)
index 0000000..79c865a
--- /dev/null
@@ -0,0 +1,51 @@
+From 1e780c62309355e1fe612abe5f6d0316f428bf15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Nov 2025 09:38:49 +0800
+Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]
+
+The indirect IO is necessary for RTL8822CS, but not necessary for other
+chips. Otherwiese, it throws errors and becomes unusable.
+
+ rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+ rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+
+By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but
+RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.
+
+Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
+Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
+index 99d7c629eac6..e35de52d8eb4 100644
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -144,8 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr,
+ static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr)
+ {
++      bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;
++
+       if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) &&
+-          !rtw_sdio_is_bus_addr(addr))
++          !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off)
+               return false;
+       return !rtw_sdio_is_sdio30_supported(rtwdev) ||
+-- 
+2.51.0
+
diff --git a/queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
new file mode 100644 (file)
index 0000000..6afafd9
--- /dev/null
@@ -0,0 +1,53 @@
+From 0ff5ed9996181009e5e18f330f287a0a3b76be77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 20:47:28 +0530
+Subject: amd-xgbe: reset retries and mode on RX adapt failures
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
+
+During the stress tests, early RX adaptation handshakes can fail, such
+as missing the RX_ADAPT ACK or not receiving a coefficient update before
+block lock is established. Continuing to retry RX adaptation in this
+state is often ineffective if the current mode selection is not viable.
+
+Resetting the RX adaptation retry counter when an RX_ADAPT request fails
+to receive ACK or a coefficient update prior to block lock, and clearing
+mode_set so the next bring-up performs a fresh mode selection rather
+than looping on a likely invalid configuration.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 32e633d11348..6d2c401bb246 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
+ {
+       if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) {
+               pdata->rx_adapt_retries = 0;
++              pdata->mode_set = false;
+               return;
+       }
+@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
+                */
+               netif_dbg(pdata, link, pdata->netdev, "Block_lock done");
+               pdata->rx_adapt_done = true;
++              pdata->rx_adapt_retries = 0;
+               pdata->mode_set = false;
+               return;
+       }
+-- 
+2.51.0
+
diff --git a/queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch b/queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch
new file mode 100644 (file)
index 0000000..befef05
--- /dev/null
@@ -0,0 +1,158 @@
+From b486ce3914982fe695311552d240ae08827c049c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Mar 2024 10:12:44 +0800
+Subject: blk-mq: don't schedule block kworker on isolated CPUs
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit a46c27026da10a126dd870f7b65380010bd20db5 ]
+
+Kernel parameter of `isolcpus=` or 'nohz_full=' are used to isolate CPUs
+for specific task, and it isn't expected to let block IO disturb these CPUs.
+blk-mq kworker shouldn't be scheduled on isolated CPUs. Also if isolated
+CPUs is run for blk-mq kworker, long block IO latency can be caused.
+
+Kernel workqueue only respects CPU isolation for WQ_UNBOUND, for bound
+WQ, the responsibility is on user because CPU is specified as WQ API
+parameter, such as mod_delayed_work_on(cpu), queue_delayed_work_on(cpu)
+and queue_work_on(cpu).
+
+So not run blk-mq kworker on isolated CPUs by removing isolated CPUs
+from hctx->cpumask. Meantime use queue map to check if all CPUs in this
+hw queue are offline instead of hctx->cpumask, this way can avoid any
+cost in fast IO code path, and is safe since hctx->cpumask are only
+used in the two cases.
+
+Cc: Tim Chen <tim.c.chen@linux.intel.com>
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: Andrew Theurer <atheurer@redhat.com>
+Cc: Joe Mario <jmario@redhat.com>
+Cc: Sebastian Jug <sejug@redhat.com>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tejun Heo <tj@kernel.org>
+Tesed-by: Joe Mario <jmario@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Link: https://lore.kernel.org/r/20240322021244.1056223-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 57 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 10 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 01fe1e715669..a3cd5079557b 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -30,6 +30,7 @@
+ #include <linux/prefetch.h>
+ #include <linux/blk-crypto.h>
+ #include <linux/part_stat.h>
++#include <linux/sched/isolation.h>
+ #include <trace/events/block.h>
+@@ -2193,6 +2194,15 @@ static inline int blk_mq_first_mapped_cpu(struct blk_mq_hw_ctx *hctx)
+       return cpu;
+ }
++/*
++ * ->next_cpu is always calculated from hctx->cpumask, so simply use
++ * it for speeding up the check
++ */
++static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx)
++{
++        return hctx->next_cpu >= nr_cpu_ids;
++}
++
+ /*
+  * It'd be great if the workqueue API had a way to pass
+  * in a mask and had some smarts for more clever placement.
+@@ -2204,7 +2214,8 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx)
+       bool tried = false;
+       int next_cpu = hctx->next_cpu;
+-      if (hctx->queue->nr_hw_queues == 1)
++      /* Switch to unbound if no allowable CPUs in this hctx */
++      if (hctx->queue->nr_hw_queues == 1 || blk_mq_hctx_empty_cpumask(hctx))
+               return WORK_CPU_UNBOUND;
+       if (--hctx->next_cpu_batch <= 0) {
+@@ -3535,14 +3546,30 @@ static bool blk_mq_hctx_has_requests(struct blk_mq_hw_ctx *hctx)
+       return data.has_rq;
+ }
+-static inline bool blk_mq_last_cpu_in_hctx(unsigned int cpu,
+-              struct blk_mq_hw_ctx *hctx)
++static bool blk_mq_hctx_has_online_cpu(struct blk_mq_hw_ctx *hctx,
++              unsigned int this_cpu)
+ {
+-      if (cpumask_first_and(hctx->cpumask, cpu_online_mask) != cpu)
+-              return false;
+-      if (cpumask_next_and(cpu, hctx->cpumask, cpu_online_mask) < nr_cpu_ids)
+-              return false;
+-      return true;
++      enum hctx_type type = hctx->type;
++      int cpu;
++
++      /*
++       * hctx->cpumask has to rule out isolated CPUs, but userspace still
++       * might submit IOs on these isolated CPUs, so use the queue map to
++       * check if all CPUs mapped to this hctx are offline
++       */
++      for_each_online_cpu(cpu) {
++              struct blk_mq_hw_ctx *h = blk_mq_map_queue_type(hctx->queue,
++                              type, cpu);
++
++              if (h != hctx)
++                      continue;
++
++              /* this hctx has at least one online CPU */
++              if (this_cpu != cpu)
++                      return true;
++      }
++
++      return false;
+ }
+ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+@@ -3551,8 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
+-          !blk_mq_last_cpu_in_hctx(cpu, hctx))
++      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+@@ -4045,6 +4071,8 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+       }
+       queue_for_each_hw_ctx(q, hctx, i) {
++              int cpu;
++
+               /*
+                * If no software queues are mapped to this hardware queue,
+                * disable it and free the request entries.
+@@ -4071,6 +4099,15 @@ static void blk_mq_map_swqueue(struct request_queue *q)
+                */
+               sbitmap_resize(&hctx->ctx_map, hctx->nr_ctx);
++              /*
++               * Rule out isolated CPUs from hctx->cpumask to avoid
++               * running block kworker on isolated CPUs
++               */
++              for_each_cpu(cpu, hctx->cpumask) {
++                      if (cpu_is_isolated(cpu))
++                              cpumask_clear_cpu(cpu, hctx->cpumask);
++              }
++
+               /*
+                * Initialize batch roundrobin counts
+                */
+-- 
+2.51.0
+
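Review bot: `blk_mq_hctx_has_online_cpu()` returns true only when an online CPU other than `this_cpu` maps to the hctx, which its name does not convey, and the old `!cpumask_test_cpu(cpu, hctx->cpumask)` early exit in `blk_mq_hctx_notify_offline()` is gone. A notifier call for a CPU that is not mapped to this hctx therefore appears to reach the drain path whenever no other online CPU maps to it; whether that is reachable depends on code outside the hunk. I would put a header comment on the helper, for example `/* Return true if an online CPU other than @this_cpu is mapped to @hctx. */`, and note at the call site that the notifier no longer filters on `hctx->cpumask`. The body of `blk_mq_hctx_notify_offline()` continues outside the hunk.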
diff --git a/queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
new file mode 100644 (file)
index 0000000..c326a2a
--- /dev/null
@@ -0,0 +1,39 @@
+From 310ae2979779bc3494ac470120dbd92849e86758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 17:17:05 +0800
+Subject: blk-mq: skip CPU offline notify on unmapped hctx
+
+From: Cong Zhang <cong.zhang@oss.qualcomm.com>
+
+[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
+
+If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
+allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
+notifier can still run for that hctx, return early since hctx cannot
+hold any requests.
+
+Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
+Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index a3cd5079557b..427a36237da3 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3578,7 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
+                       struct blk_mq_hw_ctx, cpuhp_online);
+       int ret = 0;
+-      if (blk_mq_hctx_has_online_cpu(hctx, cpu))
++      if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
+               return 0;
+       /*
+-- 
+2.51.0
+
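Review bot: The new guard in `blk_mq_hctx_notify_offline()` tests `hctx->nr_ctx`, while the changelog names a NULL `hctx->tags` as the hazard, so the link between the two exists only in the commit text. A comment above the check would keep it from being dropped in a later cleanup, for example `/* no ctx mapped: blk_mq_map_swqueue() left hctx->tags NULL, nothing to drain */`. The rest of the function, including whatever uses the tags, is outside the hunk.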
diff --git a/queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
new file mode 100644 (file)
index 0000000..aa62ee8
--- /dev/null
@@ -0,0 +1,89 @@
+From 30a16aa1680585028b9589908672142136d27986 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 11:02:28 -0500
+Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb
+
+From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+
+[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
+
+This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
+btusb.c file").
+
+In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
+ties the lifetime of all the btusb data to the binding of a driver to
+one interface, INTF. In a driver that binds to other interfaces, ISOC
+and DIAG, this is an accident waiting to happen.
+
+The issue is revealed in btusb_disconnect(), where calling
+usb_driver_release_interface(&btusb_driver, data->intf) will have devm
+free the data that is also being used by the other interfaces of the
+driver that may not be released yet.
+
+To fix this, revert the use of devm and go back to freeing memory
+explicitly.
+
+Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
+Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 7bc7ee4eebd3..1309e9318bdb 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -4342,7 +4342,7 @@ static int btusb_probe(struct usb_interface *intf,
+                       return -ENODEV;
+       }
+-      data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -4365,8 +4365,10 @@ static int btusb_probe(struct usb_interface *intf,
+               }
+       }
+-      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
++      if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
++              kfree(data);
+               return -ENODEV;
++      }
+       if (id->driver_info & BTUSB_AMP) {
+               data->cmdreq_type = USB_TYPE_CLASS | 0x01;
+@@ -4421,8 +4423,10 @@ static int btusb_probe(struct usb_interface *intf,
+       data->recv_acl = hci_recv_frame;
+       hdev = hci_alloc_dev_priv(priv_size);
+-      if (!hdev)
++      if (!hdev) {
++              kfree(data);
+               return -ENOMEM;
++      }
+       hdev->bus = HCI_USB;
+       hci_set_drvdata(hdev, data);
+@@ -4690,6 +4694,7 @@ static int btusb_probe(struct usb_interface *intf,
+       if (data->reset_gpio)
+               gpiod_put(data->reset_gpio);
+       hci_free_dev(hdev);
++      kfree(data);
+       return err;
+ }
+@@ -4738,6 +4743,7 @@ static void btusb_disconnect(struct usb_interface *intf)
+       }
+       hci_free_dev(hdev);
++      kfree(data);
+ }
+ #ifdef CONFIG_PM
+-- 
+2.51.0
+
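Review bot: With `data` no longer device-managed, every exit from `btusb_probe()` after the `kzalloc()` has to free it by hand, and the hunks add three separate `kfree(data)` sites. Any early `return` between the allocation and the final error label that lies outside these hunks would now leak, which cannot be confirmed from here. Routing the two new early exits through one new cleanup label, for example `err = -ENODEV; goto out_free_data;`, would leave a single place to audit. In `btusb_disconnect()` the `kfree(data)` after `hci_free_dev(hdev)` assumes nothing still references `data` by then (pending work, URBs, the other claimed interfaces); that teardown is outside the hunk and deserves a comment stating the ordering requirement.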
diff --git a/queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
new file mode 100644 (file)
index 0000000..6a3d548
--- /dev/null
@@ -0,0 +1,61 @@
+From a3f9fe27db9335006df92ce348abf41fe0b9b484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 14:15:41 +0800
+Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
+
+As soon as crypto_aead_encrypt is called, the underlying request
+may be freed by an asynchronous completion.  Thus dereferencing
+req->iv after it returns is invalid.
+
+Instead of checking req->iv against info, create a new variable
+unaligned_info and use it for that purpose instead.
+
+Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/seqiv.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/seqiv.c b/crypto/seqiv.c
+index 17e11d51ddc3..04928df0095b 100644
+--- a/crypto/seqiv.c
++++ b/crypto/seqiv.c
+@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
+       struct aead_request *subreq = aead_request_ctx(req);
+       crypto_completion_t compl;
++      bool unaligned_info;
+       void *data;
+       u8 *info;
+       unsigned int ivsize = 8;
+@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+                       return err;
+       }
+-      if (unlikely(!IS_ALIGNED((unsigned long)info,
+-                               crypto_aead_alignmask(geniv) + 1))) {
++      unaligned_info = !IS_ALIGNED((unsigned long)info,
++                                   crypto_aead_alignmask(geniv) + 1);
++      if (unlikely(unaligned_info)) {
+               info = kmemdup(req->iv, ivsize, req->base.flags &
+                              CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
+                              GFP_ATOMIC);
+@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
+       scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
+       err = crypto_aead_encrypt(subreq);
+-      if (unlikely(info != req->iv))
++      if (unlikely(unaligned_info))
+               seqiv_aead_encrypt_complete2(req, err);
+       return err;
+ }
+-- 
+2.51.0
+
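Review bot: The final check in `seqiv_aead_encrypt()` now avoids `req->iv`, but nothing in the code says why, so a later cleanup could restore the `info != req->iv` comparison and bring the use-after-free back. I would add a comment above `if (unlikely(unaligned_info))`, such as `/* req may already have been freed by an async completion; do not dereference it here */`. That branch still passes `req` to `seqiv_aead_encrypt_complete2()`, so the helper has to return on `-EINPROGRESS`/`-EBUSY` before touching the request; its body is not in the hunk, so this should be confirmed.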
diff --git a/queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch
new file mode 100644 (file)
index 0000000..5498a37
--- /dev/null
@@ -0,0 +1,68 @@
+From 086ae0a837ed10c810ec9845f5cae4e1ab1ca99a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 17:54:18 +0100
+Subject: firewire: nosy: Fix dma_free_coherent() size
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
+
+It looks like the buffer allocated and mapped in add_card() is done
+with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
+
+Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
+Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/nosy.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
+index ea31ac7ac1ca..e59053738a43 100644
+--- a/drivers/firewire/nosy.c
++++ b/drivers/firewire/nosy.c
+@@ -36,6 +36,8 @@
+ static char driver_name[] = KBUILD_MODNAME;
++#define RCV_BUFFER_SIZE (16 * 1024)
++
+ /* this is the physical layout of a PCL, its size is 128 bytes */
+ struct pcl {
+       __le32 next;
+@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
+                         lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
+       dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                         lynx->rcv_pcl, lynx->rcv_pcl_bus);
+-      dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
+-                        lynx->rcv_buffer_bus);
++      dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
++                        lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+       pci_disable_device(dev);
+       lynx_put(lynx);
+ }
+-#define RCV_BUFFER_SIZE (16 * 1024)
+-
+ static int
+ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+ {
+@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
+               dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
+                                 lynx->rcv_pcl, lynx->rcv_pcl_bus);
+       if (lynx->rcv_buffer)
+-              dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
++              dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+                                 lynx->rcv_buffer, lynx->rcv_buffer_bus);
+       iounmap(lynx->registers);
+-- 
+2.51.0
+
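Review bot: `RCV_BUFFER_SIZE` now has to agree between the allocation in `add_card()` and both `dma_free_coherent()` calls, and the moved `#define` carries no comment saying so. Something like `/* size of lynx->rcv_buffer; used for the coherent allocation and for both frees */` above the define would document the pairing this fix restores. The allocation itself is outside the hunks, so the comment should be checked against it.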
diff --git a/queue-6.6/genalloc.h-fix-htmldocs-warning.patch b/queue-6.6/genalloc.h-fix-htmldocs-warning.patch
new file mode 100644 (file)
index 0000000..990cbf2
--- /dev/null
@@ -0,0 +1,38 @@
+From 37f4c2668d8a07b78cd404219b10c1fa89551bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 10:39:24 -0800
+Subject: genalloc.h: fix htmldocs warning
+
+From: Andrew Morton <akpm@linux-foundation.org>
+
+[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
+
+WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
+
+Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Alexey Skidanov <alexey.skidanov@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/genalloc.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
+index 0bd581003cd5..60de63e46b33 100644
+--- a/include/linux/genalloc.h
++++ b/include/linux/genalloc.h
+@@ -44,6 +44,7 @@ struct gen_pool;
+  * @nr: The number of zeroed bits we're looking for
+  * @data: optional additional data used by the callback
+  * @pool: the pool being allocated from
++ * @start_addr: start address of memory chunk
+  */
+ typedef unsigned long (*genpool_algo_t)(unsigned long *map,
+                       unsigned long size,
+-- 
+2.51.0
+
diff --git a/queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch
new file mode 100644 (file)
index 0000000..234f4a3
--- /dev/null
@@ -0,0 +1,53 @@
+From e5264aaa2b26f56024adbb8653361db27224e4e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 13:07:28 +0100
+Subject: i40e: fix scheduling in set_rx_mode
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
+
+Add service task schedule to set_rx_mode.
+In some cases there are error messages printed out in PTP application
+(ptp4l):
+
+ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
+ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
+
+This happens when service task would not run immediately after
+set_rx_mode, and we need it for setup tasks. This service task checks, if
+PTP RX packets are hung in firmware, and propagate correct settings such
+as multicast address for IEEE 1588 Precision Time Protocol.
+RX timestamping depends on some of these filters set. Bug happens only
+with high PTP packets frequency incoming, and not every run since
+sometimes service task is being ran from a different place immediately
+after starting ptp4l.
+
+Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
+Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index affdbd3ee76c..8a0eb51fe974 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -2260,6 +2260,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
+               vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+               set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
+       }
++      i40e_service_event_schedule(vsi->back);
+ }
+ /**
+-- 
+2.51.0
+
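Review bot: The added `i40e_service_event_schedule(vsi->back);` sits after the closing brace of the block that sets `I40E_VSI_FLAG_FILTER_CHANGED`, so the service task is scheduled on every `i40e_set_rx_mode()` call, not only when that flag was raised. If this is intended, as the changelog seems to say, a short comment would make it explicit, for example `/* always kick the service task; filter sync must not wait for the next periodic run */`. Otherwise the call belongs inside the block. The start of the function is outside the hunk.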
diff --git a/queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
new file mode 100644 (file)
index 0000000..f36ca15
--- /dev/null
@@ -0,0 +1,113 @@
+From 933c10f3f4dca56c414a1f37229eeb511c804ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Oct 2025 01:58:50 +0900
+Subject: iavf: fix off-by-one issues in iavf_config_rss_reg()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
+
+There are off-by-one bugs when configuring RSS hash key and lookup
+table, causing out-of-bounds reads to memory [1] and out-of-bounds
+writes to device registers.
+
+Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
+the loop upper bounds were:
+    i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
+which is safe since the value is the last valid index.
+
+That commit changed the bounds to:
+    i <= adapter->rss_{key,lut}_size / 4
+where `rss_{key,lut}_size / 4` is the number of dwords, so the last
+valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
+accesses one element past the end.
+
+Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
+the bounds.
+
+[1] KASAN splat about rss_key_size off-by-one
+  BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
+  Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
+
+  CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+  Workqueue: iavf iavf_watchdog_task
+  Call Trace:
+   <TASK>
+   dump_stack_lvl+0x6f/0xb0
+   print_report+0x170/0x4f3
+   kasan_report+0xe1/0x1a0
+   iavf_config_rss+0x619/0x800
+   iavf_watchdog_task+0x2be7/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+   </TASK>
+
+  Allocated by task 63:
+   kasan_save_stack+0x30/0x50
+   kasan_save_track+0x14/0x30
+   __kasan_kmalloc+0x7f/0x90
+   __kmalloc_noprof+0x246/0x6f0
+   iavf_watchdog_task+0x28fc/0x3230
+   process_one_work+0x7fd/0x1420
+   worker_thread+0x4d1/0xd40
+   kthread+0x344/0x660
+   ret_from_fork+0x249/0x320
+   ret_from_fork_asm+0x1a/0x30
+
+  The buggy address belongs to the object at ffff888102c50100
+   which belongs to the cache kmalloc-64 of size 64
+  The buggy address is located 0 bytes to the right of
+   allocated 52-byte region [ffff888102c50100, ffff888102c50134)
+
+  The buggy address belongs to the physical page:
+  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
+  flags: 0x200000000000000(node=0|zone=2)
+  page_type: f5(slab)
+  raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
+  raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+   ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
+  >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+                                       ^
+   ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+   ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index fde8d7b80ca6..f6a748ae1c95 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1750,11 +1750,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
+       u16 i;
+       dw = (u32 *)adapter->rss_key;
+-      for (i = 0; i <= adapter->rss_key_size / 4; i++)
++      for (i = 0; i < adapter->rss_key_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
+       dw = (u32 *)adapter->rss_lut;
+-      for (i = 0; i <= adapter->rss_lut_size / 4; i++)
++      for (i = 0; i < adapter->rss_lut_size / 4; i++)
+               wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
+       iavf_flush(hw);
+-- 
+2.51.0
+
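Review bot: Both loops in `iavf_config_rss_reg()` bound `i` by `size / 4`, so with the corrected `<` a key or LUT size that is not a multiple of four would leave its trailing bytes unwritten without any indication. Where the sizes are set is outside the hunk, so this may never occur, but a comment stating the assumption would help, for example `/* rss_key_size and rss_lut_size are multiples of 4: one register per dword */`. The function starts and ends outside the hunk.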
diff --git a/queue-6.6/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.6/ip6_gre-make-ip6gre_header-robust.patch
new file mode 100644 (file)
index 0000000..451209f
--- /dev/null
@@ -0,0 +1,76 @@
+From c88760e2a83e6451f009d434719efe404fce78c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 17:35:50 +0000
+Subject: ip6_gre: make ip6gre_header() robust
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
+
+Over the years, syzbot found many ways to crash the kernel
+in ip6gre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ip6gre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:213 !
+ <TASK>
+  skb_under_panic net/core/skbuff.c:223 [inline]
+  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+  ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
+  dev_hard_header include/linux/netdevice.h:3436 [inline]
+  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+  neigh_output include/net/neighbour.h:556 [inline]
+  ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
+ __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
+  ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
+  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+  mld_send_cr net/ipv6/mcast.c:2154 [inline]
+  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 289b83347d9d..63ac4a8e095b 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1382,9 +1382,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
+ {
+       struct ip6_tnl *t = netdev_priv(dev);
+       struct ipv6hdr *ipv6h;
++      int needed;
+       __be16 *p;
+-      ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
++      needed = t->hlen + sizeof(*ipv6h);
++      if (skb_headroom(skb) < needed &&
++          pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++                           0, GFP_ATOMIC))
++              return -needed;
++
++      ipv6h = skb_push(skb, needed);
+       ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
+                                                 t->fl.u.ip6.flowlabel,
+                                                 true, &t->fl.u.ip6));
+-- 
+2.51.0
+
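Review bot: The new headroom check in `ip6gre_header()` calls `pskb_expand_head()`, which reallocates the skb head and, as far as I know, BUGs on a shared skb, so the fix relies on callers never passing a shared skb here; that cannot be verified from the hunk. I would add a comment before the check giving both the reason and the assumption, for example `/* headroom can be too small if needed_headroom changed after allocation; skb must not be shared */`. `needed` is an `int` compared against the unsigned result of `skb_headroom()`, which is fine as long as `t->hlen` is never negative. The function body continues outside the hunk.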
diff --git a/queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch
new file mode 100644 (file)
index 0000000..1616939
--- /dev/null
@@ -0,0 +1,73 @@
+From 2b60146c867b915dc893e9ee920d4e662f548bc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Dec 2025 16:48:28 +0200
+Subject: ipv4: Fix reference count leak when using error routes with nexthop
+ objects
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
+
+When a nexthop object is deleted, it is marked as dead and then
+fib_table_flush() is called to flush all the routes that are using the
+dead nexthop.
+
+The current logic in fib_table_flush() is to only flush error routes
+(e.g., blackhole) when it is called as part of network namespace
+dismantle (i.e., with flush_all=true). Therefore, error routes are not
+flushed when their nexthop object is deleted:
+
+ # ip link add name dummy1 up type dummy
+ # ip nexthop add id 1 dev dummy1
+ # ip route add 198.51.100.1/32 nhid 1
+ # ip route add blackhole 198.51.100.2/32 nhid 1
+ # ip nexthop del id 1
+ # ip route show
+ blackhole 198.51.100.2 nhid 1 dev dummy1
+
+As such, they keep holding a reference on the nexthop object which in
+turn holds a reference on the nexthop device, resulting in a reference
+count leak:
+
+ # ip link del dev dummy1
+ [   70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
+
+Fix by flushing error routes when their nexthop is marked as dead.
+
+IPv6 does not suffer from this problem.
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
+Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index fa54b36b241a..4d148d089232 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+                               continue;
+                       }
+-                      /* Do not flush error routes if network namespace is
+-                       * not being dismantled
++                      /* When not flushing the entire table, skip error
++                       * routes that are not marked for deletion.
+                        */
+-                      if (!flush_all && fib_props[fa->fa_type].error) {
++                      if (!flush_all && fib_props[fa->fa_type].error &&
++                          !(fi->fib_flags & RTNH_F_DEAD)) {
+                               slen = fa->fa_slen;
+                               continue;
+                       }
+-- 
+2.51.0
+
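Review bot: The rewritten comment in `fib_table_flush()` says "not marked for deletion" while the condition tests `fi->fib_flags & RTNH_F_DEAD`; naming the flag and the case it covers would be clearer, for example `/* ... skip error routes unless their nexthop was marked RTNH_F_DEAD */`. `fi` is assigned outside the hunk, so that it is non-NULL at this point should be confirmed against the preceding check. The loop starts and ends outside the hunk.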
diff --git a/queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
new file mode 100644 (file)
index 0000000..d292b01
--- /dev/null
@@ -0,0 +1,97 @@
+From 833f20844a89120ed483dccb63055ebf89cc8a4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 10:36:37 -0700
+Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
+
+From: Will Rosenberg <whrosenb@asu.edu>
+
+[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
+
+There exists a kernel oops caused by a BUG_ON(nhead < 0) at
+net/core/skbuff.c:2232 in pskb_expand_head().
+This bug is triggered as part of the calipso_skbuff_setattr()
+routine when skb_cow() is passed headroom > INT_MAX
+(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
+
+The root cause of the bug is due to an implicit integer cast in
+__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
+that delta = headroom - skb_headroom(skb) is never negative, otherwise
+we will trigger a BUG_ON in pskb_expand_head(). However, if
+headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
+becomes negative, and pskb_expand_head() is passed a negative value for
+nhead.
+
+Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
+"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
+by only using skb_cow() to grow headroom.
+
+PoC:
+       Using `netlabelctl` tool:
+
+        netlabelctl map del default
+        netlabelctl calipso add pass doi:7
+        netlabelctl map add default address:0::1/128 protocol:calipso,7
+
+        Then run the following PoC:
+
+        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+
+        // setup msghdr
+        int cmsg_size = 2;
+        int cmsg_len = 0x60;
+        struct msghdr msg;
+        struct sockaddr_in6 dest_addr;
+        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
+                        sizeof(struct cmsghdr) + cmsg_len);
+        msg.msg_name = &dest_addr;
+        msg.msg_namelen = sizeof(dest_addr);
+        msg.msg_iov = NULL;
+        msg.msg_iovlen = 0;
+        msg.msg_control = cmsg;
+        msg.msg_controllen = cmsg_len;
+        msg.msg_flags = 0;
+
+        // setup sockaddr
+        dest_addr.sin6_family = AF_INET6;
+        dest_addr.sin6_port = htons(31337);
+        dest_addr.sin6_flowinfo = htonl(31337);
+        dest_addr.sin6_addr = in6addr_loopback;
+        dest_addr.sin6_scope_id = 31337;
+
+        // setup cmsghdr
+        cmsg->cmsg_len = cmsg_len;
+        cmsg->cmsg_level = IPPROTO_IPV6;
+        cmsg->cmsg_type = IPV6_HOPOPTS;
+        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
+        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
+
+        sendmsg(fd, &msg, 0);
+
+Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
+Suggested-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 24666291c54a..72079ef2959b 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
+       /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
+       pad = ((new_end & 4) + (end & 7)) & 7;
+       len_delta = new_end - (int)end + pad;
+-      ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
++      ret_val = skb_cow(skb,
++                        skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
+       if (ret_val < 0)
+               return ret_val;
+-- 
+2.51.0
+
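Review bot: The rewritten `skb_cow()` call in `calipso_skbuff_setattr()` clamps `len_delta` at zero but has no comment saying why, and the reason is not obvious at the call site. `len_delta` is computed just above as `new_end - (int)end + pad` and can be negative (presumably when the new option is shorter than the old one), which is what let the unclamped sum reach the BUG_ON described in the commit message. I would add `/* len_delta may be negative; only ever ask skb_cow() to grow headroom */` above the call. The implicit cast in `__skb_cow()` that the message names as the root cause is left untouched, so other callers that derive headroom from a signed delta would need the same care. The function body continues outside the hunk.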
diff --git a/queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch
new file mode 100644 (file)
index 0000000..6cbad93
--- /dev/null
@@ -0,0 +1,43 @@
+From 4c60d919c0dbc04c0dc8d6ad094cde74d77ba6ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Dec 2025 14:20:16 +0000
+Subject: ksmbd: Fix memory leak in get_file_all_info()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ]
+
+In get_file_all_info(), if vfs_getattr() fails, the function returns
+immediately without freeing the allocated filename, leading to a memory
+leak.
+
+Fix this by freeing the filename before returning in this error case.
+
+Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 3ed78decdca4..f4b3798279d9 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4912,8 +4912,10 @@ static int get_file_all_info(struct ksmbd_work *work,
+       ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
+                         AT_STATX_SYNC_AS_STAT);
+-      if (ret)
++      if (ret) {
++              kfree(filename);
+               return ret;
++      }
+       ksmbd_debug(SMB, "filename = %s\n", filename);
+       delete_pending = ksmbd_inode_pending_delete(fp);
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
new file mode 100644 (file)
index 0000000..904ef0c
--- /dev/null
@@ -0,0 +1,42 @@
+From 42f8d77b03efe54397ea38ad225077e20ddc5a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 11:29:37 +0700
+Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group
+ struct
+
+From: Bagas Sanjaya <bagasdotme@gmail.com>
+
+[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
+
+Fix it by describing @tunnel_hash member.
+
+Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
+Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index c8a4e3b39b0e..371a948d29cc 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -245,6 +245,7 @@ struct net_bridge_vlan {
+  * struct net_bridge_vlan_group
+  *
+  * @vlan_hash: VLAN entry rhashtable
++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
+  * @vlan_list: sorted VLAN entry list
+  * @num_vlans: number of total VLAN entries
+  * @pvid: PVID VLAN id
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
new file mode 100644 (file)
index 0000000..c5a9eed
--- /dev/null
@@ -0,0 +1,45 @@
+From 37e19142043c943e32e774d49258d863fc3be81a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 21:57:56 +0100
+Subject: net: dsa: b53: skip multicast entries for fdb_dump()
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
+
+port_fdb_dump() is supposed to only add fdb entries, but we iterate over
+the full ARL table, which also includes multicast entries.
+
+So check if the entry is a multicast entry before passing it on to the
+callback().
+
+Additionally, the port of those entries is a bitmask, not a port number,
+so any included entries would have even be for the wrong port.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index ffe8db7c2f1f..ee20f6487a02 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1846,6 +1846,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
+       if (!ent->is_valid)
+               return 0;
++      if (is_multicast_ether_addr(ent->mac))
++              return 0;
++
+       if (port != ent->port)
+               return 0;
+-- 
+2.51.0
+
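Review bot: The added `is_multicast_ether_addr(ent->mac)` test in `b53_fdb_copy()` has no comment, so without the commit message a reader cannot tell why a valid ARL entry is skipped. I would add `/* ARL also holds multicast entries, whose port field is a bitmask; they are not FDB entries */` above it. That also explains why the test has to come before the `port != ent->port` comparison right below, which per the commit message is only meaningful when the field is a port number. The function body continues outside the hunk.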
diff --git a/queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
new file mode 100644 (file)
index 0000000..bf8cdbe
--- /dev/null
@@ -0,0 +1,52 @@
+From 67bc6f3f803679ba47d4f0489c2a47a7baf558fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 14:24:58 +0800
+Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue
+
+From: Jacky Chou <jacky_chou@aspeedtech.com>
+
+[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
+
+The Aspeed MDIO controller may return incorrect data when a read operation
+follows immediately after a write. Due to a controller bug, the subsequent
+read can latch stale data, causing the polling logic to terminate earlier
+than expected.
+
+To work around this hardware issue, insert a dummy read after each write
+operation. This ensures that the next actual read returns the correct
+data and prevents premature polling exit.
+
+This workaround has been verified to stabilize MDIO transactions on
+affected Aspeed platforms.
+
+Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
+Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-aspeed.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
+index c727103c8b05..339198a4dbc0 100644
+--- a/drivers/net/mdio/mdio-aspeed.c
++++ b/drivers/net/mdio/mdio-aspeed.c
+@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+       iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
++      /* Workaround for read-after-write issue.
++       * The controller may return stale data if a read follows immediately
++       * after a write. A dummy read forces the hardware to update its
++       * internal state, ensuring that the next real read returns correct data.
++       */
++      ioread32(ctx->base + ASPEED_MDIO_CTRL);
++
+       return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+                               !(ctrl & ASPEED_MDIO_CTRL_FIRE),
+                               ASPEED_MDIO_INTERVAL_US,
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
new file mode 100644 (file)
index 0000000..240be02
--- /dev/null
@@ -0,0 +1,68 @@
+From 2af538c35ad42eaa0cc08b129754e184bf25456b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Dec 2025 12:50:05 +0100
+Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
+
+The openvswitch teardown code will immediately call
+ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
+It will then start the dp_notify_work workqueue, which will later end up
+calling the vport destroy() callback. This callback takes the RTNL to do
+another ovs_netdev_detach_port(), which in this case is unnecessary.
+This causes extra pressure on the RTNL, in some cases leading to
+"unregister_netdevice: waiting for XX to become free" warnings on
+teardown.
+
+We can straight-forwardly avoid the extra RTNL lock acquisition by
+checking the device flags before taking the lock, and skip the locking
+altogether if the IFF_OVS_DATAPATH flag has already been unset.
+
+Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
+Tested-by: Adrian Moreno <amorenoz@redhat.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/vport-netdev.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
+index 903537a5da22..3c41d53bb9e9 100644
+--- a/net/openvswitch/vport-netdev.c
++++ b/net/openvswitch/vport-netdev.c
+@@ -153,10 +153,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
+ static void netdev_destroy(struct vport *vport)
+ {
+-      rtnl_lock();
+-      if (netif_is_ovs_port(vport->dev))
+-              ovs_netdev_detach_dev(vport);
+-      rtnl_unlock();
++      /* When called from ovs_db_notify_wq() after a dp_device_event(), the
++       * port has already been detached, so we can avoid taking the RTNL by
++       * checking this first.
++       */
++      if (netif_is_ovs_port(vport->dev)) {
++              rtnl_lock();
++              /* Check again while holding the lock to ensure we don't race
++               * with the netdev notifier and detach twice.
++               */
++              if (netif_is_ovs_port(vport->dev))
++                      ovs_netdev_detach_dev(vport);
++              rtnl_unlock();
++      }
+       call_rcu(&vport->rcu, vport_netdev_free);
+ }
+-- 
+2.51.0
+
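Review bot: The new comment in `netdev_destroy()` names `ovs_db_notify_wq()`, which looks like a typo for `ovs_dp_notify_wq()`; a wrong name makes the rationale hard to grep for. Separately, the first `netif_is_ovs_port(vport->dev)` test now runs without the RTNL, so a caller that sees the flag already cleared goes straight to `call_rcu(&vport->rcu, vport_netdev_free)` without serialising against a detach that may still be running elsewhere. `ovs_netdev_detach_dev()` is outside this hunk, so whether it clears the flag before or after the rest of its teardown cannot be confirmed here. If it clears the flag first, the comment should state why going on to free the vport is still safe in that window.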
diff --git a/queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
new file mode 100644 (file)
index 0000000..62fc699
--- /dev/null
@@ -0,0 +1,48 @@
+From fd7b5b8a4fcb288b7cd00082577c976d50248b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Dec 2025 21:22:27 +0000
+Subject: net: rose: fix invalid array index in rose_kill_by_device()
+
+From: Pwnverse <stanksal@purdue.edu>
+
+[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
+
+rose_kill_by_device() collects sockets into a local array[] and then
+iterates over them to disconnect sockets bound to a device being brought
+down.
+
+The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
+ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
+ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
+an invalid socket pointer dereference and also leaks references taken
+via sock_hold().
+
+Fix the index to use i.
+
+Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
+Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
+Signed-off-by: Pwnverse <stanksal@purdue.edu>
+Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 614695444b6a..1cc5eaeb1c60 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
+       spin_unlock_bh(&rose_list_lock);
+       for (i = 0; i < cnt; i++) {
+-              sk = array[cnt];
++              sk = array[i];
+               rose = rose_sk(sk);
+               lock_sock(sk);
+               spin_lock_bh(&rose_list_lock);
+-- 
+2.51.0
+
diff --git a/queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
new file mode 100644 (file)
index 0000000..968aaee
--- /dev/null
@@ -0,0 +1,96 @@
+From 1dbb1c5c9d3abc472627d4ac332d5643d9b07646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 15:13:32 +0800
+Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
+
+There is a crash issue when running zero copy XDP_TX action, the crash
+log is shown below.
+
+[  216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
+[  216.187524] Internal error: Oops: 0000000096000144 [#1]  SMP
+[  216.301694] Call trace:
+[  216.304130]  dcache_clean_poc+0x20/0x38 (P)
+[  216.308308]  __dma_sync_single_for_device+0x1bc/0x1e0
+[  216.313351]  stmmac_xdp_xmit_xdpf+0x354/0x400
+[  216.317701]  __stmmac_xdp_run_prog+0x164/0x368
+[  216.322139]  stmmac_napi_poll_rxtx+0xba8/0xf00
+[  216.326576]  __napi_poll+0x40/0x218
+[  216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+
+For XDP_TX action, the xdp_buff is converted to xdp_frame by
+xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
+depends on the memory type of the xdp_buff. For page pool based xdp_buff
+it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
+XSK pool based xdp_buff it produces xdp_frame with memory type
+MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
+memory type and always uses the page pool type, this leads to invalid
+mappings and causes the crash. Therefore, check the xdp_buff memory type
+in stmmac_xdp_xmit_back() to fix this issue.
+
+Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c   | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 255c95988675..7a8861d77e04 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
+ #define STMMAC_XDP_CONSUMED   BIT(0)
+ #define STMMAC_XDP_TX         BIT(1)
+ #define STMMAC_XDP_REDIRECT   BIT(2)
++#define STMMAC_XSK_CONSUMED   BIT(3)
+ static int flow_ctrl = FLOW_AUTO;
+ module_param(flow_ctrl, int, 0644);
+@@ -4875,6 +4876,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
+ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+                               struct xdp_buff *xdp)
+ {
++      bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
+       struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
+       int cpu = smp_processor_id();
+       struct netdev_queue *nq;
+@@ -4891,9 +4893,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
+       /* Avoids TX time-out as we are sharing with slow path */
+       txq_trans_cond_update(nq);
+-      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
+-      if (res == STMMAC_XDP_TX)
++      /* For zero copy XDP_TX action, dma_map is true */
++      res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
++      if (res == STMMAC_XDP_TX) {
+               stmmac_flush_tx_descriptors(priv, queue);
++      } else if (res == STMMAC_XDP_CONSUMED && zc) {
++              /* xdp has been freed by xdp_convert_buff_to_frame(),
++               * no need to call xsk_buff_free() again, so return
++               * STMMAC_XSK_CONSUMED.
++               */
++              res = STMMAC_XSK_CONSUMED;
++              xdp_return_frame(xdpf);
++      }
+       __netif_tx_unlock(nq);
+@@ -5239,6 +5250,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
+                       break;
+               case STMMAC_XDP_CONSUMED:
+                       xsk_buff_free(buf->xdp);
++                      fallthrough;
++              case STMMAC_XSK_CONSUMED:
+                       rx_dropped++;
+                       break;
+               case STMMAC_XDP_TX:
+-- 
+2.51.0
+
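Review bot: In `stmmac_xdp_xmit_back()` the new `zc` flag is read from `xdp->rxq` on the line before `xdp_convert_buff_to_frame(xdp)`, and the comment added further down says that call frees `xdp`, so the declaration order is load-bearing but nothing at the declaration says so. A short note there, e.g. `/* must be read before xdp_convert_buff_to_frame(), which releases a zero-copy xdp */`, would stop a later reorder from turning this into a read of a released buffer. The `!!` around the comparison is redundant, since `==` already yields 0 or 1; `bool zc = xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL;` is enough. The comment `/* For zero copy XDP_TX action, dma_map is true */` restates the argument rather than the reason; going by the commit message, the point is that a zero-copy frame is not page-pool backed and so has to be DMA-mapped by the transmit path. The function bodies continue outside the hunks shown.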
diff --git a/queue-6.6/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.6/net-usb-asix-validate-phy-address-before-use.patch
new file mode 100644 (file)
index 0000000..66187cd
--- /dev/null
@@ -0,0 +1,53 @@
+From c203e307d6cd761bfbe1f2fe4ee77a0be46e60f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Dec 2025 06:41:56 +0530
+Subject: net: usb: asix: validate PHY address before use
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
+
+The ASIX driver reads the PHY address from the USB device via
+asix_read_phy_addr(). A malicious or faulty device can return an
+invalid address (>= PHY_MAX_ADDR), which causes a warning in
+mdiobus_get_phy():
+
+  addr 207 out of range
+  WARNING: drivers/net/phy/mdio_bus.c:76
+
+Validate the PHY address in asix_read_phy_addr() and remove the
+now-redundant check in ax88172a.c.
+
+Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
+Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
+Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
+Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 7fd763917ae2..6ab3486072cb 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
+       offset = (internal ? 1 : 0);
+       ret = buf[offset];
++      if (ret >= PHY_MAX_ADDR) {
++              netdev_err(dev->net, "invalid PHY address: %d\n", ret);
++              return -ENODEV;
++      }
++
+       netdev_dbg(dev->net, "%s PHY address 0x%x\n",
+                  internal ? "internal" : "external", ret);
+-- 
+2.51.0
+
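Review bot: The description says the now-redundant check in ax88172a.c is removed, but this patch touches only `drivers/net/usb/asix_common.c` (5 insertions), so the backport and its message disagree. If the 6.6 tree has no such check, or it was left in place on purpose, a bracketed backport note in the message would record that. On the code itself, `ret` holds a byte supplied by the USB device, and a one-line comment above the new test such as `/* address comes from the device; reject values outside the MDIO bus range */` would say why it is validated at this point. `asix_read_phy_addr()` continues outside the hunk.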
diff --git a/queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
new file mode 100644 (file)
index 0000000..1c35024
--- /dev/null
@@ -0,0 +1,47 @@
+From f309a658b46a14a094ab0cce0b48df6dea4da132 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 20:43:05 +0530
+Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
+
+From: Deepakkumar Karn <dkarn@redhat.com>
+
+[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
+
+In async_set_registers(), when usb_submit_urb() fails, the allocated
+  async_req structure and URB are not freed, causing a memory leak.
+
+  The completion callback async_set_reg_cb() is responsible for freeing
+  these allocations, but it is only called after the URB is successfully
+  submitted and completes (successfully or with error). If submission
+  fails, the callback never runs and the memory is leaked.
+
+  Fix this by freeing both the URB and the request structure in the error
+  path when usb_submit_urb() fails.
+
+Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
+Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
+Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
+Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 278e6cb6f4d9..e40b0669d9f4 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
+               if (res == -ENODEV)
+                       netif_device_detach(dev->netdev);
+               dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
++              kfree(req);
++              usb_free_urb(async_urb);
+       }
+       return res;
+ }
+-- 
+2.51.0
+
diff --git a/queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
new file mode 100644 (file)
index 0000000..e6d0a37
--- /dev/null
@@ -0,0 +1,45 @@
+From 06da88a378fb115f5366c96cee876e0b87411038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 11:52:26 +0530
+Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
+
+From: Anshumali Gaur <agaur@marvell.com>
+
+[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
+
+This patch ensures that the RX ring size (rx_pending) is not
+set below the permitted length. This avoids UBSAN
+shift-out-of-bounds errors when users passes small or zero
+ring sizes via ethtool -G.
+
+Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
+Signed-off-by: Anshumali Gaur <agaur@marvell.com>
+Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 532e84bc38c7..bd01c538f208 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
+        */
+       if (rx_count < pfvf->hw.rq_skid)
+               rx_count =  pfvf->hw.rq_skid;
++
++      if (ring->rx_pending < 16) {
++              netdev_err(netdev,
++                         "rx ring size %u invalid, min is 16\n",
++                         ring->rx_pending);
++              return -EINVAL;
++      }
++
+       rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
+       /* Due pipelining impact minimum 2000 unused SQ CQE's
+-- 
+2.51.0
+
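Review bot: The new `ring->rx_pending < 16` test in `otx2_set_ringparam()` sits after `rx_count` has already been raised to `pfvf->hw.rq_skid`, so the function first adjusts a value and only then rejects the request based on the original input. Moving the test above the skid adjustment would make the order read as validate `ring->rx_pending`, then derive `rx_count`. The literal 16 appears in both the condition and the message `"rx ring size %u invalid, min is 16\n"`; a named constant used in both places would keep them from drifting apart. The function body continues outside the hunk.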
diff --git a/queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
new file mode 100644 (file)
index 0000000..e6bdbc6
--- /dev/null
@@ -0,0 +1,129 @@
+From 7feb9df01cae85e81cb13708f521bd7f5a258756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Dec 2025 19:42:05 +0800
+Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI
+ package parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
+
+The hp_populate_*_elements_from_package() functions in the hp-bioscfg
+driver contain out-of-bounds array access vulnerabilities.
+
+These functions parse ACPI packages into internal data structures using
+a for loop with index variable 'elem' that iterates through
+enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
+
+When processing multi-element fields like PREREQUISITES and
+ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
+elements using expressions like 'enum_obj[elem + reqs]' and
+'enum_obj[elem + pos_values]' within nested loops.
+
+The bug is that the bounds check only validated elem, but did not consider
+the additional offset when accessing elem + reqs or elem + pos_values.
+
+The fix changes the bounds check to validate the actual accessed index.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c       | 4 ++--
+ drivers/platform/x86/hp/hp-bioscfg/int-attributes.c        | 2 +-
+ drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c  | 5 +++++
+ drivers/platform/x86/hp/hp-bioscfg/string-attributes.c     | 2 +-
+ 5 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+index a2402d31c146..20de4596e301 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+@@ -210,7 +210,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+               case PREREQUISITES:
+                       size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + reqs >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+@@ -261,7 +261,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
+                       for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
+                            pos_values++) {
+-                              if (elem >= enum_obj_count) {
++                              if (elem + pos_values >= enum_obj_count) {
+                                       pr_err("Error enum-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+index 86b7ac63fec2..875a807ccb89 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+@@ -228,7 +228,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
+                       size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= integer_obj_count) {
++                              if (elem + reqs >= integer_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+index 1ff09dfb7d7e..94a95ee57810 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+@@ -220,6 +220,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
+                       size = min_t(u32, ordered_list_data->common.prerequisites_size,
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= order_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
+                                                              order_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+index 03d0188804ba..6775a7ca74f5 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+@@ -309,6 +309,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
++                              if (elem + reqs >= password_obj_count) {
++                                      pr_err("Error elem-objects package is too small\n");
++                                      return -EINVAL;
++                              }
++
+                               ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
+                                                              password_obj[elem + reqs].string.length,
+                                                              &str_value, &value_len);
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+index f0c20070094d..5b3eac7f1685 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+@@ -219,7 +219,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
+                                    MAX_PREREQUISITES_SIZE);
+                       for (reqs = 0; reqs < size; reqs++) {
+-                              if (elem >= string_obj_count) {
++                              if (elem + reqs >= string_obj_count) {
+                                       pr_err("Error elem-objects package is too small\n");
+                                       return -EINVAL;
+                               }
+-- 
+2.51.0
+
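Review bot: The corrected bounds checks now cover `elem + reqs` and `elem + pos_values`, but the lines shown still read `order_obj[elem + reqs].string.pointer` and `password_obj[elem + reqs].string.pointer` with no visible check that the element's `type` is a string. If no such check exists outside these hunks, a firmware package holding a different object type at that index would be read through the wrong union member. A guard next to the new bounds check, such as `if (order_obj[elem + reqs].type != ACPI_TYPE_STRING) return -EINVAL;` (or whatever the driver's existing policy for a mistyped element is), would close that, and the same would apply to the enum, integer and string variants. All five functions continue outside the hunks.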
diff --git a/queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
new file mode 100644 (file)
index 0000000..0632197
--- /dev/null
@@ -0,0 +1,47 @@
+From 586f36de1a7a6862200f205feefacc978f478ec5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 16:30:29 +0800
+Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Junrui Luo <moonafterrain@outlook.com>
+
+[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
+
+The ibm_rtl_init() function searches for the signature but has a pointer
+arithmetic error. The loop counter suggests searching at 4-byte intervals
+but the implementation only advances by 1 byte per iteration.
+
+Fix by properly advancing the pointer by sizeof(unsigned int) bytes
+each iteration.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Reported-by: Junrui Luo <moonafterrain@outlook.com>
+Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
+Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
+Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
+index 2ab7d9ac542d..5fb25a602533 100644
+--- a/drivers/platform/x86/ibm_rtl.c
++++ b/drivers/platform/x86/ibm_rtl.c
+@@ -272,7 +272,7 @@ static int __init ibm_rtl_init(void) {
+       /* search for the _RTL_ signature at the start of the table */
+       for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
+               struct ibm_rtl_table __iomem * tmp;
+-              tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
++              tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
+               if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
+                       phys_addr_t addr;
+                       unsigned int plen;
+-- 
+2.51.0
+
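Review bot: With the 4-byte stride, the search loop's last iteration now reads past the end of the EBDA window. At `i = ebda_size/sizeof(unsigned int) - 1` the pointer sits at `ebda_size - 4`, and `readq(&tmp->signature)` is an 8-byte access, so it extends 4 bytes beyond `ebda_size`; the old 1-byte stride never left the first quarter of the window. Whether those bytes are still inside the `ebda_map` mapping depends on the ioremap call outside this hunk, and the fields read after a signature match reach further still. Bounding the loop by the table size keeps every access inside the window: `for (i = 0; i * sizeof(unsigned int) + sizeof(struct ibm_rtl_table) <= ebda_size; i++)`. ibm_rtl_init() starts and ends outside the hunk.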
diff --git a/queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
new file mode 100644 (file)
index 0000000..8d6c060
--- /dev/null
@@ -0,0 +1,42 @@
+From ce9abe3283f740a666abf7360dbe59467dc7f351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 11:36:13 +0100
+Subject: platform/x86: msi-laptop: add missing sysfs_remove_group()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
+
+A sysfs group is created in msi_init() when old_ec_model is enabled, but
+never removed. Remove the msipf_old_attribute_group in that case.
+
+Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index f4c6c36e05a5..2a8839135492 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
+       sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
+       if (!quirks->old_ec_model && threeg_exists)
+               device_remove_file(&msipf_device->dev, &dev_attr_threeg);
++      if (quirks->old_ec_model)
++              sysfs_remove_group(&msipf_device->dev.kobj,
++                                 &msipf_old_attribute_group);
+       platform_device_unregister(msipf_device);
+       platform_driver_unregister(&msipf_driver);
+       backlight_device_unregister(msibl_device);
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
new file mode 100644 (file)
index 0000000..4a67d89
--- /dev/null
@@ -0,0 +1,40 @@
+From aaae849280f14cf1d19182d3356b592064b6afb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Dec 2025 09:51:21 +0100
+Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
+
+The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
+The dma_free_coherent() should pass the same buffer to
+dma_free_coherent() and not page-aligned.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 1c56a0107d1e..d2c8f21468dc 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
+               for (i = 0; i < pbl->pg_count; i++) {
+                       if (pbl->pg_arr[i])
+                               dma_free_coherent(&pdev->dev, pbl->pg_size,
+-                                                (void *)((unsigned long)
+-                                                 pbl->pg_arr[i] &
+-                                                PAGE_MASK),
++                                                pbl->pg_arr[i],
+                                                 pbl->pg_map_arr[i]);
+                       else
+                               dev_warn(&pdev->dev,
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
new file mode 100644 (file)
index 0000000..6e9725b
--- /dev/null
@@ -0,0 +1,58 @@
+From aa6d84d27aacf2b7e7e2514db3b819ca3bd69306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 01:32:57 -0800
+Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
+
+The bnxt_re SEND path checks wr->send_flags to enable features such as
+IP checksum offload. However, send_flags is a bitmask and may contain
+multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
+existing code uses a switch() statement that only matches when
+send_flags is exactly IB_SEND_IP_CSUM.
+
+As a result, checksum offload is not enabled when additional SEND
+flags are present.
+
+Replace the switch() with a bitmask test:
+
+    if (wr->send_flags & IB_SEND_IP_CSUM)
+
+This ensures IP checksum offload is enabled correctly when multiple
+SEND flags are used.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index 31fff5885f1a..5a4644f7ad98 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -2771,14 +2771,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
+                       }
+-                      switch (wr->send_flags) {
+-                      case IB_SEND_IP_CSUM:
++                      if (wr->send_flags & IB_SEND_IP_CSUM)
+                               wqe.rawqp1.lflags |=
+                                       SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+                       fallthrough;
+               case IB_WR_SEND_WITH_INV:
+                       rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
new file mode 100644 (file)
index 0000000..f65ae07
--- /dev/null
@@ -0,0 +1,45 @@
+From 47d6ae44c5222fedb5ce02ffcf69463e788b6a6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 02:01:41 -0800
+Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
+
+RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
+!creq_db->reg.bar_id is incorrect and always false.
+
+pci_resource_start() returns the BAR base address, and a value of 0
+indicates that the BAR is unassigned. Update the condition to test
+bar_base == 0 instead.
+
+This ensures the driver detects and logs an error for an unassigned
+RCFW communication BAR.
+
+Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index e82bd37158ad..2accda5a04a1 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -1116,7 +1116,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
+       creq_db->dbinfo.flags = 0;
+       creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
+       creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
+-      if (!creq_db->reg.bar_id)
++      if (!creq_db->reg.bar_base)
+               dev_err(&pdev->dev,
+                       "QPLIB: CREQ BAR region %d resc start is 0!",
+                       creq_db->reg.bar_id);
+-- 
+2.51.0
+
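Review bot: Now that the `!creq_db->reg.bar_base` test can actually fire, the branch still only logs: nothing in the visible lines returns after `dev_err()`. An unassigned BAR would therefore leave `bar_base` at 0 for the rest of bnxt_qplib_map_creq_db(), which continues outside the hunk and presumably maps `bar_base + reg_offt`. If so, failing here is safer than mapping an address derived from base 0; wrap the branch in braces and add `return -ENOMEM;` after the `dev_err()`. The message string also lacks a trailing newline: `"QPLIB: CREQ BAR region %d resc start is 0!\n"`.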
diff --git a/queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
new file mode 100644 (file)
index 0000000..ffa0540
--- /dev/null
@@ -0,0 +1,50 @@
+From e8d3c17158939ad9caeb49728ec4d5839dd91741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Dec 2025 18:48:55 +0530
+Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
+
+In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
+driver incorrectly is using the "pg_size" value passed to the function.
+Fixed to use the right value 4K. Also, fixed the allocation size for
+PBL table.
+
+Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
+Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 77da7cf34427..1c56a0107d1e 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       if (npbl % BIT(MAX_PDL_LVL_SHIFT))
+                               npde++;
+                       /* Alloc PDE pages */
+-                      sginfo.pgsize = npde * pg_size;
++                      sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
+                       sginfo.npages = 1;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
+                       if (rc)
+@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
+                       /* Alloc PBL pages */
+                       sginfo.npages = npbl;
+-                      sginfo.pgsize = PAGE_SIZE;
++                      sginfo.pgsize = ROCE_PG_SIZE_4K;
+                       rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
+                       if (rc)
+                               goto fail;
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
new file mode 100644 (file)
index 0000000..297964f
--- /dev/null
@@ -0,0 +1,39 @@
+From 52e1c89a5ca0de08bfe23dc6e0791b8cd75a2e07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Dec 2025 13:15:08 +0900
+Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
+
+From: Jang Ingyu <ingyujang25@korea.ac.kr>
+
+[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
+
+Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
+conditional statement. The constant was used directly instead of
+being compared with net_type, causing the condition to always
+evaluate to true.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
+Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 6567d4375128..615b73f038bb 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
+                                      (struct in6_addr *)dgid);
+               return 0;
+       } else if (net_type == RDMA_NETWORK_IPV6 ||
+-                 net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
++                 net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
+               *dgid = hdr->ibgrh.dgid;
+               *sgid = hdr->ibgrh.sgid;
+               return 0;
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-efa-remove-possible-negative-shift.patch b/queue-6.6/rdma-efa-remove-possible-negative-shift.patch
new file mode 100644 (file)
index 0000000..a813620
--- /dev/null
@@ -0,0 +1,47 @@
+From 528a6b29ec2544383748338c458225ec59a3abe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Dec 2025 17:36:56 +0000
+Subject: RDMA/efa: Remove possible negative shift
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
+
+The page size used for device might in some cases be smaller than
+PAGE_SIZE what results in a negative shift when calculating the number of
+host pages in PAGE_SIZE for a debug log. Remove the debug line together
+with the calculation.
+
+Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
+Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
+Reviewed-by: Tom Sela <tomsela@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
+index 0f8ca99d0827..2a5b93ef4b33 100644
+--- a/drivers/infiniband/hw/efa/efa_verbs.c
++++ b/drivers/infiniband/hw/efa/efa_verbs.c
+@@ -1224,13 +1224,9 @@ static int umem_to_page_list(struct efa_dev *dev,
+                            u32 hp_cnt,
+                            u8 hp_shift)
+ {
+-      u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
+       struct ib_block_iter biter;
+       unsigned int hp_idx = 0;
+-      ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
+-                hp_cnt, pages_in_hp);
+-
+       rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
+               page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
+-- 
+2.51.0
+
diff --git a/queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
new file mode 100644 (file)
index 0000000..d52ecfd
--- /dev/null
@@ -0,0 +1,83 @@
+From 80c93bccadfa02988e23d9423ef45f0d8a187559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Nov 2025 15:31:50 +0100
+Subject: RDMA/irdma: avoid invalid read in irdma_net_event
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
+
+irdma_net_event() should not dereference anything from "neigh" (alias
+"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
+Other events come with different structures pointed to by "ptr" and they
+may be smaller than struct neighbour.
+
+Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
+
+The bug is mostly harmless, but it triggers KASAN on debug kernels:
+
+ BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
+ Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
+
+ CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
+ Hardware name: [...]
+ Workqueue: events rt6_probe_deferred
+ Call Trace:
+  <IRQ>
+  dump_stack_lvl+0x60/0xb0
+  print_address_description.constprop.0+0x2c/0x3f0
+  print_report+0xb4/0x270
+  kasan_report+0x92/0xc0
+  irdma_net_event+0x32e/0x3b0 [irdma]
+  notifier_call_chain+0x9e/0x180
+  atomic_notifier_call_chain+0x5c/0x110
+  rt6_do_redirect+0xb91/0x1080
+  tcp_v6_err+0xe9b/0x13e0
+  icmpv6_notify+0x2b2/0x630
+  ndisc_redirect_rcv+0x328/0x530
+  icmpv6_rcv+0xc16/0x1360
+  ip6_protocol_deliver_rcu+0xb84/0x12e0
+  ip6_input_finish+0x117/0x240
+  ip6_input+0xc4/0x370
+  ipv6_rcv+0x420/0x7d0
+  __netif_receive_skb_one_core+0x118/0x1b0
+  process_backlog+0xd1/0x5d0
+  __napi_poll.constprop.0+0xa3/0x440
+  net_rx_action+0x78a/0xba0
+  handle_softirqs+0x2d4/0x9c0
+  do_softirq+0xad/0xe0
+  </IRQ>
+
+Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
+Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 6cd5cb85dafe..91ed7edcd788 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+                   void *ptr)
+ {
+       struct neighbour *neigh = ptr;
+-      struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
++      struct net_device *real_dev, *netdev;
+       struct irdma_device *iwdev;
+       struct ib_device *ibdev;
+       __be32 *p;
+@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
+       switch (event) {
+       case NETEVENT_NEIGH_UPDATE:
++              netdev = neigh->dev;
+               real_dev = rdma_vlan_dev_real_dev(netdev);
+               if (!real_dev)
+                       real_dev = netdev;
+-- 
+2.51.0
+
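Review bot: Nothing in the new code records why `netdev` is no longer initialised at its declaration, so a later cleanup could move the `neigh->dev` read back out of the switch and reintroduce the out-of-bounds read. A short comment at the assignment would preserve the constraint, e.g. `/* ptr is a struct neighbour only for NETEVENT_NEIGH_UPDATE */`. `neigh` is still assigned from `ptr` unconditionally, which is harmless only as long as no other case dereferences it. The remaining cases of irdma_net_event() are outside these hunks.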
diff --git a/queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
new file mode 100644 (file)
index 0000000..ca47461
--- /dev/null
@@ -0,0 +1,40 @@
+From 82f77faafdde18144153c9c176cad7e558105b4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Dec 2025 10:56:17 +0800
+Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
+
+From: Honggang LI <honggangli@163.com>
+
+[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
+
+If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
+are zero, the `min3` function will set clt_path::max_pages_per_mr to
+zero.
+
+`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
+to `ib_alloc_mr`.
+
+Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
+Signed-off-by: Honggang LI <honggangli@163.com>
+Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 82aa47efb807..eaf911e2ffa9 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -1465,6 +1465,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
+       mr_page_shift      = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
+       max_pages_per_mr   = ib_dev->attrs.max_mr_size;
+       do_div(max_pages_per_mr, (1ull << mr_page_shift));
++      max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
+       clt_path->max_pages_per_mr =
+               min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
+                    ib_dev->attrs.max_fast_reg_page_list_len);
+-- 
+2.51.0
+
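Review bot: The `(u32)max_pages_per_mr` cast in the added line truncates instead of saturating. `max_pages_per_mr` appears to be 64-bit (it is the `do_div()` dividend), so a quotient such as 0x100000001 becomes 1 and the path ends up with a needlessly tiny limit. A quotient that is genuinely 0 is also turned into `U32_MAX`, which treats "no MR capacity" the same as "unlimited" and leaves the bound to the other two `min3()` arguments. Clamping in 64 bits expresses the intent directly: `max_pages_per_mr = min_t(u64, max_pages_per_mr, U32_MAX);`, with an explicit check if a zero result should be rejected. query_fast_reg_mode() starts and ends outside the hunk.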
diff --git a/queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch
new file mode 100644 (file)
index 0000000..e2909e8
--- /dev/null
@@ -0,0 +1,93 @@
+From 7fa8e3f56ed7e7e49093c691e11f095655d3fab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 09:32:26 +0800
+Subject: selftests/ftrace: traceonoff_triggers: strip off names
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
+
+The func_traceonoff_triggers.tc sometimes goes to fail
+on my board, Kunpeng-920.
+
+[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
+=== Ftrace unit tests ===
+[1] ftrace - test for function traceon/off triggers     [FAIL]
+[2] (instance)  ftrace - test for function traceon/off triggers [UNSUPPORTED]
+
+I look up the log, and it shows that the md5sum is different between csum1 and csum2.
+
+++ cnt=611
+++ sleep .1
++++ cnt_trace
++++ grep -v '^#' trace
++++ wc -l
+++ cnt2=611
+++ '[' 611 -ne 611 ']'
++++ cat tracing_on
+++ on=0
+++ '[' 0 '!=' 0 ']'
++++ md5sum trace
+++ csum1='76896aa74362fff66a6a5f3cf8a8a500  trace'
+++ sleep .1
++++ md5sum trace
+++ csum2='ee8625a21c058818fc26e45c1ed3f6de  trace'
+++ '[' '76896aa74362fff66a6a5f3cf8a8a500  trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de  trace' ']'
+++ fail 'Tracing file is still changing'
+++ echo Tracing file is still changing
+Tracing file is still changing
+++ exit_fail
+++ exit 1
+
+So I directly dump the trace file before md5sum, the diff shows that:
+
+[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
+dockerd-12285   [036] d.... 18385.510290: sched_stat | <...>-12285   [036] d.... 18385.510290: sched_stat
+dockerd-12285   [036] d.... 18385.510291: sched_swit | <...>-12285   [036] d.... 18385.510291: sched_swit
+<...>-740       [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
+<...>-740       [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
+
+And we can see that <...> filed be filled with names.
+
+We can strip off the names there to fix that.
+
+After strip off the names:
+
+kworker/u257:0-12 [019] d..2.  2528.758910: sched_stat | -12 [019] d..2.  2528.758910: sched_stat_runtime: comm=k
+kworker/u257:0-12 [019] d..2.  2528.758912: sched_swit | -12 [019] d..2.  2528.758912: sched_switch: prev_comm=kw
+<idle>-0          [000] d.s5.  2528.762318: sched_waki | -0  [000] d.s5.  2528.762318: sched_waking: comm=sshd pi
+<idle>-0          [037] dNh2.  2528.762326: sched_wake | -0  [037] dNh2.  2528.762326: sched_wakeup: comm=sshd pi
+<idle>-0          [037] d..2.  2528.762334: sched_swit | -0  [037] d..2.  2528.762334: sched_switch: prev_comm=sw
+
+Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
+Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
+Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc         | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+index aee22289536b..1b57771dbfdf 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
+     fail "Tracing is not off"
+ fi
+-csum1=`md5sum trace`
++# Cannot rely on names being around as they are only cached, strip them
++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ sleep $SLEEP_TIME
+-csum2=`md5sum trace`
++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
+ if [ "$csum1" != "$csum2" ]; then
+     fail "Tracing file is still changing"
+-- 
+2.51.0
+
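Review bot: The sed expression on the two `csum` lines only strips a task name that contains no space, because `^ *[^ ]*` has to run straight into `-PID`. A line whose comm contains a space is left unchanged while its later `<...>-PID` form is stripped, so the two checksums can still differ and the test stays flaky for such tasks. Keying the match on the columns that follow the name is more robust, for example `sed -e 's/^.*\(-[0-9][0-9]* *\[[0-9][0-9]*\]\)/\1/' trace | md5sum` (untested). The pipeline is also written out twice; a small helper function would keep both checksums normalised identically.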
diff --git a/queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
new file mode 100644 (file)
index 0000000..ae36d4a
--- /dev/null
@@ -0,0 +1,97 @@
+From 04f670d77e0e7f24bc5e1b56622da202591c83f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Dec 2025 12:06:41 -0500
+Subject: selftests: net: fix "buffer overflow detected" for tap.c
+
+From: Alice C. Munduruca <alice.munduruca@canonical.com>
+
+[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
+
+When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
+the strcpy() in rtattr_add_strsz() is replaced with a checked
+version which causes the test to consistently fail when compiled
+with toolchains for which this option is enabled by default.
+
+ TAP version 13
+ 1..3
+ # Starting 3 tests from 1 test cases.
+ #  RUN           tap.test_packet_valid_udp_gso ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_gso: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_gso
+ not ok 1 tap.test_packet_valid_udp_gso
+ #  RUN           tap.test_packet_valid_udp_csum ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_valid_udp_csum: Test terminated by assertion
+ #          FAIL  tap.test_packet_valid_udp_csum
+ not ok 2 tap.test_packet_valid_udp_csum
+ #  RUN           tap.test_packet_crash_tap_invalid_eth_proto ...
+ *** buffer overflow detected ***: terminated
+ # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
+ #          FAIL  tap.test_packet_crash_tap_invalid_eth_proto
+ not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
+ # FAILED: 0 / 3 tests passed.
+ # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
+
+A buffer overflow is detected by the fortified glibc __strcpy_chk()
+since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
+reported as 1, even though there is ample space in its bounding
+buffer `req`.
+
+Additionally, given that IFLA_IFNAME also expects a null-terminated
+string, callers of rtaddr_add_str{,sz}() could simply use the
+rtaddr_add_strsz() variant. (which has been renamed to remove the
+trailing `sz`) memset() has been used for this function since it
+is unchecked and thus circumvents the issue discussed in the
+previous paragraph.
+
+Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
+Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tap.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
+index 247c3b3ac1c9..51a209014f1c 100644
+--- a/tools/testing/selftests/net/tap.c
++++ b/tools/testing/selftests/net/tap.c
+@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
+ static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
+                                    const char *s)
+ {
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s));
++      unsigned int strsz = strlen(s) + 1;
++      struct rtattr *rta;
+-      memcpy(RTA_DATA(rta), s, strlen(s));
+-      return rta;
+-}
+-
+-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
+-                                     const char *s)
+-{
+-      struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
++      rta = rtattr_add(nh, type, strsz);
+-      strcpy(RTA_DATA(rta), s);
++      memcpy(RTA_DATA(rta), s, strsz);
+       return rta;
+ }
+@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
+       link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
+-      rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
++      rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
+       if (fill_info_data) {
+               info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
+-- 
+2.51.0
+
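Review bot: The new `rtattr_add_str()` uses `memcpy()` deliberately, but nothing in the code says so, and the obvious simplification back to `strcpy()` would reintroduce the fortify abort described in the commit message. A comment above the copy would prevent that, e.g. `/* memcpy, not strcpy: _FORTIFY_SOURCE misjudges the object size of RTA_DATA(rta) */`. The description also says memset() where the code uses memcpy(). Separately, `strlen(s) + 1` is narrowed to `unsigned int` and handed to `rtattr_add()`, whose bounds handling is outside the hunk. That is fine for the short literals a selftest passes, but worth a check if the helper is reused.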
index 39d45741bbbbd1a001eb6b38b0617a268f7dd49a..a0ac646b55816b9503f344bd1a83464d80bd7b8e 100644 (file)
@@ -498,3 +498,43 @@ hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
 hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
 arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch
 iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
+wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
+wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
+wifi-mac80211-do-not-use-old-mbssid-elements.patch
+i40e-fix-scheduling-in-set_rx_mode.patch
+iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch
+crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch
+bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch
+net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch
+net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch
+ip6_gre-make-ip6gre_header-robust.patch
+platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch
+platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch
+team-fix-check-for-port-enabled-in-team_queue_overri.patch
+amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch
+net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch
+selftests-net-fix-buffer-overflow-detected-for-tap.c.patch
+smc91x-fix-broken-irq-context-in-preempt_rt.patch
+genalloc.h-fix-htmldocs-warning.patch
+firewire-nosy-fix-dma_free_coherent-size.patch
+net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch
+net-usb-asix-validate-phy-address-before-use.patch
+net-bridge-describe-tunnel_hash-member-in-net_bridge.patch
+platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch
+octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch
+net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch
+ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch
+ipv4-fix-reference-count-leak-when-using-error-route.patch
+net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch
+rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch
+rdma-efa-remove-possible-negative-shift.patch
+rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch
+rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch
+rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch
+rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch
+ksmbd-fix-memory-leak-in-get_file_all_info.patch
+rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch
+rdma-bnxt_re-fix-dma_free_coherent-pointer.patch
+blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch
+blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch
+selftests-ftrace-traceonoff_triggers-strip-off-names.patch
diff --git a/queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch
new file mode 100644 (file)
index 0000000..0286a1d
--- /dev/null
@@ -0,0 +1,72 @@
+From 6991cbe534e61cadaf5cad1b4a7954809e95f06b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Dec 2025 08:51:15 +0000
+Subject: smc91x: fix broken irq-context in PREEMPT_RT
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
+
+When smc91x.c is built with PREEMPT_RT, the following splat occurs
+in FVP_RevC:
+
+[   13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
+[   13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
+[   13.062137]      preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
+[   13.062266] C
+** replaying previous printk message **
+[   13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
+[   13.062353] Hardware name:  , BIOS
+[   13.062382] Workqueue: mld mld_ifc_work
+[   13.062469] Call trace:
+[   13.062494]  show_stack+0x24/0x40 (C)
+[   13.062602]  __dump_stack+0x28/0x48
+[   13.062710]  dump_stack_lvl+0x7c/0xb0
+[   13.062818]  dump_stack+0x18/0x34
+[   13.062926]  process_scheduled_works+0x294/0x450
+[   13.063043]  worker_thread+0x260/0x3d8
+[   13.063124]  kthread+0x1c4/0x228
+[   13.063235]  ret_from_fork+0x10/0x20
+
+This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
+but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
+The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
+and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
+rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
+
+To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
+
+Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc91x.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index 032eccf8eb42..7c2fdd02f1d3 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -515,15 +515,7 @@ static inline void  smc_rcv(struct net_device *dev)
+  * any other concurrent access and C would always interrupt B. But life
+  * isn't that easy in a SMP world...
+  */
+-#define smc_special_trylock(lock, flags)                              \
+-({                                                                    \
+-      int __ret;                                                      \
+-      local_irq_save(flags);                                          \
+-      __ret = spin_trylock(lock);                                     \
+-      if (!__ret)                                                     \
+-              local_irq_restore(flags);                               \
+-      __ret;                                                          \
+-})
++#define smc_special_trylock(lock, flags)      spin_trylock_irqsave(lock, flags)
+ #define smc_special_lock(lock, flags)         spin_lock_irqsave(lock, flags)
+ #define smc_special_unlock(lock, flags)       spin_unlock_irqrestore(lock, flags)
+ #else
+-- 
+2.51.0
+
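Review bot: The new one-line `smc_special_trylock` definition in drivers/net/ethernet/smsc/smc91x.c has no comment explaining why it must not be open-coded again, and the block comment above it (only its tail is visible in the hunk) still talks about SMP only. Going by the commit message, the old macro paired a raw `local_irq_save()` with `spin_unlock_irqrestore()`, which does not restore IRQs on PREEMPT_RT. I would add above the three macros: `/* Keep trylock/lock/unlock on the spin_*_irqsave family; a raw local_irq_save() is not undone by spin_unlock_irqrestore() on PREEMPT_RT. */`. The enclosing `#if` block starts outside the hunk, so whether the `#else` variants need the same remark cannot be judged from here.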
diff --git a/queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch
new file mode 100644 (file)
index 0000000..47bcccb
--- /dev/null
@@ -0,0 +1,101 @@
+From 30b2c22eeca58ab02261831d7a126e93321dabad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Dec 2025 11:29:53 +0100
+Subject: team: fix check for port enabled in
+ team_queue_override_port_prio_changed()
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
+
+There has been a syzkaller bug reported recently with the following
+trace:
+
+list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:59!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
+Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
+RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
+RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
+RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
+RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
+R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
+FS:  00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ __list_del_entry_valid include/linux/list.h:132 [inline]
+ __list_del_entry include/linux/list.h:223 [inline]
+ list_del_rcu include/linux/rculist.h:178 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
+ __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
+ team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
+ team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
+ team_option_set drivers/net/team/team_core.c:376 [inline]
+ team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
+ genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg net/socket.c:742 [inline]
+ ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2716
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The problem is in this flow:
+1) Port is enabled, queue_id != 0, in qom_list
+2) Port gets disabled
+        -> team_port_disable()
+        -> team_queue_override_port_del()
+        -> del (removed from list)
+3) Port is disabled, queue_id != 0, not in any list
+4) Priority changes
+        -> team_queue_override_port_prio_changed()
+        -> checks: port disabled && queue_id != 0
+        -> calls del - hits the BUG as it is removed already
+
+To fix this, change the check in team_queue_override_port_prio_changed()
+so it returns early if port is not enabled.
+
+Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
+Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 1ce3bccd4ebd..9baa13808933 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -876,7 +876,7 @@ static void __team_queue_override_enabled_check(struct team *team)
+ static void team_queue_override_port_prio_changed(struct team *team,
+                                                 struct team_port *port)
+ {
+-      if (!port->queue_id || team_port_enabled(port))
++      if (!port->queue_id || !team_port_enabled(port))
+               return;
+       __team_queue_override_port_del(team, port);
+       __team_queue_override_port_add(team, port);
+-- 
+2.51.0
+
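Review bot: The corrected guard in team_queue_override_port_prio_changed() gives no reason why a disabled port must be skipped, which is how the inverted test went unnoticed in the first place. The commit message shows the path is driven from a netlink option set and ends in a list_del on an entry that team_queue_override_port_del() had already removed. I would put the invariant next to the check: `/* A disabled port is on no qom_list (removed on disable); only re-sort ports that are enabled and have a queue_id. */`. The closing brace of the function is outside the hunk.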
diff --git a/queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch
new file mode 100644 (file)
index 0000000..0c22e49
--- /dev/null
@@ -0,0 +1,38 @@
+From efdfcc61c2c3c29f609ce37a6bf71d8d9817c8dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Dec 2025 14:14:47 +0300
+Subject: wifi: cfg80211: sme: store capped length in
+ __cfg80211_connect_result()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
+
+The QGenie AI code review tool says we should store the capped length to
+wdev->u.client.ssid_len.  The AI is correct.
+
+Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 5904c869085c..6f116ae5442b 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -925,7 +925,7 @@ void __cfg80211_connect_result(struct net_device *dev,
+                       ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
+                       memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
+-                      wdev->u.client.ssid_len = ssid->datalen;
++                      wdev->u.client.ssid_len = ssid_len;
+                       break;
+               }
+               rcu_read_unlock();
+-- 
+2.51.0
+
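Review bot: The assignment `wdev->u.client.ssid_len = ssid_len;` in __cfg80211_connect_result() now stores the clamped value, but nothing at that line says the stored length has to stay within the `ssid` buffer. The `memcpy()` just above copies at most `IEEE80211_MAX_SSID_LEN` bytes, so a stored `ssid->datalen` larger than that would presumably let later readers of `ssid_len` run past the array; that consequence is inferred, as those readers are not in the hunk. A short comment would keep the two lines from drifting apart again: `/* store the clamped length, never ssid->datalen: ssid[] holds at most IEEE80211_MAX_SSID_LEN bytes */`. The function starts and ends outside the hunk.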
diff --git a/queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch
new file mode 100644 (file)
index 0000000..d35d8f8
--- /dev/null
@@ -0,0 +1,68 @@
+From 0805129f2988a88b8a44c7e217a77dc91a3e66ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Dec 2025 09:46:56 -0800
+Subject: wifi: mac80211: do not use old MBSSID elements
+
+From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+
+[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
+
+When userspace brings down and deletes a non-transmitted profile,
+it is expected to send a new updated Beacon template for the
+transmitted profile of that multiple BSSID (MBSSID) group which
+does not include the removed profile in MBSSID element. This
+update comes via NL80211_CMD_SET_BEACON.
+
+Such updates work well as long as the group continues to have at
+least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
+is included in the new Beacon template.
+
+But when the last non-trasmitted profile is removed, it still
+gets included in Beacon templates sent to driver. This happens
+because when no MBSSID elements are sent by the userspace,
+ieee80211_assign_beacon() ends up using the element stored from
+earlier Beacon template.
+
+Do not copy old MBSSID elements, instead userspace should always
+include these when applicable.
+
+Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
+Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
+Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 1addfba4b285..16270bea49a2 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1147,7 +1147,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+       size = sizeof(*new) + new_head_len + new_tail_len;
+-      /* new or old multiple BSSID elements? */
+       if (params->mbssid_ies) {
+               mbssid = params->mbssid_ies;
+               size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+@@ -1157,15 +1156,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
+               }
+               size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+                                                       mbssid->cnt);
+-      } else if (old && old->mbssid_ies) {
+-              mbssid = old->mbssid_ies;
+-              size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
+-              if (old && old->rnr_ies) {
+-                      rnr = old->rnr_ies;
+-                      size += struct_size(new->rnr_ies, elem, rnr->cnt);
+-              }
+-              size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
+-                                                      mbssid->cnt);
+       }
+       new = kzalloc(size, GFP_KERNEL);
+-- 
+2.51.0
+
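Review bot: With the `else if (old && old->mbssid_ies)` branch removed from ieee80211_assign_beacon(), the deleted comment at `if (params->mbssid_ies)` is not replaced by anything stating the new contract. A beacon update that omits the MBSSID elements now produces a template without them instead of inheriting the old ones. Since this is queued for a stable tree, userspace that relied on the inheritance would, as far as the hunk shows, silently stop advertising its non-transmitted profiles. I would document that at the remaining branch: `/* MBSSID/RNR elements are never inherited from the old template; userspace must resend them on every update */`. Whether the code after `kzalloc()` tolerates `mbssid` and `rnr` being unset is outside the hunk and should be checked against the 6.6 version of the function.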
diff --git a/queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch
new file mode 100644 (file)
index 0000000..40d18b5
--- /dev/null
@@ -0,0 +1,51 @@
+From 5fad4bd838a0466b371f7ab6b6281a1c2fd600a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Nov 2025 09:38:49 +0800
+Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]
+
+The indirect IO is necessary for RTL8822CS, but not necessary for other
+chips. Otherwiese, it throws errors and becomes unusable.
+
+ rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+ rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
+ rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
+
+By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but
+RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.
+
+Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
+Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
+Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
+index df4248744d87..025a97526551 100644
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -143,8 +143,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr,
+ static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr)
+ {
++      bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;
++
+       if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) &&
+-          !rtw_sdio_is_bus_addr(addr))
++          !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off)
+               return false;
+       return !rtw_sdio_is_sdio30_supported(rtwdev) ||
+-- 
+2.51.0
+
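Review bot: The new local `might_indirect_under_power_off` in rtw_sdio_use_direct_io() carries the whole reason for the change in its name, yet nothing in the code says why only one chip id qualifies. The commit message attributes this to the vendor driver (only RTL8822CS and the unsupported RTL8822ES need indirect IO before power-on), and that belongs next to the test: `/* Per the vendor driver only RTL8822CS needs indirect IO while powered off; other chips fail register access with it. */`. As a point of style, the initialiser runs past the usual line length and would read better as `bool indirect_when_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;`. The function's final `return` expression continues outside the hunk.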