--- /dev/null
+From stable+bounces-215915-greg=kroah.com@vger.kernel.org Thu Feb 12 07:39:29 2026
+From: Rajani Kantha <681739313@139.com>
+Date: Thu, 12 Feb 2026 14:36:05 +0800
+Subject: ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered
+To: xueshuai@linux.alibaba.com, jarkko@kernel.org, Jonathan.Cameron@huawei.com, yazen.ghannam@amd.com, jane.chu@oracle.com, guohanjun@huawei.com, stable@vger.kernel.org
+Message-ID: <20260212063605.2284-1-681739313@139.com>
+
+From: Shuai Xue <xueshuai@linux.alibaba.com>
+
+[ Upstream commit 79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060 ]
+
+If a synchronous error is detected as a result of user-space process
+triggering a 2-bit uncorrected error, the CPU will take a synchronous
+error exception such as Synchronous External Abort (SEA) on Arm64. The
+kernel will queue a memory_failure() work which poisons the related
+page, unmaps the page, and then sends a SIGBUS to the process, so that
+a system wide panic can be avoided.
+
+However, no memory_failure() work will be queued when abnormal
+synchronous errors occur. These errors can include situations like
+invalid PA, unexpected severity, no memory failure config support,
+invalid GUID section, etc. In such a case, the user-space process will
+trigger SEA again. This loop can potentially exceed the platform
+firmware threshold or even trigger a kernel hard lockup, leading to a
+system reboot.
+
+Fix it by performing a force kill if no memory_failure() work is queued
+for synchronous errors.
+
+Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Reviewed-by: Jane Chu <jane.chu@oracle.com>
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://patch.msgid.link/20250714114212.31660-2-xueshuai@linux.alibaba.com
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[ Using pr_err instead of dev_err due to ghes doesn't have member "dev"]
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/apei/ghes.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -684,6 +684,16 @@ static bool ghes_do_proc(struct ghes *gh
+ }
+ }
+
++ /*
++ * If no memory failure work is queued for abnormal synchronous
++ * errors, do a force kill.
++ */
++ if (sync && !queued) {
++ pr_err(GHES_PFX "%s:%d: synchronous unrecoverable error (SIGBUS)\n",
++ current->comm, task_pid_nr(current));
++ force_sig(SIGBUS);
++ }
++
+ return queued;
+ }
+
--- /dev/null
+From stable+bounces-215733-greg=kroah.com@vger.kernel.org Wed Feb 11 02:24:25 2026
+From: Li hongliang <1468888505@139.com>
+Date: Wed, 11 Feb 2026 09:23:51 +0800
+Subject: clk: mediatek: fix of_iomap memory leak
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, u201911157@hust.edu.cn
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, mturquette@baylibre.com, sboyd@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, miles.chen@mediatek.com, wenst@chromium.org, chun-jie.chen@mediatek.com, ikjn@chromium.org, weiyi.lu@mediatek.com, linux-clk@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, dzm91@hust.edu.cn
+Message-ID: <20260211012351.2076922-1-1468888505@139.com>
+
+From: Bosi Zhang <u201911157@hust.edu.cn>
+
+[ Upstream commit 3db7285e044144fd88a356f5b641b9cd4b231a77 ]
+
+Smatch reports:
+drivers/clk/mediatek/clk-mtk.c:583 mtk_clk_simple_probe() warn:
+ 'base' from of_iomap() not released on lines: 496.
+
+This problem was also found in linux-next. In mtk_clk_simple_probe(),
+base is not released when handling errors
+if clk_data is not existed, which may cause a leak.
+So free_base should be added here to release base.
+
+Fixes: c58cd0e40ffa ("clk: mediatek: Add mtk_clk_simple_probe() to simplify clock providers")
+Signed-off-by: Bosi Zhang <u201911157@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230422084331.47198-1-u201911157@hust.edu.cn
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/mediatek/clk-mtk.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/mediatek/clk-mtk.c
++++ b/drivers/clk/mediatek/clk-mtk.c
+@@ -505,8 +505,10 @@ int mtk_clk_simple_probe(struct platform
+ num_clks += mcd->num_mux_clks;
+
+ clk_data = mtk_alloc_clk_data(num_clks);
+- if (!clk_data)
+- return -ENOMEM;
++ if (!clk_data) {
++ r = -ENOMEM;
++ goto free_base;
++ }
+
+ if (mcd->fixed_clks) {
+ r = mtk_clk_register_fixed_clks(mcd->fixed_clks,
+@@ -594,6 +596,7 @@ unregister_fixed_clks:
+ mcd->num_fixed_clks, clk_data);
+ free_data:
+ mtk_free_clk_data(clk_data);
++free_base:
+ if (mcd->shared_io && base)
+ iounmap(base);
+
--- /dev/null
+From stable+bounces-215594-greg=kroah.com@vger.kernel.org Tue Feb 10 04:02:55 2026
+From: Li hongliang <1468888505@139.com>
+Date: Tue, 10 Feb 2026 11:02:34 +0800
+Subject: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, shayd@nvidia.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, jiri@nvidia.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, dlinkin@nvidia.com, vladbu@nvidia.com, netdev@vger.kernel.org, cjubran@nvidia.com, tariqt@nvidia.com
+Message-ID: <20260210030234.1532584-1-1468888505@139.com>
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit f94c1a114ac209977bdf5ca841b98424295ab1f0 ]
+
+The function devl_rate_nodes_destroy is documented to "Unset parent for
+all rate objects". However, it was only calling the driver-specific
+`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing
+the parent's refcount, without actually setting the
+`devlink_rate->parent` pointer to NULL.
+
+This leaves a dangling pointer in the `devlink_rate` struct, which cause
+refcount error in netdevsim[1] and mlx5[2]. In addition, this is
+inconsistent with the behavior of `devlink_nl_rate_parent_node_set`,
+where the parent pointer is correctly cleared.
+
+This patch fixes the issue by explicitly setting `devlink_rate->parent`
+to NULL after notifying the driver, thus fulfilling the function's
+documented behavior for all rate objects.
+
+[1]
+repro steps:
+echo 1 > /sys/bus/netdevsim/new_device
+devlink dev eswitch set netdevsim/netdevsim1 mode switchdev
+echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs
+devlink port function rate add netdevsim/netdevsim1/test_node
+devlink port function rate set netdevsim/netdevsim1/128 parent test_node
+echo 1 > /sys/bus/netdevsim/del_device
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ __nsim_dev_port_del+0x6c/0x70 [netdevsim]
+ nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]
+ nsim_drv_remove+0x2b/0xb0 [netdevsim]
+ device_release_driver_internal+0x194/0x1f0
+ bus_remove_device+0xc6/0x130
+ device_del+0x159/0x3c0
+ device_unregister+0x1a/0x60
+ del_device_store+0x111/0x170 [netdevsim]
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x55/0x10f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[2]
+devlink dev eswitch set pci/0000:08:00.0 mode switchdev
+devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000
+devlink port function rate add pci/0000:08:00.0/group1
+devlink port function rate set pci/0000:08:00.0/32768 parent group1
+modprobe -r mlx5_ib mlx5_fwctl mlx5_core
+
+dmesg:
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0
+CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x42/0xe0
+Call Trace:
+ <TASK>
+ devl_rate_leaf_destroy+0x8d/0x90
+ mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]
+ mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]
+ mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]
+ mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]
+ notifier_call_chain+0x33/0xa0
+ blocking_notifier_call_chain+0x3b/0x50
+ mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]
+ mlx5_eswitch_disable+0x63/0x90 [mlx5_core]
+ mlx5_unload+0x1d/0x170 [mlx5_core]
+ mlx5_uninit_one+0xa2/0x130 [mlx5_core]
+ remove_one+0x78/0xd0 [mlx5_core]
+ pci_device_remove+0x39/0xa0
+ device_release_driver_internal+0x194/0x1f0
+ unbind_store+0x99/0xa0
+ kernfs_fop_write_iter+0x12e/0x1e0
+ vfs_write+0x215/0x3d0
+ ksys_write+0x5f/0xd0
+ do_syscall_64+0x53/0x1f0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: d75559845078 ("devlink: Allow setting parent node of rate objects")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1763381149-1234377-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Routine devl_rate_nodes_destroy is moved to net/devlink/rate.c by commit
+ 7cc7194e85ca ("devlink: push rate related code into separate file") after linux-6.6.
+ This fix applies the same update to its original location in net/devlink/leftover.c. ]
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/devlink/leftover.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/devlink/leftover.c
++++ b/net/devlink/leftover.c
+@@ -10274,13 +10274,15 @@ void devl_rate_nodes_destroy(struct devl
+ if (!devlink_rate->parent)
+ continue;
+
+- refcount_dec(&devlink_rate->parent->refcnt);
+ if (devlink_rate_is_leaf(devlink_rate))
+ ops->rate_leaf_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
+ else if (devlink_rate_is_node(devlink_rate))
+ ops->rate_node_parent_set(devlink_rate, NULL, devlink_rate->priv,
+ NULL, NULL);
++
++ refcount_dec(&devlink_rate->parent->refcnt);
++ devlink_rate->parent = NULL;
+ }
+ list_for_each_entry_safe(devlink_rate, tmp, &devlink->rate_list, list) {
+ if (devlink_rate_is_node(devlink_rate)) {
--- /dev/null
+From stable+bounces-215750-greg=kroah.com@vger.kernel.org Wed Feb 11 06:54:55 2026
+From: Li hongliang <1468888505@139.com>
+Date: Wed, 11 Feb 2026 13:54:37 +0800
+Subject: ksmbd: set ATTR_CTIME flags when setting mtime
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, linkinjeon@kernel.org
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, ddiss@suse.de, linux-cifs@vger.kernel.org, stfrench@microsoft.com
+Message-ID: <20260211055437.2798668-1-1468888505@139.com>
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 21e46a79bbe6c4e1aa73b3ed998130f2ff07b128 ]
+
+David reported that the new warning from setattr_copy_mgtime is coming
+like the following.
+
+[ 113.215316] ------------[ cut here ]------------
+[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/attr.c:300 setattr_copy+0x1ee/0x200
+[ 113.219192] CPU: 1 UID: 0 PID: 31 Comm: kworker/1:1 Not tainted 6.13.0-rc1+ #234
+[ 113.220127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+[ 113.221530] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
+[ 113.222220] RIP: 0010:setattr_copy+0x1ee/0x200
+[ 113.222833] Code: 24 28 49 8b 44 24 30 48 89 53 58 89 43 6c 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 48 89 df e8 77 d6 ff ff e9 cd fe ff ff <0f> 0b e9 be fe ff ff 66 0
+[ 113.225110] RSP: 0018:ffffaf218010fb68 EFLAGS: 00010202
+[ 113.225765] RAX: 0000000000000120 RBX: ffffa446815f8568 RCX: 0000000000000003
+[ 113.226667] RDX: ffffaf218010fd38 RSI: ffffa446815f8568 RDI: ffffffff94eb03a0
+[ 113.227531] RBP: ffffaf218010fb90 R08: 0000001a251e217d R09: 00000000675259fa
+[ 113.228426] R10: 0000000002ba8a6d R11: ffffa4468196c7a8 R12: ffffaf218010fd38
+[ 113.229304] R13: 0000000000000120 R14: ffffffff94eb03a0 R15: 0000000000000000
+[ 113.230210] FS: 0000000000000000(0000) GS:ffffa44739d00000(0000) knlGS:0000000000000000
+[ 113.231215] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 113.232055] CR2: 00007efe0053d27e CR3: 000000000331a000 CR4: 00000000000006b0
+[ 113.232926] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 113.233812] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 113.234797] Call Trace:
+[ 113.235116] <TASK>
+[ 113.235393] ? __warn+0x73/0xd0
+[ 113.235802] ? setattr_copy+0x1ee/0x200
+[ 113.236299] ? report_bug+0xf3/0x1e0
+[ 113.236757] ? handle_bug+0x4d/0x90
+[ 113.237202] ? exc_invalid_op+0x13/0x60
+[ 113.237689] ? asm_exc_invalid_op+0x16/0x20
+[ 113.238185] ? setattr_copy+0x1ee/0x200
+[ 113.238692] btrfs_setattr+0x80/0x820 [btrfs]
+[ 113.239285] ? get_stack_info_noinstr+0x12/0xf0
+[ 113.239857] ? __module_address+0x22/0xa0
+[ 113.240368] ? handle_ksmbd_work+0x6e/0x460 [ksmbd]
+[ 113.240993] ? __module_text_address+0x9/0x50
+[ 113.241545] ? __module_address+0x22/0xa0
+[ 113.242033] ? unwind_next_frame+0x10e/0x920
+[ 113.242600] ? __pfx_stack_trace_consume_entry+0x10/0x10
+[ 113.243268] notify_change+0x2c2/0x4e0
+[ 113.243746] ? stack_depot_save_flags+0x27/0x730
+[ 113.244339] ? set_file_basic_info+0x130/0x2b0 [ksmbd]
+[ 113.244993] set_file_basic_info+0x130/0x2b0 [ksmbd]
+[ 113.245613] ? process_scheduled_works+0xbe/0x310
+[ 113.246181] ? worker_thread+0x100/0x240
+[ 113.246696] ? kthread+0xc8/0x100
+[ 113.247126] ? ret_from_fork+0x2b/0x40
+[ 113.247606] ? ret_from_fork_asm+0x1a/0x30
+[ 113.248132] smb2_set_info+0x63f/0xa70 [ksmbd]
+
+ksmbd is trying to set the atime and mtime via notify_change without also
+setting the ctime. so This patch add ATTR_CTIME flags when setting mtime
+to avoid a warning.
+
+Reported-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Minor conflict resolved. ]
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5739,15 +5739,13 @@ static int set_file_basic_info(struct ks
+ attrs.ia_valid |= (ATTR_ATIME | ATTR_ATIME_SET);
+ }
+
+- attrs.ia_valid |= ATTR_CTIME;
+ if (file_info->ChangeTime)
+- attrs.ia_ctime = ksmbd_NTtimeToUnix(file_info->ChangeTime);
+- else
+- attrs.ia_ctime = inode->i_ctime;
++ inode_set_ctime_to_ts(inode,
++ ksmbd_NTtimeToUnix(file_info->ChangeTime));
+
+ if (file_info->LastWriteTime) {
+ attrs.ia_mtime = ksmbd_NTtimeToUnix(file_info->LastWriteTime);
+- attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET);
++ attrs.ia_valid |= (ATTR_MTIME | ATTR_MTIME_SET | ATTR_CTIME);
+ }
+
+ if (file_info->Attributes) {
+@@ -5789,8 +5787,6 @@ static int set_file_basic_info(struct ks
+ return -EACCES;
+
+ inode_lock(inode);
+- inode->i_ctime = attrs.ia_ctime;
+- attrs.ia_valid &= ~ATTR_CTIME;
+ rc = notify_change(user_ns, dentry, &attrs, NULL);
+ inode_unlock(inode);
+ }
--- /dev/null
+From stable+bounces-215983-greg=kroah.com@vger.kernel.org Thu Feb 12 18:41:08 2026
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Thu, 12 Feb 2026 18:40:52 +0100
+Subject: mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: MPTCP Upstream <mptcp@lists.linux.dev>, Eric Dumazet <edumazet@google.com>, syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com, Eulgyu Kim <eulgyukim@snu.ac.kr>, Mat Martineau <martineau@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>
+Message-ID: <20260212174051.1839592-2-matttbe@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e2a9eeb69f7d4ca4cf4c70463af77664fdb6ab1d upstream.
+
+syzbot and Eulgyu Kim reported crashes in mptcp_pm_nl_get_local_id()
+and/or mptcp_pm_nl_is_backup()
+
+Root cause is list_splice_init() in mptcp_pm_nl_flush_addrs_doit()
+which is not RCU ready.
+
+list_splice_init_rcu() can not be called here while holding pernet->lock
+spinlock.
+
+Many thanks to Eulgyu Kim for providing a repro and testing our patches.
+
+Fixes: 141694df6573 ("mptcp: remove address when netlink flushes addrs")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+5498a510ff9de39d37da@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6970a46d.a00a0220.3ad28e.5cf0.GAE@google.com/T/
+Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/611
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20260124-net-mptcp-race_nl_flush_addrs-v3-1-b2dc1b613e9d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Conflicts because the code has been moved from pm_netlink.c to
+ pm_kernel.c later on in commit 8617e85e04bd ("mptcp: pm: split
+ in-kernel PM specific code"). The same modifications can be applied
+ in pm_netlink.c with one exception, because 'pernet->local_addr_list'
+ has been renamed to 'pernet->endp_list' in commit 35e71e43a56d
+ ("mptcp: pm: in-kernel: rename 'local_addr_list' to 'endp_list'"). The
+ previous name is then still being used in this version.
+ Also, another conflict is caused by commit 7bcf4d8022f9 ("mptcp: pm:
+ rename helpers linked to 'flush'") which is not in this version:
+ mptcp_nl_remove_addrs_list() has been renamed to
+ mptcp_nl_flush_addrs_list(). The previous name has then been kept. ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1855,16 +1855,26 @@ static void __reset_counters(struct pm_n
+ static int mptcp_nl_cmd_flush_addrs(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct pm_nl_pernet *pernet = genl_info_pm_nl(info);
+- LIST_HEAD(free_list);
++ struct list_head free_list;
+
+ spin_lock_bh(&pernet->lock);
+- list_splice_init(&pernet->local_addr_list, &free_list);
++ free_list = pernet->local_addr_list;
++ INIT_LIST_HEAD_RCU(&pernet->local_addr_list);
+ __reset_counters(pernet);
+ pernet->next_id = 1;
+ bitmap_zero(pernet->id_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
+ spin_unlock_bh(&pernet->lock);
+- mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list);
++
++ if (free_list.next == &pernet->local_addr_list)
++ return 0;
++
+ synchronize_rcu();
++
++ /* Adjust the pointers to free_list instead of pernet->local_addr_list */
++ free_list.prev->next = &free_list;
++ free_list.next->prev = &free_list;
++
++ mptcp_nl_remove_addrs_list(sock_net(skb->sk), &free_list);
+ __flush_addrs(&free_list);
+ return 0;
+ }
--- /dev/null
+From lanbincn@139.com Thu Feb 12 11:53:39 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 12 Feb 2026 10:53:04 +0000
+Subject: net: dsa: free routing table on probe failure
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>, Jakub Kicinski <kuba@kernel.org>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260212105304.4210-1-lanbincn@139.com>
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 8bf108d7161ffc6880ad13a0cc109de3cf631727 ]
+
+If complete = true in dsa_tree_setup(), it means that we are the last
+switch of the tree which is successfully probing, and we should be
+setting up all switches from our probe path.
+
+After "complete" becomes true, dsa_tree_setup_cpu_ports() or any
+subsequent function may fail. If that happens, the entire tree setup is
+in limbo: the first N-1 switches have successfully finished probing
+(doing nothing but having allocated persistent memory in the tree's
+dst->ports, and maybe dst->rtable), and switch N failed to probe, ending
+the tree setup process before anything is tangible from the user's PoV.
+
+If switch N fails to probe, its memory (ports) will be freed and removed
+from dst->ports. However, the dst->rtable elements pointing to its ports,
+as created by dsa_link_touch(), will remain there, and will lead to
+use-after-free if dereferenced.
+
+If dsa_tree_setup_switches() returns -EPROBE_DEFER, which is entirely
+possible because that is where ds->ops->setup() is, we get a kasan
+report like this:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in mv88e6xxx_setup_upstream_port+0x240/0x568
+Read of size 8 at addr ffff000004f56020 by task kworker/u8:3/42
+
+Call trace:
+ __asan_report_load8_noabort+0x20/0x30
+ mv88e6xxx_setup_upstream_port+0x240/0x568
+ mv88e6xxx_setup+0xebc/0x1eb0
+ dsa_register_switch+0x1af4/0x2ae0
+ mv88e6xxx_register_switch+0x1b8/0x2a8
+ mv88e6xxx_probe+0xc4c/0xf60
+ mdio_probe+0x78/0xb8
+ really_probe+0x2b8/0x5a8
+ __driver_probe_device+0x164/0x298
+ driver_probe_device+0x78/0x258
+ __device_attach_driver+0x274/0x350
+
+Allocated by task 42:
+ __kasan_kmalloc+0x84/0xa0
+ __kmalloc_cache_noprof+0x298/0x490
+ dsa_switch_touch_ports+0x174/0x3d8
+ dsa_register_switch+0x800/0x2ae0
+ mv88e6xxx_register_switch+0x1b8/0x2a8
+ mv88e6xxx_probe+0xc4c/0xf60
+ mdio_probe+0x78/0xb8
+ really_probe+0x2b8/0x5a8
+ __driver_probe_device+0x164/0x298
+ driver_probe_device+0x78/0x258
+ __device_attach_driver+0x274/0x350
+
+Freed by task 42:
+ __kasan_slab_free+0x48/0x68
+ kfree+0x138/0x418
+ dsa_register_switch+0x2694/0x2ae0
+ mv88e6xxx_register_switch+0x1b8/0x2a8
+ mv88e6xxx_probe+0xc4c/0xf60
+ mdio_probe+0x78/0xb8
+ really_probe+0x2b8/0x5a8
+ __driver_probe_device+0x164/0x298
+ driver_probe_device+0x78/0x258
+ __device_attach_driver+0x274/0x350
+
+The simplest way to fix the bug is to delete the routing table in its
+entirety. dsa_tree_setup_routing_table() has no problem in regenerating
+it even if we deleted links between ports other than those of switch N,
+because dsa_link_touch() first checks whether the port pair already
+exists in dst->rtable, allocating if not.
+
+The deletion of the routing table in its entirety already exists in
+dsa_tree_teardown(), so refactor that into a function that can also be
+called from the tree setup error path.
+
+In my analysis of the commit to blame, it is the one which added
+dsa_link elements to dst->rtable. Prior to that, each switch had its own
+ds->rtable which is freed when the switch fails to probe. But the tree
+is potentially persistent memory.
+
+Fixes: c5f51765a1f6 ("net: dsa: list DSA links in the fabric")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250414213001.2957964-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Backport the fix to net/dsa/dsa2.c in v6.1.y for dsa2.c was
+renamed back into dsa.c by commit
+47d2ce03dcfb ("net: dsa: rename dsa2.c back into dsa.c and create its header")
+since v6.2. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa2.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/net/dsa/dsa2.c
++++ b/net/dsa/dsa2.c
+@@ -1148,6 +1148,16 @@ static void dsa_tree_teardown_lags(struc
+ kfree(dst->lags);
+ }
+
++static void dsa_tree_teardown_routing_table(struct dsa_switch_tree *dst)
++{
++ struct dsa_link *dl, *next;
++
++ list_for_each_entry_safe(dl, next, &dst->rtable, list) {
++ list_del(&dl->list);
++ kfree(dl);
++ }
++}
++
+ static int dsa_tree_setup(struct dsa_switch_tree *dst)
+ {
+ bool complete;
+@@ -1165,7 +1175,7 @@ static int dsa_tree_setup(struct dsa_swi
+
+ err = dsa_tree_setup_cpu_ports(dst);
+ if (err)
+- return err;
++ goto teardown_rtable;
+
+ err = dsa_tree_setup_switches(dst);
+ if (err)
+@@ -1197,14 +1207,14 @@ teardown_switches:
+ dsa_tree_teardown_switches(dst);
+ teardown_cpu_ports:
+ dsa_tree_teardown_cpu_ports(dst);
++teardown_rtable:
++ dsa_tree_teardown_routing_table(dst);
+
+ return err;
+ }
+
+ static void dsa_tree_teardown(struct dsa_switch_tree *dst)
+ {
+- struct dsa_link *dl, *next;
+-
+ if (!dst->setup)
+ return;
+
+@@ -1218,10 +1228,7 @@ static void dsa_tree_teardown(struct dsa
+
+ dsa_tree_teardown_cpu_ports(dst);
+
+- list_for_each_entry_safe(dl, next, &dst->rtable, list) {
+- list_del(&dl->list);
+- kfree(dl);
+- }
++ dsa_tree_teardown_routing_table(dst);
+
+ pr_info("DSA: tree %d torn down\n", dst->index);
+
--- /dev/null
+From stable+bounces-215916-greg=kroah.com@vger.kernel.org Thu Feb 12 07:51:32 2026
+From: Rajani Kantha <681739313@139.com>
+Date: Thu, 12 Feb 2026 14:51:14 +0800
+Subject: net: stmmac: Fix accessing freed irq affinity_hint
+To: dqfext@gmail.com, jacob.e.keller@intel.com, kuba@kernel.org, stable@vger.kernel.org
+Message-ID: <20260212065114.2532-1-681739313@139.com>
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+[ Upstream commit c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef ]
+
+The cpumask should not be a local variable, since its pointer is saved
+to irq_desc and may be accessed from procfs.
+To fix it, use the persistent mask cpumask_of(cpu#).
+
+Cc: stable@vger.kernel.org
+Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250318032424.112067-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3518,7 +3518,6 @@ static int stmmac_request_irq_multi_msi(
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+ enum request_irq_err irq_err;
+- cpumask_t cpu_mask;
+ int irq_idx = 0;
+ char *int_name;
+ int ret;
+@@ -3630,9 +3629,8 @@ static int stmmac_request_irq_multi_msi(
+ irq_idx = i;
+ goto irq_error;
+ }
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
+- irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask);
++ irq_set_affinity_hint(priv->rx_irq[i],
++ cpumask_of(i % num_online_cpus()));
+ }
+
+ /* Request Tx MSI irq */
+@@ -3655,9 +3653,8 @@ static int stmmac_request_irq_multi_msi(
+ irq_idx = i;
+ goto irq_error;
+ }
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
+- irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask);
++ irq_set_affinity_hint(priv->tx_irq[i],
++ cpumask_of(i % num_online_cpus()));
+ }
+
+ return 0;
--- /dev/null
+From stable+bounces-215737-greg=kroah.com@vger.kernel.org Wed Feb 11 04:06:17 2026
+From: Jianqiang kang <jianqkang@sina.cn>
+Date: Wed, 11 Feb 2026 11:05:45 +0800
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, jlayton@kernel.org
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, chuck.lever@oracle.com, neilb@suse.de, kolga@netapp.com, Dai.Ngo@oracle.com, tom@talpey.com, linux-nfs@vger.kernel.org
+Message-ID: <20260211030545.2704021-1-jianqkang@sina.cn>
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b ]
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ Update the cleanup path to use nfsd_stat_counters_destroy. This ensures
+ the teardown logic is correctly paired with nfsd_stat_counters_init, as
+ required by the current NFSD implementation.]
+Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(stru
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+ seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct n
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct p
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
selftests-mptcp-check-no-dup-close-events-after-error.patch
selftests-mptcp-check-subflow-errors-in-close-events.patch
selftests-mptcp-join-fix-local-endp-not-being-tracked.patch
+xsk-fix-race-condition-in-af_xdp-generic-rx-path.patch
+devlink-rate-unset-parent-pointer-in-devl_rate_nodes_destroy.patch
+clk-mediatek-fix-of_iomap-memory-leak.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_register.patch
+ksmbd-set-attr_ctime-flags-when-setting-mtime.patch
+acpi-apei-send-sigbus-to-current-task-if-synchronous-memory-error-not-recovered.patch
+net-stmmac-fix-accessing-freed-irq-affinity_hint.patch
+net-dsa-free-routing-table-on-probe-failure.patch
+mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
+wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch
--- /dev/null
+From stable+bounces-216034-greg=kroah.com@vger.kernel.org Fri Feb 13 09:27:49 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Fri, 13 Feb 2026 08:26:24 +0000
+Subject: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: Alexander Wetzel <Alexander@wetzel-home.de>, Johannes Berg <johannes.berg@intel.com>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260213082624.4190-1-lanbincn@139.com>
+
+From: Alexander Wetzel <Alexander@wetzel-home.de>
+
+[ Upstream commit 2c5dee15239f3f3e31aa5c8808f18996c039e2c1 ]
+
+Callers of wdev_chandef() must hold the wiphy mutex.
+
+But the worker cfg80211_propagate_cac_done_wk() never takes the lock.
+Which triggers the warning below with the mesh_peer_connected_dfs
+test from hostapd and not (yet) released mac80211 code changes:
+
+WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165
+Modules linked in:
+CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf
+Workqueue: cfg80211 cfg80211_propagate_cac_done_wk
+Stack:
+ 00000000 00000001 ffffff00 6093267c
+ 00000000 6002ec30 6d577c50 60037608
+ 00000000 67e8d108 6063717b 00000000
+Call Trace:
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<6003c2b3>] show_stack+0x10e/0x11a
+ [<6002ec30>] ? _printk+0x0/0x98
+ [<60037608>] dump_stack_lvl+0x71/0xb8
+ [<6063717b>] ? wdev_chandef+0x60/0x165
+ [<6003766d>] dump_stack+0x1e/0x20
+ [<6005d1b7>] __warn+0x101/0x20f
+ [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d
+ [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<600b11a2>] ? mark_held_locks+0x5a/0x6e
+ [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d
+ [<60052e53>] ? unblock_signals+0x3a/0xe7
+ [<60052f2d>] ? um_set_signals+0x2d/0x43
+ [<60751191>] ? __this_cpu_preempt_check+0x0/0x16
+ [<607508b2>] ? lock_is_held_type+0x207/0x21f
+ [<6063717b>] wdev_chandef+0x60/0x165
+ [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f
+ [<60052f00>] ? um_set_signals+0x0/0x43
+ [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a
+ [<6007e460>] process_scheduled_works+0x3bc/0x60e
+ [<6007d0ec>] ? move_linked_works+0x4d/0x81
+ [<6007d120>] ? assign_work+0x0/0xaa
+ [<6007f81f>] worker_thread+0x220/0x2dc
+ [<600786ef>] ? set_pf_worker+0x0/0x57
+ [<60087c96>] ? to_kthread+0x0/0x43
+ [<6008ab3c>] kthread+0x2d3/0x2e2
+ [<6007f5ff>] ? worker_thread+0x0/0x2dc
+ [<6006c05b>] ? calculate_sigpending+0x0/0x56
+ [<6003b37d>] new_thread_handler+0x4a/0x64
+irq event stamp: 614611
+hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf
+hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf
+softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985
+softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985
+
+Fixes: 26ec17a1dc5e ("cfg80211: Fix radar event during another phy CAC")
+Signed-off-by: Alexander Wetzel <Alexander@wetzel-home.de>
+Link: https://patch.msgid.link/20250717162547.94582-1-Alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Use wiphy_lock() and wiphy_unlock() instead of guard() in v6.1.y. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -4241,6 +4241,9 @@ EXPORT_SYMBOL(regulatory_pre_cac_allowed
+ static void cfg80211_check_and_end_cac(struct cfg80211_registered_device *rdev)
+ {
+ struct wireless_dev *wdev;
++
++ wiphy_lock(&rdev->wiphy);
++
+ /* If we finished CAC or received radar, we should end any
+ * CAC running on the same channels.
+ * the check !cfg80211_chandef_dfs_usable contain 2 options:
+@@ -4264,6 +4267,8 @@ static void cfg80211_check_and_end_cac(s
+ if (!cfg80211_chandef_dfs_usable(&rdev->wiphy, chandef))
+ rdev_end_cac(rdev, wdev->netdev);
+ }
++
++ wiphy_unlock(&rdev->wiphy);
+ }
+
+ void regulatory_propagate_dfs_state(struct wiphy *wiphy,
--- /dev/null
+From stable+bounces-215625-greg=kroah.com@vger.kernel.org Tue Feb 10 10:14:03 2026
+From: Jianqiang kang <jianqkang@sina.cn>
+Date: Tue, 10 Feb 2026 17:12:51 +0800
+Subject: xsk: Fix race condition in AF_XDP generic RX path
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, e.kubanski@partner.samsung.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, bjorn@kernel.org, magnus.karlsson@intel.com, maciej.fijalkowski@intel.com, jonathan.lemon@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, daniel@iogearbox.net, hawk@kernel.org, john.fastabend@gmail.com, i.maximets@samsung.com, netdev@vger.kernel.org, bpf@vger.kernel.org
+Message-ID: <20260210091251.1690056-1-jianqkang@sina.cn>
+
+From: "e.kubanski" <e.kubanski@partner.samsung.com>
+
+[ Upstream commit a1356ac7749cafc4e27aa62c0c4604b5dca4983e ]
+
+Move rx_lock from xsk_socket to xsk_buff_pool.
+Fix synchronization for shared umem mode in
+generic RX path where multiple sockets share
+single xsk_buff_pool.
+
+RX queue is exclusive to xsk_socket, while FILL
+queue can be shared between multiple sockets.
+This could result in race condition where two
+CPU cores access RX path of two different sockets
+sharing the same umem.
+
+Protect both queues by acquiring spinlock in shared
+xsk_buff_pool.
+
+Lock contention may be minimized in the future by some
+per-thread FQ buffering.
+
+It's safe and necessary to move spin_lock_bh(rx_lock)
+after xsk_rcv_check():
+* xs->pool and spinlock_init is synchronized by
+ xsk_bind() -> xsk_is_bound() memory barriers.
+* xsk_rcv_check() may return true at the moment
+ of xsk_release() or xsk_unbind_dev(),
+ however this will not cause any data races or
+ race conditions. xsk_unbind_dev() removes xdp
+ socket from all maps and waits for completion
+ of all outstanding rx operations. Packets in
+ RX path will either complete safely or drop.
+
+Signed-off-by: Eryk Kubanski <e.kubanski@partner.samsung.com>
+Fixes: bf0bdd1343efb ("xdp: fix race on generic receive path")
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://patch.msgid.link/20250416101908.10919-1-e.kubanski@partner.samsung.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Conflict is resolved when backporting this fix. ]
+Signed-off-by: Jianqiang kang <jianqkang@sina.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/xdp_sock.h | 2 --
+ include/net/xsk_buff_pool.h | 2 ++
+ net/xdp/xsk.c | 6 +++---
+ net/xdp/xsk_buff_pool.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/include/net/xdp_sock.h
++++ b/include/net/xdp_sock.h
+@@ -59,8 +59,6 @@ struct xdp_sock {
+
+ struct xsk_queue *tx ____cacheline_aligned_in_smp;
+ struct list_head tx_list;
+- /* Protects generic receive. */
+- spinlock_t rx_lock;
+
+ /* Statistics */
+ u64 rx_dropped;
+--- a/include/net/xsk_buff_pool.h
++++ b/include/net/xsk_buff_pool.h
+@@ -48,6 +48,8 @@ struct xsk_buff_pool {
+ refcount_t users;
+ struct xdp_umem *umem;
+ struct work_struct work;
++ /* Protects generic receive in shared and non-shared umem mode. */
++ spinlock_t rx_lock;
+ struct list_head free_list;
+ u32 heads_cnt;
+ u16 queue_id;
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -237,13 +237,14 @@ int xsk_generic_rcv(struct xdp_sock *xs,
+ {
+ int err;
+
+- spin_lock_bh(&xs->rx_lock);
+ err = xsk_rcv_check(xs, xdp);
+ if (!err) {
++ spin_lock_bh(&xs->pool->rx_lock);
+ err = __xsk_rcv(xs, xdp);
+ xsk_flush(xs);
++ spin_unlock_bh(&xs->pool->rx_lock);
+ }
+- spin_unlock_bh(&xs->rx_lock);
++
+ return err;
+ }
+
+@@ -1448,7 +1449,6 @@ static int xsk_create(struct net *net, s
+ xs = xdp_sk(sk);
+ xs->state = XSK_READY;
+ mutex_init(&xs->mutex);
+- spin_lock_init(&xs->rx_lock);
+
+ INIT_LIST_HEAD(&xs->map_list);
+ spin_lock_init(&xs->map_list_lock);
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -85,6 +85,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ XDP_PACKET_HEADROOM;
+ pool->umem = umem;
+ pool->addrs = umem->addrs;
++ spin_lock_init(&pool->rx_lock);
+ INIT_LIST_HEAD(&pool->free_list);
+ INIT_LIST_HEAD(&pool->xsk_tx_list);
+ spin_lock_init(&pool->xsk_tx_list_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
