--- /dev/null
+From b98767ac503b3ac3817e296b074206a8bb055f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index 9cd6dac033630..3de7674a84675 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2112,7 +2112,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2568,9 +2568,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From ffa4bd8f9a3937a71d2f0c4edb1d0daa8b137420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index b60e61b1904cb..6487b35851d54 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst) {
+--
+2.51.0
+
--- /dev/null
+From 470815db4f847c7cfc1284040ce43f75e705f049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 266c386eedf3a..e5753a30a29a2 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -36,6 +36,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 6c3820f41dd5d..5bb8133ed7a89 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_U16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From cbbfcb60156fb20f6a8116c8d7bc41fa77a73a62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index b1a8e4eec3f6e..e63aa6b52460c 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From ef35faa2b81fa476c4ddd5b911ee3ace6e203a51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 3837c897832ea..befb61e00d07d 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index a113a06c98a55..c1f57db3f1851 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -104,17 +104,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index f59ef2e2a614b..964e1449a0c6f 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -72,6 +72,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -177,6 +178,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -185,10 +187,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -202,10 +204,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -572,7 +574,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -650,13 +651,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_simple_remove(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -803,6 +804,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -833,16 +836,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -864,14 +867,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -910,21 +913,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -932,14 +938,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -981,21 +987,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From 45e71bcb4dfe9acfb11eb3d88b39cd255820bb14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index b6dcfca740c1c..83615f5968dd5 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1252,8 +1252,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1261,6 +1259,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From 59e742db93c3fbff603d285f53bf91a87b81aec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:39 -0800
+Subject: net: fou: rename the source for linking
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ]
+
+We'll need to link two objects together to form the fou module.
+This means the source can't be called fou, the build system expects
+fou.o to be the combined object.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 1 +
+ net/ipv4/{fou.c => fou_core.c} | 0
+ 2 files changed, 1 insertion(+)
+ rename net/ipv4/{fou.c => fou_core.c} (100%)
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index bbdd9c44f14e3..e694a5e5b0302 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
++fou-y := fou_core.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c
+similarity index 100%
+rename from net/ipv4/fou.c
+rename to net/ipv4/fou_core.c
+--
+2.51.0
+
--- /dev/null
+From 842646cdd658ed09c3abc73f7e6437514bed3b90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:40 -0800
+Subject: net: fou: use policy and operation tables generated from the spec
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ]
+
+Generate and plug in the spec-based tables.
+
+A little bit of renaming is needed in the FOU code.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 2 +-
+ net/ipv4/fou_core.c | 47 +++++++-------------------------------------
+ net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++
+ net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++
+ 4 files changed, 81 insertions(+), 41 deletions(-)
+ create mode 100644 net/ipv4/fou_nl.c
+ create mode 100644 net/ipv4/fou_nl.h
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index e694a5e5b0302..d1c8d4beb77d4 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
+-fou-y := fou_core.o
++fou-y := fou_core.o fou_nl.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index e63aa6b52460c..118b48279da32 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -19,6 +19,8 @@
+ #include <uapi/linux/fou.h>
+ #include <uapi/linux/genetlink.h>
+
++#include "fou_nl.h"
++
+ struct fou {
+ struct socket *sock;
+ u8 protocol;
+@@ -665,20 +667,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg)
+
+ static struct genl_family fou_nl_family;
+
+-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = {
+- [FOU_ATTR_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
+- [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
+-};
+-
+ static int parse_nl_config(struct genl_info *info,
+ struct fou_cfg *cfg)
+ {
+@@ -770,7 +758,7 @@ static int parse_nl_config(struct genl_info *info,
+ return 0;
+ }
+
+-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -783,7 +771,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
+ return fou_create(net, &cfg, NULL);
+ }
+
+-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -852,7 +840,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq,
+ return -EMSGSIZE;
+ }
+
+-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -899,7 +887,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
+ return ret;
+ }
+
+-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ struct net *net = sock_net(skb->sk);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -922,33 +910,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ return skb->len;
+ }
+
+-static const struct genl_small_ops fou_nl_ops[] = {
+- {
+- .cmd = FOU_CMD_ADD,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_add_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_DEL,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_rm_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_get_port,
+- .dumpit = fou_nl_dump,
+- },
+-};
+-
+ static struct genl_family fou_nl_family __ro_after_init = {
+ .hdrsize = 0,
+ .name = FOU_GENL_NAME,
+ .version = FOU_GENL_VERSION,
+ .maxattr = FOU_ATTR_MAX,
+- .policy = fou_nl_policy,
++ .policy = fou_nl_policy,
+ .netnsok = true,
+ .module = THIS_MODULE,
+ .small_ops = fou_nl_ops,
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+new file mode 100644
+index 0000000000000..6c3820f41dd5d
+--- /dev/null
++++ b/net/ipv4/fou_nl.c
+@@ -0,0 +1,48 @@
++// SPDX-License-Identifier: BSD-3-Clause
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel source */
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include "fou_nl.h"
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
++ [FOU_ATTR_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_AF] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_LOCAL_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_PEER_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
++};
++
++/* Ops table for fou */
++const struct genl_small_ops fou_nl_ops[3] = {
++ {
++ .cmd = FOU_CMD_ADD,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_add_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_DEL,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_del_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_GET,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_get_doit,
++ .dumpit = fou_nl_get_dumpit,
++ },
++};
+diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h
+new file mode 100644
+index 0000000000000..b7a68121ce6f7
+--- /dev/null
++++ b/net/ipv4/fou_nl.h
+@@ -0,0 +1,25 @@
++/* SPDX-License-Identifier: BSD-3-Clause */
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel header */
++
++#ifndef _LINUX_FOU_GEN_H
++#define _LINUX_FOU_GEN_H
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1];
++
++/* Ops table for fou */
++extern const struct genl_small_ops fou_nl_ops[3];
++
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb);
++
++#endif /* _LINUX_FOU_GEN_H */
+--
+2.51.0
+
--- /dev/null
+From 24f8bc818b3ed8d89530cf3019d5fa5ee3e5b949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 79aaab51cbf5c..e9dfa140799c3 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From f0aabf644ca49c9bb1ac0763cd34abb72c85b390 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 9751de2d95e78..1c38447b456a7 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From 0ffa9d03c9109d17524f79bfd28061b5298023a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index 9b7db5fd9e08f..287d54ada4714 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -602,10 +602,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 5c771e1621ba0541032a994eed0276384f0b5fc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:37 -0800
+Subject: netlink: add a proto specification for FOU
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ]
+
+FOU has a reasonably modern Genetlink family. Add a spec.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++
+ 1 file changed, 128 insertions(+)
+ create mode 100644 Documentation/netlink/specs/fou.yaml
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+new file mode 100644
+index 0000000000000..266c386eedf3a
+--- /dev/null
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -0,0 +1,128 @@
++name: fou
++
++protocol: genetlink-legacy
++
++doc: |
++ Foo-over-UDP.
++
++c-family-name: fou-genl-name
++c-version-name: fou-genl-version
++max-by-define: true
++kernel-policy: global
++
++definitions:
++ -
++ type: enum
++ name: encap_type
++ name-prefix: fou-encap-
++ enum-name:
++ entries: [ unspec, direct, gue ]
++
++attribute-sets:
++ -
++ name: fou
++ name-prefix: fou-attr-
++ attributes:
++ -
++ name: unspec
++ type: unused
++ -
++ name: port
++ type: u16
++ byte-order: big-endian
++ -
++ name: af
++ type: u8
++ -
++ name: ipproto
++ type: u8
++ -
++ name: type
++ type: u8
++ -
++ name: remcsum_nopartial
++ type: flag
++ -
++ name: local_v4
++ type: u32
++ -
++ name: local_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_v4
++ type: u32
++ -
++ name: peer_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_port
++ type: u16
++ byte-order: big-endian
++ -
++ name: ifindex
++ type: s32
++
++operations:
++ list:
++ -
++ name: unspec
++ doc: unused
++
++ -
++ name: add
++ doc: Add port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &all_attrs
++ attributes:
++ - port
++ - ipproto
++ - type
++ - remcsum_nopartial
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++ - peer_port
++ - ifindex
++
++ -
++ name: del
++ doc: Delete port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &select_attrs
++ attributes:
++ - af
++ - ifindex
++ - port
++ - peer_port
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++
++ -
++ name: get
++ doc: Get tunnel info.
++ attribute-set: fou
++ dont-validate: [ strict, dump ]
++
++ do:
++ request: *select_attrs
++ reply: *all_attrs
++
++ dump:
++ reply: *all_attrs
+--
+2.51.0
+
--- /dev/null
+From 9f136eb06987683f7741a332c42ca361e861fc50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 9a0ba3747711c..c91f712ce1fab 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -594,6 +594,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -608,11 +613,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From 65df3158095ca251aa302e420003efe0c0d92b18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 10:08:01 +0800
+Subject: sctp: sm_statefuns: Fix spelling mistakes
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 0c2c366e0ec55533decb00d0f1ea1cbc42247e7b ]
+
+Fix some spelling mistakes in comments:
+genereate ==> generate
+correclty ==> correctly
+boundries ==> boundaries
+failes ==> fails
+isses ==> issues
+assocition ==> association
+signe ==> sign
+assocaition ==> association
+managemement ==> management
+restransmissions ==> retransmission
+sideffect ==> sideeffect
+bomming ==> booming
+chukns ==> chunks
+SHUDOWN ==> SHUTDOWN
+violationg ==> violating
+explcitly ==> explicitly
+CHunk ==> Chunk
+
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Link: https://lore.kernel.org/r/20210601020801.3625358-1-zhengyongjun3@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a80c9d945aef ("sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 29b879bf86975..9a0ba3747711c 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -361,7 +361,7 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
+
+ /* If the INIT is coming toward a closing socket, we'll send back
+ * and ABORT. Essentially, this catches the race of INIT being
+- * backloged to the socket at the same time as the user isses close().
++ * backloged to the socket at the same time as the user issues close().
+ * Since the socket and all its associations are going away, we
+ * can treat this OOTB
+ */
+@@ -608,8 +608,8 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: genereate the assocition shared keys so that
+- * we can potentially signe the COOKIE-ECHO.
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+
+@@ -791,7 +791,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
+ goto nomem_init;
+
+ /* SCTP-AUTH: Now that we've populate required fields in
+- * sctp_process_init, set up the assocaition shared keys as
++ * sctp_process_init, set up the association shared keys as
+ * necessary so that we can potentially authenticate the ACK
+ */
+ error = sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC);
+@@ -842,7 +842,7 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
+
+ /* Add all the state machine commands now since we've created
+ * everything. This way we don't introduce memory corruptions
+- * during side-effect processing and correclty count established
++ * during side-effect processing and correctly count established
+ * associations.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
+@@ -928,7 +928,7 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
+ commands);
+
+ /* Reset init error count upon receipt of COOKIE-ACK,
+- * to avoid problems with the managemement of this
++ * to avoid problems with the management of this
+ * counter in stale cookie situations when a transition back
+ * from the COOKIE-ECHOED state to the COOKIE-WAIT
+ * state is performed.
+@@ -2935,7 +2935,7 @@ __sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
+ commands);
+
+ /* Since we are not going to really process this INIT, there
+- * is no point in verifying chunk boundries. Just generate
++ * is no point in verifying chunk boundaries. Just generate
+ * the SHUTDOWN ACK.
+ */
+ reply = sctp_make_shutdown_ack(asoc, chunk);
+@@ -3526,7 +3526,7 @@ enum sctp_disposition sctp_sf_do_9_2_final(struct net *net,
+ goto nomem_chunk;
+
+ /* Do all the commands now (after allocation), so that we
+- * have consistent state if memory allocation failes
++ * have consistent state if memory allocation fails
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+
+@@ -3710,7 +3710,7 @@ static enum sctp_disposition sctp_sf_shut_8_4_5(
+ SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
+
+ /* We need to discard the rest of the packet to prevent
+- * potential bomming attacks from additional bundled chunks.
++ * potential boomming attacks from additional bundled chunks.
+ * This is documented in SCTP Threats ID.
+ */
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+@@ -4221,7 +4221,7 @@ enum sctp_disposition sctp_sf_eat_fwd_tsn_fast(
+ }
+
+ /*
+- * SCTP-AUTH Section 6.3 Receiving authenticated chukns
++ * SCTP-AUTH Section 6.3 Receiving authenticated chunks
+ *
+ * The receiver MUST use the HMAC algorithm indicated in the HMAC
+ * Identifier field. If this algorithm was not specified by the
+@@ -4782,7 +4782,7 @@ static enum sctp_disposition sctp_sf_violation_ctsn(
+
+ /* Handle protocol violation of an invalid chunk bundling. For example,
+ * when we have an association and we receive bundled INIT-ACK, or
+- * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
++ * SHUTDOWN-COMPLETE, our peer is clearly violating the "MUST NOT bundle"
+ * statement from the specs. Additionally, there might be an attacker
+ * on the path and we may not want to continue this communication.
+ */
+@@ -5178,7 +5178,7 @@ enum sctp_disposition sctp_sf_cookie_wait_prm_shutdown(
+ * Inputs
+ * (endpoint, asoc)
+ *
+- * The RFC does not explcitly address this issue, but is the route through the
++ * The RFC does not explicitly address this issue, but is the route through the
+ * state table when someone issues a shutdown while in COOKIE_ECHOED state.
+ *
+ * Outputs
+@@ -5902,7 +5902,7 @@ enum sctp_disposition sctp_sf_t1_cookie_timer_expire(
+ /* RFC2960 9.2 If the timer expires, the endpoint must re-send the SHUTDOWN
+ * with the updated last sequential TSN received from its peer.
+ *
+- * An endpoint should limit the number of retransmissions of the
++ * An endpoint should limit the number of retransmission of the
+ * SHUTDOWN chunk to the protocol parameter 'Association.Max.Retrans'.
+ * If this threshold is exceeded the endpoint should destroy the TCB and
+ * MUST report the peer endpoint unreachable to the upper layer (and
+@@ -5980,7 +5980,7 @@ enum sctp_disposition sctp_sf_t2_timer_expire(
+ }
+
+ /*
+- * ADDIP Section 4.1 ASCONF CHunk Procedures
++ * ADDIP Section 4.1 ASCONF Chunk Procedures
+ * If the T4 RTO timer expires the endpoint should do B1 to B5
+ */
+ enum sctp_disposition sctp_sf_t4_timer_expire(
+@@ -6410,7 +6410,7 @@ static int sctp_eat_data(const struct sctp_association *asoc,
+ chunk->ecn_ce_done = 1;
+
+ if (af->is_ce(sctp_gso_headskb(chunk->skb))) {
+- /* Do real work as sideffect. */
++ /* Do real work as side effect. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_ECN_CE,
+ SCTP_U32(tsn));
+ }
+--
+2.51.0
+
--- /dev/null
+From 40fe487e8b4f535a68ccc96dea8f4688c8f61ed4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:08:53 +0800
+Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique
+ namespace
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ]
+
+Remove PEER_CMD, which is not used in this test
+
+Here is the test result after conversion.
+
+ ]# ./fib-onlink-tests.sh
+ Error: ipv4: FIB table does not exist.
+ Flush terminated
+ Error: ipv6: FIB table does not exist.
+ Flush terminated
+
+ ########################################
+ Configuring interfaces
+
+ ...
+
+ TEST: Gateway resolves to wrong nexthop device - VRF [ OK ]
+
+ Tests passed: 38
+ Tests failed: 0
+
+Acked-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index c287b90b8af80..ec2d6ceb1f08d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -3,6 +3,7 @@
+
+ # IPv4 and IPv6 onlink tests
+
++source lib.sh
+ PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
+ VERBOSE=0
+
+@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254
+ # mcast address
+ MCAST6=ff02::1
+
+-
+-PEER_NS=bart
+-PEER_CMD="ip netns exec ${PEER_NS}"
+ VRF=lisa
+ VRF_TABLE=1101
+ PBR_TABLE=101
+@@ -176,8 +174,7 @@ setup()
+ set -e
+
+ # create namespace
+- ip netns add ${PEER_NS}
+- ip -netns ${PEER_NS} li set lo up
++ setup_ns PEER_NS
+
+ # add vrf table
+ ip li add ${VRF} type vrf table ${VRF_TABLE}
+@@ -219,7 +216,7 @@ setup()
+ cleanup()
+ {
+ # make sure we start from a clean slate
+- ip netns del ${PEER_NS} 2>/dev/null
++ cleanup_ns ${PEER_NS} 2>/dev/null
+ for n in 1 3 5 7; do
+ ip link del ${NETIFS[p${n}]} 2>/dev/null
+ done
+--
+2.51.0
+
--- /dev/null
+From c2a286b60cf757072288d6549a41900ba89ad47d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
fix-memory-leak-in-posix_clock_open.patch
posix-clock-store-file-pointer-in-struct-posix_clock.patch
ptp-add-phc-file-mode-checks.-allow-ro-adjtime-witho.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+sctp-sm_statefuns-fix-spelling-mistakes.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+netlink-add-a-proto-specification-for-fou.patch
+net-fou-rename-the-source-for-linking.patch
+net-fou-use-policy-and-operation-tables-generated-fr.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
--- /dev/null
+From 24d1eed1b4fa797893dcfe4faccc4830e4bfaa6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index 32397517807b0..00312543f2267 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2112,7 +2112,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2566,9 +2566,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From 73a8574122f0bde6b20a1c48d0b93c7fe62b5c94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:12:01 +0000
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 3fae636eb9ddd..86be928b210a2 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1836,6 +1836,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
++ "8023AD mode requires Ethernet devices");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+--
+2.51.0
+
--- /dev/null
+From c23204f90f925449abc0bc3ac21f10835d2cf04b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index b60e61b1904cb..6487b35851d54 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst) {
+--
+2.51.0
+
--- /dev/null
+From 8aec5f9fa06ee0bd212038eb1e8ccdbadcca36ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 266c386eedf3a..e5753a30a29a2 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -36,6 +36,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 6c3820f41dd5d..5bb8133ed7a89 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_U16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From d272078a4af0a27767d76c5492a72c57316e03f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index b1a8e4eec3f6e..e63aa6b52460c 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From f127255c140bb5551bac79366d1e92e90436c542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 3837c897832ea..befb61e00d07d 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 35ec6d1af6ea6..3d8b646c16b71 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -104,17 +104,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 8660d452f642b..fe4399af8eea7 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_simple_remove(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -806,6 +807,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -836,16 +839,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -867,14 +870,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -913,21 +916,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -935,14 +941,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -984,21 +990,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From ee3dcff0a297b2db6f0c652de0ff0d89cf9ca996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index acd5b67858ddc..7e242ebac664a 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1252,8 +1252,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1261,6 +1259,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From 7035565e9d1e5a58831964e2eac979a2d2e14619 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:39 -0800
+Subject: net: fou: rename the source for linking
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ]
+
+We'll need to link two objects together to form the fou module.
+This means the source can't be called fou, the build system expects
+fou.o to be the combined object.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 1 +
+ net/ipv4/{fou.c => fou_core.c} | 0
+ 2 files changed, 1 insertion(+)
+ rename net/ipv4/{fou.c => fou_core.c} (100%)
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index bbdd9c44f14e3..e694a5e5b0302 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
++fou-y := fou_core.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c
+similarity index 100%
+rename from net/ipv4/fou.c
+rename to net/ipv4/fou_core.c
+--
+2.51.0
+
--- /dev/null
+From c3967cacfe4a145cbbec97861b67702265aebc84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:40 -0800
+Subject: net: fou: use policy and operation tables generated from the spec
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ]
+
+Generate and plug in the spec-based tables.
+
+A little bit of renaming is needed in the FOU code.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 2 +-
+ net/ipv4/fou_core.c | 47 +++++++-------------------------------------
+ net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++
+ net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++
+ 4 files changed, 81 insertions(+), 41 deletions(-)
+ create mode 100644 net/ipv4/fou_nl.c
+ create mode 100644 net/ipv4/fou_nl.h
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index e694a5e5b0302..d1c8d4beb77d4 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
+-fou-y := fou_core.o
++fou-y := fou_core.o fou_nl.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index e63aa6b52460c..118b48279da32 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -19,6 +19,8 @@
+ #include <uapi/linux/fou.h>
+ #include <uapi/linux/genetlink.h>
+
++#include "fou_nl.h"
++
+ struct fou {
+ struct socket *sock;
+ u8 protocol;
+@@ -665,20 +667,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg)
+
+ static struct genl_family fou_nl_family;
+
+-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = {
+- [FOU_ATTR_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
+- [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
+-};
+-
+ static int parse_nl_config(struct genl_info *info,
+ struct fou_cfg *cfg)
+ {
+@@ -770,7 +758,7 @@ static int parse_nl_config(struct genl_info *info,
+ return 0;
+ }
+
+-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -783,7 +771,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
+ return fou_create(net, &cfg, NULL);
+ }
+
+-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -852,7 +840,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq,
+ return -EMSGSIZE;
+ }
+
+-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -899,7 +887,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
+ return ret;
+ }
+
+-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ struct net *net = sock_net(skb->sk);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -922,33 +910,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ return skb->len;
+ }
+
+-static const struct genl_small_ops fou_nl_ops[] = {
+- {
+- .cmd = FOU_CMD_ADD,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_add_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_DEL,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_rm_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_get_port,
+- .dumpit = fou_nl_dump,
+- },
+-};
+-
+ static struct genl_family fou_nl_family __ro_after_init = {
+ .hdrsize = 0,
+ .name = FOU_GENL_NAME,
+ .version = FOU_GENL_VERSION,
+ .maxattr = FOU_ATTR_MAX,
+- .policy = fou_nl_policy,
++ .policy = fou_nl_policy,
+ .netnsok = true,
+ .module = THIS_MODULE,
+ .small_ops = fou_nl_ops,
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+new file mode 100644
+index 0000000000000..6c3820f41dd5d
+--- /dev/null
++++ b/net/ipv4/fou_nl.c
+@@ -0,0 +1,48 @@
++// SPDX-License-Identifier: BSD-3-Clause
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel source */
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include "fou_nl.h"
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
++ [FOU_ATTR_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_AF] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_LOCAL_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_PEER_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
++};
++
++/* Ops table for fou */
++const struct genl_small_ops fou_nl_ops[3] = {
++ {
++ .cmd = FOU_CMD_ADD,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_add_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_DEL,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_del_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_GET,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_get_doit,
++ .dumpit = fou_nl_get_dumpit,
++ },
++};
+diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h
+new file mode 100644
+index 0000000000000..b7a68121ce6f7
+--- /dev/null
++++ b/net/ipv4/fou_nl.h
+@@ -0,0 +1,25 @@
++/* SPDX-License-Identifier: BSD-3-Clause */
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel header */
++
++#ifndef _LINUX_FOU_GEN_H
++#define _LINUX_FOU_GEN_H
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1];
++
++/* Ops table for fou */
++extern const struct genl_small_ops fou_nl_ops[3];
++
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb);
++
++#endif /* _LINUX_FOU_GEN_H */
+--
+2.51.0
+
--- /dev/null
+From 51ee73e0e7fecd74ed49f4805b8bae46cbe6ba8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 79aaab51cbf5c..e9dfa140799c3 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From 440bab96679d08b70da173c4f3c87710b17e4f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index d201bcb5edc42..8e5b30c447b86 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From 286c113926fe022f733ce765156d1eee14654411 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index f7357d884d6aa..2d98238293a64 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 6baa7e95d82a4a9355ce58f406e8d8a7158dd3b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:37 -0800
+Subject: netlink: add a proto specification for FOU
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ]
+
+FOU has a reasonably modern Genetlink family. Add a spec.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++
+ 1 file changed, 128 insertions(+)
+ create mode 100644 Documentation/netlink/specs/fou.yaml
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+new file mode 100644
+index 0000000000000..266c386eedf3a
+--- /dev/null
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -0,0 +1,128 @@
++name: fou
++
++protocol: genetlink-legacy
++
++doc: |
++ Foo-over-UDP.
++
++c-family-name: fou-genl-name
++c-version-name: fou-genl-version
++max-by-define: true
++kernel-policy: global
++
++definitions:
++ -
++ type: enum
++ name: encap_type
++ name-prefix: fou-encap-
++ enum-name:
++ entries: [ unspec, direct, gue ]
++
++attribute-sets:
++ -
++ name: fou
++ name-prefix: fou-attr-
++ attributes:
++ -
++ name: unspec
++ type: unused
++ -
++ name: port
++ type: u16
++ byte-order: big-endian
++ -
++ name: af
++ type: u8
++ -
++ name: ipproto
++ type: u8
++ -
++ name: type
++ type: u8
++ -
++ name: remcsum_nopartial
++ type: flag
++ -
++ name: local_v4
++ type: u32
++ -
++ name: local_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_v4
++ type: u32
++ -
++ name: peer_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_port
++ type: u16
++ byte-order: big-endian
++ -
++ name: ifindex
++ type: s32
++
++operations:
++ list:
++ -
++ name: unspec
++ doc: unused
++
++ -
++ name: add
++ doc: Add port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &all_attrs
++ attributes:
++ - port
++ - ipproto
++ - type
++ - remcsum_nopartial
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++ - peer_port
++ - ifindex
++
++ -
++ name: del
++ doc: Delete port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &select_attrs
++ attributes:
++ - af
++ - ifindex
++ - port
++ - peer_port
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++
++ -
++ name: get
++ doc: Get tunnel info.
++ attribute-set: fou
++ dont-validate: [ strict, dump ]
++
++ do:
++ request: *select_attrs
++ reply: *all_attrs
++
++ dump:
++ reply: *all_attrs
+--
+2.51.0
+
--- /dev/null
+From d2147952b5b4aa94fbe8a5716c4779e10bfbd334 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index f9882e0e67b1b..dc758ad0051e0 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -601,6 +601,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -615,11 +620,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From 0ee8141aafe9e3a20dc8545f78fa2f0f9498e53b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:08:53 +0800
+Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique
+ namespace
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ]
+
+Remove PEER_CMD, which is not used in this test
+
+Here is the test result after conversion.
+
+ ]# ./fib-onlink-tests.sh
+ Error: ipv4: FIB table does not exist.
+ Flush terminated
+ Error: ipv6: FIB table does not exist.
+ Flush terminated
+
+ ########################################
+ Configuring interfaces
+
+ ...
+
+ TEST: Gateway resolves to wrong nexthop device - VRF [ OK ]
+
+ Tests passed: 38
+ Tests failed: 0
+
+Acked-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index c287b90b8af80..ec2d6ceb1f08d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -3,6 +3,7 @@
+
+ # IPv4 and IPv6 onlink tests
+
++source lib.sh
+ PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
+ VERBOSE=0
+
+@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254
+ # mcast address
+ MCAST6=ff02::1
+
+-
+-PEER_NS=bart
+-PEER_CMD="ip netns exec ${PEER_NS}"
+ VRF=lisa
+ VRF_TABLE=1101
+ PBR_TABLE=101
+@@ -176,8 +174,7 @@ setup()
+ set -e
+
+ # create namespace
+- ip netns add ${PEER_NS}
+- ip -netns ${PEER_NS} li set lo up
++ setup_ns PEER_NS
+
+ # add vrf table
+ ip li add ${VRF} type vrf table ${VRF_TABLE}
+@@ -219,7 +216,7 @@ setup()
+ cleanup()
+ {
+ # make sure we start from a clean slate
+- ip netns del ${PEER_NS} 2>/dev/null
++ cleanup_ns ${PEER_NS} 2>/dev/null
+ for n in 1 3 5 7; do
+ ip link del ${NETIFS[p${n}]} 2>/dev/null
+ done
+--
+2.51.0
+
--- /dev/null
+From 0988a747ae7612c0c63226918633bd02837d8ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
ptp-add-testptp-mask-test.patch
selftest-ptp-update-ptp-selftest-to-exercise-the-get.patch
testptp-add-option-to-open-phc-in-readonly-mode.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+netlink-add-a-proto-specification-for-fou.patch
+net-fou-rename-the-source-for-linking.patch
+net-fou-use-policy-and-operation-tables-generated-fr.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
--- /dev/null
+From ca9c31dcaff134cca1afcc7af9f48783e367d81e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index b4d57da71de2a..3d6f8f3a83366 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From ec6f9ac67d0cecda46e68eb4dedfbbad6a89239f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:49 +0100
+Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ]
+
+ata_dev_print_features() is supposed to return early and not print anything
+if there are no features supported.
+
+However, commit fe22e1c2f705 ("libata: support concurrent positioning
+ranges log") added another feature to ata_dev_print_features() without
+updating the early return conditional.
+
+Add the missing feature to the early return conditional.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 14bcfebf20b8f..98d610c37e8c7 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2597,7 +2597,7 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK))
++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+ return;
+
+ ata_dev_info(dev,
+--
+2.51.0
+
--- /dev/null
+From c5fa3b1d713e1213dffa8b64e2a609bf261536c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:47 +0100
+Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ]
+
+Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+introduced ata_dev_config_lpm(). However, it only called this function for
+ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices.
+
+Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk
+settings to ata_dev_config_lpm()") moved the LPM quirk application from
+ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI
+devices to no longer be applied.
+
+Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are
+applied for ATAPI devices with an entry in __ata_dev_quirks once again.
+
+Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 1277b80726535..3fb7f7a5181a9 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2882,6 +2882,8 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_mode_string(xfer_mask),
+ cdb_intr_string, atapi_an_string,
+ dma_dir_string);
++
++ ata_dev_config_lpm(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From ae98e781252cbc289ab7899be4b9dd4555ed7b14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Oct 2022 18:05:38 +0900
+Subject: ata: libata: cleanup fua support detection
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 4d2e4980a5289ae31a1cff40d258b68573182a37 ]
+
+Move the detection of a device FUA support from
+ata_scsiop_mode_sense()/ata_dev_supports_fua() to device scan time in
+ata_dev_configure().
+
+The function ata_dev_config_fua() is introduced to detect if a device
+supports FUA and this support is indicated using the new device flag
+ATA_DFLAG_FUA.
+
+In order to blacklist known buggy devices, the horkage flag
+ATA_HORKAGE_NO_FUA is introduced. Similarly to other horkage flags, the
+libata.force= arguments "fua" and "nofua" are also introduced to allow
+a user to control this horkage flag through the "force" libata
+module parameter.
+
+The ATA_DFLAG_FUA device flag is set only and only if all the following
+conditions are met:
+* libata.fua module parameter is set to 1
+* The device supports the WRITE DMA FUA EXT command,
+* The device is not marked with the ATA_HORKAGE_NO_FUA flag, either from
+ the blacklist or set by the user with libata.force=nofua
+* The device supports NCQ (while this is not mandated by the standards,
+ this restriction is introduced to avoid problems with older non-NCQ
+ devices).
+
+Enabling or diabling libata FUA support for all devices can now also be
+done using the "force=[no]fua" module parameter when libata.fua is set
+to 1.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Niklas Cassel <niklas.cassel@wdc.com>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 3 ++
+ drivers/ata/libata-core.c | 30 ++++++++++++++++++-
+ drivers/ata/libata-scsi.c | 30 ++-----------------
+ include/linux/libata.h | 8 +++--
+ 4 files changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 05ab068c1cc6d..b026eb1c4c7db 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2852,6 +2852,9 @@
+ * [no]setxfer: Indicate if transfer speed mode setting
+ should be skipped.
+
++ * [no]fua: Disable or enable FUA (Force Unit Access)
++ support for devices supporting this feature.
++
+ * dump_id: Dump IDENTIFY data.
+
+ * disable: Disable this device.
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 98d610c37e8c7..31c8156a4f3d3 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2513,6 +2513,28 @@ static void ata_dev_config_chs(struct ata_device *dev)
+ dev->heads, dev->sectors);
+ }
+
++static void ata_dev_config_fua(struct ata_device *dev)
++{
++ /* Ignore FUA support if its use is disabled globally */
++ if (!libata_fua)
++ goto nofua;
++
++ /* Ignore devices without support for WRITE DMA FUA EXT */
++ if (!(dev->flags & ATA_DFLAG_LBA48) || !ata_id_has_fua(dev->id))
++ goto nofua;
++
++ /* Ignore known bad devices and devices that lack NCQ support */
++ if (!ata_ncq_supported(dev) || (dev->horkage & ATA_HORKAGE_NO_FUA))
++ goto nofua;
++
++ dev->flags |= ATA_DFLAG_FUA;
++
++ return;
++
++nofua:
++ dev->flags &= ~ATA_DFLAG_FUA;
++}
++
+ static void ata_dev_config_devslp(struct ata_device *dev)
+ {
+ u8 *sata_setting = dev->link->ap->sector_buf;
+@@ -2601,7 +2623,8 @@ static void ata_dev_print_features(struct ata_device *dev)
+ return;
+
+ ata_dev_info(dev,
+- "Features:%s%s%s%s%s%s\n",
++ "Features:%s%s%s%s%s%s%s\n",
++ dev->flags & ATA_DFLAG_FUA ? " FUA" : "",
+ dev->flags & ATA_DFLAG_TRUSTED ? " Trust" : "",
+ dev->flags & ATA_DFLAG_DA ? " Dev-Attention" : "",
+ dev->flags & ATA_DFLAG_DEVSLP ? " Dev-Sleep" : "",
+@@ -2762,6 +2785,7 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_dev_config_chs(dev);
+ }
+
++ ata_dev_config_fua(dev);
+ ata_dev_config_devslp(dev);
+ ata_dev_config_sense_reporting(dev);
+ ata_dev_config_zac(dev);
+@@ -4199,6 +4223,9 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = {
+ */
+ { "SATADOM-ML 3ME", NULL, ATA_HORKAGE_NO_LOG_DIR },
+
++ /* Buggy FUA */
++ { "Maxtor", "BANC1G10", ATA_HORKAGE_NO_FUA },
++
+ /* End Marker */
+ { }
+ };
+@@ -6351,6 +6378,7 @@ static const struct ata_force_param force_tbl[] __initconst = {
+ force_horkage_onoff(lpm, ATA_HORKAGE_NOLPM),
+ force_horkage_onoff(setxfer, ATA_HORKAGE_NOSETXFER),
+ force_horkage_on(dump_id, ATA_HORKAGE_DUMP_ID),
++ force_horkage_onoff(fua, ATA_HORKAGE_NO_FUA),
+
+ force_horkage_on(disable, ATA_HORKAGE_DISABLE),
+ };
+diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
+index c838bc8cc4f3d..430970db482a8 100644
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2283,30 +2283,6 @@ static unsigned int ata_msense_rw_recovery(u8 *buf, bool changeable)
+ return sizeof(def_rw_recovery_mpage);
+ }
+
+-/*
+- * We can turn this into a real blacklist if it's needed, for now just
+- * blacklist any Maxtor BANC1G10 revision firmware
+- */
+-static int ata_dev_supports_fua(u16 *id)
+-{
+- unsigned char model[ATA_ID_PROD_LEN + 1], fw[ATA_ID_FW_REV_LEN + 1];
+-
+- if (!libata_fua)
+- return 0;
+- if (!ata_id_has_fua(id))
+- return 0;
+-
+- ata_id_c_string(id, model, ATA_ID_PROD, sizeof(model));
+- ata_id_c_string(id, fw, ATA_ID_FW_REV, sizeof(fw));
+-
+- if (strcmp(model, "Maxtor"))
+- return 1;
+- if (strcmp(fw, "BANC1G10"))
+- return 1;
+-
+- return 0; /* blacklisted */
+-}
+-
+ /**
+ * ata_scsiop_mode_sense - Simulate MODE SENSE 6, 10 commands
+ * @args: device IDENTIFY data / SCSI command of interest.
+@@ -2330,7 +2306,7 @@ static unsigned int ata_scsiop_mode_sense(struct ata_scsi_args *args, u8 *rbuf)
+ };
+ u8 pg, spg;
+ unsigned int ebd, page_control, six_byte;
+- u8 dpofua, bp = 0xff;
++ u8 dpofua = 0, bp = 0xff;
+ u16 fp;
+
+ six_byte = (scsicmd[0] == MODE_SENSE);
+@@ -2393,9 +2369,7 @@ static unsigned int ata_scsiop_mode_sense(struct ata_scsi_args *args, u8 *rbuf)
+ goto invalid_fld;
+ }
+
+- dpofua = 0;
+- if (ata_dev_supports_fua(args->id) && (dev->flags & ATA_DFLAG_LBA48) &&
+- (!(dev->flags & ATA_DFLAG_PIO) || dev->multi_count))
++ if (dev->flags & ATA_DFLAG_FUA)
+ dpofua = 1 << 4;
+
+ if (six_byte) {
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index 99886930fb819..d7f86de11d18e 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -90,6 +90,7 @@ enum {
+ ATA_DFLAG_ACPI_FAILED = (1 << 6), /* ACPI on devcfg has failed */
+ ATA_DFLAG_AN = (1 << 7), /* AN configured */
+ ATA_DFLAG_TRUSTED = (1 << 8), /* device supports trusted send/recv */
++ ATA_DFLAG_FUA = (1 << 9), /* device supports FUA */
+ ATA_DFLAG_DMADIR = (1 << 10), /* device requires DMADIR */
+ ATA_DFLAG_CFG_MASK = (1 << 12) - 1,
+
+@@ -114,9 +115,9 @@ enum {
+ ATA_DFLAG_D_SENSE = (1 << 29), /* Descriptor sense requested */
+ ATA_DFLAG_ZAC = (1 << 30), /* ZAC device */
+
+- ATA_DFLAG_FEATURES_MASK = ATA_DFLAG_TRUSTED | ATA_DFLAG_DA | \
+- ATA_DFLAG_DEVSLP | ATA_DFLAG_NCQ_SEND_RECV | \
+- ATA_DFLAG_NCQ_PRIO,
++ ATA_DFLAG_FEATURES_MASK = (ATA_DFLAG_TRUSTED | ATA_DFLAG_DA | \
++ ATA_DFLAG_DEVSLP | ATA_DFLAG_NCQ_SEND_RECV | \
++ ATA_DFLAG_NCQ_PRIO | ATA_DFLAG_FUA),
+
+ ATA_DEV_UNKNOWN = 0, /* unknown device */
+ ATA_DEV_ATA = 1, /* ATA device */
+@@ -389,6 +390,7 @@ enum {
+ ATA_HORKAGE_NO_NCQ_ON_ATI = (1 << 27), /* Disable NCQ on ATI chipset */
+ ATA_HORKAGE_NO_ID_DEV_LOG = (1 << 28), /* Identify device log missing */
+ ATA_HORKAGE_NO_LOG_DIR = (1 << 29), /* Do not read log directory */
++ ATA_HORKAGE_NO_FUA = (1 << 30), /* Do not use FUA */
+
+ /* DMA mask for user DMA control: User visible values; DO NOT
+ renumber */
+--
+2.51.0
+
--- /dev/null
+From 945e78c24453cd996c4239b951382335a791bd8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:53:12 +0900
+Subject: ata: libata-core: Introduce ata_dev_config_lpm()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ]
+
+If the port of a device does not support Device Initiated Power
+Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM,
+the DIPM feature of a device should not be used. Though DIPM is disabled
+by default on a device, the "Software Settings Preservation feature"
+may keep DIPM enabled or DIPM may have been enabled by the system
+firmware.
+
+Introduce the function ata_dev_config_lpm() to always disable DIPM on a
+device that supports this feature if the port of the device is flagged
+with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from
+ata_dev_configure(), ensuring that a device DIPM feature is disabled
+when it cannot be used.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 31c8156a4f3d3..1277b80726535 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2617,6 +2617,30 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+ kfree(buf);
+ }
+
++/*
++ * Configure features related to link power management.
++ */
++static void ata_dev_config_lpm(struct ata_device *dev)
++{
++ struct ata_port *ap = dev->link->ap;
++ unsigned int err_mask;
++
++ /*
++ * Device Initiated Power Management (DIPM) is normally disabled by
++ * default on a device. However, DIPM may have been enabled and that
++ * setting kept even after COMRESET because of the Software Settings
++ * Preservation feature. So if the port does not support DIPM and the
++ * device does, disable DIPM on the device.
++ */
++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) {
++ err_mask = ata_dev_set_feature(dev,
++ SETFEATURES_SATA_DISABLE, SATA_DIPM);
++ if (err_mask && err_mask != AC_ERR_DEV)
++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n",
++ err_mask);
++ }
++}
++
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+@@ -2785,6 +2809,7 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_dev_config_chs(dev);
+ }
+
++ ata_dev_config_lpm(dev);
+ ata_dev_config_fua(dev);
+ ata_dev_config_devslp(dev);
+ ata_dev_config_sense_reporting(dev);
+--
+2.51.0
+
--- /dev/null
+From 8eb3f7c7468970d4580413bec28d39d4eb1ab17b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 13:07:55 +0900
+Subject: ata: libata: Introduce ata_ncq_supported()
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit fa5bde139ee43ab91087c01e690c61aec957c339 ]
+
+Introduce the inline helper function ata_ncq_supported() to test if a
+device supports NCQ commands. The function ata_ncq_enabled() is also
+rewritten using this new helper function.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Niklas Cassel <niklas.cassel@wdc.com>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/libata.h | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index 363462d3f0773..99886930fb819 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1694,21 +1694,35 @@ extern struct ata_device *ata_dev_next(struct ata_device *dev,
+ (dev) = ata_dev_next((dev), (link), ATA_DITER_##mode))
+
+ /**
+- * ata_ncq_enabled - Test whether NCQ is enabled
+- * @dev: ATA device to test for
++ * ata_ncq_supported - Test whether NCQ is supported
++ * @dev: ATA device to test
+ *
+ * LOCKING:
+ * spin_lock_irqsave(host lock)
+ *
+ * RETURNS:
+- * 1 if NCQ is enabled for @dev, 0 otherwise.
++ * true if @dev supports NCQ, false otherwise.
+ */
+-static inline int ata_ncq_enabled(struct ata_device *dev)
++static inline bool ata_ncq_supported(struct ata_device *dev)
+ {
+ if (!IS_ENABLED(CONFIG_SATA_HOST))
+- return 0;
+- return (dev->flags & (ATA_DFLAG_PIO | ATA_DFLAG_NCQ_OFF |
+- ATA_DFLAG_NCQ)) == ATA_DFLAG_NCQ;
++ return false;
++ return (dev->flags & (ATA_DFLAG_PIO | ATA_DFLAG_NCQ)) == ATA_DFLAG_NCQ;
++}
++
++/**
++ * ata_ncq_enabled - Test whether NCQ is enabled
++ * @dev: ATA device to test
++ *
++ * LOCKING:
++ * spin_lock_irqsave(host lock)
++ *
++ * RETURNS:
++ * true if NCQ is enabled for @dev, false otherwise.
++ */
++static inline bool ata_ncq_enabled(struct ata_device *dev)
++{
++ return ata_ncq_supported(dev) && !(dev->flags & ATA_DFLAG_NCQ_OFF);
+ }
+
+ static inline bool ata_fpdma_dsm_supported(struct ata_device *dev)
+--
+2.51.0
+
--- /dev/null
+From 1ebb12d5d0e086533933ea179cdb49b4d53b11bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:51 +0100
+Subject: ata: libata: Print features also for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ]
+
+Commit d633b8a702ab ("libata: print feature list on device scan")
+added a print of the features supported by the device for ATA_DEV_ATA and
+ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices.
+
+Fix this by printing the features also for ATAPI devices.
+
+Before changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+
+After changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+ata1.00: Features: Dev-Attention HIPM DIPM
+
+Fixes: d633b8a702ab ("libata: print feature list on device scan")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 3fb7f7a5181a9..96b13b89f0a73 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2884,6 +2884,9 @@ int ata_dev_configure(struct ata_device *dev)
+ dma_dir_string);
+
+ ata_dev_config_lpm(dev);
++
++ if (print_info)
++ ata_dev_print_features(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 9fc3d5a46935efe2e2e2aeb137b78449305188bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:12:01 +0000
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index cefe37c447a26..dd0ea86d7934a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1906,6 +1906,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
++ "8023AD mode requires Ethernet devices");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+--
+2.51.0
+
--- /dev/null
+From 6ddac67dcf3f902de43f9bd9072ba57d6bd34fd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 14:10:10 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
+ usb_submit_urb() error
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
+
+In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
+URB memory leak"), the URB was re-anchored before usb_submit_urb() in
+gs_usb_receive_bulk_callback() to prevent a leak of this URB during
+cleanup.
+
+However, this patch did not take into account that usb_submit_urb() could
+fail. The URB remains anchored and
+usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
+infinitely since the anchor list never becomes empty.
+
+To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
+also print an info message.
+
+Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index da05c2aa90d7b..f782c3aa179e0 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -660,6 +660,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ usb_anchor_urb(urb, &parent->rx_submitted);
+
+ rc = usb_submit_urb(urb, GFP_ATOMIC);
++ if (!rc)
++ return;
++
++ usb_unanchor_urb(urb);
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
+@@ -668,6 +672,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ if (parent->canch[rc])
+ netif_device_detach(parent->canch[rc]->netdev);
+ }
++ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
++ ERR_PTR(urb->status));
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From c3f9abadfbf3c5e294032391729b12335d13f639 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index b60e61b1904cb..6487b35851d54 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -191,6 +191,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -284,6 +287,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst) {
+--
+2.51.0
+
--- /dev/null
+From 1477ee15bd0e5976007a23e59c51ee781354d887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 266c386eedf3a..e5753a30a29a2 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -36,6 +36,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 6c3820f41dd5d..5bb8133ed7a89 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_U16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From b704d1c29e9338a2c2fae0ca810d734ce501175e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index c29c976a25965..9d4ae723d2e7d 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -213,6 +213,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From 3c11c648dc12392a3ac8a0d1d52da879e8642b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 025e0c19ec255..fce3ced90bd3d 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index a8017424ab538..bf57e4427eb4f 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index fbf2d5b67aafa..a9aeaa9b5779d 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_simple_remove(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -805,6 +806,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -835,16 +838,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -866,14 +869,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -912,21 +915,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -934,14 +940,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -983,21 +989,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From 134b677aee2446fb83450f00738188b4ae84699e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 70da78ab95202..e0ca08ebd16a9 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1250,8 +1250,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1259,6 +1257,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From 9f91820ac130c7e13f1318960c18329d621ba8d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:39 -0800
+Subject: net: fou: rename the source for linking
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 08d323234d10eab077cbf0093eeb5991478a261a ]
+
+We'll need to link two objects together to form the fou module.
+This means the source can't be called fou, the build system expects
+fou.o to be the combined object.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 1 +
+ net/ipv4/{fou.c => fou_core.c} | 0
+ 2 files changed, 1 insertion(+)
+ rename net/ipv4/{fou.c => fou_core.c} (100%)
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index bbdd9c44f14e3..e694a5e5b0302 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,6 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
++fou-y := fou_core.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou_core.c
+similarity index 100%
+rename from net/ipv4/fou.c
+rename to net/ipv4/fou_core.c
+--
+2.51.0
+
--- /dev/null
+From e70ea5c6d67e984570ca297effdac0601f32334d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:40 -0800
+Subject: net: fou: use policy and operation tables generated from the spec
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1d562c32e4392cc091c940918ee1ffd7bfcb9e96 ]
+
+Generate and plug in the spec-based tables.
+
+A little bit of renaming is needed in the FOU code.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/Makefile | 2 +-
+ net/ipv4/fou_core.c | 47 +++++++-------------------------------------
+ net/ipv4/fou_nl.c | 48 +++++++++++++++++++++++++++++++++++++++++++++
+ net/ipv4/fou_nl.h | 25 +++++++++++++++++++++++
+ 4 files changed, 81 insertions(+), 41 deletions(-)
+ create mode 100644 net/ipv4/fou_nl.c
+ create mode 100644 net/ipv4/fou_nl.h
+
+diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
+index e694a5e5b0302..d1c8d4beb77d4 100644
+--- a/net/ipv4/Makefile
++++ b/net/ipv4/Makefile
+@@ -26,7 +26,7 @@ obj-$(CONFIG_IP_MROUTE) += ipmr.o
+ obj-$(CONFIG_IP_MROUTE_COMMON) += ipmr_base.o
+ obj-$(CONFIG_NET_IPIP) += ipip.o
+ gre-y := gre_demux.o
+-fou-y := fou_core.o
++fou-y := fou_core.o fou_nl.o
+ obj-$(CONFIG_NET_FOU) += fou.o
+ obj-$(CONFIG_NET_IPGRE_DEMUX) += gre.o
+ obj-$(CONFIG_NET_IPGRE) += ip_gre.o
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index 9d4ae723d2e7d..4ee6c424d96b7 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -19,6 +19,8 @@
+ #include <uapi/linux/fou.h>
+ #include <uapi/linux/genetlink.h>
+
++#include "fou_nl.h"
++
+ struct fou {
+ struct socket *sock;
+ u8 protocol;
+@@ -662,20 +664,6 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg)
+
+ static struct genl_family fou_nl_family;
+
+-static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = {
+- [FOU_ATTR_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
+- [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+- [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+- [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
+- [FOU_ATTR_LOCAL_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_V6] = { .len = sizeof(struct in6_addr), },
+- [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
+- [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
+-};
+-
+ static int parse_nl_config(struct genl_info *info,
+ struct fou_cfg *cfg)
+ {
+@@ -767,7 +755,7 @@ static int parse_nl_config(struct genl_info *info,
+ return 0;
+ }
+
+-static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -780,7 +768,7 @@ static int fou_nl_cmd_add_port(struct sk_buff *skb, struct genl_info *info)
+ return fou_create(net, &cfg, NULL);
+ }
+
+-static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_cfg cfg;
+@@ -849,7 +837,7 @@ static int fou_dump_info(struct fou *fou, u32 portid, u32 seq,
+ return -EMSGSIZE;
+ }
+
+-static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -896,7 +884,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
+ return ret;
+ }
+
+-static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
+ {
+ struct net *net = sock_net(skb->sk);
+ struct fou_net *fn = net_generic(net, fou_net_id);
+@@ -919,33 +907,12 @@ static int fou_nl_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ return skb->len;
+ }
+
+-static const struct genl_small_ops fou_nl_ops[] = {
+- {
+- .cmd = FOU_CMD_ADD,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_add_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_DEL,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_rm_port,
+- .flags = GENL_ADMIN_PERM,
+- },
+- {
+- .cmd = FOU_CMD_GET,
+- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+- .doit = fou_nl_cmd_get_port,
+- .dumpit = fou_nl_dump,
+- },
+-};
+-
+ static struct genl_family fou_nl_family __ro_after_init = {
+ .hdrsize = 0,
+ .name = FOU_GENL_NAME,
+ .version = FOU_GENL_VERSION,
+ .maxattr = FOU_ATTR_MAX,
+- .policy = fou_nl_policy,
++ .policy = fou_nl_policy,
+ .netnsok = true,
+ .module = THIS_MODULE,
+ .small_ops = fou_nl_ops,
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+new file mode 100644
+index 0000000000000..6c3820f41dd5d
+--- /dev/null
++++ b/net/ipv4/fou_nl.c
+@@ -0,0 +1,48 @@
++// SPDX-License-Identifier: BSD-3-Clause
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel source */
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include "fou_nl.h"
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
++ [FOU_ATTR_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_AF] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
++ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
++ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_LOCAL_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_V4] = { .type = NLA_U32, },
++ [FOU_ATTR_PEER_V6] = { .len = 16, },
++ [FOU_ATTR_PEER_PORT] = { .type = NLA_U16, },
++ [FOU_ATTR_IFINDEX] = { .type = NLA_S32, },
++};
++
++/* Ops table for fou */
++const struct genl_small_ops fou_nl_ops[3] = {
++ {
++ .cmd = FOU_CMD_ADD,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_add_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_DEL,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_del_doit,
++ .flags = GENL_ADMIN_PERM,
++ },
++ {
++ .cmd = FOU_CMD_GET,
++ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
++ .doit = fou_nl_get_doit,
++ .dumpit = fou_nl_get_dumpit,
++ },
++};
+diff --git a/net/ipv4/fou_nl.h b/net/ipv4/fou_nl.h
+new file mode 100644
+index 0000000000000..b7a68121ce6f7
+--- /dev/null
++++ b/net/ipv4/fou_nl.h
+@@ -0,0 +1,25 @@
++/* SPDX-License-Identifier: BSD-3-Clause */
++/* Do not edit directly, auto-generated from: */
++/* Documentation/netlink/specs/fou.yaml */
++/* YNL-GEN kernel header */
++
++#ifndef _LINUX_FOU_GEN_H
++#define _LINUX_FOU_GEN_H
++
++#include <net/netlink.h>
++#include <net/genetlink.h>
++
++#include <linux/fou.h>
++
++/* Global operation policy for fou */
++extern const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1];
++
++/* Ops table for fou */
++extern const struct genl_small_ops fou_nl_ops[3];
++
++int fou_nl_add_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_del_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_doit(struct sk_buff *skb, struct genl_info *info);
++int fou_nl_get_dumpit(struct sk_buff *skb, struct netlink_callback *cb);
++
++#endif /* _LINUX_FOU_GEN_H */
+--
+2.51.0
+
--- /dev/null
+From 92592adbc021576cfdc4547ccaa524ffc924860b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 7721239c185fb..0a7856e14a975 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From aa3bb937526b67ff81a101b196c5fadf60b9d8a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 0047f35504348..51d962e5113bc 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -375,7 +375,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From 075859af3b3cfb6f904e6ba97bc743bdc8a5e2a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 4753f47ecb87163809abb3e7aa37cf5efc53b357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 09:50:37 -0800
+Subject: netlink: add a proto specification for FOU
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4eb77b4ecd3c5eaab83adf76e67e0a7ed2a24418 ]
+
+FOU has a reasonably modern Genetlink family. Add a spec.
+
+Acked-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 7a9bc9e3f423 ("fou: Don't allow 0 for FOU_ATTR_IPPROTO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 128 +++++++++++++++++++++++++++
+ 1 file changed, 128 insertions(+)
+ create mode 100644 Documentation/netlink/specs/fou.yaml
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+new file mode 100644
+index 0000000000000..266c386eedf3a
+--- /dev/null
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -0,0 +1,128 @@
++name: fou
++
++protocol: genetlink-legacy
++
++doc: |
++ Foo-over-UDP.
++
++c-family-name: fou-genl-name
++c-version-name: fou-genl-version
++max-by-define: true
++kernel-policy: global
++
++definitions:
++ -
++ type: enum
++ name: encap_type
++ name-prefix: fou-encap-
++ enum-name:
++ entries: [ unspec, direct, gue ]
++
++attribute-sets:
++ -
++ name: fou
++ name-prefix: fou-attr-
++ attributes:
++ -
++ name: unspec
++ type: unused
++ -
++ name: port
++ type: u16
++ byte-order: big-endian
++ -
++ name: af
++ type: u8
++ -
++ name: ipproto
++ type: u8
++ -
++ name: type
++ type: u8
++ -
++ name: remcsum_nopartial
++ type: flag
++ -
++ name: local_v4
++ type: u32
++ -
++ name: local_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_v4
++ type: u32
++ -
++ name: peer_v6
++ type: binary
++ checks:
++ min-len: 16
++ -
++ name: peer_port
++ type: u16
++ byte-order: big-endian
++ -
++ name: ifindex
++ type: s32
++
++operations:
++ list:
++ -
++ name: unspec
++ doc: unused
++
++ -
++ name: add
++ doc: Add port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &all_attrs
++ attributes:
++ - port
++ - ipproto
++ - type
++ - remcsum_nopartial
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++ - peer_port
++ - ifindex
++
++ -
++ name: del
++ doc: Delete port.
++ attribute-set: fou
++
++ dont-validate: [ strict, dump ]
++ flags: [ admin-perm ]
++
++ do:
++ request: &select_attrs
++ attributes:
++ - af
++ - ifindex
++ - port
++ - peer_port
++ - local_v4
++ - peer_v4
++ - local_v6
++ - peer_v6
++
++ -
++ name: get
++ doc: Get tunnel info.
++ attribute-set: fou
++ dont-validate: [ strict, dump ]
++
++ do:
++ request: *select_attrs
++ reply: *all_attrs
++
++ dump:
++ reply: *all_attrs
+--
+2.51.0
+
--- /dev/null
+From 764580e1fa027be209700139060850c6e7569e2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 08:47:12 -0800
+Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ]
+
+The RX flowid programming initializes the TCAM mask to all ones, but
+then overwrites it when clearing the MAC DA mask bits. This results
+in losing the intended initialization and may affect other match fields.
+
+Update the code to clear the MAC DA bits using an AND operation, making
+the handling of mask[0] consistent with mask[1], where the field-specific
+bits are cleared after initializing the mask to ~0ULL.
+
+Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index 6da8d8f2a8701..60425e6ce0767 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -265,7 +265,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf,
+
+ req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da);
+ req->mask[0] = ~0ULL;
+- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK;
++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK;
+
+ req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC);
+ req->mask[1] = ~0ULL;
+--
+2.51.0
+
--- /dev/null
+From 5e9a99c28e626004076c814d7e5b9f5bd9cf1668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index beae92ad25bb0..80a6b9fc964e5 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -602,6 +602,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -616,11 +621,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From 042b574cae1694c5f62d3065cc0f95c340762218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:08:53 +0800
+Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique
+ namespace
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ]
+
+Remove PEER_CMD, which is not used in this test
+
+Here is the test result after conversion.
+
+ ]# ./fib-onlink-tests.sh
+ Error: ipv4: FIB table does not exist.
+ Flush terminated
+ Error: ipv6: FIB table does not exist.
+ Flush terminated
+
+ ########################################
+ Configuring interfaces
+
+ ...
+
+ TEST: Gateway resolves to wrong nexthop device - VRF [ OK ]
+
+ Tests passed: 38
+ Tests failed: 0
+
+Acked-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index c287b90b8af80..ec2d6ceb1f08d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -3,6 +3,7 @@
+
+ # IPv4 and IPv6 onlink tests
+
++source lib.sh
+ PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
+ VERBOSE=0
+
+@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254
+ # mcast address
+ MCAST6=ff02::1
+
+-
+-PEER_NS=bart
+-PEER_CMD="ip netns exec ${PEER_NS}"
+ VRF=lisa
+ VRF_TABLE=1101
+ PBR_TABLE=101
+@@ -176,8 +174,7 @@ setup()
+ set -e
+
+ # create namespace
+- ip netns add ${PEER_NS}
+- ip -netns ${PEER_NS} li set lo up
++ setup_ns PEER_NS
+
+ # add vrf table
+ ip li add ${VRF} type vrf table ${VRF_TABLE}
+@@ -219,7 +216,7 @@ setup()
+ cleanup()
+ {
+ # make sure we start from a clean slate
+- ip netns del ${PEER_NS} 2>/dev/null
++ cleanup_ns ${PEER_NS} 2>/dev/null
+ for n in 1 3 5 7; do
+ ip link del ${NETIFS[p${n}]} 2>/dev/null
+ done
+--
+2.51.0
+
--- /dev/null
+From a448636a7d38638fecdb3b032d9f98e06720459e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
testptp-add-option-to-open-phc-in-readonly-mode.patch
arm64-dts-qcom-sc8280xp-add-missing-vdd_mxc-links.patch
btrfs-fix-missing-fields-in-superblock-backup-with-b.patch
+ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch
+ata-libata-introduce-ata_ncq_supported.patch
+ata-libata-cleanup-fua-support-detection.patch
+ata-libata-core-introduce-ata_dev_config_lpm.patch
+ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch
+ata-libata-print-features-also-for-atapi-devices.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+netlink-add-a-proto-specification-for-fou.patch
+net-fou-rename-the-source-for-linking.patch
+net-fou-use-policy-and-operation-tables-generated-fr.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
--- /dev/null
+From faebdb6f9e605bb3c612a2d3b100ac6aab020728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index 32a6d52614242..e6a2492360227 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From aa58ecf7083f2e9be07f7eb7e5f80864a6b05a99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:46 +0100
+Subject: ata: ahci: Do not read the per port area for unimplemented ports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ]
+
+An AHCI HBA specifies the number of ports it supports using CAP.NP.
+The HBA is free to only make a subset of the number of ports available
+using the PI (Ports Implemented) register.
+
+libata currently creates dummy ports for HBA ports that are provided by
+the HBA, but which are marked as "unavailable" using the PI register.
+
+Each port will have a per port area of registers in the HBA, regardless
+if the port is marked as "unavailable" or not.
+
+ahci_mark_external_port() currently reads this per port area of registers
+using readl() to see if the port is marked as external/hotplug-capable.
+
+However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented"
+states: "Software must not read or write to registers within unavailable
+ports."
+
+Thus, make sure that we only call ahci_mark_external_port() and
+ahci_update_initial_lpm_policy() for ports that are implemented.
+
+From a libata perspective, this should not change anything related to LPM,
+as dummy ports do not provide any ap->ops (they do not have a .set_lpm()
+callback), so even if EH were to call .set_lpm() on a dummy port, it was
+already a no-op.
+
+Fixes: f7131935238d ("ata: ahci: move marking of external port earlier")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 944e44caa2606..e78b97fe81708 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -2071,13 +2071,13 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ap->flags & ATA_FLAG_EM)
+ ap->em_message_type = hpriv->em_msg_type;
+
+- ahci_mark_external_port(ap);
+-
+- ahci_update_initial_lpm_policy(ap);
+-
+ /* disabled/not-implemented port */
+- if (!(hpriv->port_map & (1 << i)))
++ if (!(hpriv->port_map & (1 << i))) {
+ ap->ops = &ata_dummy_port_ops;
++ } else {
++ ahci_mark_external_port(ap);
++ ahci_update_initial_lpm_policy(ap);
++ }
+ }
+
+ /* apply workaround for ASUS P5W DH Deluxe mainboard */
+--
+2.51.0
+
--- /dev/null
+From 867ef1820489468ef8e967923a925b612c2e86a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:49 +0100
+Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ]
+
+ata_dev_print_features() is supposed to return early and not print anything
+if there are no features supported.
+
+However, commit fe22e1c2f705 ("libata: support concurrent positioning
+ranges log") added another feature to ata_dev_print_features() without
+updating the early return conditional.
+
+Add the missing feature to the early return conditional.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 802967eabc344..864248ff1faf9 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2803,7 +2803,7 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK))
++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+ return;
+
+ ata_dev_info(dev,
+--
+2.51.0
+
--- /dev/null
+From 25f70641db26591e0fd171b920cdbbb96a1d507b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:47 +0100
+Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ]
+
+Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+introduced ata_dev_config_lpm(). However, it only called this function for
+ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices.
+
+Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk
+settings to ata_dev_config_lpm()") moved the LPM quirk application from
+ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI
+devices to no longer be applied.
+
+Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are
+applied for ATAPI devices with an entry in __ata_dev_quirks once again.
+
+Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index cdb41b66bff2b..fba5166168978 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3073,6 +3073,8 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_mode_string(xfer_mask),
+ cdb_intr_string, atapi_an_string,
+ dma_dir_string);
++
++ ata_dev_config_lpm(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 764895a55b39534218f482ef443e1e3b9e2afe8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:53:12 +0900
+Subject: ata: libata-core: Introduce ata_dev_config_lpm()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ]
+
+If the port of a device does not support Device Initiated Power
+Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM,
+the DIPM feature of a device should not be used. Though DIPM is disabled
+by default on a device, the "Software Settings Preservation feature"
+may keep DIPM enabled or DIPM may have been enabled by the system
+firmware.
+
+Introduce the function ata_dev_config_lpm() to always disable DIPM on a
+device that supports this feature if the port of the device is flagged
+with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from
+ata_dev_configure(), ensuring that a device DIPM feature is disabled
+when it cannot be used.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 864248ff1faf9..cdb41b66bff2b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2801,6 +2801,30 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+ kfree(buf);
+ }
+
++/*
++ * Configure features related to link power management.
++ */
++static void ata_dev_config_lpm(struct ata_device *dev)
++{
++ struct ata_port *ap = dev->link->ap;
++ unsigned int err_mask;
++
++ /*
++ * Device Initiated Power Management (DIPM) is normally disabled by
++ * default on a device. However, DIPM may have been enabled and that
++ * setting kept even after COMRESET because of the Software Settings
++ * Preservation feature. So if the port does not support DIPM and the
++ * device does, disable DIPM on the device.
++ */
++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) {
++ err_mask = ata_dev_set_feature(dev,
++ SETFEATURES_SATA_DISABLE, SATA_DIPM);
++ if (err_mask && err_mask != AC_ERR_DEV)
++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n",
++ err_mask);
++ }
++}
++
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+@@ -2974,6 +2998,7 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_dev_config_chs(dev);
+ }
+
++ ata_dev_config_lpm(dev);
+ ata_dev_config_fua(dev);
+ ata_dev_config_devslp(dev);
+ ata_dev_config_sense_reporting(dev);
+--
+2.51.0
+
--- /dev/null
+From bca069a8e73fe0030b36eb5e23e9601fb68a5288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:51 +0100
+Subject: ata: libata: Print features also for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ]
+
+Commit d633b8a702ab ("libata: print feature list on device scan")
+added a print of the features supported by the device for ATA_DEV_ATA and
+ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices.
+
+Fix this by printing the features also for ATAPI devices.
+
+Before changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+
+After changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+ata1.00: Features: Dev-Attention HIPM DIPM
+
+Fixes: d633b8a702ab ("libata: print feature list on device scan")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index fba5166168978..33454d01c2044 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3075,6 +3075,9 @@ int ata_dev_configure(struct ata_device *dev)
+ dma_dir_string);
+
+ ata_dev_config_lpm(dev);
++
++ if (print_info)
++ ata_dev_print_features(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 574fdd81c3928e1848a0f30a5513801cb5a439b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:48 +0100
+Subject: ata: libata-sata: Improve link_power_management_supported sysfs
+ attribute
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ]
+
+The link_power_management_supported sysfs attribute is currently set as
+true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports.
+
+This is a bit silly, because while writing to the
+link_power_management_policy sysfs attribute will make ata_scsi_lpm_store()
+update ap->target_lpm_policy (thus sysfs will reflect the new value) and
+call ata_port_schedule_eh() for the port, it is essentially a no-op.
+
+This is because for a port without a .set_lpm() callback, once EH gets to
+run, the ata_eh_link_set_lpm() will simply return, since the port does not
+provide a .set_lpm() callback.
+
+Thus, make sure that the link_power_management_supported sysfs attribute
+is set to false for ports that lack a .set_lpm() callback. This way the
+link_power_management_policy sysfs attribute will no longer be writable,
+so we will no longer be misleading users to think that their sysfs write
+actually does something.
+
+Fixes: 0060beec0bfa ("ata: libata-sata: Add link_power_management_supported sysfs attribute")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
+index cad3855373cb1..5fbbdf6f87e34 100644
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -909,7 +909,7 @@ static bool ata_scsi_lpm_supported(struct ata_port *ap)
+ struct ata_link *link;
+ struct ata_device *dev;
+
+- if (ap->flags & ATA_FLAG_NO_LPM)
++ if ((ap->flags & ATA_FLAG_NO_LPM) || !ap->ops->set_lpm)
+ return false;
+
+ ata_for_each_link(link, ap, EDGE) {
+--
+2.51.0
+
--- /dev/null
+From b6d14502320935940e320905349680f690afbd17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:12:01 +0000
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index f17a170d1be47..6f87d7e29e19b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2017,6 +2017,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
++ "8023AD mode requires Ethernet devices");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+--
+2.51.0
+
--- /dev/null
+From 3b99d7e48abd5374b072d2ecd2138c911c6cf577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 14:10:10 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
+ usb_submit_urb() error
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
+
+In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
+URB memory leak"), the URB was re-anchored before usb_submit_urb() in
+gs_usb_receive_bulk_callback() to prevent a leak of this URB during
+cleanup.
+
+However, this patch did not take into account that usb_submit_urb() could
+fail. The URB remains anchored and
+usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
+infinitely since the anchor list never becomes empty.
+
+To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
+also print an info message.
+
+Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index 1aa2f99f92b20..e63e77f21801c 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -751,6 +751,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ usb_anchor_urb(urb, &parent->rx_submitted);
+
+ rc = usb_submit_urb(urb, GFP_ATOMIC);
++ if (!rc)
++ return;
++
++ usb_unanchor_urb(urb);
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
+@@ -759,6 +763,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ if (parent->canch[rc])
+ netif_device_detach(parent->canch[rc]->netdev);
+ }
++ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
++ ERR_PTR(urb->status));
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 9822c82e5e3b7005ac0d73cd42c64b8b95b194cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index 2cc933e2f7901..e08032e80f188 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -185,6 +185,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -275,6 +278,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst) {
+--
+2.51.0
+
--- /dev/null
+From 1073f8b0d85b37d3d7e3bb49401bb7ae2f659d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 0af5ab842c04d..91721ee406413 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -39,6 +39,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 98b90107b5abc..bbd955f4c9d19 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_U16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From 70be1d8653838b83730f3e434c2e9114e7d44af1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index 3e30745e2c09a..0e173998f1d7a 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From ff60f3f938363419a27d87f6d4739a6b5ee365ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 09:58:26 -0800
+Subject: ice: Avoid detrimental cleanup for bond during interface stop
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ]
+
+When the user issues an administrative down to an interface that is the
+primary for an aggregate bond, the prune lists are being purged. This
+breaks communication to the secondary interface, which shares a prune
+list on the main switch block while bonded together.
+
+For the primary interface of an aggregate, avoid deleting these prune
+lists during stop, and since they are hardcoded to specific values for
+the default vlan and QinQ vlans, the attempt to re-add them during the
+up phase will quietly fail without any additional problem.
+
+Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface")
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 8f8bdc3072ccc..4e022de9e4bbd 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -3746,22 +3746,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi)
+ int ice_vsi_del_vlan_zero(struct ice_vsi *vsi)
+ {
+ struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);
++ struct ice_pf *pf = vsi->back;
+ struct ice_vlan vlan;
+ int err;
+
+- vlan = ICE_VLAN(0, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n");
++ } else {
++ vlan = ICE_VLAN(0, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* in SVM both VLAN 0 filters are identical */
+ if (!ice_is_dvm_ena(&vsi->back->hw))
+ return 0;
+
+- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n");
++ } else {
++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* when deleting the last VLAN filter, make sure to disable the VLAN
+ * promisc mode so the filter isn't left by accident
+--
+2.51.0
+
--- /dev/null
+From 33ccf859a3176a0f1ad0c72257ec5b3f675d6af7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Dec 2025 21:46:09 +0800
+Subject: ice: Fix incorrect timeout ice_release_res()
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit 01139a2ce532d77379e1593230127caa261a8036 ]
+
+The commit 5f6df173f92e ("ice: implement and use rd32_poll_timeout for
+ice_sq_done timeout") converted ICE_CTL_Q_SQ_CMD_TIMEOUT from jiffies
+to microseconds.
+
+But the ice_release_res() function was missed, and its logic still
+treats ICE_CTL_Q_SQ_CMD_TIMEOUT as a jiffies value.
+
+So correct the issue by usecs_to_jiffies().
+
+Found by inspection of the DDP downloading process.
+Compile and modprobe tested only.
+
+Fixes: 5f6df173f92e ("ice: implement and use rd32_poll_timeout for ice_sq_done timeout")
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
+index 068a467de1d56..36b3912761870 100644
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -1951,7 +1951,7 @@ void ice_release_res(struct ice_hw *hw, enum ice_aq_res_ids res)
+ /* there are some rare cases when trying to release the resource
+ * results in an admin queue timeout, so handle them correctly
+ */
+- timeout = jiffies + 10 * ICE_CTL_Q_SQ_CMD_TIMEOUT;
++ timeout = jiffies + 10 * usecs_to_jiffies(ICE_CTL_Q_SQ_CMD_TIMEOUT);
+ do {
+ status = ice_aq_release_res(hw, res, 0, NULL);
+ if (status != -EIO)
+--
+2.51.0
+
--- /dev/null
+From df49d6632f7c3145ad38992627d5000557831471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 12:20:41 -0800
+Subject: ice: initialize ring_stats->syncp
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ]
+
+The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit
+systems it contains a seqcount_t which needs to be initialized. While the
+memory is zero-initialized, a lack of u64_stats_init means that lockdep
+won't get initialized properly. Fix this by adding u64_stats_init() calls
+to the rings just after allocation.
+
+Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 8961eebe67aa2..8f8bdc3072ccc 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -394,6 +394,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(tx_ring_stats[i], ring_stats);
+ }
+
+@@ -413,6 +415,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(rx_ring_stats[i], ring_stats);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 383c43bc60db7e99e3dff98146efed6c12da234a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Nov 2025 18:53:04 +0800
+Subject: igc: fix race condition in TX timestamp read for register 0
+
+From: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+
+[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ]
+
+The current HW bug workaround checks the TXTT_0 ready bit first,
+then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0)
+to detect whether a new timestamp was captured by timestamp
+register 0 during the workaround.
+
+This sequence has a race: if a new timestamp is captured after
+checking the TXTT_0 bit but before the first TXSTMPL_0 read, the
+detection fails because both the "old" and "new" values come from
+the same timestamp.
+
+Fix by reading TXSTMPL_0 first to establish a baseline, then
+checking the TXTT_0 bit. This ensures any timestamp captured
+during the race window will be detected.
+
+Old sequence:
+ 1. Check TXTT_0 ready bit
+ 2. Read TXSTMPL_0 (baseline)
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+New sequence:
+ 1. Read TXSTMPL_0 (baseline)
+ 2. Check TXTT_0 ready bit
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps")
+Suggested-by: Avi Shalev <avi.shalev@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Co-developed-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++----------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index efc7b30e42113..a272d1a29eadb 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -785,36 +785,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter,
+ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+ {
+ struct igc_hw *hw = &adapter->hw;
++ u32 txstmpl_old;
+ u64 regval;
+ u32 mask;
+ int i;
+
++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0.
++ * This baseline is used to detect if a new timestamp arrives in
++ * register 0 during the hardware bug workaround below.
++ */
++ txstmpl_old = rd32(IGC_TXSTMPL);
++
+ mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY;
+ if (mask & IGC_TSYNCTXCTL_TXTT_0) {
+ regval = rd32(IGC_TXSTMPL);
+ regval |= (u64)rd32(IGC_TXSTMPH) << 32;
+ } else {
+- /* There's a bug in the hardware that could cause
+- * missing interrupts for TX timestamping. The issue
+- * is that for new interrupts to be triggered, the
+- * IGC_TXSTMPH_0 register must be read.
++ /* TXTT_0 not set - register 0 has no new timestamp initially.
++ *
++ * Hardware bug: Future timestamp interrupts won't fire unless
++ * TXSTMPH_0 is read, even if the timestamp was captured in
++ * registers 1-3.
+ *
+- * To avoid discarding a valid timestamp that just
+- * happened at the "wrong" time, we need to confirm
+- * that there was no timestamp captured, we do that by
+- * assuming that no two timestamps in sequence have
+- * the same nanosecond value.
++ * Workaround: Read TXSTMPH_0 here to enable future interrupts.
++ * However, this read clears TXTT_0. If a timestamp arrives in
++ * register 0 after checking TXTT_0 but before this read, it
++ * would be lost.
+ *
+- * So, we read the "low" register, read the "high"
+- * register (to latch a new timestamp) and read the
+- * "low" register again, if "old" and "new" versions
+- * of the "low" register are different, a valid
+- * timestamp was captured, we can read the "high"
+- * register again.
++ * To detect this race: We saved a baseline read of TXSTMPL_0
++ * before TXTT_0 check. After performing the workaround read of
++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive
++ * timestamps never share the same nanosecond value, a change
++ * between the baseline and new TXSTMPL_0 indicates a timestamp
++ * arrived during the race window. If so, read the complete
++ * timestamp.
+ */
+- u32 txstmpl_old, txstmpl_new;
++ u32 txstmpl_new;
+
+- txstmpl_old = rd32(IGC_TXSTMPL);
+ rd32(IGC_TXSTMPH);
+ txstmpl_new = rd32(IGC_TXSTMPL);
+
+@@ -829,7 +836,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+
+ done:
+ /* Now that the problematic first register was handled, we can
+- * use retrieve the timestamps from the other registers
++ * retrieve the timestamps from the other registers
+ * (starting from '1') with less complications.
+ */
+ for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
+--
+2.51.0
+
--- /dev/null
+From 9823ddc43cc0310af6678988c731f0fd23d97abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 09:18:29 +0100
+Subject: igc: Restore default Qbv schedule when changing channels
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit 41a9a6826f20a524242a6c984845c4855f629841 ]
+
+The Multi-queue Priority (MQPRIO) and Earliest TxTime First (ETF) offloads
+utilize the Time Sensitive Networking (TSN) Tx mode. This mode is always
+coupled to IEEE 802.1Qbv time aware shaper (Qbv). Therefore, the driver
+sets a default Qbv schedule of all gates opened and a cycle time of
+1s. This schedule is set during probe.
+
+However, the following sequence of events lead to Tx issues:
+
+ - Boot a dual core system
+ igc_probe():
+ igc_tsn_clear_schedule():
+ -> Default Schedule is set
+ Note: At this point the driver has allocated two Tx/Rx queues, because
+ there are only two CPUs.
+
+ - ethtool -L enp3s0 combined 4
+ igc_ethtool_set_channels():
+ igc_reinit_queues()
+ -> Default schedule is gone, per Tx ring start and end time are zero
+
+ - tc qdisc replace dev enp3s0 handle 100 parent root mqprio \
+ num_tc 4 map 3 3 2 2 0 1 1 1 3 3 3 3 3 3 3 3 \
+ queues 1@0 1@1 1@2 1@3 hw 1
+ igc_tsn_offload_apply():
+ igc_tsn_enable_offload():
+ -> Writes zeros to IGC_STQT(i) and IGC_ENDQT(i), causing Tx to stall/fail
+
+Therefore, restore the default Qbv schedule after changing the number of
+channels.
+
+Furthermore, add a restriction to not allow queue reconfiguration when
+TSN/Qbv is enabled, because it may lead to inconsistent states.
+
+Fixes: c814a2d2d48f ("igc: Use default cycle 'start' and 'end' values for queues")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 ++--
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index 5b0c6f4337679..f4179b814eafc 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1540,8 +1540,8 @@ static int igc_ethtool_set_channels(struct net_device *netdev,
+ if (ch->other_count != NON_Q_VECTORS)
+ return -EINVAL;
+
+- /* Do not allow channel reconfiguration when mqprio is enabled */
+- if (adapter->strict_priority_enable)
++ /* Do not allow channel reconfiguration when any TSN qdisc is enabled */
++ if (adapter->flags & IGC_FLAG_TSN_ANY_ENABLED)
+ return -EINVAL;
+
+ /* Verify the number of channels doesn't exceed hw limits */
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 9ba41a427e141..18dad521aefcc 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -7582,6 +7582,11 @@ int igc_reinit_queues(struct igc_adapter *adapter)
+ if (netif_running(netdev))
+ err = igc_open(netdev);
+
++ if (!err) {
++ /* Restore default IEEE 802.1Qbv schedule after queue reinit */
++ igc_tsn_clear_schedule(adapter);
++ }
++
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 706e732cbb85b1d5acfa2b8221597a7388c6a2d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 025e0c19ec255..fce3ced90bd3d 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 83bd65a227709..268ea41a17d52 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index ee2c3cf4df365..bce52c743f0e8 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -180,6 +181,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -188,10 +190,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -205,10 +207,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -576,7 +578,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -654,13 +655,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_free(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -808,6 +809,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -838,16 +841,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -869,14 +872,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -915,21 +918,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -937,14 +943,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -986,21 +992,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From 1ecaf032a3ff4f9c0cbf3dba6fb3efa653858a8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 61fe27d71c230..95060ff7adc5f 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1416,8 +1416,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1425,6 +1423,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From ab18b3b8dca7550c571a6977b8c4877b787e0670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 18:54:44 +0000
+Subject: l2tp: Fix memleak in l2tp_udp_encap_recv().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 4d10edfd1475b69dbd4c47f34b61a3772ece83ca ]
+
+syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
+sock, etc. [0]
+
+The cited commit moved down the validation of the protocol
+version in l2tp_udp_encap_recv().
+
+The new place requires an extra error handling to avoid the
+memleak.
+
+Let's call l2tp_session_put() there.
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff88810a290200 (size 512):
+ comm "syz.0.17", pid 6086, jiffies 4294944299
+ hex dump (first 32 bytes):
+ 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc babb6a4f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ __do_kmalloc_node mm/slub.c:5656 [inline]
+ __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
+ kmalloc_noprof include/linux/slab.h:961 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778
+ pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755
+ __sys_connect_file+0x7a/0xb0 net/socket.c:2089
+ __sys_connect+0xde/0x110 net/socket.c:2108
+ __do_sys_connect net/socket.c:2114 [inline]
+ __se_sys_connect net/socket.c:2111 [inline]
+ __x64_sys_connect+0x1c/0x30 net/socket.c:2111
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple")
+Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260113185446.2533333-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 369a2f2e459cd..61fe27d71c230 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ tunnel = session->tunnel;
+
+ /* Check protocol version */
+- if (version != tunnel->version)
++ if (version != tunnel->version) {
++ l2tp_session_put(session);
+ goto invalid;
++ }
+
+ if (version == L2TP_HDR_VER_3 &&
+ l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
+--
+2.51.0
+
--- /dev/null
+From 5b5592730b9f2879ef25a6d249d92843f007b77d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 8badec6d82a24..6e4bdaa876ed6 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From 51aedbde7588d510ad80da0a754bcb292253512a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index d8dabc1a620bd..c7c8e8dde31d1 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From b7b96963ea85c454272127a2a03ee9c0815d63bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 073bcc2aa41cf98d9612aa7f042fb52c094753f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 08:47:12 -0800
+Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ]
+
+The RX flowid programming initializes the TCAM mask to all ones, but
+then overwrites it when clearing the MAC DA mask bits. This results
+in losing the intended initialization and may affect other match fields.
+
+Update the code to clear the MAC DA bits using an AND operation, making
+the handling of mask[0] consistent with mask[1], where the field-specific
+bits are cleared after initializing the mask to ~0ULL.
+
+Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index 74953f67a2bf9..3af58bc9f533c 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -330,7 +330,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf,
+
+ req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da);
+ req->mask[0] = ~0ULL;
+- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK;
++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK;
+
+ req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC);
+ req->mask[1] = ~0ULL;
+--
+2.51.0
+
--- /dev/null
+From c7af868174019716eb50f491452c26dbdeec339a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index dc66dff33d6d4..966bd6a44594a 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -603,6 +603,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -617,11 +622,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From acd06a4061854f627dd7b90635e645db6ae63848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
arm64-dts-qcom-sc8280xp-add-missing-vdd_mxc-links.patch
drivers-hv-always-do-hyper-v-panic-notification-in-h.patch
btrfs-fix-missing-fields-in-superblock-backup-with-b.patch
+ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch
+ata-libata-sata-improve-link_power_management_suppor.patch
+ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch
+ata-libata-core-introduce-ata_dev_config_lpm.patch
+ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch
+ata-libata-print-features-also-for-atapi-devices.patch
+ice-initialize-ring_stats-syncp.patch
+ice-avoid-detrimental-cleanup-for-bond-during-interf.patch
+ice-fix-incorrect-timeout-ice_release_res.patch
+igc-restore-default-qbv-schedule-when-changing-chann.patch
+igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch
+vsock-virtio-coalesce-only-linear-skb.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+veth-fix-data-race-in-veth_get_ethtool_stats.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
+wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch
--- /dev/null
+From 3e0c9ab61f31368d397b58140ef4f82ddb782ff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:47 +0000
+Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ]
+
+If grep.lineNumber is enabled in .gitconfig,
+
+ [grep]
+ lineNumber = true
+
+ynl-regen.sh fails with the following error:
+
+ $ ./tools/net/ynl/ynl-regen.sh -f
+ ...
+ ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi)
+ GEN 4: net/ipv4/fou_nl.c
+
+Let's specify --no-line-number explicitly.
+
+Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/ynl-regen.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh
+index a37304dcc88e1..7bfe773dce1bf 100755
+--- a/tools/net/ynl/ynl-regen.sh
++++ b/tools/net/ynl/ynl-regen.sh
+@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)')
+ for f in $files; do
+ # params: 0 1 2 3
+ # $YAML YNL-GEN kernel $mode
+- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
+ args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f)
+
+ if [ $f -nt ${params[0]} -a -z "$force" ]; then
+--
+2.51.0
+
--- /dev/null
+From 1c95764aa9d2297e9f6af50d7173a2bc385b90d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 20:24:45 +0800
+Subject: veth: fix data race in veth_get_ethtool_stats
+
+From: David Yang <mmyangfl@gmail.com>
+
+[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ]
+
+In veth_get_ethtool_stats(), some statistics protected by
+u64_stats_sync, are read and accumulated in ignorance of possible
+u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and
+peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix
+this by reading them into a temporary buffer first.
+
+Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting")
+Signed-off-by: David Yang <mmyangfl@gmail.com>
+Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 4ff0d4232914f..77e4b0d1ca557 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -227,16 +227,20 @@ static void veth_get_ethtool_stats(struct net_device *dev,
+ const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats;
+ const void *base = (void *)&rq_stats->vs;
+ unsigned int start, tx_idx = idx;
++ u64 buf[VETH_TQ_STATS_LEN];
+ size_t offset;
+
+- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
+ do {
+ start = u64_stats_fetch_begin(&rq_stats->syncp);
+ for (j = 0; j < VETH_TQ_STATS_LEN; j++) {
+ offset = veth_tq_stats_desc[j].offset;
+- data[tx_idx + j] += *(u64 *)(base + offset);
++ buf[j] = *(u64 *)(base + offset);
+ }
+ } while (u64_stats_fetch_retry(&rq_stats->syncp, start));
++
++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
++ for (j = 0; j < VETH_TQ_STATS_LEN; j++)
++ data[tx_idx + j] += buf[j];
+ }
+ pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN;
+
+--
+2.51.0
+
--- /dev/null
+From 173a22c3509a43dee477a9d0d62e622a436a1619 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 16:08:18 +0100
+Subject: vsock/virtio: Coalesce only linear skb
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 0386bd321d0f95d041a7b3d7b07643411b044a96 ]
+
+vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb
+(with a spare tail room) is followed by a small skb (length limited by
+GOOD_COPY_LEN = 128), an attempt is made to join them.
+
+Since the introduction of MSG_ZEROCOPY support, assumption that a small skb
+will always be linear is incorrect. In the zerocopy case, data is lost and
+the linear skb is appended with uninitialized kernel memory.
+
+Of all 3 supported virtio-based transports, only loopback-transport is
+affected. G2H virtio-transport rx queue operates on explicitly linear skbs;
+see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G
+vhost-transport may allocate non-linear skbs, but only for sizes that are
+not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in
+virtio_vsock_alloc_skb().
+
+Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0
+guarantees last_skb is linear.
+
+Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260113-vsock-recv-coalescence-v2-1-552b17837cf4@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index 2c9b1011cdcc8..4e8a9771a04d6 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1374,9 +1374,11 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk,
+
+ /* Try to copy small packets into the buffer of last packet queued,
+ * to avoid wasting memory queueing the entire buffer with a small
+- * payload.
++ * payload. Skip non-linear (e.g. zerocopy) skbs; these carry payload
++ * in skb_shinfo.
+ */
+- if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue)) {
++ if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue) &&
++ !skb_is_nonlinear(skb)) {
+ struct virtio_vsock_hdr *last_hdr;
+ struct sk_buff *last_skb;
+
+--
+2.51.0
+
--- /dev/null
+From 7cce5ce90d69fd68b0a081328379d8b4a61d3b38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 14:11:21 +1100
+Subject: wifi: mac80211: don't perform DA check on S1G beacon
+
+From: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+
+[ Upstream commit 5dc6975566f5d142ec53eb7e97af688c45dd314d ]
+
+S1G beacons don't contain the DA field as per IEEE80211-2024 9.3.4.3,
+so the DA broadcast check reads the SA address of the S1G beacon which
+will subsequently lead to the beacon being dropped. As a result, passive
+scanning is not possible. Fix this by only performing the check on
+non-S1G beacons to allow S1G long beacons to be processed during a
+passive scan.
+
+Fixes: ddf82e752f8a ("wifi: mac80211: Allow beacons to update BSS table regardless of scan")
+Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+Link: https://patch.msgid.link/20260120031122.309942-1-lachlan.hodges@morsemicro.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/scan.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
+index ce6d5857214eb..8675d2e99c564 100644
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -327,8 +327,13 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb)
+ mgmt->da))
+ return;
+ } else {
+- /* Beacons are expected only with broadcast address */
+- if (!is_broadcast_ether_addr(mgmt->da))
++ /*
++ * Non-S1G beacons are expected only with broadcast address.
++ * S1G beacons only carry the SA so no DA check is required
++ * nor possible.
++ */
++ if (!ieee80211_is_s1g_beacon(mgmt->frame_control) &&
++ !is_broadcast_ether_addr(mgmt->da))
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From c9524e3725ba3ad2d715393d573b26fed68c1a32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index 4dc631af79332..ba5e728ae6308 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -1823,7 +1823,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2277,9 +2277,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From e76b6e9fa0fd3ca6282537ad77bc2ef4c17939e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:46 +0100
+Subject: ata: ahci: Do not read the per port area for unimplemented ports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ]
+
+An AHCI HBA specifies the number of ports it supports using CAP.NP.
+The HBA is free to only make a subset of the number of ports available
+using the PI (Ports Implemented) register.
+
+libata currently creates dummy ports for HBA ports that are provided by
+the HBA, but which are marked as "unavailable" using the PI register.
+
+Each port will have a per port area of registers in the HBA, regardless
+if the port is marked as "unavailable" or not.
+
+ahci_mark_external_port() currently reads this per port area of registers
+using readl() to see if the port is marked as external/hotplug-capable.
+
+However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented"
+states: "Software must not read or write to registers within unavailable
+ports."
+
+Thus, make sure that we only call ahci_mark_external_port() and
+ahci_update_initial_lpm_policy() for ports that are implemented.
+
+From a libata perspective, this should not change anything related to LPM,
+as dummy ports do not provide any ap->ops (they do not have a .set_lpm()
+callback), so even if EH were to call .set_lpm() on a dummy port, it was
+already a no-op.
+
+Fixes: f7131935238d ("ata: ahci: move marking of external port earlier")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 7a7f88b3fa2b1..931d0081169b9 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -2094,13 +2094,13 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ap->flags & ATA_FLAG_EM)
+ ap->em_message_type = hpriv->em_msg_type;
+
+- ahci_mark_external_port(ap);
+-
+- ahci_update_initial_lpm_policy(ap);
+-
+ /* disabled/not-implemented port */
+- if (!(hpriv->port_map & (1 << i)))
++ if (!(hpriv->port_map & (1 << i))) {
+ ap->ops = &ata_dummy_port_ops;
++ } else {
++ ahci_mark_external_port(ap);
++ ahci_update_initial_lpm_policy(ap);
++ }
+ }
+
+ /* apply workaround for ASUS P5W DH Deluxe mainboard */
+--
+2.51.0
+
--- /dev/null
+From 8e1e327136aba08009c1664512ef8eb8824e7786 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:49 +0100
+Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ]
+
+ata_dev_print_features() is supposed to return early and not print anything
+if there are no features supported.
+
+However, commit fe22e1c2f705 ("libata: support concurrent positioning
+ranges log") added another feature to ata_dev_print_features() without
+updating the early return conditional.
+
+Add the missing feature to the early return conditional.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 0a21804b133a4..490cc0d628d3b 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2872,7 +2872,7 @@ static void ata_dev_config_lpm(struct ata_device *dev)
+
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK))
++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+ return;
+
+ ata_dev_info(dev,
+--
+2.51.0
+
--- /dev/null
+From c72c3d384da322db202e64bb05fc2c7f72e05053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:50 +0100
+Subject: ata: libata: Add DIPM and HIPM to ata_dev_print_features() early
+ return
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 89531b68fc293e91187bf0992147e8d22c65cff3 ]
+
+ata_dev_print_features() is supposed to return early and not print anything
+if there are no features supported.
+
+However, commit b1f5af54f1f5 ("ata: libata-core: Advertize device support
+for DIPM and HIPM features") added additional features to
+ata_dev_print_features() without updating the early return conditional.
+
+Add the missing features to the early return conditional.
+
+Fixes: b1f5af54f1f5 ("ata: libata-core: Advertize device support for DIPM and HIPM features")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 490cc0d628d3b..c41714bea77e8 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2872,7 +2872,8 @@ static void ata_dev_config_lpm(struct ata_device *dev)
+
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log &&
++ !ata_id_has_hipm(dev->id) && !ata_id_has_dipm(dev->id))
+ return;
+
+ ata_dev_info(dev,
+--
+2.51.0
+
--- /dev/null
+From 8df3d6d66c279663f8281a35f142368f3fe70764 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:47 +0100
+Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ]
+
+Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+introduced ata_dev_config_lpm(). However, it only called this function for
+ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices.
+
+Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk
+settings to ata_dev_config_lpm()") moved the LPM quirk application from
+ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI
+devices to no longer be applied.
+
+Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are
+applied for ATAPI devices with an entry in __ata_dev_quirks once again.
+
+Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 1216b4f2eb904..0a21804b133a4 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3116,6 +3116,8 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_mode_string(xfer_mask),
+ cdb_intr_string, atapi_an_string,
+ dma_dir_string);
++
++ ata_dev_config_lpm(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 68e42d6aa101896b7d3a3f25cdb299468a6d8b8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:51 +0100
+Subject: ata: libata: Print features also for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ]
+
+Commit d633b8a702ab ("libata: print feature list on device scan")
+added a print of the features supported by the device for ATA_DEV_ATA and
+ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices.
+
+Fix this by printing the features also for ATAPI devices.
+
+Before changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+
+After changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+ata1.00: Features: Dev-Attention HIPM DIPM
+
+Fixes: d633b8a702ab ("libata: print feature list on device scan")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index c41714bea77e8..699919e4579e1 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3119,6 +3119,9 @@ int ata_dev_configure(struct ata_device *dev)
+ dma_dir_string);
+
+ ata_dev_config_lpm(dev);
++
++ if (print_info)
++ ata_dev_print_features(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 257bb1b74f9ab50ff2c05b9b4d8141b8acbeee65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:48 +0100
+Subject: ata: libata-sata: Improve link_power_management_supported sysfs
+ attribute
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ]
+
+The link_power_management_supported sysfs attribute is currently set as
+true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports.
+
+This is a bit silly, because while writing to the
+link_power_management_policy sysfs attribute will make ata_scsi_lpm_store()
+update ap->target_lpm_policy (thus sysfs will reflect the new value) and
+call ata_port_schedule_eh() for the port, it is essentially a no-op.
+
+This is because for a port without a .set_lpm() callback, once EH gets to
+run, the ata_eh_link_set_lpm() will simply return, since the port does not
+provide a .set_lpm() callback.
+
+Thus, make sure that the link_power_management_supported sysfs attribute
+is set to false for ports that lack a .set_lpm() callback. This way the
+link_power_management_policy sysfs attribute will no longer be writable,
+so we will no longer be misleading users to think that their sysfs write
+actually does something.
+
+Fixes: 0060beec0bfa ("ata: libata-sata: Add link_power_management_supported sysfs attribute")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
+index b2817a2995d6b..04e1e774645e2 100644
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -909,7 +909,7 @@ static bool ata_scsi_lpm_supported(struct ata_port *ap)
+ struct ata_link *link;
+ struct ata_device *dev;
+
+- if (ap->flags & ATA_FLAG_NO_LPM)
++ if ((ap->flags & ATA_FLAG_NO_LPM) || !ap->ops->set_lpm)
+ return false;
+
+ ata_for_each_link(link, ap, EDGE) {
+--
+2.51.0
+
--- /dev/null
+From fba41d9ebc13a8cfd2c3a44b2242051814aa989e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:12:01 +0000
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 5abef8a3b7758..c66cb2d43dcf1 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1953,6 +1953,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
++ "8023AD mode requires Ethernet devices");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+--
+2.51.0
+
--- /dev/null
+From bd99d5eb5a41c847b628e77e94ca509ce7f56321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 14:10:10 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
+ usb_submit_urb() error
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
+
+In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
+URB memory leak"), the URB was re-anchored before usb_submit_urb() in
+gs_usb_receive_bulk_callback() to prevent a leak of this URB during
+cleanup.
+
+However, this patch did not take into account that usb_submit_urb() could
+fail. The URB remains anchored and
+usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
+infinitely since the anchor list never becomes empty.
+
+To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
+also print an info message.
+
+Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index b14b132ad8e6a..fd7fb21b10989 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -754,6 +754,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ usb_anchor_urb(urb, &parent->rx_submitted);
+
+ rc = usb_submit_urb(urb, GFP_ATOMIC);
++ if (!rc)
++ return;
++
++ usb_unanchor_urb(urb);
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
+@@ -762,6 +766,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ if (parent->canch[rc])
+ netif_device_detach(parent->canch[rc]->netdev);
+ }
++ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
++ ERR_PTR(urb->status));
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 5dd6eea975f1e60103153fd8b1a2d31a720648ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index d1bf0fda3f2ef..542a978663b9e 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -169,6 +169,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -256,6 +259,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst)
+--
+2.51.0
+
--- /dev/null
+From 9356bdc73af15f74a402704622b4710fec692855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Dec 2025 18:36:20 +0100
+Subject: dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ]
+
+Not sure how useful it's gonna be in practice, but the definition is
+missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it
+to allow the driver to create the corresponding pmdomain.
+
+Fixes: dbfb5f94e084 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains")
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/power/qcom,rpmhpd.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
+index 73cceb88953f7..269b73ff866a8 100644
+--- a/include/dt-bindings/power/qcom,rpmhpd.h
++++ b/include/dt-bindings/power/qcom,rpmhpd.h
+@@ -261,5 +261,6 @@
+ #define SC8280XP_NSP 13
+ #define SC8280XP_QPHY 14
+ #define SC8280XP_XO 15
++#define SC8280XP_MXC_AO 16
+
+ #endif
+--
+2.51.0
+
--- /dev/null
+From 6f7c40c88c06abec7a111976f5ffdff9bb3d386d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 8e7974ec453fc..331f1b342b3ad 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -39,6 +39,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 506260b4a4dc2..9ff7797ef7c4f 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_BE16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From b198e8a953e24141b6f8b0701897d47f52fdb653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index 3970b6b7ace53..ab8f309f8925d 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From 1975cdc2e2797170d8f26d61eef97e4c9b38b05a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 09:58:26 -0800
+Subject: ice: Avoid detrimental cleanup for bond during interface stop
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ]
+
+When the user issues an administrative down to an interface that is the
+primary for an aggregate bond, the prune lists are being purged. This
+breaks communication to the secondary interface, which shares a prune
+list on the main switch block while bonded together.
+
+For the primary interface of an aggregate, avoid deleting these prune
+lists during stop, and since they are hardcoded to specific values for
+the default vlan and QinQ vlans, the attempt to re-add them during the
+up phase will quietly fail without any additional problem.
+
+Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface")
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index c0d221d4b4f47..5a3e7d6697325 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -3810,22 +3810,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi)
+ int ice_vsi_del_vlan_zero(struct ice_vsi *vsi)
+ {
+ struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);
++ struct ice_pf *pf = vsi->back;
+ struct ice_vlan vlan;
+ int err;
+
+- vlan = ICE_VLAN(0, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n");
++ } else {
++ vlan = ICE_VLAN(0, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* in SVM both VLAN 0 filters are identical */
+ if (!ice_is_dvm_ena(&vsi->back->hw))
+ return 0;
+
+- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n");
++ } else {
++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* when deleting the last VLAN filter, make sure to disable the VLAN
+ * promisc mode so the filter isn't left by accident
+--
+2.51.0
+
--- /dev/null
+From 9ba242c0a4ce1dd750382132bd63857a935cc473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Dec 2025 21:46:09 +0800
+Subject: ice: Fix incorrect timeout ice_release_res()
+
+From: Ding Hui <dinghui@sangfor.com.cn>
+
+[ Upstream commit 01139a2ce532d77379e1593230127caa261a8036 ]
+
+The commit 5f6df173f92e ("ice: implement and use rd32_poll_timeout for
+ice_sq_done timeout") converted ICE_CTL_Q_SQ_CMD_TIMEOUT from jiffies
+to microseconds.
+
+But the ice_release_res() function was missed, and its logic still
+treats ICE_CTL_Q_SQ_CMD_TIMEOUT as a jiffies value.
+
+So correct the issue by usecs_to_jiffies().
+
+Found by inspection of the DDP downloading process.
+Compile and modprobe tested only.
+
+Fixes: 5f6df173f92e ("ice: implement and use rd32_poll_timeout for ice_sq_done timeout")
+Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_common.c b/drivers/net/ethernet/intel/ice/ice_common.c
+index 6edeb06b4dce2..eb148c8d9e083 100644
+--- a/drivers/net/ethernet/intel/ice/ice_common.c
++++ b/drivers/net/ethernet/intel/ice/ice_common.c
+@@ -2251,7 +2251,7 @@ void ice_release_res(struct ice_hw *hw, enum ice_aq_res_ids res)
+ /* there are some rare cases when trying to release the resource
+ * results in an admin queue timeout, so handle them correctly
+ */
+- timeout = jiffies + 10 * ICE_CTL_Q_SQ_CMD_TIMEOUT;
++ timeout = jiffies + 10 * usecs_to_jiffies(ICE_CTL_Q_SQ_CMD_TIMEOUT);
+ do {
+ status = ice_aq_release_res(hw, res, 0, NULL);
+ if (status != -EIO)
+--
+2.51.0
+
--- /dev/null
+From 18226482d3ddc0a6456e14d676d5d29f1fb08f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 12:20:41 -0800
+Subject: ice: initialize ring_stats->syncp
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ]
+
+The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit
+systems it contains a seqcount_t which needs to be initialized. While the
+memory is zero-initialized, a lack of u64_stats_init means that lockdep
+won't get initialized properly. Fix this by adding u64_stats_init() calls
+to the rings just after allocation.
+
+Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 4479c824561e9..c0d221d4b4f47 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -398,6 +398,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(tx_ring_stats[i], ring_stats);
+ }
+
+@@ -417,6 +419,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(rx_ring_stats[i], ring_stats);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From b9671f974ffde0f27d3e25eb09395a5ef7b3a913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Nov 2025 18:53:04 +0800
+Subject: igc: fix race condition in TX timestamp read for register 0
+
+From: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+
+[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ]
+
+The current HW bug workaround checks the TXTT_0 ready bit first,
+then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0)
+to detect whether a new timestamp was captured by timestamp
+register 0 during the workaround.
+
+This sequence has a race: if a new timestamp is captured after
+checking the TXTT_0 bit but before the first TXSTMPL_0 read, the
+detection fails because both the "old" and "new" values come from
+the same timestamp.
+
+Fix by reading TXSTMPL_0 first to establish a baseline, then
+checking the TXTT_0 bit. This ensures any timestamp captured
+during the race window will be detected.
+
+Old sequence:
+ 1. Check TXTT_0 ready bit
+ 2. Read TXSTMPL_0 (baseline)
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+New sequence:
+ 1. Read TXSTMPL_0 (baseline)
+ 2. Check TXTT_0 ready bit
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps")
+Suggested-by: Avi Shalev <avi.shalev@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Co-developed-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++----------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index b7b46d863bee4..7aae83c108fd7 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -774,36 +774,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter,
+ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+ {
+ struct igc_hw *hw = &adapter->hw;
++ u32 txstmpl_old;
+ u64 regval;
+ u32 mask;
+ int i;
+
++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0.
++ * This baseline is used to detect if a new timestamp arrives in
++ * register 0 during the hardware bug workaround below.
++ */
++ txstmpl_old = rd32(IGC_TXSTMPL);
++
+ mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY;
+ if (mask & IGC_TSYNCTXCTL_TXTT_0) {
+ regval = rd32(IGC_TXSTMPL);
+ regval |= (u64)rd32(IGC_TXSTMPH) << 32;
+ } else {
+- /* There's a bug in the hardware that could cause
+- * missing interrupts for TX timestamping. The issue
+- * is that for new interrupts to be triggered, the
+- * IGC_TXSTMPH_0 register must be read.
++ /* TXTT_0 not set - register 0 has no new timestamp initially.
++ *
++ * Hardware bug: Future timestamp interrupts won't fire unless
++ * TXSTMPH_0 is read, even if the timestamp was captured in
++ * registers 1-3.
+ *
+- * To avoid discarding a valid timestamp that just
+- * happened at the "wrong" time, we need to confirm
+- * that there was no timestamp captured, we do that by
+- * assuming that no two timestamps in sequence have
+- * the same nanosecond value.
++ * Workaround: Read TXSTMPH_0 here to enable future interrupts.
++ * However, this read clears TXTT_0. If a timestamp arrives in
++ * register 0 after checking TXTT_0 but before this read, it
++ * would be lost.
+ *
+- * So, we read the "low" register, read the "high"
+- * register (to latch a new timestamp) and read the
+- * "low" register again, if "old" and "new" versions
+- * of the "low" register are different, a valid
+- * timestamp was captured, we can read the "high"
+- * register again.
++ * To detect this race: We saved a baseline read of TXSTMPL_0
++ * before TXTT_0 check. After performing the workaround read of
++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive
++ * timestamps never share the same nanosecond value, a change
++ * between the baseline and new TXSTMPL_0 indicates a timestamp
++ * arrived during the race window. If so, read the complete
++ * timestamp.
+ */
+- u32 txstmpl_old, txstmpl_new;
++ u32 txstmpl_new;
+
+- txstmpl_old = rd32(IGC_TXSTMPL);
+ rd32(IGC_TXSTMPH);
+ txstmpl_new = rd32(IGC_TXSTMPL);
+
+@@ -818,7 +825,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+
+ done:
+ /* Now that the problematic first register was handled, we can
+- * use retrieve the timestamps from the other registers
++ * retrieve the timestamps from the other registers
+ * (starting from '1') with less complications.
+ */
+ for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
+--
+2.51.0
+
--- /dev/null
+From 0676dab16094caf09fa50d9cfbeb34fe10775748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Dec 2025 20:21:50 +0800
+Subject: igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue
+
+From: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+
+[ Upstream commit 8ad1b6c1e63d25f5465b7a8aa403bdcee84b86f9 ]
+
+The previous 7 KB per queue caused TX unit hangs under heavy
+timestamping load. Reducing to 5 KB avoids these hangs and matches
+the TSN recommendation in I225/I226 SW User Manual Section 7.5.4.
+
+The 8 KB "freed" by this change is currently unused. This reduction
+is not expected to impact throughput, as the i226 is PCIe-limited
+for small TSN packets rather than TX-buffer-limited.
+
+Fixes: 0d58cdc902da ("igc: optimize TX packet buffer utilization for TSN mode")
+Reported-by: Zdenek Bouska <zdenek.bouska@siemens.com>
+Closes: https://lore.kernel.org/netdev/AS1PR10MB5675DBFE7CE5F2A9336ABFA4EBEAA@AS1PR10MB5675.EURPRD10.PROD.OUTLOOK.COM/
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_defines.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
+index 498ba1522ca4d..9482ab11f050f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_defines.h
++++ b/drivers/net/ethernet/intel/igc/igc_defines.h
+@@ -443,9 +443,10 @@
+ #define IGC_TXPBSIZE_DEFAULT ( \
+ IGC_TXPB0SIZE(20) | IGC_TXPB1SIZE(0) | IGC_TXPB2SIZE(0) | \
+ IGC_TXPB3SIZE(0) | IGC_OS2BMCPBSIZE(4))
++/* TSN value following I225/I226 SW User Manual Section 7.5.4 */
+ #define IGC_TXPBSIZE_TSN ( \
+- IGC_TXPB0SIZE(7) | IGC_TXPB1SIZE(7) | IGC_TXPB2SIZE(7) | \
+- IGC_TXPB3SIZE(7) | IGC_OS2BMCPBSIZE(4))
++ IGC_TXPB0SIZE(5) | IGC_TXPB1SIZE(5) | IGC_TXPB2SIZE(5) | \
++ IGC_TXPB3SIZE(5) | IGC_OS2BMCPBSIZE(4))
+
+ #define IGC_DTXMXPKTSZ_TSN 0x19 /* 1600 bytes of max TX DMA packet size */
+ #define IGC_DTXMXPKTSZ_DEFAULT 0x98 /* 9728-byte Jumbo frames */
+--
+2.51.0
+
--- /dev/null
+From 8ecb03fe0f17b237b76a174c14430aeb5f1ffffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 09:18:29 +0100
+Subject: igc: Restore default Qbv schedule when changing channels
+
+From: Kurt Kanzenbach <kurt@linutronix.de>
+
+[ Upstream commit 41a9a6826f20a524242a6c984845c4855f629841 ]
+
+The Multi-queue Priority (MQPRIO) and Earliest TxTime First (ETF) offloads
+utilize the Time Sensitive Networking (TSN) Tx mode. This mode is always
+coupled to IEEE 802.1Qbv time aware shaper (Qbv). Therefore, the driver
+sets a default Qbv schedule of all gates opened and a cycle time of
+1s. This schedule is set during probe.
+
+However, the following sequence of events lead to Tx issues:
+
+ - Boot a dual core system
+ igc_probe():
+ igc_tsn_clear_schedule():
+ -> Default Schedule is set
+ Note: At this point the driver has allocated two Tx/Rx queues, because
+ there are only two CPUs.
+
+ - ethtool -L enp3s0 combined 4
+ igc_ethtool_set_channels():
+ igc_reinit_queues()
+ -> Default schedule is gone, per Tx ring start and end time are zero
+
+ - tc qdisc replace dev enp3s0 handle 100 parent root mqprio \
+ num_tc 4 map 3 3 2 2 0 1 1 1 3 3 3 3 3 3 3 3 \
+ queues 1@0 1@1 1@2 1@3 hw 1
+ igc_tsn_offload_apply():
+ igc_tsn_enable_offload():
+ -> Writes zeros to IGC_STQT(i) and IGC_ENDQT(i), causing Tx to stall/fail
+
+Therefore, restore the default Qbv schedule after changing the number of
+channels.
+
+Furthermore, add a restriction to not allow queue reconfiguration when
+TSN/Qbv is enabled, because it may lead to inconsistent states.
+
+Fixes: c814a2d2d48f ("igc: Use default cycle 'start' and 'end' values for queues")
+Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 ++--
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index bb783042d1af9..4b39329e9e32b 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1561,8 +1561,8 @@ static int igc_ethtool_set_channels(struct net_device *netdev,
+ if (ch->other_count != NON_Q_VECTORS)
+ return -EINVAL;
+
+- /* Do not allow channel reconfiguration when mqprio is enabled */
+- if (adapter->strict_priority_enable)
++ /* Do not allow channel reconfiguration when any TSN qdisc is enabled */
++ if (adapter->flags & IGC_FLAG_TSN_ANY_ENABLED)
+ return -EINVAL;
+
+ /* Verify the number of channels doesn't exceed hw limits */
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 728d7ca5338bf..21e67e7534562 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -7761,6 +7761,11 @@ int igc_reinit_queues(struct igc_adapter *adapter)
+ if (netif_running(netdev))
+ err = igc_open(netdev);
+
++ if (!err) {
++ /* Restore default IEEE 802.1Qbv schedule after queue reinit */
++ igc_tsn_clear_schedule(adapter);
++ }
++
+ return err;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 2fdfdadc404dc14780fe20b33aaf5aac0a59e705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 50de3ee204dbc..80f84fc87008b 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index baf2ef3bcd54b..6c6677ded82ef 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 660f3db117664..baccdad695fda 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -75,6 +75,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -181,6 +182,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -189,10 +191,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -206,10 +208,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -579,7 +581,6 @@ int ipvlan_link_new(struct net_device *dev, struct rtnl_newlink_params *params,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -657,13 +658,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_free(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -817,6 +818,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -847,16 +850,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -878,14 +881,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -924,21 +927,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -946,14 +952,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -995,21 +1001,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From af3fddfa7095dc1e2b461e1a40cc135b415a4229 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index d6f4bef0236dc..a0682e63fc637 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1416,8 +1416,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1425,6 +1423,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From 0ba3549e6887f903b489cbaa5bf1e2829187cd2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 18:54:44 +0000
+Subject: l2tp: Fix memleak in l2tp_udp_encap_recv().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 4d10edfd1475b69dbd4c47f34b61a3772ece83ca ]
+
+syzbot reported memleak of struct l2tp_session, l2tp_tunnel,
+sock, etc. [0]
+
+The cited commit moved down the validation of the protocol
+version in l2tp_udp_encap_recv().
+
+The new place requires an extra error handling to avoid the
+memleak.
+
+Let's call l2tp_session_put() there.
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff88810a290200 (size 512):
+ comm "syz.0.17", pid 6086, jiffies 4294944299
+ hex dump (first 32 bytes):
+ 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }...............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc babb6a4f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ __do_kmalloc_node mm/slub.c:5656 [inline]
+ __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669
+ kmalloc_noprof include/linux/slab.h:961 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778
+ pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755
+ __sys_connect_file+0x7a/0xb0 net/socket.c:2089
+ __sys_connect+0xde/0x110 net/socket.c:2108
+ __do_sys_connect net/socket.c:2114 [inline]
+ __se_sys_connect net/socket.c:2111 [inline]
+ __x64_sys_connect+0x1c/0x30 net/socket.c:2111
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 364798056f518 ("l2tp: Support different protocol versions with same IP/port quadruple")
+Reported-by: syzbot+2c42ea4485b29beb0643@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696693f2.a70a0220.245e30.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260113185446.2533333-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 0710281dd95aa..d6f4bef0236dc 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1086,8 +1086,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ tunnel = session->tunnel;
+
+ /* Check protocol version */
+- if (version != tunnel->version)
++ if (version != tunnel->version) {
++ l2tp_session_put(session);
+ goto invalid;
++ }
+
+ if (version == L2TP_HDR_VER_3 &&
+ l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
+--
+2.51.0
+
--- /dev/null
+From 3173fdfa21957438a98d98979adf62946bdde9c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 09:02:46 +0100
+Subject: net: freescale: ucc_geth: Return early when TBI PHY can't be found
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit a74c7a58ca2ca1cbb93f4c01421cf24b8642b962 ]
+
+In ucc_geth's .mac_config(), we configure the TBI Serdes block represented by a
+struct phy_device that we get from firmware.
+
+While porting to phylink, a check was missed to make sure we don't try
+to access the TBI PHY if we can't get it. Let's add it and return early
+in case of error
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202601130843.rFGNXA5a-lkp@intel.com/
+Fixes: 53036aa8d031 ("net: freescale: ucc_geth: phylink conversion")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20260114080247.366252-1-maxime.chevallier@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/ucc_geth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/ucc_geth.c b/drivers/net/ethernet/freescale/ucc_geth.c
+index affd5a6c44e7b..131d1210dc4a8 100644
+--- a/drivers/net/ethernet/freescale/ucc_geth.c
++++ b/drivers/net/ethernet/freescale/ucc_geth.c
+@@ -1602,8 +1602,10 @@ static void ugeth_mac_config(struct phylink_config *config, unsigned int mode,
+ pr_warn("TBI mode requires that the device tree specify a tbi-handle\n");
+
+ tbiphy = of_phy_find_device(ug_info->tbi_node);
+- if (!tbiphy)
++ if (!tbiphy) {
+ pr_warn("Could not get TBI device\n");
++ return;
++ }
+
+ value = phy_read(tbiphy, ENET_TBI_MII_CR);
+ value &= ~0x1000; /* Turn off autonegotiation */
+--
+2.51.0
+
--- /dev/null
+From ec9c4391c49d5b8a0408ddcf0d7872f3ee5a015a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 8badec6d82a24..6e4bdaa876ed6 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From b10d8fb2bd5af1dd0ae64b539b176f78346d6cff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 9b16ad431028f..f94c9c9c90424 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From 6b2a4797477ed35ebabd12c625e22e86e5444d0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 9631fe523c3274d10c963636bfa78d79872d9950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 08:47:12 -0800
+Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ]
+
+The RX flowid programming initializes the TCAM mask to all ones, but
+then overwrites it when clearing the MAC DA mask bits. This results
+in losing the intended initialization and may affect other match fields.
+
+Update the code to clear the MAC DA bits using an AND operation, making
+the handling of mask[0] consistent with mask[1], where the field-specific
+bits are cleared after initializing the mask to ~0ULL.
+
+Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index 4c7e0f345cb5b..060c715ebad0a 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -328,7 +328,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf,
+
+ req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da);
+ req->mask[0] = ~0ULL;
+- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK;
++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK;
+
+ req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC);
+ req->mask[1] = ~0ULL;
+--
+2.51.0
+
--- /dev/null
+From 7c6723a15304c465b922c375a92c30a5bd9d1879 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Dec 2025 18:36:21 +0100
+Subject: pmdomain: qcom: rpmhpd: Add MXC to SC8280XP
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ]
+
+This was apparently accounted for in dt-bindings, but never made its
+way into the driver.
+
+Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P.
+
+Fixes: f68f1cb3437d ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/qcom/rpmhpd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/pmdomain/qcom/rpmhpd.c b/drivers/pmdomain/qcom/rpmhpd.c
+index 4faa8a2561862..4c3cbf3abc750 100644
+--- a/drivers/pmdomain/qcom/rpmhpd.c
++++ b/drivers/pmdomain/qcom/rpmhpd.c
+@@ -246,6 +246,8 @@ static struct rpmhpd *sa8540p_rpmhpds[] = {
+ [SC8280XP_MMCX_AO] = &mmcx_ao,
+ [SC8280XP_MX] = &mx,
+ [SC8280XP_MX_AO] = &mx_ao,
++ [SC8280XP_MXC] = &mxc,
++ [SC8280XP_MXC_AO] = &mxc_ao,
+ [SC8280XP_NSP] = &nsp,
+ };
+
+@@ -675,6 +677,8 @@ static struct rpmhpd *sc8280xp_rpmhpds[] = {
+ [SC8280XP_MMCX_AO] = &mmcx_ao,
+ [SC8280XP_MX] = &mx,
+ [SC8280XP_MX_AO] = &mx_ao,
++ [SC8280XP_MXC] = &mxc,
++ [SC8280XP_MXC_AO] = &mxc_ao,
+ [SC8280XP_NSP] = &nsp,
+ [SC8280XP_QPHY] = &qphy,
+ };
+--
+2.51.0
+
--- /dev/null
+From e2f2edb76b63e22a3964bb0184a1965673c4dcda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jan 2026 16:13:26 +0100
+Subject: pwm: Ensure ioctl() returns a negative errno on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit c198b7773ca5bc3bdfb15b85e414fb9a99a5e5ba ]
+
+copy_to_user() returns the number of bytes not copied, thus if there is
+a problem a positive number. However the ioctl callback is supposed to
+return a negative error code on error.
+
+This error is a unfortunate as strictly speaking it became ABI with the
+introduction of pwm character devices. However I never saw the issue in
+real life -- I found this by code inspection -- and it only affects an
+error case where readonly memory is passed to the ioctls or the address
+mapping changes while the ioctl is active. Also there are already error
+cases returning negative values, so the calling code must be prepared to
+see such values already.
+
+Fixes: 9c06f26ba5f5 ("pwm: Add support for pwmchip devices for faster and easier userspace access")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20260119151325.571857-2-u.kleine-koenig@baylibre.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c
+index 7dd1cf2ba4025..462c91a034c8e 100644
+--- a/drivers/pwm/core.c
++++ b/drivers/pwm/core.c
+@@ -2294,8 +2294,9 @@ static long pwm_cdev_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ .duty_offset_ns = wf.duty_offset_ns,
+ };
+
+- return copy_to_user((struct pwmchip_waveform __user *)arg,
+- &cwf, sizeof(cwf));
++ ret = copy_to_user((struct pwmchip_waveform __user *)arg,
++ &cwf, sizeof(cwf));
++ return ret ? -EFAULT : 0;
+ }
+
+ case PWM_IOCTL_GETWF:
+@@ -2328,8 +2329,9 @@ static long pwm_cdev_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ .duty_offset_ns = wf.duty_offset_ns,
+ };
+
+- return copy_to_user((struct pwmchip_waveform __user *)arg,
+- &cwf, sizeof(cwf));
++ ret = copy_to_user((struct pwmchip_waveform __user *)arg,
++ &cwf, sizeof(cwf));
++ return ret ? -EFAULT : 0;
+ }
+
+ case PWM_IOCTL_SETROUNDEDWF:
+--
+2.51.0
+
--- /dev/null
+From 48c8c0966f6cd24cfcf38a3046b30be5ebfb4e82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 17:39:07 +0100
+Subject: pwm: max7360: Populate missing .sizeof_wfhw in max7360_pwm_ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Richard Genoud <richard.genoud@bootlin.com>
+
+[ Upstream commit 63faf32666e03a78cc985bcbae196418cf7d7938 ]
+
+The sizeof_wfhw field wasn't populated in max7360_pwm_ops so it was set
+to 0 by default.
+While this is ok for now because:
+sizeof(struct max7360_pwm_waveform) < PWM_WFHWSIZE
+in the future, if struct max7360_pwm_waveform grows, it could lead to
+stack corruption.
+
+Fixes: d93a75d94b79 ("pwm: max7360: Add MAX7360 PWM support")
+Signed-off-by: Richard Genoud <richard.genoud@bootlin.com>
+Link: https://patch.msgid.link/20260113163907.368919-1-richard.genoud@bootlin.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-max7360.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pwm/pwm-max7360.c b/drivers/pwm/pwm-max7360.c
+index ebf93a7aee5be..31972bd00ebe9 100644
+--- a/drivers/pwm/pwm-max7360.c
++++ b/drivers/pwm/pwm-max7360.c
+@@ -153,6 +153,7 @@ static int max7360_pwm_read_waveform(struct pwm_chip *chip,
+ }
+
+ static const struct pwm_ops max7360_pwm_ops = {
++ .sizeof_wfhw = sizeof(struct max7360_pwm_waveform),
+ .request = max7360_pwm_request,
+ .round_waveform_tohw = max7360_pwm_round_waveform_tohw,
+ .round_waveform_fromhw = max7360_pwm_round_waveform_fromhw,
+--
+2.51.0
+
--- /dev/null
+From c11190f02b70937cf7ecaa2783fc339964c3a7ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 3755ba079d077..7b823d7591419 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -603,6 +603,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -617,11 +622,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From bac1c29bb17c2da579204237c4d1fa7a74f53eb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
perf-parse-events-fix-evsel-allocation-failure.patch
drivers-hv-always-do-hyper-v-panic-notification-in-h.patch
btrfs-fix-missing-fields-in-superblock-backup-with-b.patch
+dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch
+pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch
+wifi-ath12k-don-t-force-radio-frequency-check-in-fre.patch
+ata-ahci-do-not-read-the-per-port-area-for-unimpleme.patch
+ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch
+ata-libata-sata-improve-link_power_management_suppor.patch
+ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch
+ata-libata-add-dipm-and-hipm-to-ata_dev_print_featur.patch
+ata-libata-print-features-also-for-atapi-devices.patch
+wifi-ath12k-cancel-scan-only-on-active-scan-vdev.patch
+wifi-ath12k-fix-scan-state-stuck-in-aborting-after-c.patch
+wifi-ath12k-fix-dead-lock-while-flushing-management-.patch
+wifi-ath12k-fix-wrong-p2p-device-link-id-issue.patch
+ice-initialize-ring_stats-syncp.patch
+ice-avoid-detrimental-cleanup-for-bond-during-interf.patch
+ice-fix-incorrect-timeout-ice_release_res.patch
+igc-restore-default-qbv-schedule-when-changing-chann.patch
+igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch
+igc-reduce-tsn-tx-packet-buffer-from-7kb-to-5kb-per-.patch
+vsock-virtio-coalesce-only-linear-skb.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+l2tp-fix-memleak-in-l2tp_udp_encap_recv.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+net-freescale-ucc_geth-return-early-when-tbi-phy-can.patch
+can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+veth-fix-data-race-in-veth_get_ethtool_stats.patch
+pwm-ensure-ioctl-returns-a-negative-errno-on-error.patch
+pwm-max7360-populate-missing-.sizeof_wfhw-in-max7360.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
+wifi-mac80211-don-t-perform-da-check-on-s1g-beacon.patch
--- /dev/null
+From 84c528c0173f7c16be7e11b2536d973489b5585f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:47 +0000
+Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ]
+
+If grep.lineNumber is enabled in .gitconfig,
+
+ [grep]
+ lineNumber = true
+
+ynl-regen.sh fails with the following error:
+
+ $ ./tools/net/ynl/ynl-regen.sh -f
+ ...
+ ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi)
+ GEN 4: net/ipv4/fou_nl.c
+
+Let's specify --no-line-number explicitly.
+
+Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/ynl-regen.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh
+index 81b4ecd891006..d9809276db982 100755
+--- a/tools/net/ynl/ynl-regen.sh
++++ b/tools/net/ynl/ynl-regen.sh
+@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)')
+ for f in $files; do
+ # params: 0 1 2 3
+ # $YAML YNL-GEN kernel $mode
+- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
+ args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f)
+
+ if [ $f -nt ${params[0]} -a -z "$force" ]; then
+--
+2.51.0
+
--- /dev/null
+From 9a6dc2be8146092fd877d290c00b0758bd30e0f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 20:24:45 +0800
+Subject: veth: fix data race in veth_get_ethtool_stats
+
+From: David Yang <mmyangfl@gmail.com>
+
+[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ]
+
+In veth_get_ethtool_stats(), some statistics protected by
+u64_stats_sync, are read and accumulated in ignorance of possible
+u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and
+peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix
+this by reading them into a temporary buffer first.
+
+Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting")
+Signed-off-by: David Yang <mmyangfl@gmail.com>
+Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index cc502bf022d55..b00613cb07cf0 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -228,16 +228,20 @@ static void veth_get_ethtool_stats(struct net_device *dev,
+ const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats;
+ const void *base = (void *)&rq_stats->vs;
+ unsigned int start, tx_idx = idx;
++ u64 buf[VETH_TQ_STATS_LEN];
+ size_t offset;
+
+- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
+ do {
+ start = u64_stats_fetch_begin(&rq_stats->syncp);
+ for (j = 0; j < VETH_TQ_STATS_LEN; j++) {
+ offset = veth_tq_stats_desc[j].offset;
+- data[tx_idx + j] += *(u64 *)(base + offset);
++ buf[j] = *(u64 *)(base + offset);
+ }
+ } while (u64_stats_fetch_retry(&rq_stats->syncp, start));
++
++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
++ for (j = 0; j < VETH_TQ_STATS_LEN; j++)
++ data[tx_idx + j] += buf[j];
+ }
+ pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN;
+
+--
+2.51.0
+
--- /dev/null
+From 9548cb333a7070516bb1c4ec93b32e7df7fef4fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 16:08:18 +0100
+Subject: vsock/virtio: Coalesce only linear skb
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 0386bd321d0f95d041a7b3d7b07643411b044a96 ]
+
+vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb
+(with a spare tail room) is followed by a small skb (length limited by
+GOOD_COPY_LEN = 128), an attempt is made to join them.
+
+Since the introduction of MSG_ZEROCOPY support, assumption that a small skb
+will always be linear is incorrect. In the zerocopy case, data is lost and
+the linear skb is appended with uninitialized kernel memory.
+
+Of all 3 supported virtio-based transports, only loopback-transport is
+affected. G2H virtio-transport rx queue operates on explicitly linear skbs;
+see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G
+vhost-transport may allocate non-linear skbs, but only for sizes that are
+not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in
+virtio_vsock_alloc_skb().
+
+Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0
+guarantees last_skb is linear.
+
+Fixes: 581512a6dc93 ("vsock/virtio: MSG_ZEROCOPY flag support")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20260113-vsock-recv-coalescence-v2-1-552b17837cf4@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index dcc8a1d5851e6..26b979ad71f09 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1359,9 +1359,11 @@ virtio_transport_recv_enqueue(struct vsock_sock *vsk,
+
+ /* Try to copy small packets into the buffer of last packet queued,
+ * to avoid wasting memory queueing the entire buffer with a small
+- * payload.
++ * payload. Skip non-linear (e.g. zerocopy) skbs; these carry payload
++ * in skb_shinfo.
+ */
+- if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue)) {
++ if (len <= GOOD_COPY_LEN && !skb_queue_empty(&vvs->rx_queue) &&
++ !skb_is_nonlinear(skb)) {
+ struct virtio_vsock_hdr *last_hdr;
+ struct sk_buff *last_skb;
+
+--
+2.51.0
+
--- /dev/null
+From cd3f960d0134da4510864b74a0352eb151b33758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jan 2026 11:32:35 +0530
+Subject: wifi: ath12k: cancel scan only on active scan vdev
+
+From: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
+
+[ Upstream commit 39c90b1a1dbe6d7c49d19da6e5aec00980c55d8b ]
+
+Cancel the scheduled scan request only on the vdev that has an active
+scan running. Currently, ahvif->links_map is used to obtain the links,
+but this includes links for which no scan is scheduled. In failure cases
+where the scan fails due to an invalid channel definition, other links
+which are not yet brought up (vdev not created) may also be accessed,
+leading to the following trace:
+
+Unable to handle kernel paging request at virtual address 0000000000004c8c
+pc : _raw_spin_lock_bh+0x1c/0x54
+lr : ath12k_scan_abort+0x20/0xc8 [ath12k]
+
+Call trace:
+ _raw_spin_lock_bh+0x1c/0x54 (P)
+ ath12k_mac_op_cancel_hw_scan+0xac/0xc4 [ath12k]
+ ieee80211_scan_cancel+0xcc/0x12c [mac80211]
+ ieee80211_do_stop+0x6c4/0x7a8 [mac80211]
+ ieee80211_stop+0x60/0xd8 [mac80211]
+
+Skip links that are not created or are not the current scan vdev. This
+ensures only the scan for the matching links is aborted and avoids
+aborting unrelated links during cancellation, thus aligning with how
+start/cleanup manage ar->scan.arvif.
+
+Also, remove the redundant arvif->is_started check from
+ath12k_mac_op_cancel_hw_scan() that was introduced in commit 3863f014ad23
+("wifi: ath12k: symmetrize scan vdev creation and deletion during HW
+scan") to avoid deleting the scan interface if the scan is triggered on
+the existing AP vdev as this use case is already handled in
+ath12k_scan_vdev_clean_work().
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Fixes: feed05f1526e ("wifi: ath12k: Split scan request for split band device")
+Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260107-scan_vdev-v1-1-b600aedc645a@qti.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 095b49a39683c..ffeb667734358 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -5254,7 +5254,8 @@ static void ath12k_mac_op_cancel_hw_scan(struct ieee80211_hw *hw,
+
+ for_each_set_bit(link_id, &links_map, ATH12K_NUM_MAX_LINKS) {
+ arvif = wiphy_dereference(hw->wiphy, ahvif->link[link_id]);
+- if (!arvif || arvif->is_started)
++ if (!arvif || !arvif->is_created ||
++ arvif->ar->scan.arvif != arvif)
+ continue;
+
+ ar = arvif->ar;
+--
+2.51.0
+
--- /dev/null
+From 2b30aa371fb100388bdd154dcd88f4d8cdc1a72f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jan 2026 11:21:46 +0800
+Subject: wifi: ath12k: don't force radio frequency check in freq_to_idx()
+
+From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+
+[ Upstream commit 1fed08c5519d2f929457f354d3c06c6a8c33829c ]
+
+freq_to_idx() is used to map a channel to a survey index. Commit
+acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in
+single-wiphy") adds radio specific frequency range check in this helper to
+make sure an invalid index is returned if the channel falls outside that
+range. However, this check introduces a race, resulting in below warnings
+as reported in [1].
+
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6455 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6535 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6615 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6695 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6775 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6855 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6935 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 7015 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 7095 (idx 101 out of bounds)
+ ath12k_pci 0000:08:00.0: chan info: invalid frequency 6435 (idx 101 out of bounds)
+
+Race scenario:
+
+ 1) A regdomain covering below frequency range is uploaded to host via
+ WMI_REG_CHAN_LIST_CC_EXT_EVENTID event:
+
+ Country 00, CFG Regdomain UNSET FW Regdomain 0, num_reg_rules 6
+ 1. (2402 - 2472 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0)
+ 2. (2457 - 2477 @ 20) (0, 20) (0 ms) (FLAGS 360576) (0, 0)
+ 3. (5170 - 5330 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
+ 4. (5490 - 5730 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
+ 5. (5735 - 5895 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
+ 6. (5925 - 7125 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 255)
+
+ As a result, radio frequency range is updated as [2402, 7125]
+
+ ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->7125 MHz
+
+ If no scan in progress or after scan finished, command
+ WMI_SCAN_CHAN_LIST_CMDID is sent to firmware notifying that firmware
+ is allowed to do scan on all channels within that range.
+
+ The running path is:
+
+ /* redomain uploaded */
+ 1. WMI_REG_CHAN_LIST_CC_EXT_EVENTID
+ 2. ath12k_reg_chan_list_event()
+ 3. ath12k_reg_handle_chan_list()
+ 4. queue_work(..., &ar->regd_update_work)
+ 5. ath12k_regd_update_work()
+ 6. ath12k_regd_update()
+ /* update radio frequency range */
+ 7. ath12k_mac_update_freq_range()
+ 8. regulatory_set_wiphy_regd()
+ 9. ath12k_reg_notifier()
+ 10. ath12k_reg_update_chan_list()
+ 11. queue_work(..., &ar->regd_channel_update_work)
+ 12. ath12k_regd_update_chan_list_work()
+ /* wait scan finishes */
+ 13. wait_for_completion_timeout(&ar->scan.completed, ...)
+ /* command notifying list of valid channels */
+ 14. ath12k_wmi_send_scan_chan_list_cmd()
+
+ 2) Hardware scan is triggered on all allowed channels.
+ 3) Before scan completed, 11D mechanism detects a new country code
+
+ ath12k_pci 0000:08:00.0: wmi 11d new cc GB
+
+ With this code sent to firmware, firmware uploads a new regdomain
+
+ Country GB, CFG Regdomain ETSI FW Regdomain 2, num_reg_rules 9
+ 1. (2402 - 2482 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0)
+ 2. (5170 - 5250 @ 80) (0, 23) (0 ms) (FLAGS 264192) (0, 0)
+ 3. (5250 - 5330 @ 80) (0, 23) (0 ms) (FLAGS 264216) (0, 0)
+ 4. (5490 - 5590 @ 80) (0, 30) (0 ms) (FLAGS 264208)
+ 5. (5590 - 5650 @ 40) (0, 30) (600000 ms) (FLAGS 264208)
+ 6. (5650 - 5730 @ 80) (0, 30) (0 ms) (FLAGS 264208)
+ 7. (5735 - 5875 @ 80) (0, 14) (0 ms) (FLAGS 264192) (0, 0)
+ 8. (5855 - 5875 @ 20) (0, 14) (0 ms) (FLAGS 264192) (0, 0)
+ 9. (5945 - 6425 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 11)
+
+ Then radio frequency range is updated as [2402, 6425]
+
+ ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->6425 MHz
+
+ Please note this is a smaller range than the previous one. Later host
+ runs the same path for the purpose of notifying the new channel list.
+ However since scan not completed, host just waits there. Meanwhile,
+ firmware is possibly scanning channels outside the new range. As a
+ result, WMI_CHAN_INFO_EVENTID events for those channels fail
+ freq_to_idx() check and triggers warnings above.
+
+Fix this issue by removing radio frequency check in freq_to_idx(). This is
+valid because channels being scanned do not synchronize with frequency
+range update. Besides, this won't cause any problem, since freq_to_idx()
+is only used for survey data. Even out-of-range channels filled in the
+survey, they won't get delivered to userspace due to the range check
+already there in ath12k_mac_op_get_survey().
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
+
+Fixes: acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in single-wiphy")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220871 # 1
+Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260108-ath12k-fix-freq-to-idx-v1-1-b2458cf7aa0d@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index e647b842a6a1c..44e99b47e445d 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -6520,16 +6520,9 @@ static int freq_to_idx(struct ath12k *ar, int freq)
+ if (!sband)
+ continue;
+
+- for (ch = 0; ch < sband->n_channels; ch++, idx++) {
+- if (sband->channels[ch].center_freq <
+- KHZ_TO_MHZ(ar->freq_range.start_freq) ||
+- sband->channels[ch].center_freq >
+- KHZ_TO_MHZ(ar->freq_range.end_freq))
+- continue;
+-
++ for (ch = 0; ch < sband->n_channels; ch++, idx++)
+ if (sband->channels[ch].center_freq == freq)
+ goto exit;
+- }
+ }
+
+ exit:
+--
+2.51.0
+
--- /dev/null
+From e5e8a31d85b94633eb6bb37825ad3fcdd3b694f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 09:48:11 +0800
+Subject: wifi: ath12k: fix dead lock while flushing management frames
+
+From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+
+[ Upstream commit f88e9fc30a261d63946ddc6cc6a33405e6aa27c3 ]
+
+Commit [1] converted the management transmission work item into a
+wiphy work. Since a wiphy work can only run under wiphy lock
+protection, a race condition happens in below scenario:
+
+1. a management frame is queued for transmission.
+2. ath12k_mac_op_flush() gets called to flush pending frames associated
+ with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()
+ the process waits for the transmission done.
+3. Since wiphy lock has been taken by the flush process, the transmission
+ work item has no chance to run, hence the dead lock.
+
+>From user view, this dead lock results in below issue:
+
+ wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
+ wlp8s0: send auth to xxxxxx (try 1/3)
+ wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
+ wlp8s0: send auth to xxxxxx (try 1/3)
+ wlp8s0: authenticated
+ wlp8s0: associate with xxxxxx (try 1/3)
+ wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)
+ ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1
+
+The dead lock can be avoided by invoking wiphy_work_flush() to proactively
+run the queued work item. Note actually it is already present in
+ath12k_mac_op_flush(), however it does not protect the case where vif
+being NULL. Hence move it ahead to cover this case as well.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
+
+Fixes: 56dcbf0b5207 ("wifi: ath12k: convert struct ath12k::wmi_mgmt_tx_work to struct wiphy_work") # [1]
+Reported-by: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220959
+Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260113-ath12k-fix-dead-lock-while-flushing-v1-1-9713621f3a0f@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index 00b3bf4d882a5..d6a44c19e2245 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -11798,6 +11798,9 @@ static void ath12k_mac_op_flush(struct ieee80211_hw *hw, struct ieee80211_vif *v
+ if (drop)
+ return;
+
++ for_each_ar(ah, ar, i)
++ wiphy_work_flush(hw->wiphy, &ar->wmi_mgmt_tx_work);
++
+ /* vif can be NULL when flush() is considered for hw */
+ if (!vif) {
+ for_each_ar(ah, ar, i)
+@@ -11805,9 +11808,6 @@ static void ath12k_mac_op_flush(struct ieee80211_hw *hw, struct ieee80211_vif *v
+ return;
+ }
+
+- for_each_ar(ah, ar, i)
+- wiphy_work_flush(hw->wiphy, &ar->wmi_mgmt_tx_work);
+-
+ ahvif = ath12k_vif_to_ahvif(vif);
+ links = ahvif->links_map;
+ for_each_set_bit(link_id, &links, IEEE80211_MLD_MAX_NUM_LINKS) {
+--
+2.51.0
+
--- /dev/null
+From d97271ab63232ccecd25c11cf5558dfc4c510524 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 19:55:16 +0800
+Subject: wifi: ath12k: Fix scan state stuck in ABORTING after
+ cancel_remain_on_channel
+
+From: Yingying Tang <yingying.tang@oss.qualcomm.com>
+
+[ Upstream commit 8b8d6ee53dfdee61b0beff66afe3f712456e707a ]
+
+Scan finish workqueue was introduced in __ath12k_mac_scan_finish() by [1].
+
+During ath12k_mac_op_cancel_remain_on_channel(), scan state is set to
+ABORTING and should be reset to IDLE in the queued work. However,
+wiphy_work_cancel() is called before exiting
+ath12k_mac_op_cancel_remain_on_channel(), which prevents the work
+from running and leaves the state in ABORTING. This blocks all
+subsequent scan requests.
+
+Replace wiphy_work_cancel() with wiphy_work_flush() to ensure the
+queued work runs and scan state is reset to IDLE.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
+
+Fixes: 3863f014ad23 ("wifi: ath12k: symmetrize scan vdev creation and deletion during HW scan") # [1]
+Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260112115516.2144219-1-yingying.tang@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index ffeb667734358..00b3bf4d882a5 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -12833,7 +12833,7 @@ static int ath12k_mac_op_cancel_remain_on_channel(struct ieee80211_hw *hw,
+ ath12k_scan_abort(ar);
+
+ cancel_delayed_work_sync(&ar->scan.timeout);
+- wiphy_work_cancel(hw->wiphy, &ar->scan.vdev_clean_wk);
++ wiphy_work_flush(hw->wiphy, &ar->scan.vdev_clean_wk);
+
+ return 0;
+ }
+--
+2.51.0
+
--- /dev/null
+From 4bf43a7d93cb16975551c41e7052577e586b3590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 13:46:36 +0800
+Subject: wifi: ath12k: Fix wrong P2P device link id issue
+
+From: Yingying Tang <yingying.tang@oss.qualcomm.com>
+
+[ Upstream commit 31707572108da55a005e7fed32cc3869c16b7c16 ]
+
+Wrong P2P device link id value of 0 was introduced in ath12k_mac_op_tx() by [1].
+
+During the P2P negotiation process, there is only one scan vdev with link ID 15.
+Currently, the device link ID is incorrectly set to 0 in ath12k_mac_op_tx()
+during the P2P negotiation process, which leads to TX failures.
+
+Set the correct P2P device link ID to 15 to fix the TX failure issue.
+
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
+
+Fixes: 648a121bafa3 ("wifi: ath12k: ath12k_mac_op_tx(): MLO support") # [1]
+Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Cc: linux-next@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Link: https://patch.msgid.link/20260113054636.2620035-1-yingying.tang@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+
+---
+
+Note to linux-next and netdev maintainers:
+
+This patch going through the "current" tree conflicts with
+the following going through the "next" tree:
+commit 631ee338f04d ("Merge branch 'ath12k-ng' into ath-next")
+
+The conflict resolution is to leave the following file unmodified:
+drivers/net/wireless/ath/ath12k/mac.
+
+And to apply the following patch to ath12k_wifi7_mac_op_tx()
+in the file drivers/net/wireless/ath/ath12k/wifi7/hw.c -705,7 +705,10
+
+ return;
+ }
+ } else {
+- link_id = 0;
++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE)
++ link_id = ATH12K_FIRST_SCAN_LINK;
++ else
++ link_id = 0;
+ }
+
+ arvif = rcu_dereference(ahvif->link[link_id]);
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/mac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
+index d6a44c19e2245..256ffae4d7f7d 100644
+--- a/drivers/net/wireless/ath/ath12k/mac.c
++++ b/drivers/net/wireless/ath/ath12k/mac.c
+@@ -8840,7 +8840,10 @@ static void ath12k_mac_op_tx(struct ieee80211_hw *hw,
+ return;
+ }
+ } else {
+- link_id = 0;
++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE)
++ link_id = ATH12K_FIRST_SCAN_LINK;
++ else
++ link_id = 0;
+ }
+
+ arvif = rcu_dereference(ahvif->link[link_id]);
+--
+2.51.0
+
--- /dev/null
+From 044ee9451d71697f880f1e07c76b92a1eb105ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jan 2026 14:11:21 +1100
+Subject: wifi: mac80211: don't perform DA check on S1G beacon
+
+From: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+
+[ Upstream commit 5dc6975566f5d142ec53eb7e97af688c45dd314d ]
+
+S1G beacons don't contain the DA field as per IEEE80211-2024 9.3.4.3,
+so the DA broadcast check reads the SA address of the S1G beacon which
+will subsequently lead to the beacon being dropped. As a result, passive
+scanning is not possible. Fix this by only performing the check on
+non-S1G beacons to allow S1G long beacons to be processed during a
+passive scan.
+
+Fixes: ddf82e752f8a ("wifi: mac80211: Allow beacons to update BSS table regardless of scan")
+Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
+Link: https://patch.msgid.link/20260120031122.309942-1-lachlan.hodges@morsemicro.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/scan.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
+index bb9563f50e7b4..1e06a465b49e3 100644
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -343,8 +343,13 @@ void ieee80211_scan_rx(struct ieee80211_local *local, struct sk_buff *skb)
+ mgmt->da))
+ return;
+ } else {
+- /* Beacons are expected only with broadcast address */
+- if (!is_broadcast_ether_addr(mgmt->da))
++ /*
++ * Non-S1G beacons are expected only with broadcast address.
++ * S1G beacons only carry the SA so no DA check is required
++ * nor possible.
++ */
++ if (!ieee80211_is_s1g_beacon(mgmt->frame_control) &&
++ !is_broadcast_ether_addr(mgmt->da))
+ return;
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 22ea4f4c7532b32c1787d70f39db957793adee0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 22:00:37 +0530
+Subject: amd-xgbe: avoid misleading per-packet error log
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit c158f985cf6c2c36c99c4f67af2ff3f5ebe09f8f ]
+
+On the receive path, packet can be damaged because of buffer
+overflow in Rx FIFO. Avoid misleading per-packet error log when
+packet->errors is set, this can flood the log. Instead, rely on the
+standard rtnl_link_stats64 stats.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20260114163037.2062606-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index b4d57da71de2a..3d6f8f3a83366 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2105,7 +2105,7 @@ static void xgbe_get_stats64(struct net_device *netdev,
+ s->multicast = pstats->rxmulticastframes_g;
+ s->rx_length_errors = pstats->rxlengtherror;
+ s->rx_crc_errors = pstats->rxcrcerror;
+- s->rx_fifo_errors = pstats->rxfifooverflow;
++ s->rx_over_errors = pstats->rxfifooverflow;
+
+ s->tx_packets = pstats->txframecount_gb;
+ s->tx_bytes = pstats->txoctetcount_gb;
+@@ -2559,9 +2559,6 @@ static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
+ goto read_again;
+
+ if (error || packet->errors) {
+- if (packet->errors)
+- netif_err(pdata, rx_err, netdev,
+- "error in received packet\n");
+ dev_kfree_skb(skb);
+ goto next_packet;
+ }
+--
+2.51.0
+
--- /dev/null
+From 9b16963d86b0a58d5e6541140e9be53189223db2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:49 +0100
+Subject: ata: libata: Add cpr_log to ata_dev_print_features() early return
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ]
+
+ata_dev_print_features() is supposed to return early and not print anything
+if there are no features supported.
+
+However, commit fe22e1c2f705 ("libata: support concurrent positioning
+ranges log") added another feature to ata_dev_print_features() without
+updating the early return conditional.
+
+Add the missing feature to the early return conditional.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index f627753519b97..f332835156dbc 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2782,7 +2782,7 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+- if (!(dev->flags & ATA_DFLAG_FEATURES_MASK))
++ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+ return;
+
+ ata_dev_info(dev,
+--
+2.51.0
+
--- /dev/null
+From 7c9945e440086ed4cb8cda6f1c76deb6794fd6e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:47 +0100
+Subject: ata: libata: Call ata_dev_config_lpm() for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ]
+
+Commit d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+introduced ata_dev_config_lpm(). However, it only called this function for
+ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices.
+
+Additionally, commit d99a9142e782 ("ata: libata-core: Move device LPM quirk
+settings to ata_dev_config_lpm()") moved the LPM quirk application from
+ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI
+devices to no longer be applied.
+
+Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are
+applied for ATAPI devices with an entry in __ata_dev_quirks once again.
+
+Fixes: d360121832d8 ("ata: libata-core: Introduce ata_dev_config_lpm()")
+Fixes: d99a9142e782 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index b748c8ead39de..e51a27ae0a7d2 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3047,6 +3047,8 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_mode_string(xfer_mask),
+ cdb_intr_string, atapi_an_string,
+ dma_dir_string);
++
++ ata_dev_config_lpm(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 04818c634eaa7204577ff7f521357c15170651d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:53:12 +0900
+Subject: ata: libata-core: Introduce ata_dev_config_lpm()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit d360121832d8a36871249271df5b9ff05f835f62 ]
+
+If the port of a device does not support Device Initiated Power
+Management (DIPM), that is, the port is flagged with ATA_FLAG_NO_DIPM,
+the DIPM feature of a device should not be used. Though DIPM is disabled
+by default on a device, the "Software Settings Preservation feature"
+may keep DIPM enabled or DIPM may have been enabled by the system
+firmware.
+
+Introduce the function ata_dev_config_lpm() to always disable DIPM on a
+device that supports this feature if the port of the device is flagged
+with ATA_FLAG_NO_DIPM. ata_dev_config_lpm() is called from
+ata_dev_configure(), ensuring that a device DIPM feature is disabled
+when it cannot be used.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20250701125321.69496-2-dlemoal@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Stable-dep-of: c8c6fb886f57 ("ata: libata: Print features also for ATAPI devices")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index f332835156dbc..b748c8ead39de 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2780,6 +2780,30 @@ static void ata_dev_config_cpr(struct ata_device *dev)
+ kfree(buf);
+ }
+
++/*
++ * Configure features related to link power management.
++ */
++static void ata_dev_config_lpm(struct ata_device *dev)
++{
++ struct ata_port *ap = dev->link->ap;
++ unsigned int err_mask;
++
++ /*
++ * Device Initiated Power Management (DIPM) is normally disabled by
++ * default on a device. However, DIPM may have been enabled and that
++ * setting kept even after COMRESET because of the Software Settings
++ * Preservation feature. So if the port does not support DIPM and the
++ * device does, disable DIPM on the device.
++ */
++ if (ap->flags & ATA_FLAG_NO_DIPM && ata_id_has_dipm(dev->id)) {
++ err_mask = ata_dev_set_feature(dev,
++ SETFEATURES_SATA_DISABLE, SATA_DIPM);
++ if (err_mask && err_mask != AC_ERR_DEV)
++ ata_dev_err(dev, "Disable DIPM failed, Emask 0x%x\n",
++ err_mask);
++ }
++}
++
+ static void ata_dev_print_features(struct ata_device *dev)
+ {
+ if (!(dev->flags & ATA_DFLAG_FEATURES_MASK) && !dev->cpr_log)
+@@ -2949,6 +2973,7 @@ int ata_dev_configure(struct ata_device *dev)
+ ata_dev_config_chs(dev);
+ }
+
++ ata_dev_config_lpm(dev);
+ ata_dev_config_fua(dev);
+ ata_dev_config_devslp(dev);
+ ata_dev_config_sense_reporting(dev);
+--
+2.51.0
+
--- /dev/null
+From 22f2f80d73dd72d7ae81c4180662d1d72ed26f0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 13:20:51 +0100
+Subject: ata: libata: Print features also for ATAPI devices
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ]
+
+Commit d633b8a702ab ("libata: print feature list on device scan")
+added a print of the features supported by the device for ATA_DEV_ATA and
+ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices.
+
+Fix this by printing the features also for ATAPI devices.
+
+Before changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+
+After changes:
+ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133
+ata1.00: Features: Dev-Attention HIPM DIPM
+
+Fixes: d633b8a702ab ("libata: print feature list on device scan")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Tested-by: Wolf <wolf@yoxt.cc>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index e51a27ae0a7d2..d5e713f284b71 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3049,6 +3049,9 @@ int ata_dev_configure(struct ata_device *dev)
+ dma_dir_string);
+
+ ata_dev_config_lpm(dev);
++
++ if (print_info)
++ ata_dev_print_features(dev);
+ }
+
+ /* determine max_sectors */
+--
+2.51.0
+
--- /dev/null
+From 2aaf19d90798be40bfc7c1579316d0e683702471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 19:12:01 +0000
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 ]
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+ </TASK>
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andrew Lunn <andrew+netdev@lunn.ch>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b3ccc064cbff2..9dfbbf4cd71f0 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1942,6 +1942,12 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ SLAVE_NL_ERR(bond_dev, slave_dev, extack,
++ "8023AD mode requires Ethernet devices");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+--
+2.51.0
+
--- /dev/null
+From 64c992f99f08f5823cf15cb6c357519d38147563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 14:10:10 +0100
+Subject: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
+ usb_submit_urb() error
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 ]
+
+In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix
+URB memory leak"), the URB was re-anchored before usb_submit_urb() in
+gs_usb_receive_bulk_callback() to prevent a leak of this URB during
+cleanup.
+
+However, this patch did not take into account that usb_submit_urb() could
+fail. The URB remains anchored and
+usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops
+infinitely since the anchor list never becomes empty.
+
+To fix the bug, unanchor the URB when an usb_submit_urb() error occurs,
+also print an info message.
+
+Fixes: 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/all/20260110223836.3890248-1-kuba@kernel.org/
+Link: https://patch.msgid.link/20260116-can_usb-fix-reanchor-v1-1-9d74e7289225@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/gs_usb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
+index d3837252e505a..63439affd59d5 100644
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -751,6 +751,10 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ usb_anchor_urb(urb, &parent->rx_submitted);
+
+ rc = usb_submit_urb(urb, GFP_ATOMIC);
++ if (!rc)
++ return;
++
++ usb_unanchor_urb(urb);
+
+ /* USB failure take down all interfaces */
+ if (rc == -ENODEV) {
+@@ -759,6 +763,9 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
+ if (parent->canch[rc])
+ netif_device_detach(parent->canch[rc]->netdev);
+ }
++ } else if (rc != -ESHUTDOWN && net_ratelimit()) {
++ netdev_info(netdev, "failed to re-submit IN URB: %pe\n",
++ ERR_PTR(urb->status));
+ }
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 5bde089ad117356b8b9bf33680fbd3b7bfbe71d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 16:03:58 +0900
+Subject: crypto: authencesn - reject too-short AAD (assoclen<8) to match
+ ESP/ESN spec
+
+From: Taeyang Lee <0wn@theori.io>
+
+[ Upstream commit 2397e9264676be7794f8f7f1e9763d90bd3c7335 ]
+
+authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
+the minimum expected length, crypto_authenc_esn_decrypt() can advance past
+the end of the destination scatterlist and trigger a NULL pointer dereference
+in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).
+
+Add a minimum AAD length check to fail fast on invalid inputs.
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
+Reported-By: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Taeyang Lee <0wn@theori.io>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/authencesn.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/authencesn.c b/crypto/authencesn.c
+index 91424e791d5c7..29ff3a0e86c09 100644
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -189,6 +189,9 @@ static int crypto_authenc_esn_encrypt(struct aead_request *req)
+ struct scatterlist *src, *dst;
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ sg_init_table(areq_ctx->src, 2);
+ src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
+ dst = src;
+@@ -281,6 +284,9 @@ static int crypto_authenc_esn_decrypt(struct aead_request *req)
+ u32 tmp[2];
+ int err;
+
++ if (assoclen < 8)
++ return -EINVAL;
++
+ cryptlen -= authsize;
+
+ if (req->src != dst) {
+--
+2.51.0
+
--- /dev/null
+From ea00a65b0be91f41e857fbf0db5413bf6206979e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Dec 2025 18:36:20 +0100
+Subject: dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ]
+
+Not sure how useful it's gonna be in practice, but the definition is
+missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it
+to allow the driver to create the corresponding pmdomain.
+
+Fixes: dbfb5f94e084 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains")
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/power/qcom,rpmhpd.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
+index 758c3487bd662..0abd1c4c53143 100644
+--- a/include/dt-bindings/power/qcom,rpmhpd.h
++++ b/include/dt-bindings/power/qcom,rpmhpd.h
+@@ -260,5 +260,6 @@
+ #define SC8280XP_NSP 13
+ #define SC8280XP_QPHY 14
+ #define SC8280XP_XO 15
++#define SC8280XP_MXC_AO 16
+
+ #endif
+--
+2.51.0
+
--- /dev/null
+From 56f9f23952a0e7d1ff44bfbf2be7af82a1df9849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Sep 2023 20:59:51 +0300
+Subject: dt-bindings: power: qcom,rpmpd: Add SM7150
+
+From: Danila Tikhonov <danila@jiaxyga.com>
+
+[ Upstream commit 0cd3f86ad558d3f585634e211c6fccbe786cbc28 ]
+
+Add a compatible for SM7150 platforms.
+
+Signed-off-by: Danila Tikhonov <danila@jiaxyga.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230916175952.178611-2-danila@jiaxyga.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+index 9b03c41d3604e..53886f02d98a9 100644
+--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+@@ -46,6 +46,7 @@ properties:
+ - qcom,sm6125-rpmpd
+ - qcom,sm6350-rpmhpd
+ - qcom,sm6375-rpmpd
++ - qcom,sm7150-rpmhpd
+ - qcom,sm8150-rpmhpd
+ - qcom,sm8250-rpmhpd
+ - qcom,sm8350-rpmhpd
+--
+2.51.0
+
--- /dev/null
+From 89e504561952780ccced0b7980a7571738b47559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:50:45 +0530
+Subject: dt-bindings: power: qcom,rpmpd: add Turbo L5 corner
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit 1c402295c10891988fb2a6fc658e6e95d4852a20 ]
+
+Update the RPMH level definitions to include TURBO_L5 corner.
+
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/661840/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/power/qcom-rpmpd.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
+index ced784a8afc12..73b3655155ec0 100644
+--- a/include/dt-bindings/power/qcom-rpmpd.h
++++ b/include/dt-bindings/power/qcom-rpmpd.h
+@@ -240,6 +240,7 @@
+ #define RPMH_REGULATOR_LEVEL_TURBO_L2 432
+ #define RPMH_REGULATOR_LEVEL_TURBO_L3 448
+ #define RPMH_REGULATOR_LEVEL_TURBO_L4 452
++#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
+ #define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
+ #define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
+
+--
+2.51.0
+
--- /dev/null
+From 33a389b1e1a546b4f2812b245838eeb3e47b8b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 09:32:02 +0200
+Subject: dt-bindings: power: qcom,rpmpd: document the SM8650 RPMh Power
+ Domains
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit d4d56c079ddd19293b11de1f2309add0b8972af2 ]
+
+Document the RPMh Power Domains on the SM8650 Platform.
+
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20231025-topic-sm8650-upstream-rpmpd-v1-1-f25d313104c6@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 +
+ include/dt-bindings/power/qcom,rpmhpd.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+index d38c762e12804..2803f7d568217 100644
+--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+@@ -55,6 +55,7 @@ properties:
+ - qcom,sm8350-rpmhpd
+ - qcom,sm8450-rpmhpd
+ - qcom,sm8550-rpmhpd
++ - qcom,sm8650-rpmhpd
+ - items:
+ - enum:
+ - qcom,msm8937-rpmpd
+diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
+index 7c201a66bc691..0f6a74e099701 100644
+--- a/include/dt-bindings/power/qcom,rpmhpd.h
++++ b/include/dt-bindings/power/qcom,rpmhpd.h
+@@ -26,5 +26,6 @@
+ #define RPMHPD_QPHY 16
+ #define RPMHPD_DDR 17
+ #define RPMHPD_XO 18
++#define RPMHPD_NSP2 19
+
+ #endif
+--
+2.51.0
+
--- /dev/null
+From ceb54ef56e6a0c89c1747822403df993e3641210 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 16:24:43 -0800
+Subject: dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power
+ Domains
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+[ Upstream commit 134e9d035d830aabd1121bcda89f7ee9a476d3a3 ]
+
+Document the RPMh Power Domains on the SM8750 Platform.
+
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Signed-off-by: Jishnu Prakash <quic_jprakash@quicinc.com>
+Signed-off-by: Melody Olvera <quic_molvera@quicinc.com>
+Message-ID: <20241112002444.2802092-2-quic_molvera@quicinc.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 +
+ include/dt-bindings/power/qcom-rpmpd.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+index 2ff246cf8b81d..bb01bf5663f37 100644
+--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+@@ -56,6 +56,7 @@ properties:
+ - qcom,sm8450-rpmhpd
+ - qcom,sm8550-rpmhpd
+ - qcom,sm8650-rpmhpd
++ - qcom,sm8750-rpmhpd
+ - qcom,x1e80100-rpmhpd
+ - items:
+ - enum:
+diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
+index 7f4e2983a4c57..ced784a8afc12 100644
+--- a/include/dt-bindings/power/qcom-rpmpd.h
++++ b/include/dt-bindings/power/qcom-rpmpd.h
+@@ -218,6 +218,7 @@
+ /* SDM845 Power Domain performance levels */
+ #define RPMH_REGULATOR_LEVEL_RETENTION 16
+ #define RPMH_REGULATOR_LEVEL_MIN_SVS 48
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
+ #define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
+ #define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
+ #define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
+@@ -238,6 +239,7 @@
+ #define RPMH_REGULATOR_LEVEL_TURBO_L1 416
+ #define RPMH_REGULATOR_LEVEL_TURBO_L2 432
+ #define RPMH_REGULATOR_LEVEL_TURBO_L3 448
++#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
+ #define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
+ #define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
+
+--
+2.51.0
+
--- /dev/null
+From f9206e3ae1b74cd3b04266a0725b1921f6d0d692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 19:13:39 +0300
+Subject: dt-bindings: power: qcom-rpmpd: split RPMh domains definitions
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit dcb8d01b65fb5a891ddbbedcbe6eff0b8ec37867 ]
+
+Historically both RPM and RPMh domain definitions were a part of the
+same, qcom-rpmpd.h header. Now as we have a separate header for RPMh
+definitions, qcom,rpmhpd.h, move all RPMh power domain definitions to
+that header.
+
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20250718-rework-rpmhpd-rpmpd-v1-1-eedca108e540@oss.qualcomm.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/dt-bindings/power/qcom,rpmhpd.h | 233 ++++++++++++++++++++++++
+ include/dt-bindings/power/qcom-rpmpd.h | 228 +----------------------
+ 2 files changed, 234 insertions(+), 227 deletions(-)
+
+diff --git a/include/dt-bindings/power/qcom,rpmhpd.h b/include/dt-bindings/power/qcom,rpmhpd.h
+index 0f6a74e099701..758c3487bd662 100644
+--- a/include/dt-bindings/power/qcom,rpmhpd.h
++++ b/include/dt-bindings/power/qcom,rpmhpd.h
+@@ -28,4 +28,237 @@
+ #define RPMHPD_XO 18
+ #define RPMHPD_NSP2 19
+
++/* RPMh Power Domain performance levels */
++#define RPMH_REGULATOR_LEVEL_RETENTION 16
++#define RPMH_REGULATOR_LEVEL_MIN_SVS 48
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
++#define RPMH_REGULATOR_LEVEL_LOW_SVS 64
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80
++#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96
++#define RPMH_REGULATOR_LEVEL_SVS 128
++#define RPMH_REGULATOR_LEVEL_SVS_L0 144
++#define RPMH_REGULATOR_LEVEL_SVS_L1 192
++#define RPMH_REGULATOR_LEVEL_SVS_L2 224
++#define RPMH_REGULATOR_LEVEL_NOM 256
++#define RPMH_REGULATOR_LEVEL_NOM_L0 288
++#define RPMH_REGULATOR_LEVEL_NOM_L1 320
++#define RPMH_REGULATOR_LEVEL_NOM_L2 336
++#define RPMH_REGULATOR_LEVEL_TURBO 384
++#define RPMH_REGULATOR_LEVEL_TURBO_L0 400
++#define RPMH_REGULATOR_LEVEL_TURBO_L1 416
++#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
++#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
++#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
++#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
++#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
++#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
++
++/*
++ * Platform-specific power domain bindings. Don't add new entries here, use
++ * RPMHPD_* above.
++ */
++
++/* SA8775P Power Domain Indexes */
++#define SA8775P_CX 0
++#define SA8775P_CX_AO 1
++#define SA8775P_DDR 2
++#define SA8775P_EBI 3
++#define SA8775P_GFX 4
++#define SA8775P_LCX 5
++#define SA8775P_LMX 6
++#define SA8775P_MMCX 7
++#define SA8775P_MMCX_AO 8
++#define SA8775P_MSS 9
++#define SA8775P_MX 10
++#define SA8775P_MX_AO 11
++#define SA8775P_MXC 12
++#define SA8775P_MXC_AO 13
++#define SA8775P_NSP0 14
++#define SA8775P_NSP1 15
++#define SA8775P_XO 16
++
++/* SDM670 Power Domain Indexes */
++#define SDM670_MX 0
++#define SDM670_MX_AO 1
++#define SDM670_CX 2
++#define SDM670_CX_AO 3
++#define SDM670_LMX 4
++#define SDM670_LCX 5
++#define SDM670_GFX 6
++#define SDM670_MSS 7
++
++/* SDM845 Power Domain Indexes */
++#define SDM845_EBI 0
++#define SDM845_MX 1
++#define SDM845_MX_AO 2
++#define SDM845_CX 3
++#define SDM845_CX_AO 4
++#define SDM845_LMX 5
++#define SDM845_LCX 6
++#define SDM845_GFX 7
++#define SDM845_MSS 8
++
++/* SDX55 Power Domain Indexes */
++#define SDX55_MSS 0
++#define SDX55_MX 1
++#define SDX55_CX 2
++
++/* SDX65 Power Domain Indexes */
++#define SDX65_MSS 0
++#define SDX65_MX 1
++#define SDX65_MX_AO 2
++#define SDX65_CX 3
++#define SDX65_CX_AO 4
++#define SDX65_MXC 5
++
++/* SM6350 Power Domain Indexes */
++#define SM6350_CX 0
++#define SM6350_GFX 1
++#define SM6350_LCX 2
++#define SM6350_LMX 3
++#define SM6350_MSS 4
++#define SM6350_MX 5
++
++/* SM8150 Power Domain Indexes */
++#define SM8150_MSS 0
++#define SM8150_EBI 1
++#define SM8150_LMX 2
++#define SM8150_LCX 3
++#define SM8150_GFX 4
++#define SM8150_MX 5
++#define SM8150_MX_AO 6
++#define SM8150_CX 7
++#define SM8150_CX_AO 8
++#define SM8150_MMCX 9
++#define SM8150_MMCX_AO 10
++
++/* SA8155P is a special case, kept for backwards compatibility */
++#define SA8155P_CX SM8150_CX
++#define SA8155P_CX_AO SM8150_CX_AO
++#define SA8155P_EBI SM8150_EBI
++#define SA8155P_GFX SM8150_GFX
++#define SA8155P_MSS SM8150_MSS
++#define SA8155P_MX SM8150_MX
++#define SA8155P_MX_AO SM8150_MX_AO
++
++/* SM8250 Power Domain Indexes */
++#define SM8250_CX 0
++#define SM8250_CX_AO 1
++#define SM8250_EBI 2
++#define SM8250_GFX 3
++#define SM8250_LCX 4
++#define SM8250_LMX 5
++#define SM8250_MMCX 6
++#define SM8250_MMCX_AO 7
++#define SM8250_MX 8
++#define SM8250_MX_AO 9
++
++/* SM8350 Power Domain Indexes */
++#define SM8350_CX 0
++#define SM8350_CX_AO 1
++#define SM8350_EBI 2
++#define SM8350_GFX 3
++#define SM8350_LCX 4
++#define SM8350_LMX 5
++#define SM8350_MMCX 6
++#define SM8350_MMCX_AO 7
++#define SM8350_MX 8
++#define SM8350_MX_AO 9
++#define SM8350_MXC 10
++#define SM8350_MXC_AO 11
++#define SM8350_MSS 12
++
++/* SM8450 Power Domain Indexes */
++#define SM8450_CX 0
++#define SM8450_CX_AO 1
++#define SM8450_EBI 2
++#define SM8450_GFX 3
++#define SM8450_LCX 4
++#define SM8450_LMX 5
++#define SM8450_MMCX 6
++#define SM8450_MMCX_AO 7
++#define SM8450_MX 8
++#define SM8450_MX_AO 9
++#define SM8450_MXC 10
++#define SM8450_MXC_AO 11
++#define SM8450_MSS 12
++
++/* SM8550 Power Domain Indexes */
++#define SM8550_CX 0
++#define SM8550_CX_AO 1
++#define SM8550_EBI 2
++#define SM8550_GFX 3
++#define SM8550_LCX 4
++#define SM8550_LMX 5
++#define SM8550_MMCX 6
++#define SM8550_MMCX_AO 7
++#define SM8550_MX 8
++#define SM8550_MX_AO 9
++#define SM8550_MXC 10
++#define SM8550_MXC_AO 11
++#define SM8550_MSS 12
++#define SM8550_NSP 13
++
++/* QDU1000/QRU1000 Power Domain Indexes */
++#define QDU1000_EBI 0
++#define QDU1000_MSS 1
++#define QDU1000_CX 2
++#define QDU1000_MX 3
++
++/* SC7180 Power Domain Indexes */
++#define SC7180_CX 0
++#define SC7180_CX_AO 1
++#define SC7180_GFX 2
++#define SC7180_MX 3
++#define SC7180_MX_AO 4
++#define SC7180_LMX 5
++#define SC7180_LCX 6
++#define SC7180_MSS 7
++
++/* SC7280 Power Domain Indexes */
++#define SC7280_CX 0
++#define SC7280_CX_AO 1
++#define SC7280_EBI 2
++#define SC7280_GFX 3
++#define SC7280_MX 4
++#define SC7280_MX_AO 5
++#define SC7280_LMX 6
++#define SC7280_LCX 7
++#define SC7280_MSS 8
++
++/* SC8180X Power Domain Indexes */
++#define SC8180X_CX 0
++#define SC8180X_CX_AO 1
++#define SC8180X_EBI 2
++#define SC8180X_GFX 3
++#define SC8180X_LCX 4
++#define SC8180X_LMX 5
++#define SC8180X_MMCX 6
++#define SC8180X_MMCX_AO 7
++#define SC8180X_MSS 8
++#define SC8180X_MX 9
++#define SC8180X_MX_AO 10
++
++/* SC8280XP Power Domain Indexes */
++#define SC8280XP_CX 0
++#define SC8280XP_CX_AO 1
++#define SC8280XP_DDR 2
++#define SC8280XP_EBI 3
++#define SC8280XP_GFX 4
++#define SC8280XP_LCX 5
++#define SC8280XP_LMX 6
++#define SC8280XP_MMCX 7
++#define SC8280XP_MMCX_AO 8
++#define SC8280XP_MSS 9
++#define SC8280XP_MX 10
++#define SC8280XP_MXC 12
++#define SC8280XP_MX_AO 11
++#define SC8280XP_NSP 13
++#define SC8280XP_QPHY 14
++#define SC8280XP_XO 15
++
+ #endif
+diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
+index 73b3655155ec0..f160f373be2a3 100644
+--- a/include/dt-bindings/power/qcom-rpmpd.h
++++ b/include/dt-bindings/power/qcom-rpmpd.h
+@@ -4,66 +4,7 @@
+ #ifndef _DT_BINDINGS_POWER_QCOM_RPMPD_H
+ #define _DT_BINDINGS_POWER_QCOM_RPMPD_H
+
+-/* SA8775P Power Domain Indexes */
+-#define SA8775P_CX 0
+-#define SA8775P_CX_AO 1
+-#define SA8775P_DDR 2
+-#define SA8775P_EBI 3
+-#define SA8775P_GFX 4
+-#define SA8775P_LCX 5
+-#define SA8775P_LMX 6
+-#define SA8775P_MMCX 7
+-#define SA8775P_MMCX_AO 8
+-#define SA8775P_MSS 9
+-#define SA8775P_MX 10
+-#define SA8775P_MX_AO 11
+-#define SA8775P_MXC 12
+-#define SA8775P_MXC_AO 13
+-#define SA8775P_NSP0 14
+-#define SA8775P_NSP1 15
+-#define SA8775P_XO 16
+-
+-/* SDM670 Power Domain Indexes */
+-#define SDM670_MX 0
+-#define SDM670_MX_AO 1
+-#define SDM670_CX 2
+-#define SDM670_CX_AO 3
+-#define SDM670_LMX 4
+-#define SDM670_LCX 5
+-#define SDM670_GFX 6
+-#define SDM670_MSS 7
+-
+-/* SDM845 Power Domain Indexes */
+-#define SDM845_EBI 0
+-#define SDM845_MX 1
+-#define SDM845_MX_AO 2
+-#define SDM845_CX 3
+-#define SDM845_CX_AO 4
+-#define SDM845_LMX 5
+-#define SDM845_LCX 6
+-#define SDM845_GFX 7
+-#define SDM845_MSS 8
+-
+-/* SDX55 Power Domain Indexes */
+-#define SDX55_MSS 0
+-#define SDX55_MX 1
+-#define SDX55_CX 2
+-
+-/* SDX65 Power Domain Indexes */
+-#define SDX65_MSS 0
+-#define SDX65_MX 1
+-#define SDX65_MX_AO 2
+-#define SDX65_CX 3
+-#define SDX65_CX_AO 4
+-#define SDX65_MXC 5
+-
+-/* SM6350 Power Domain Indexes */
+-#define SM6350_CX 0
+-#define SM6350_GFX 1
+-#define SM6350_LCX 2
+-#define SM6350_LMX 3
+-#define SM6350_MSS 4
+-#define SM6350_MX 5
++#include <dt-bindings/power/qcom,rpmhpd.h>
+
+ /* SM6350 Power Domain Indexes */
+ #define SM6375_VDDCX 0
+@@ -77,173 +18,6 @@
+ #define SM6375_VDD_LPI_CX 8
+ #define SM6375_VDD_LPI_MX 9
+
+-/* SM8150 Power Domain Indexes */
+-#define SM8150_MSS 0
+-#define SM8150_EBI 1
+-#define SM8150_LMX 2
+-#define SM8150_LCX 3
+-#define SM8150_GFX 4
+-#define SM8150_MX 5
+-#define SM8150_MX_AO 6
+-#define SM8150_CX 7
+-#define SM8150_CX_AO 8
+-#define SM8150_MMCX 9
+-#define SM8150_MMCX_AO 10
+-
+-/* SA8155P is a special case, kept for backwards compatibility */
+-#define SA8155P_CX SM8150_CX
+-#define SA8155P_CX_AO SM8150_CX_AO
+-#define SA8155P_EBI SM8150_EBI
+-#define SA8155P_GFX SM8150_GFX
+-#define SA8155P_MSS SM8150_MSS
+-#define SA8155P_MX SM8150_MX
+-#define SA8155P_MX_AO SM8150_MX_AO
+-
+-/* SM8250 Power Domain Indexes */
+-#define SM8250_CX 0
+-#define SM8250_CX_AO 1
+-#define SM8250_EBI 2
+-#define SM8250_GFX 3
+-#define SM8250_LCX 4
+-#define SM8250_LMX 5
+-#define SM8250_MMCX 6
+-#define SM8250_MMCX_AO 7
+-#define SM8250_MX 8
+-#define SM8250_MX_AO 9
+-
+-/* SM8350 Power Domain Indexes */
+-#define SM8350_CX 0
+-#define SM8350_CX_AO 1
+-#define SM8350_EBI 2
+-#define SM8350_GFX 3
+-#define SM8350_LCX 4
+-#define SM8350_LMX 5
+-#define SM8350_MMCX 6
+-#define SM8350_MMCX_AO 7
+-#define SM8350_MX 8
+-#define SM8350_MX_AO 9
+-#define SM8350_MXC 10
+-#define SM8350_MXC_AO 11
+-#define SM8350_MSS 12
+-
+-/* SM8450 Power Domain Indexes */
+-#define SM8450_CX 0
+-#define SM8450_CX_AO 1
+-#define SM8450_EBI 2
+-#define SM8450_GFX 3
+-#define SM8450_LCX 4
+-#define SM8450_LMX 5
+-#define SM8450_MMCX 6
+-#define SM8450_MMCX_AO 7
+-#define SM8450_MX 8
+-#define SM8450_MX_AO 9
+-#define SM8450_MXC 10
+-#define SM8450_MXC_AO 11
+-#define SM8450_MSS 12
+-
+-/* SM8550 Power Domain Indexes */
+-#define SM8550_CX 0
+-#define SM8550_CX_AO 1
+-#define SM8550_EBI 2
+-#define SM8550_GFX 3
+-#define SM8550_LCX 4
+-#define SM8550_LMX 5
+-#define SM8550_MMCX 6
+-#define SM8550_MMCX_AO 7
+-#define SM8550_MX 8
+-#define SM8550_MX_AO 9
+-#define SM8550_MXC 10
+-#define SM8550_MXC_AO 11
+-#define SM8550_MSS 12
+-#define SM8550_NSP 13
+-
+-/* QDU1000/QRU1000 Power Domain Indexes */
+-#define QDU1000_EBI 0
+-#define QDU1000_MSS 1
+-#define QDU1000_CX 2
+-#define QDU1000_MX 3
+-
+-/* SC7180 Power Domain Indexes */
+-#define SC7180_CX 0
+-#define SC7180_CX_AO 1
+-#define SC7180_GFX 2
+-#define SC7180_MX 3
+-#define SC7180_MX_AO 4
+-#define SC7180_LMX 5
+-#define SC7180_LCX 6
+-#define SC7180_MSS 7
+-
+-/* SC7280 Power Domain Indexes */
+-#define SC7280_CX 0
+-#define SC7280_CX_AO 1
+-#define SC7280_EBI 2
+-#define SC7280_GFX 3
+-#define SC7280_MX 4
+-#define SC7280_MX_AO 5
+-#define SC7280_LMX 6
+-#define SC7280_LCX 7
+-#define SC7280_MSS 8
+-
+-/* SC8180X Power Domain Indexes */
+-#define SC8180X_CX 0
+-#define SC8180X_CX_AO 1
+-#define SC8180X_EBI 2
+-#define SC8180X_GFX 3
+-#define SC8180X_LCX 4
+-#define SC8180X_LMX 5
+-#define SC8180X_MMCX 6
+-#define SC8180X_MMCX_AO 7
+-#define SC8180X_MSS 8
+-#define SC8180X_MX 9
+-#define SC8180X_MX_AO 10
+-
+-/* SC8280XP Power Domain Indexes */
+-#define SC8280XP_CX 0
+-#define SC8280XP_CX_AO 1
+-#define SC8280XP_DDR 2
+-#define SC8280XP_EBI 3
+-#define SC8280XP_GFX 4
+-#define SC8280XP_LCX 5
+-#define SC8280XP_LMX 6
+-#define SC8280XP_MMCX 7
+-#define SC8280XP_MMCX_AO 8
+-#define SC8280XP_MSS 9
+-#define SC8280XP_MX 10
+-#define SC8280XP_MXC 12
+-#define SC8280XP_MX_AO 11
+-#define SC8280XP_NSP 13
+-#define SC8280XP_QPHY 14
+-#define SC8280XP_XO 15
+-
+-/* SDM845 Power Domain performance levels */
+-#define RPMH_REGULATOR_LEVEL_RETENTION 16
+-#define RPMH_REGULATOR_LEVEL_MIN_SVS 48
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D3 50
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D2 52
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D1 56
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_D0 60
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS 64
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_P1 72
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L1 80
+-#define RPMH_REGULATOR_LEVEL_LOW_SVS_L2 96
+-#define RPMH_REGULATOR_LEVEL_SVS 128
+-#define RPMH_REGULATOR_LEVEL_SVS_L0 144
+-#define RPMH_REGULATOR_LEVEL_SVS_L1 192
+-#define RPMH_REGULATOR_LEVEL_SVS_L2 224
+-#define RPMH_REGULATOR_LEVEL_NOM 256
+-#define RPMH_REGULATOR_LEVEL_NOM_L0 288
+-#define RPMH_REGULATOR_LEVEL_NOM_L1 320
+-#define RPMH_REGULATOR_LEVEL_NOM_L2 336
+-#define RPMH_REGULATOR_LEVEL_TURBO 384
+-#define RPMH_REGULATOR_LEVEL_TURBO_L0 400
+-#define RPMH_REGULATOR_LEVEL_TURBO_L1 416
+-#define RPMH_REGULATOR_LEVEL_TURBO_L2 432
+-#define RPMH_REGULATOR_LEVEL_TURBO_L3 448
+-#define RPMH_REGULATOR_LEVEL_TURBO_L4 452
+-#define RPMH_REGULATOR_LEVEL_TURBO_L5 456
+-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO 464
+-#define RPMH_REGULATOR_LEVEL_SUPER_TURBO_NO_CPR 480
+-
+ /* MDM9607 Power Domains */
+ #define MDM9607_VDDCX 0
+ #define MDM9607_VDDCX_AO 1
+--
+2.51.0
+
--- /dev/null
+From 3679a73e5aecd0ab7e2851b322d19be28052df76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Oct 2023 15:38:21 +0200
+Subject: dt-bindings: power: rpmpd: Add MSM8917, MSM8937 and QM215
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Otto Pflüger <otto.pflueger@abscue.de>
+
+[ Upstream commit 61848698288d93a230cab9c0585e726df66f2402 ]
+
+The MSM8917, MSM8937 and QM215 SoCs have VDDCX and VDDMX power domains
+controlled in voltage level mode. Define the MSM8937 and QM215 power
+domains as aliases because these SoCs are similar to MSM8917 and may
+share some parts of the device tree.
+
+Also add the compatibles for these SoCs to the documentation, with
+qcom,msm8937-rpmpd using qcom,msm8917-rpmpd as a fallback compatible
+because there are no known differences. QM215 is not compatible with
+these because it uses different regulators.
+
+Signed-off-by: Otto Pflüger <otto.pflueger@abscue.de>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20231014133823.14088-2-otto.pflueger@abscue.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../devicetree/bindings/power/qcom,rpmpd.yaml | 81 ++++++++++---------
+ include/dt-bindings/power/qcom-rpmpd.h | 21 +++++
+ 2 files changed, 65 insertions(+), 37 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+index 53886f02d98a9..d38c762e12804 100644
+--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+@@ -15,43 +15,50 @@ description:
+
+ properties:
+ compatible:
+- enum:
+- - qcom,mdm9607-rpmpd
+- - qcom,msm8226-rpmpd
+- - qcom,msm8909-rpmpd
+- - qcom,msm8916-rpmpd
+- - qcom,msm8939-rpmpd
+- - qcom,msm8953-rpmpd
+- - qcom,msm8976-rpmpd
+- - qcom,msm8994-rpmpd
+- - qcom,msm8996-rpmpd
+- - qcom,msm8998-rpmpd
+- - qcom,qcm2290-rpmpd
+- - qcom,qcs404-rpmpd
+- - qcom,qdu1000-rpmhpd
+- - qcom,sa8155p-rpmhpd
+- - qcom,sa8540p-rpmhpd
+- - qcom,sa8775p-rpmhpd
+- - qcom,sdm660-rpmpd
+- - qcom,sc7180-rpmhpd
+- - qcom,sc7280-rpmhpd
+- - qcom,sc8180x-rpmhpd
+- - qcom,sc8280xp-rpmhpd
+- - qcom,sdm670-rpmhpd
+- - qcom,sdm845-rpmhpd
+- - qcom,sdx55-rpmhpd
+- - qcom,sdx65-rpmhpd
+- - qcom,sdx75-rpmhpd
+- - qcom,sm6115-rpmpd
+- - qcom,sm6125-rpmpd
+- - qcom,sm6350-rpmhpd
+- - qcom,sm6375-rpmpd
+- - qcom,sm7150-rpmhpd
+- - qcom,sm8150-rpmhpd
+- - qcom,sm8250-rpmhpd
+- - qcom,sm8350-rpmhpd
+- - qcom,sm8450-rpmhpd
+- - qcom,sm8550-rpmhpd
++ oneOf:
++ - enum:
++ - qcom,mdm9607-rpmpd
++ - qcom,msm8226-rpmpd
++ - qcom,msm8909-rpmpd
++ - qcom,msm8916-rpmpd
++ - qcom,msm8917-rpmpd
++ - qcom,msm8939-rpmpd
++ - qcom,msm8953-rpmpd
++ - qcom,msm8976-rpmpd
++ - qcom,msm8994-rpmpd
++ - qcom,msm8996-rpmpd
++ - qcom,msm8998-rpmpd
++ - qcom,qcm2290-rpmpd
++ - qcom,qcs404-rpmpd
++ - qcom,qdu1000-rpmhpd
++ - qcom,qm215-rpmpd
++ - qcom,sa8155p-rpmhpd
++ - qcom,sa8540p-rpmhpd
++ - qcom,sa8775p-rpmhpd
++ - qcom,sc7180-rpmhpd
++ - qcom,sc7280-rpmhpd
++ - qcom,sc8180x-rpmhpd
++ - qcom,sc8280xp-rpmhpd
++ - qcom,sdm660-rpmpd
++ - qcom,sdm670-rpmhpd
++ - qcom,sdm845-rpmhpd
++ - qcom,sdx55-rpmhpd
++ - qcom,sdx65-rpmhpd
++ - qcom,sdx75-rpmhpd
++ - qcom,sm6115-rpmpd
++ - qcom,sm6125-rpmpd
++ - qcom,sm6350-rpmhpd
++ - qcom,sm6375-rpmpd
++ - qcom,sm7150-rpmhpd
++ - qcom,sm8150-rpmhpd
++ - qcom,sm8250-rpmhpd
++ - qcom,sm8350-rpmhpd
++ - qcom,sm8450-rpmhpd
++ - qcom,sm8550-rpmhpd
++ - items:
++ - enum:
++ - qcom,msm8937-rpmpd
++ - const: qcom,msm8917-rpmpd
+
+ '#power-domain-cells':
+ const: 1
+diff --git a/include/dt-bindings/power/qcom-rpmpd.h b/include/dt-bindings/power/qcom-rpmpd.h
+index 83be996cb5eb9..7f4e2983a4c57 100644
+--- a/include/dt-bindings/power/qcom-rpmpd.h
++++ b/include/dt-bindings/power/qcom-rpmpd.h
+@@ -278,6 +278,27 @@
+ #define MSM8909_VDDMX MSM8916_VDDMX
+ #define MSM8909_VDDMX_AO MSM8916_VDDMX_AO
+
++/* MSM8917 Power Domain Indexes */
++#define MSM8917_VDDCX 0
++#define MSM8917_VDDCX_AO 1
++#define MSM8917_VDDCX_VFL 2
++#define MSM8917_VDDMX 3
++#define MSM8917_VDDMX_AO 4
++
++/* MSM8937 Power Domain Indexes */
++#define MSM8937_VDDCX MSM8917_VDDCX
++#define MSM8937_VDDCX_AO MSM8917_VDDCX_AO
++#define MSM8937_VDDCX_VFL MSM8917_VDDCX_VFL
++#define MSM8937_VDDMX MSM8917_VDDMX
++#define MSM8937_VDDMX_AO MSM8917_VDDMX_AO
++
++/* QM215 Power Domain Indexes */
++#define QM215_VDDCX MSM8917_VDDCX
++#define QM215_VDDCX_AO MSM8917_VDDCX_AO
++#define QM215_VDDCX_VFL MSM8917_VDDCX_VFL
++#define QM215_VDDMX MSM8917_VDDMX
++#define QM215_VDDMX_AO MSM8917_VDDMX_AO
++
+ /* MSM8953 Power Domain Indexes */
+ #define MSM8953_VDDMD 0
+ #define MSM8953_VDDMD_AO 1
+--
+2.51.0
+
--- /dev/null
+From 319d767af3f1f02be668992b316054b56a82ed22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 15:30:20 +0530
+Subject: dt-bindings: power: rpmpd: Update part number to X1E80100
+
+From: Sibi Sankar <quic_sibis@quicinc.com>
+
+[ Upstream commit 3d123f513af055b4c085b555f9c856bbd7390536 ]
+
+There was a recent part number update from SC8380XP to X1E80100 and as
+a result of which the SC8380xp rpmpd bindings introduced is no longer
+correct. Given that it currently has no users, it was agreed that it
+can be updated to the correct part number (X1E80100) without causing
+any binding breakage.
+
+Signed-off-by: Sibi Sankar <quic_sibis@quicinc.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20231123100021.10918-2-quic_sibis@quicinc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 45e1be5ddec9 ("dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/power/qcom,rpmpd.yaml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+index 2803f7d568217..2ff246cf8b81d 100644
+--- a/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
++++ b/Documentation/devicetree/bindings/power/qcom,rpmpd.yaml
+@@ -56,6 +56,7 @@ properties:
+ - qcom,sm8450-rpmhpd
+ - qcom,sm8550-rpmhpd
+ - qcom,sm8650-rpmhpd
++ - qcom,x1e80100-rpmhpd
+ - items:
+ - enum:
+ - qcom,msm8937-rpmpd
+--
+2.51.0
+
--- /dev/null
+From e995ee522f4d5f145fc33b749493c26abbfc1ba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:48 +0000
+Subject: fou: Don't allow 0 for FOU_ATTR_IPPROTO.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 ]
+
+fou_udp_recv() has the same problem mentioned in the previous
+patch.
+
+If FOU_ATTR_IPPROTO is set to 0, skb is not freed by
+fou_udp_recv() nor "resubmit"-ted in ip_protocol_deliver_rcu().
+
+Let's forbid 0 for FOU_ATTR_IPPROTO.
+
+Fixes: 23461551c0062 ("fou: Support for foo-over-udp RX path")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/fou.yaml | 2 ++
+ net/ipv4/fou_nl.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/netlink/specs/fou.yaml b/Documentation/netlink/specs/fou.yaml
+index 0af5ab842c04d..91721ee406413 100644
+--- a/Documentation/netlink/specs/fou.yaml
++++ b/Documentation/netlink/specs/fou.yaml
+@@ -39,6 +39,8 @@ attribute-sets:
+ -
+ name: ipproto
+ type: u8
++ checks:
++ min: 1
+ -
+ name: type
+ type: u8
+diff --git a/net/ipv4/fou_nl.c b/net/ipv4/fou_nl.c
+index 98b90107b5abc..bbd955f4c9d19 100644
+--- a/net/ipv4/fou_nl.c
++++ b/net/ipv4/fou_nl.c
+@@ -14,7 +14,7 @@
+ const struct nla_policy fou_nl_policy[FOU_ATTR_IFINDEX + 1] = {
+ [FOU_ATTR_PORT] = { .type = NLA_U16, },
+ [FOU_ATTR_AF] = { .type = NLA_U8, },
+- [FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
++ [FOU_ATTR_IPPROTO] = NLA_POLICY_MIN(NLA_U8, 1),
+ [FOU_ATTR_TYPE] = { .type = NLA_U8, },
+ [FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+ [FOU_ATTR_LOCAL_V4] = { .type = NLA_U32, },
+--
+2.51.0
+
--- /dev/null
+From 9d3fa7347622064c6f82423fbe41af78c9ce5abb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:46 +0000
+Subject: gue: Fix skb memleak with inner IP protocol 0.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 9a56796ad258786d3624eef5aefba394fc9bdded ]
+
+syzbot reported skb memleak below. [0]
+
+The repro generated a GUE packet with its inner protocol 0.
+
+gue_udp_recv() returns -guehdr->proto_ctype for "resubmit"
+in ip_protocol_deliver_rcu(), but this only works with
+non-zero protocol number.
+
+Let's drop such packets.
+
+Note that 0 is a valid number (IPv6 Hop-by-Hop Option).
+
+I think it is not practical to encap HOPOPT in GUE, so once
+someone starts to complain, we could pass down a resubmit
+flag pointer to distinguish two zeros from the upper layer:
+
+ * no error
+ * resubmit HOPOPT
+
+[0]
+BUG: memory leak
+unreferenced object 0xffff888109695a00 (size 240):
+ comm "syz.0.17", pid 6088, jiffies 4294943096
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@..............
+ backtrace (crc a84b336f):
+ kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
+ slab_post_alloc_hook mm/slub.c:4958 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270
+ __build_skb+0x23/0x60 net/core/skbuff.c:474
+ build_skb+0x20/0x190 net/core/skbuff.c:490
+ __tun_build_skb drivers/net/tun.c:1541 [inline]
+ tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636
+ tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770
+ tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x45d/0x710 fs/read_write.c:686
+ ksys_write+0xa7/0x170 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 37dd0247797b1 ("gue: Receive side for Generic UDP Encapsulation")
+Reported-by: syzbot+4d8c7d16b0e95c0d0f0d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965534b.050a0220.38aacd.0001.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fou_core.c b/net/ipv4/fou_core.c
+index 4e0a7d038e219..6df7a0c614d56 100644
+--- a/net/ipv4/fou_core.c
++++ b/net/ipv4/fou_core.c
+@@ -215,6 +215,9 @@ static int gue_udp_recv(struct sock *sk, struct sk_buff *skb)
+ return gue_control_message(skb, guehdr);
+
+ proto_ctype = guehdr->proto_ctype;
++ if (unlikely(!proto_ctype))
++ goto drop;
++
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+--
+2.51.0
+
--- /dev/null
+From 1c0785be906750e17903fb56fbe2a982f28f7239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 09:58:26 -0800
+Subject: ice: Avoid detrimental cleanup for bond during interface stop
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit a9d45c22ed120cdd15ff56d0a6e4700c46451901 ]
+
+When the user issues an administrative down to an interface that is the
+primary for an aggregate bond, the prune lists are being purged. This
+breaks communication to the secondary interface, which shares a prune
+list on the main switch block while bonded together.
+
+For the primary interface of an aggregate, avoid deleting these prune
+lists during stop, and since they are hardcoded to specific values for
+the default vlan and QinQ vlans, the attempt to re-add them during the
+up phase will quietly fail without any additional problem.
+
+Fixes: 1e0f9881ef79 ("ice: Flesh out implementation of support for SRIOV on bonded interface")
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Marcin Szycik <marcin.szycik@linux.intel.com>
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 25 ++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 972c515d8789f..7aef40b50b898 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -3897,22 +3897,31 @@ int ice_vsi_add_vlan_zero(struct ice_vsi *vsi)
+ int ice_vsi_del_vlan_zero(struct ice_vsi *vsi)
+ {
+ struct ice_vsi_vlan_ops *vlan_ops = ice_get_compat_vsi_vlan_ops(vsi);
++ struct ice_pf *pf = vsi->back;
+ struct ice_vlan vlan;
+ int err;
+
+- vlan = ICE_VLAN(0, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting prune list\n");
++ } else {
++ vlan = ICE_VLAN(0, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* in SVM both VLAN 0 filters are identical */
+ if (!ice_is_dvm_ena(&vsi->back->hw))
+ return 0;
+
+- vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
+- err = vlan_ops->del_vlan(vsi, &vlan);
+- if (err && err != -EEXIST)
+- return err;
++ if (pf->lag && pf->lag->primary) {
++ dev_dbg(ice_pf_to_dev(pf), "Interface is primary in aggregate - not deleting QinQ prune list\n");
++ } else {
++ vlan = ICE_VLAN(ETH_P_8021Q, 0, 0);
++ err = vlan_ops->del_vlan(vsi, &vlan);
++ if (err && err != -EEXIST)
++ return err;
++ }
+
+ /* when deleting the last VLAN filter, make sure to disable the VLAN
+ * promisc mode so the filter isn't left by accident
+--
+2.51.0
+
--- /dev/null
+From 1e936de7df30aa9b7bc55f95d2222f0c449bfadf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 12:20:41 -0800
+Subject: ice: initialize ring_stats->syncp
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ]
+
+The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit
+systems it contains a seqcount_t which needs to be initialized. While the
+memory is zero-initialized, a lack of u64_stats_init means that lockdep
+won't get initialized properly. Fix this by adding u64_stats_init() calls
+to the rings just after allocation.
+
+Fixes: 2b245cb29421 ("ice: Implement transmit and NAPI support")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index a6a290514e548..972c515d8789f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -396,6 +396,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(tx_ring_stats[i], ring_stats);
+ }
+
+@@ -415,6 +417,8 @@ static int ice_vsi_alloc_ring_stats(struct ice_vsi *vsi)
+ if (!ring_stats)
+ goto err_out;
+
++ u64_stats_init(&ring_stats->syncp);
++
+ WRITE_ONCE(rx_ring_stats[i], ring_stats);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From ba27ea4f6fd4647906d4cc15f1b7ab36a41d344d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Nov 2025 18:53:04 +0800
+Subject: igc: fix race condition in TX timestamp read for register 0
+
+From: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+
+[ Upstream commit 6990dc392a9ab10e52af37e0bee8c7b753756dc4 ]
+
+The current HW bug workaround checks the TXTT_0 ready bit first,
+then reads TXSTMPL_0 twice (before and after reading TXSTMPH_0)
+to detect whether a new timestamp was captured by timestamp
+register 0 during the workaround.
+
+This sequence has a race: if a new timestamp is captured after
+checking the TXTT_0 bit but before the first TXSTMPL_0 read, the
+detection fails because both the "old" and "new" values come from
+the same timestamp.
+
+Fix by reading TXSTMPL_0 first to establish a baseline, then
+checking the TXTT_0 bit. This ensures any timestamp captured
+during the race window will be detected.
+
+Old sequence:
+ 1. Check TXTT_0 ready bit
+ 2. Read TXSTMPL_0 (baseline)
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+New sequence:
+ 1. Read TXSTMPL_0 (baseline)
+ 2. Check TXTT_0 ready bit
+ 3. Read TXSTMPH_0 (interrupt workaround)
+ 4. Read TXSTMPL_0 (detect changes vs baseline)
+
+Fixes: c789ad7cbebc ("igc: Work around HW bug causing missing timestamps")
+Suggested-by: Avi Shalev <avi.shalev@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Co-developed-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Signed-off-by: Chwee-Lin Choong <chwee.lin.choong@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++++++++++++----------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index a82af96e6bd12..4c07c1e4aa997 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -758,36 +758,43 @@ static void igc_ptp_tx_reg_to_stamp(struct igc_adapter *adapter,
+ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+ {
+ struct igc_hw *hw = &adapter->hw;
++ u32 txstmpl_old;
+ u64 regval;
+ u32 mask;
+ int i;
+
++ /* Establish baseline of TXSTMPL_0 before checking TXTT_0.
++ * This baseline is used to detect if a new timestamp arrives in
++ * register 0 during the hardware bug workaround below.
++ */
++ txstmpl_old = rd32(IGC_TXSTMPL);
++
+ mask = rd32(IGC_TSYNCTXCTL) & IGC_TSYNCTXCTL_TXTT_ANY;
+ if (mask & IGC_TSYNCTXCTL_TXTT_0) {
+ regval = rd32(IGC_TXSTMPL);
+ regval |= (u64)rd32(IGC_TXSTMPH) << 32;
+ } else {
+- /* There's a bug in the hardware that could cause
+- * missing interrupts for TX timestamping. The issue
+- * is that for new interrupts to be triggered, the
+- * IGC_TXSTMPH_0 register must be read.
++ /* TXTT_0 not set - register 0 has no new timestamp initially.
++ *
++ * Hardware bug: Future timestamp interrupts won't fire unless
++ * TXSTMPH_0 is read, even if the timestamp was captured in
++ * registers 1-3.
+ *
+- * To avoid discarding a valid timestamp that just
+- * happened at the "wrong" time, we need to confirm
+- * that there was no timestamp captured, we do that by
+- * assuming that no two timestamps in sequence have
+- * the same nanosecond value.
++ * Workaround: Read TXSTMPH_0 here to enable future interrupts.
++ * However, this read clears TXTT_0. If a timestamp arrives in
++ * register 0 after checking TXTT_0 but before this read, it
++ * would be lost.
+ *
+- * So, we read the "low" register, read the "high"
+- * register (to latch a new timestamp) and read the
+- * "low" register again, if "old" and "new" versions
+- * of the "low" register are different, a valid
+- * timestamp was captured, we can read the "high"
+- * register again.
++ * To detect this race: We saved a baseline read of TXSTMPL_0
++ * before TXTT_0 check. After performing the workaround read of
++ * TXSTMPH_0, we read TXSTMPL_0 again. Since consecutive
++ * timestamps never share the same nanosecond value, a change
++ * between the baseline and new TXSTMPL_0 indicates a timestamp
++ * arrived during the race window. If so, read the complete
++ * timestamp.
+ */
+- u32 txstmpl_old, txstmpl_new;
++ u32 txstmpl_new;
+
+- txstmpl_old = rd32(IGC_TXSTMPL);
+ rd32(IGC_TXSTMPH);
+ txstmpl_new = rd32(IGC_TXSTMPL);
+
+@@ -802,7 +809,7 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+
+ done:
+ /* Now that the problematic first register was handled, we can
+- * use retrieve the timestamps from the other registers
++ * retrieve the timestamps from the other registers
+ * (starting from '1') with less complications.
+ */
+ for (i = 1; i < IGC_MAX_TX_TSTAMP_REGS; i++) {
+--
+2.51.0
+
--- /dev/null
+From 1091b6211f70af11706003e4f479ee908d0cde45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 17:24:06 +0300
+Subject: ipvlan: Make the addrs_lock be per port
+
+From: Dmitry Skorodumov <dskr99@gmail.com>
+
+[ Upstream commit d3ba32162488283c0a4c5bedd8817aec91748802 ]
+
+Make the addrs_lock be per port, not per ipvlan dev.
+
+Initial code seems to be written in the assumption,
+that any address change must occur under RTNL.
+But it is not so for the case of IPv6. So
+
+1) Introduce per-port addrs_lock.
+
+2) It was needed to fix places where it was forgotten
+to take lock (ipvlan_open/ipvlan_close)
+
+This appears to be a very minor problem though.
+Since it's highly unlikely that ipvlan_add_addr() will
+be called on 2 CPU simultaneously. But nevertheless,
+this could cause:
+
+1) False-negative of ipvlan_addr_busy(): one interface
+iterated through all port->ipvlans + ipvlan->addrs
+under some ipvlan spinlock, and another added IP
+under its own lock. Though this is only possible
+for IPv6, since looks like only ipvlan_addr6_event() can be
+called without rtnl_lock.
+
+2) Race since ipvlan_ht_addr_add(port) is called under
+different ipvlan->addrs_lock locks
+
+This should not affect performance, since add/remove IP
+is a rare situation and spinlock is not taken on fast
+paths.
+
+Fixes: 8230819494b3 ("ipvlan: use per device spinlock to protect addrs list updates")
+Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20260112142417.4039566-2-skorodumov.dmitry@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 16 +++++------
+ drivers/net/ipvlan/ipvlan_main.c | 49 +++++++++++++++++++-------------
+ 3 files changed, 37 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index 025e0c19ec255..fce3ced90bd3d 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -69,7 +69,6 @@ struct ipvl_dev {
+ DECLARE_BITMAP(mac_filters, IPVLAN_MAC_FILTER_SIZE);
+ netdev_features_t sfeatures;
+ u32 msg_enable;
+- spinlock_t addrs_lock;
+ };
+
+ struct ipvl_addr {
+@@ -90,6 +89,7 @@ struct ipvl_port {
+ struct net_device *dev;
+ possible_net_t pnet;
+ struct hlist_head hlhead[IPVLAN_HASH_SIZE];
++ spinlock_t addrs_lock; /* guards hash-table and addrs */
+ struct list_head ipvlans;
+ u16 mode;
+ u16 flags;
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 83bd65a227709..268ea41a17d52 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -107,17 +107,15 @@ void ipvlan_ht_addr_del(struct ipvl_addr *addr)
+ struct ipvl_addr *ipvlan_find_addr(const struct ipvl_dev *ipvlan,
+ const void *iaddr, bool is_v6)
+ {
+- struct ipvl_addr *addr, *ret = NULL;
++ struct ipvl_addr *addr;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode) {
+- if (addr_equal(is_v6, addr, iaddr)) {
+- ret = addr;
+- break;
+- }
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
++ list_for_each_entry(addr, &ipvlan->addrs, anode) {
++ if (addr_equal(is_v6, addr, iaddr))
++ return addr;
+ }
+- rcu_read_unlock();
+- return ret;
++ return NULL;
+ }
+
+ bool ipvlan_addr_busy(struct ipvl_port *port, void *iaddr, bool is_v6)
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 57c79f5f29916..679e816146d81 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -74,6 +74,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ for (idx = 0; idx < IPVLAN_HASH_SIZE; idx++)
+ INIT_HLIST_HEAD(&port->hlhead[idx]);
+
++ spin_lock_init(&port->addrs_lock);
+ skb_queue_head_init(&port->backlog);
+ INIT_WORK(&port->wq, ipvlan_process_multicast);
+ ida_init(&port->ida);
+@@ -179,6 +180,7 @@ static void ipvlan_uninit(struct net_device *dev)
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ struct ipvl_port *port = ipvlan->port;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -187,10 +189,10 @@ static int ipvlan_open(struct net_device *dev)
+ else
+ dev->flags &= ~IFF_NOARP;
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&port->addrs_lock);
+
+ return 0;
+ }
+@@ -204,10 +206,10 @@ static int ipvlan_stop(struct net_device *dev)
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
++ spin_lock_bh(&ipvlan->port->addrs_lock);
++ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+- rcu_read_unlock();
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ return 0;
+ }
+@@ -574,7 +576,6 @@ int ipvlan_link_new(struct net *src_net, struct net_device *dev,
+ if (!tb[IFLA_MTU])
+ ipvlan_adjust_mtu(ipvlan, phy_dev);
+ INIT_LIST_HEAD(&ipvlan->addrs);
+- spin_lock_init(&ipvlan->addrs_lock);
+
+ /* TODO Probably put random address here to be presented to the
+ * world but keep using the physical-dev address for the outgoing
+@@ -652,13 +653,13 @@ void ipvlan_link_delete(struct net_device *dev, struct list_head *head)
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+ struct ipvl_addr *addr, *next;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ list_for_each_entry_safe(addr, next, &ipvlan->addrs, anode) {
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+ kfree_rcu(addr, rcu);
+ }
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+
+ ida_simple_remove(&ipvlan->port->ida, dev->dev_id);
+ list_del_rcu(&ipvlan->pnode);
+@@ -805,6 +806,8 @@ static int ipvlan_add_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
++ assert_spin_locked(&ipvlan->port->addrs_lock);
++
+ addr = kzalloc(sizeof(struct ipvl_addr), GFP_ATOMIC);
+ if (!addr)
+ return -ENOMEM;
+@@ -835,16 +838,16 @@ static void ipvlan_del_addr(struct ipvl_dev *ipvlan, void *iaddr, bool is_v6)
+ {
+ struct ipvl_addr *addr;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ addr = ipvlan_find_addr(ipvlan, iaddr, is_v6);
+ if (!addr) {
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return;
+ }
+
+ ipvlan_ht_addr_del(addr);
+ list_del_rcu(&addr->anode);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ kfree_rcu(addr, rcu);
+ }
+
+@@ -866,14 +869,14 @@ static int ipvlan_add_addr6(struct ipvl_dev *ipvlan, struct in6_addr *ip6_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip6_addr, true))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv6=%pI6c addr for %s intf\n",
+ ip6_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip6_addr, true);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -912,21 +915,24 @@ static int ipvlan_addr6_validator_event(struct notifier_block *unused,
+ struct in6_validator_info *i6vi = (struct in6_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)i6vi->i6vi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &i6vi->i6vi_addr, true)) {
+ NL_SET_ERR_MSG(i6vi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+ #endif
+
+@@ -934,14 +940,14 @@ static int ipvlan_add_addr4(struct ipvl_dev *ipvlan, struct in_addr *ip4_addr)
+ {
+ int ret = -EINVAL;
+
+- spin_lock_bh(&ipvlan->addrs_lock);
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, ip4_addr, false))
+ netif_err(ipvlan, ifup, ipvlan->dev,
+ "Failed to add IPv4=%pI4 on %s intf.\n",
+ ip4_addr, ipvlan->dev->name);
+ else
+ ret = ipvlan_add_addr(ipvlan, ip4_addr, false);
+- spin_unlock_bh(&ipvlan->addrs_lock);
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ return ret;
+ }
+
+@@ -983,21 +989,24 @@ static int ipvlan_addr4_validator_event(struct notifier_block *unused,
+ struct in_validator_info *ivi = (struct in_validator_info *)ptr;
+ struct net_device *dev = (struct net_device *)ivi->ivi_dev->dev;
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
++ int ret = NOTIFY_OK;
+
+ if (!ipvlan_is_valid_dev(dev))
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_UP:
++ spin_lock_bh(&ipvlan->port->addrs_lock);
+ if (ipvlan_addr_busy(ipvlan->port, &ivi->ivi_addr, false)) {
+ NL_SET_ERR_MSG(ivi->extack,
+ "Address already assigned to an ipvlan device");
+- return notifier_from_errno(-EADDRINUSE);
++ ret = notifier_from_errno(-EADDRINUSE);
+ }
++ spin_unlock_bh(&ipvlan->port->addrs_lock);
+ break;
+ }
+
+- return NOTIFY_OK;
++ return ret;
+ }
+
+ static struct notifier_block ipvlan_addr4_notifier_block __read_mostly = {
+--
+2.51.0
+
--- /dev/null
+From c42dec56a0172d287b9cecf9068cc7b2595e12fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 09:21:39 +0000
+Subject: l2tp: avoid one data-race in l2tp_tunnel_del_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7a29f6bf60f2590fe5e9c4decb451e19afad2bcf ]
+
+We should read sk->sk_socket only when dealing with kernel sockets.
+
+syzbot reported the following data-race:
+
+BUG: KCSAN: data-race in l2tp_tunnel_del_work / sk_common_release
+
+write to 0xffff88811c182b20 of 8 bytes by task 5365 on cpu 0:
+ sk_set_socket include/net/sock.h:2092 [inline]
+ sock_orphan include/net/sock.h:2118 [inline]
+ sk_common_release+0xae/0x230 net/core/sock.c:4003
+ udp_lib_close+0x15/0x20 include/net/udp.h:325
+ inet_release+0xce/0xf0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:662 [inline]
+ sock_close+0x6b/0x150 net/socket.c:1455
+ __fput+0x29b/0x650 fs/file_table.c:468
+ ____fput+0x1c/0x30 fs/file_table.c:496
+ task_work_run+0x131/0x1a0 kernel/task_work.c:233
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
+ exit_to_user_mode_loop+0x1fe/0x740 kernel/entry/common.c:75
+ __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
+ syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
+ do_syscall_64+0x1e1/0x2b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+read to 0xffff88811c182b20 of 8 bytes by task 827 on cpu 1:
+ l2tp_tunnel_del_work+0x2f/0x1a0 net/l2tp/l2tp_core.c:1418
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
+ worker_thread+0x582/0x770 kernel/workqueue.c:3421
+ kthread+0x489/0x510 kernel/kthread.c:463
+ ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+value changed: 0xffff88811b818000 -> 0x0000000000000000
+
+Fixes: d00fa9adc528 ("l2tp: fix races with tunnel socket close")
+Reported-by: syzbot+7312e82745f7fa2526db@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6968b029.050a0220.58bed.0016.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20260115092139.3066180-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 70da78ab95202..e0ca08ebd16a9 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1250,8 +1250,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+ struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
+ del_work);
+- struct sock *sk = tunnel->sock;
+- struct socket *sock = sk->sk_socket;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1259,6 +1257,8 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ * the sk API to release it here.
+ */
+ if (tunnel->fd < 0) {
++ struct socket *sock = tunnel->sock->sk_socket;
++
+ if (sock) {
+ kernel_sock_shutdown(sock, SHUT_RDWR);
+ sock_release(sock);
+--
+2.51.0
+
--- /dev/null
+From 84b00cb5f4d2f302d4f27b77eb52c3f4118594f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:41 -0500
+Subject: net/sched: Enforce that teql can only be used as root qdisc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit 50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b ]
+
+Design intent of teql is that it is only supposed to be used as root qdisc.
+We need to check for that constraint.
+
+Although not important, I will describe the scenario that unearthed this
+issue for the curious.
+
+GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows:
+
+ROOT qdisc 1:0 (QFQ)
+ ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s
+ └── class 1:2 (weight=1, lmax=1514) teql
+
+GangMin sends a packet which is enqueued to 1:1 (netem).
+Any invocation of dequeue by QFQ from this class will not return a packet
+until after 6.4s. In the meantime, a second packet is sent and it lands on
+1:2. teql's enqueue will return success and this will activate class 1:2.
+Main issue is that teql only updates the parent visible qlen (sch->q.qlen)
+at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql's
+peek always returns NULL), dequeue will never be called and thus the qlen
+will remain as 0. With that in mind, when GangMin updates 1:2's lmax value,
+the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc's
+qlen was not incremented, qfq fails to deactivate the class, but still
+frees its pointers from the aggregate. So when the first packet is
+rescheduled after 6.4 seconds (netem's delay), a dangling pointer is
+accessed causing GangMin's causing a UAF.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: GangMin Kim <km.kim1503@gmail.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-2-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_teql.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
+index 7721239c185fb..0a7856e14a975 100644
+--- a/net/sched/sch_teql.c
++++ b/net/sched/sch_teql.c
+@@ -178,6 +178,11 @@ static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt,
+ if (m->dev == dev)
+ return -ELOOP;
+
++ if (sch->parent != TC_H_ROOT) {
++ NL_SET_ERR_MSG_MOD(extack, "teql can only be used as root");
++ return -EOPNOTSUPP;
++ }
++
+ q->m = m;
+
+ skb_queue_head_init(&q->q);
+--
+2.51.0
+
--- /dev/null
+From 8b59586dda88c8cc54fe789441140e27f4e3cfb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 11:02:42 -0500
+Subject: net/sched: qfq: Use cl_is_active to determine whether class is active
+ in qfq_rm_from_ag
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit d837fbee92453fbb829f950c8e7cf76207d73f33 ]
+
+This is more of a preventive patch to make the code more consistent and
+to prevent possible exploits that employ child qlen manipulations on qfq.
+use cl_is_active instead of relying on the child qdisc's qlen to determine
+class activation.
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20260114160243.913069-3-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 7c6b5428b8ed4..a17f7c31378e6 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -373,7 +373,7 @@ static void qfq_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ /* Deschedule class and remove it from its parent aggregate. */
+ static void qfq_deact_rm_from_agg(struct qfq_sched *q, struct qfq_class *cl)
+ {
+- if (cl->qdisc->q.qlen > 0) /* class is active */
++ if (cl_is_active(cl)) /* class is active */
+ qfq_deactivate_class(q, cl);
+
+ qfq_rm_from_agg(q, cl);
+--
+2.51.0
+
--- /dev/null
+From 3a07c352258950d07c6db4289f05e68a3287e7ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jan 2026 22:39:24 -0800
+Subject: net: usb: dm9601: remove broken SR9700 support
+
+From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+
+[ Upstream commit 7d7dbafefbe74f5a25efc4807af093b857a7612e ]
+
+The SR9700 chip sends more than one packet in a USB transaction,
+like the DM962x chips can optionally do, but the dm9601 driver does not
+support this mode, and the hardware does not have the DM962x
+MODE_CTL register to disable it, so this driver drops packets on SR9700
+devices. The sr9700 driver correctly handles receiving more than one
+packet per transaction.
+
+While the dm9601 driver could be improved to handle this, the easiest
+way to fix this issue in the short term is to remove the SR9700 device
+ID from the dm9601 driver so the sr9700 driver is always used. This
+device ID should not have been in more than one driver to begin with.
+
+The "Fixes" commit was chosen so that the patch is automatically
+included in all kernels that have the sr9700 driver, even though the
+issue affects dm9601.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://patch.msgid.link/20260113063924.74464-1-enelsonmoore@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/dm9601.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/usb/dm9601.c b/drivers/net/usb/dm9601.c
+index 8b6d6a1b3c2ec..2b4716ccf0c5b 100644
+--- a/drivers/net/usb/dm9601.c
++++ b/drivers/net/usb/dm9601.c
+@@ -603,10 +603,6 @@ static const struct usb_device_id products[] = {
+ USB_DEVICE(0x0fe6, 0x8101), /* DM9601 USB to Fast Ethernet Adapter */
+ .driver_info = (unsigned long)&dm9601_info,
+ },
+- {
+- USB_DEVICE(0x0fe6, 0x9700), /* DM9601 USB to Fast Ethernet Adapter */
+- .driver_info = (unsigned long)&dm9601_info,
+- },
+ {
+ USB_DEVICE(0x0a46, 0x9000), /* DM9000E */
+ .driver_info = (unsigned long)&dm9601_info,
+--
+2.51.0
+
--- /dev/null
+From 6543d4c84b21c27ed4d88574901d9f1921ea748e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jan 2026 08:47:12 -0800
+Subject: octeontx2: cn10k: fix RX flowid TCAM mask handling
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit ab9b218a1521133a4410722907fa7189566be9bc ]
+
+The RX flowid programming initializes the TCAM mask to all ones, but
+then overwrites it when clearing the MAC DA mask bits. This results
+in losing the intended initialization and may affect other match fields.
+
+Update the code to clear the MAC DA bits using an AND operation, making
+the handling of mask[0] consistent with mask[1], where the field-specific
+bits are cleared after initializing the mask to ~0ULL.
+
+Fixes: 57d00d4364f3 ("octeontx2-pf: mcs: Match macsec ethertype along with DMAC")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Link: https://patch.msgid.link/20260116164724.2733511-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index 74953f67a2bf9..3af58bc9f533c 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -330,7 +330,7 @@ static int cn10k_mcs_write_rx_flowid(struct otx2_nic *pfvf,
+
+ req->data[0] = FIELD_PREP(MCS_TCAM0_MAC_DA_MASK, mac_da);
+ req->mask[0] = ~0ULL;
+- req->mask[0] = ~MCS_TCAM0_MAC_DA_MASK;
++ req->mask[0] &= ~MCS_TCAM0_MAC_DA_MASK;
+
+ req->data[1] = FIELD_PREP(MCS_TCAM1_ETYPE_MASK, ETH_P_MACSEC);
+ req->mask[1] = ~0ULL;
+--
+2.51.0
+
--- /dev/null
+From 9dc81537e3ffece8b40fc1d80be2c50c2fff75ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Dec 2025 18:36:21 +0100
+Subject: pmdomain: qcom: rpmhpd: Add MXC to SC8280XP
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ]
+
+This was apparently accounted for in dt-bindings, but never made its
+way into the driver.
+
+Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P.
+
+Fixes: f68f1cb3437d ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/qcom/rpmhpd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/pmdomain/qcom/rpmhpd.c b/drivers/pmdomain/qcom/rpmhpd.c
+index 1bb9f70ab04c8..823604952b5ec 100644
+--- a/drivers/pmdomain/qcom/rpmhpd.c
++++ b/drivers/pmdomain/qcom/rpmhpd.c
+@@ -217,6 +217,8 @@ static struct rpmhpd *sa8540p_rpmhpds[] = {
+ [SC8280XP_MMCX_AO] = &mmcx_ao,
+ [SC8280XP_MX] = &mx,
+ [SC8280XP_MX_AO] = &mx_ao,
++ [SC8280XP_MXC] = &mxc,
++ [SC8280XP_MXC_AO] = &mxc_ao,
+ [SC8280XP_NSP] = &nsp,
+ };
+
+@@ -541,6 +543,8 @@ static struct rpmhpd *sc8280xp_rpmhpds[] = {
+ [SC8280XP_MMCX_AO] = &mmcx_ao,
+ [SC8280XP_MX] = &mx,
+ [SC8280XP_MX_AO] = &mx_ao,
++ [SC8280XP_MXC] = &mxc,
++ [SC8280XP_MXC_AO] = &mxc_ao,
+ [SC8280XP_NSP] = &nsp,
+ [SC8280XP_QPHY] = &qphy,
+ };
+--
+2.51.0
+
--- /dev/null
+From 8ac6e13e3a1a453086d0c615c9565b8018287a04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:10:26 -0500
+Subject: sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a80c9d945aef55b23b54838334345f20251dad83 ]
+
+A null-ptr-deref was reported in the SCTP transmit path when SCTP-AUTH key
+initialization fails:
+
+ ==================================================================
+ KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.6.0 #2
+ RIP: 0010:sctp_packet_bundle_auth net/sctp/output.c:264 [inline]
+ RIP: 0010:sctp_packet_append_chunk+0xb36/0x1260 net/sctp/output.c:401
+ Call Trace:
+
+ sctp_packet_transmit_chunk+0x31/0x250 net/sctp/output.c:189
+ sctp_outq_flush_data+0xa29/0x26d0 net/sctp/outqueue.c:1111
+ sctp_outq_flush+0xc80/0x1240 net/sctp/outqueue.c:1217
+ sctp_cmd_interpreter.isra.0+0x19a5/0x62c0 net/sctp/sm_sideeffect.c:1787
+ sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+ sctp_do_sm+0x1a3/0x670 net/sctp/sm_sideeffect.c:1169
+ sctp_assoc_bh_rcv+0x33e/0x640 net/sctp/associola.c:1052
+ sctp_inq_push+0x1dd/0x280 net/sctp/inqueue.c:88
+ sctp_rcv+0x11ae/0x3100 net/sctp/input.c:243
+ sctp6_rcv+0x3d/0x60 net/sctp/ipv6.c:1127
+
+The issue is triggered when sctp_auth_asoc_init_active_key() fails in
+sctp_sf_do_5_1C_ack() while processing an INIT_ACK. In this case, the
+command sequence is currently:
+
+- SCTP_CMD_PEER_INIT
+- SCTP_CMD_TIMER_STOP (T1_INIT)
+- SCTP_CMD_TIMER_START (T1_COOKIE)
+- SCTP_CMD_NEW_STATE (COOKIE_ECHOED)
+- SCTP_CMD_ASSOC_SHKEY
+- SCTP_CMD_GEN_COOKIE_ECHO
+
+If SCTP_CMD_ASSOC_SHKEY fails, asoc->shkey remains NULL, while
+asoc->peer.auth_capable and asoc->peer.peer_chunks have already been set by
+SCTP_CMD_PEER_INIT. This allows a DATA chunk with auth = 1 and shkey = NULL
+to be queued by sctp_datamsg_from_user().
+
+Since command interpretation stops on failure, no COOKIE_ECHO should been
+sent via SCTP_CMD_GEN_COOKIE_ECHO. However, the T1_COOKIE timer has already
+been started, and it may enqueue a COOKIE_ECHO into the outqueue later. As
+a result, the DATA chunk can be transmitted together with the COOKIE_ECHO
+in sctp_outq_flush_data(), leading to the observed issue.
+
+Similar to the other places where it calls sctp_auth_asoc_init_active_key()
+right after sctp_process_init(), this patch moves the SCTP_CMD_ASSOC_SHKEY
+immediately after SCTP_CMD_PEER_INIT, before stopping T1_INIT and starting
+T1_COOKIE. This ensures that if shared key generation fails, authenticated
+DATA cannot be sent. It also allows the T1_INIT timer to retransmit INIT,
+giving the client another chance to process INIT_ACK and retry key setup.
+
+Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
+Reported-by: Zhen Chen <chenzhen126@huawei.com>
+Tested-by: Zhen Chen <chenzhen126@huawei.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/44881224b375aa8853f5e19b4055a1a56d895813.1768324226.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index cd18b22b2bbae..e0e626dc79535 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -602,6 +602,11 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_PEER_INIT,
+ SCTP_PEER_INIT(initchunk));
+
++ /* SCTP-AUTH: generate the association shared keys so that
++ * we can potentially sign the COOKIE-ECHO.
++ */
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
++
+ /* Reset init error count upon receipt of INIT-ACK. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+
+@@ -616,11 +621,6 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_COOKIE_ECHOED));
+
+- /* SCTP-AUTH: generate the association shared keys so that
+- * we can potentially sign the COOKIE-ECHO.
+- */
+- sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_SHKEY, SCTP_NULL());
+-
+ /* 5.1 C) "A" shall then send the State Cookie received in the
+ * INIT ACK chunk in a COOKIE ECHO chunk, ...
+ */
+--
+2.51.0
+
--- /dev/null
+From cb6e7d33abd712a1bed47b1562ce61b4a8eb5212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 14:08:53 +0800
+Subject: selftests/net: convert fib-onlink-tests.sh to run it in unique
+ namespace
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 3a06833b2adc0a902f2469ad4ce41ccd64f1f3ab ]
+
+Remove PEER_CMD, which is not used in this test
+
+Here is the test result after conversion.
+
+ ]# ./fib-onlink-tests.sh
+ Error: ipv4: FIB table does not exist.
+ Flush terminated
+ Error: ipv6: FIB table does not exist.
+ Flush terminated
+
+ ########################################
+ Configuring interfaces
+
+ ...
+
+ TEST: Gateway resolves to wrong nexthop device - VRF [ OK ]
+
+ Tests passed: 38
+ Tests failed: 0
+
+Acked-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231213060856.4030084-11-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4f5f148dd7c0 ("selftests: net: fib-onlink-tests: Convert to use namespaces by default")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib-onlink-tests.sh | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index c287b90b8af80..ec2d6ceb1f08d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -3,6 +3,7 @@
+
+ # IPv4 and IPv6 onlink tests
+
++source lib.sh
+ PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
+ VERBOSE=0
+
+@@ -74,9 +75,6 @@ TEST_NET4IN6[2]=10.2.1.254
+ # mcast address
+ MCAST6=ff02::1
+
+-
+-PEER_NS=bart
+-PEER_CMD="ip netns exec ${PEER_NS}"
+ VRF=lisa
+ VRF_TABLE=1101
+ PBR_TABLE=101
+@@ -176,8 +174,7 @@ setup()
+ set -e
+
+ # create namespace
+- ip netns add ${PEER_NS}
+- ip -netns ${PEER_NS} li set lo up
++ setup_ns PEER_NS
+
+ # add vrf table
+ ip li add ${VRF} type vrf table ${VRF_TABLE}
+@@ -219,7 +216,7 @@ setup()
+ cleanup()
+ {
+ # make sure we start from a clean slate
+- ip netns del ${PEER_NS} 2>/dev/null
++ cleanup_ns ${PEER_NS} 2>/dev/null
+ for n in 1 3 5 7; do
+ ip link del ${NETIFS[p${n}]} 2>/dev/null
+ done
+--
+2.51.0
+
--- /dev/null
+From f3fa96e923d5a1ebc34f23fe850819cba25a822e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jan 2026 12:37:44 -0300
+Subject: selftests: net: fib-onlink-tests: Convert to use namespaces by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marlière <rbm@suse.com>
+
+[ Upstream commit 4f5f148dd7c0459229d2ab9a769b2e820f9ee6a2 ]
+
+Currently, the test breaks if the SUT already has a default route
+configured for IPv6. Fix by avoiding the use of the default namespace.
+
+Fixes: 4ed591c8ab44 ("net/ipv6: Allow onlink routes to have a device mismatch if it is the default route")
+Suggested-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Ricardo B. Marlière <rbm@suse.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Link: https://patch.msgid.link/20260113-selftests-net-fib-onlink-v2-1-89de2b931389@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++++-----------
+ 1 file changed, 30 insertions(+), 41 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fib-onlink-tests.sh b/tools/testing/selftests/net/fib-onlink-tests.sh
+index ec2d6ceb1f08d..c01be076b210d 100755
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -120,7 +120,7 @@ log_subsection()
+
+ run_cmd()
+ {
+- local cmd="$*"
++ local cmd="$1"
+ local out
+ local rc
+
+@@ -145,7 +145,7 @@ get_linklocal()
+ local pfx
+ local addr
+
+- addr=$(${pfx} ip -6 -br addr show dev ${dev} | \
++ addr=$(${pfx} ${IP} -6 -br addr show dev ${dev} | \
+ awk '{
+ for (i = 3; i <= NF; ++i) {
+ if ($i ~ /^fe80/)
+@@ -173,58 +173,48 @@ setup()
+
+ set -e
+
+- # create namespace
+- setup_ns PEER_NS
++ # create namespaces
++ setup_ns ns1
++ IP="ip -netns $ns1"
++ setup_ns ns2
+
+ # add vrf table
+- ip li add ${VRF} type vrf table ${VRF_TABLE}
+- ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default metric 8192
+- ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} li add ${VRF} type vrf table ${VRF_TABLE}
++ ${IP} li set ${VRF} up
++ ${IP} ro add table ${VRF_TABLE} unreachable default metric 8192
++ ${IP} -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+- ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+- ip li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
+- ip li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
+- ip li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
++ ${IP} li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
++ ${IP} li add ${NETIFS[p3]} type veth peer name ${NETIFS[p4]}
++ ${IP} li add ${NETIFS[p5]} type veth peer name ${NETIFS[p6]}
++ ${IP} li add ${NETIFS[p7]} type veth peer name ${NETIFS[p8]}
+
+ # enslave vrf interfaces
+ for n in 5 7; do
+- ip li set ${NETIFS[p${n}]} vrf ${VRF}
++ ${IP} li set ${NETIFS[p${n}]} vrf ${VRF}
+ done
+
+ # add addresses
+ for n in 1 3 5 7; do
+- ip li set ${NETIFS[p${n}]} up
+- ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} up
++ ${IP} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ${IP} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+- ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+- ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
++ ${IP} li set ${NETIFS[p${n}]} netns ${ns2} up
++ ip -netns $ns2 addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
++ ip -netns $ns2 addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
+- ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
++ ${IP} -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ${IP} -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+ set +e
+ }
+
+-cleanup()
+-{
+- # make sure we start from a clean slate
+- cleanup_ns ${PEER_NS} 2>/dev/null
+- for n in 1 3 5 7; do
+- ip link del ${NETIFS[p${n}]} 2>/dev/null
+- done
+- ip link del ${VRF} 2>/dev/null
+- ip ro flush table ${VRF_TABLE}
+- ip -6 ro flush table ${VRF_TABLE}
+-}
+-
+ ################################################################################
+ # IPv4 tests
+ #
+@@ -241,7 +231,7 @@ run_ip()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -257,8 +247,8 @@ run_ip_mpath()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip ro add table "${table}" "${prefix}"/32 \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} ro add table ${table} ${prefix}/32 \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -339,7 +329,7 @@ run_ip6()
+ # dev arg may be empty
+ [ -n "${dev}" ] && dev="dev ${dev}"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 via "${gw}" "${dev}" onlink
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 via ${gw} ${dev} onlink"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -353,8 +343,8 @@ run_ip6_mpath()
+ local exp_rc="$6"
+ local desc="$7"
+
+- run_cmd ip -6 ro add table "${table}" "${prefix}"/128 "${opts}" \
+- nexthop via ${nh1} nexthop via ${nh2}
++ run_cmd "${IP} -6 ro add table ${table} ${prefix}/128 ${opts} \
++ nexthop via ${nh1} nexthop via ${nh2}"
+ log_test $? ${exp_rc} "${desc}"
+ }
+
+@@ -491,10 +481,9 @@ do
+ esac
+ done
+
+-cleanup
+ setup
+ run_onlink_tests
+-cleanup
++cleanup_ns ${ns1} ${ns2}
+
+ if [ "$TESTS" != "none" ]; then
+ printf "\nTests passed: %3d\n" ${nsuccess}
+--
+2.51.0
+
hyperv-tlfs-change-prefix-of-generic-hv_register_-ms.patch
drivers-hv-always-do-hyper-v-panic-notification-in-h.patch
btrfs-fix-missing-fields-in-superblock-backup-with-b.patch
+dt-bindings-power-qcom-rpmpd-add-sm7150.patch
+dt-bindings-power-rpmpd-add-msm8917-msm8937-and-qm21.patch
+dt-bindings-power-qcom-rpmpd-document-the-sm8650-rpm.patch
+dt-bindings-power-rpmpd-update-part-number-to-x1e801.patch
+dt-bindings-power-qcom-rpmpd-document-the-sm8750-rpm.patch
+dt-bindings-power-qcom-rpmpd-add-turbo-l5-corner.patch
+dt-bindings-power-qcom-rpmpd-split-rpmh-domains-defi.patch
+dt-bindings-power-qcom-rpmpd-add-sc8280xp_mxc_ao.patch
+pmdomain-qcom-rpmhpd-add-mxc-to-sc8280xp.patch
+ata-libata-add-cpr_log-to-ata_dev_print_features-ear.patch
+ata-libata-core-introduce-ata_dev_config_lpm.patch
+ata-libata-call-ata_dev_config_lpm-for-atapi-devices.patch
+ata-libata-print-features-also-for-atapi-devices.patch
+ice-initialize-ring_stats-syncp.patch
+ice-avoid-detrimental-cleanup-for-bond-during-interf.patch
+igc-fix-race-condition-in-tx-timestamp-read-for-regi.patch
+net-usb-dm9601-remove-broken-sr9700-support.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+selftests-net-convert-fib-onlink-tests.sh-to-run-it-.patch
+selftests-net-fib-onlink-tests-convert-to-use-namesp.patch
+can-gs_usb-gs_usb_receive_bulk_callback-unanchor-url.patch
+sctp-move-sctp_cmd_assoc_shkey-right-after-sctp_cmd_.patch
+amd-xgbe-avoid-misleading-per-packet-error-log.patch
+gue-fix-skb-memleak-with-inner-ip-protocol-0.patch
+tools-ynl-specify-no-line-number-in-ynl-regen.sh.patch
+fou-don-t-allow-0-for-fou_attr_ipproto.patch
+veth-fix-data-race-in-veth_get_ethtool_stats.patch
+l2tp-avoid-one-data-race-in-l2tp_tunnel_del_work.patch
+ipvlan-make-the-addrs_lock-be-per-port.patch
+octeontx2-cn10k-fix-rx-flowid-tcam-mask-handling.patch
+net-sched-enforce-that-teql-can-only-be-used-as-root.patch
+net-sched-qfq-use-cl_is_active-to-determine-whether-.patch
+crypto-authencesn-reject-too-short-aad-assoclen-8-to.patch
--- /dev/null
+From 49b6a5e1236dca01e494d7fc1bdd33c6c2eeffc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jan 2026 17:24:47 +0000
+Subject: tools: ynl: Specify --no-line-number in ynl-regen.sh.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 68578370f9b3a2aba5964b273312d51c581b6aad ]
+
+If grep.lineNumber is enabled in .gitconfig,
+
+ [grep]
+ lineNumber = true
+
+ynl-regen.sh fails with the following error:
+
+ $ ./tools/net/ynl/ynl-regen.sh -f
+ ...
+ ynl_gen_c.py: error: argument --mode: invalid choice: '4:' (choose from user, kernel, uapi)
+ GEN 4: net/ipv4/fou_nl.c
+
+Let's specify --no-line-number explicitly.
+
+Fixes: be5bea1cc0bf ("net: add basic C code generators for Netlink")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20260115172533.693652-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/ynl-regen.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/net/ynl/ynl-regen.sh b/tools/net/ynl/ynl-regen.sh
+index bdba24066cf10..88bd42496cac5 100755
+--- a/tools/net/ynl/ynl-regen.sh
++++ b/tools/net/ynl/ynl-regen.sh
+@@ -21,7 +21,7 @@ files=$(git grep --files-with-matches '^/\* YNL-GEN \(kernel\|uapi\|user\)')
+ for f in $files; do
+ # params: 0 1 2 3
+ # $YAML YNL-GEN kernel $mode
+- params=( $(git grep -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
++ params=( $(git grep --no-line-number -B1 -h '/\* YNL-GEN' $f | sed 's@/\*\(.*\)\*/@\1@') )
+ args=$(sed -n 's@/\* YNL-ARG \(.*\) \*/@\1@p' $f)
+
+ if [ $f -nt ${params[0]} -a -z "$force" ]; then
+--
+2.51.0
+
--- /dev/null
+From f04438f01746e6f3c04ae30243dbb88e5e3e424c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jan 2026 20:24:45 +0800
+Subject: veth: fix data race in veth_get_ethtool_stats
+
+From: David Yang <mmyangfl@gmail.com>
+
+[ Upstream commit b47adaab8b3d443868096bac08fdbb3d403194ba ]
+
+In veth_get_ethtool_stats(), some statistics protected by
+u64_stats_sync, are read and accumulated in ignorance of possible
+u64_stats_fetch_retry() events. These statistics, peer_tq_xdp_xmit and
+peer_tq_xdp_xmit_err, are already accumulated by veth_xdp_xmit(). Fix
+this by reading them into a temporary buffer first.
+
+Fixes: 5fe6e56776ba ("veth: rely on peer veth_rq for ndo_xdp_xmit accounting")
+Signed-off-by: David Yang <mmyangfl@gmail.com>
+Link: https://patch.msgid.link/20260114122450.227982-1-mmyangfl@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 7767b6ff5a155..2b3b0beb55c88 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -226,16 +226,20 @@ static void veth_get_ethtool_stats(struct net_device *dev,
+ const struct veth_rq_stats *rq_stats = &rcv_priv->rq[i].stats;
+ const void *base = (void *)&rq_stats->vs;
+ unsigned int start, tx_idx = idx;
++ u64 buf[VETH_TQ_STATS_LEN];
+ size_t offset;
+
+- tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
+ do {
+ start = u64_stats_fetch_begin(&rq_stats->syncp);
+ for (j = 0; j < VETH_TQ_STATS_LEN; j++) {
+ offset = veth_tq_stats_desc[j].offset;
+- data[tx_idx + j] += *(u64 *)(base + offset);
++ buf[j] = *(u64 *)(base + offset);
+ }
+ } while (u64_stats_fetch_retry(&rq_stats->syncp, start));
++
++ tx_idx += (i % dev->real_num_tx_queues) * VETH_TQ_STATS_LEN;
++ for (j = 0; j < VETH_TQ_STATS_LEN; j++)
++ data[tx_idx + j] += buf[j];
+ }
+ pp_idx = idx + dev->real_num_tx_queues * VETH_TQ_STATS_LEN;
+
+--
+2.51.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
