From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 14:51:56 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.167~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19dffbaee4a8e5774bed95e09e9e99f6b2e086f0;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dm-verity-disable-recursive-forward-error-correction.patch drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch gve-defer-interrupt-enabling-until-napi-registration.patch net-add-skb_header_pointer_careful-helper.patch net-enetc-allocate-vf_state-during-pf-probes.patch net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch net-handle-napi_schedule-calls-from-non-interrupt.patch net-sched-cls_u32-use-skb_header_pointer_careful.patch net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch scsi-ufs-core-fix-handling-of-lrbp-cmd.patch --- diff --git a/queue-6.1/dm-verity-disable-recursive-forward-error-correction.patch b/queue-6.1/dm-verity-disable-recursive-forward-error-correction.patch new file mode 100644 index 0000000000..37b3b4889f --- /dev/null +++ b/queue-6.1/dm-verity-disable-recursive-forward-error-correction.patch @@ -0,0 +1,68 @@ +From stable+bounces-219754-greg=kroah.com@vger.kernel.org Thu Feb 26 06:44:29 2026 +From: Rahul Sharma +Date: Thu, 26 Feb 2026 13:43:31 +0800 +Subject: dm-verity: disable recursive forward error correction +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Mikulas Patocka , Guangwu Zhang , Sami Tolvanen , Eric Biggers , Rahul Sharma +Message-ID: <20260226054331.945438-1-black.hawk@163.com> + +From: Mikulas Patocka + +[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ] + +There are two problems with the recursive correction: + +1. It may cause denial-of-service. In fec_read_bufs, there is a loop that +has 253 iterations. For each iteration, we may call verity_hash_for_block +recursively. There is a limit of 4 nested recursions - that means that +there may be at most 253^4 (4 billion) iterations. Red Hat QE team +actually created an image that pushes dm-verity to this limit - and this +image just makes the udev-worker process get stuck in the 'D' state. + +2. It doesn't work. In fec_read_bufs we store data into the variable +"fio->bufs", but fio bufs is shared between recursive invocations, if +"verity_hash_for_block" invoked correction recursively, it would +overwrite partially filled fio->bufs. + +Signed-off-by: Mikulas Patocka +Reported-by: Guangwu Zhang +Reviewed-by: Sami Tolvanen +Reviewed-by: Eric Biggers +[ The context change is due to the commit bdf253d580d7 +("dm-verity: remove support for asynchronous hashes") +in v6.18 and the commit 9356fcfe0ac4 +("dm verity: set DM_TARGET_SINGLETON feature flag") in v6.9 +which are irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 4 +--- + drivers/md/dm-verity-fec.h | 3 --- + 2 files changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -439,10 +439,8 @@ int verity_fec_decode(struct dm_verity * + if (!verity_fec_is_enabled(v)) + return -EOPNOTSUPP; + +- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) { +- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name); ++ if (fio->level) + return -EIO; +- } + + fio->level++; + +--- a/drivers/md/dm-verity-fec.h ++++ b/drivers/md/dm-verity-fec.h +@@ -23,9 +23,6 @@ + #define DM_VERITY_FEC_BUF_MAX \ + (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS)) + +-/* maximum recursion level for verity_fec_decode */ +-#define DM_VERITY_FEC_MAX_RECURSION 4 +- + #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device" + #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks" + #define DM_VERITY_OPT_FEC_START "fec_start" diff --git a/queue-6.1/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch b/queue-6.1/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch new file mode 100644 index 0000000000..309adc768f --- /dev/null +++ b/queue-6.1/drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch @@ -0,0 +1,57 @@ +From d4c98c077c7fb2dfdece7d605e694b5ea2665085 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:52 +0900 +Subject: drm/exynos: vidi: fix to avoid directly dereferencing user pointer + +From: Jeongjun Park + +commit d4c98c077c7fb2dfdece7d605e694b5ea2665085 upstream. + +In vidi_connection_ioctl(), vidi->edid(user pointer) is directly +dereferenced in the kernel. + +This allows arbitrary kernel memory access from the user space, so instead +of directly accessing the user pointer in the kernel, we should modify it +to copy edid to kernel memory using copy_from_user() and use it. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -252,19 +252,26 @@ int vidi_connection_ioctl(struct drm_dev + + if (vidi->connection) { + struct edid *raw_edid; ++ struct edid edid_buf; ++ void *edid_userptr = u64_to_user_ptr(vidi->edid); + +- raw_edid = (struct edid *)(unsigned long)vidi->edid; +- if (!drm_edid_is_valid(raw_edid)) { ++ if (copy_from_user(&edid_buf, edid_userptr, sizeof(struct edid))) ++ return -EFAULT; ++ ++ if (!drm_edid_is_valid(&edid_buf)) { + DRM_DEV_DEBUG_KMS(ctx->dev, + "edid data is invalid.\n"); + return -EINVAL; + } +- ctx->raw_edid = drm_edid_duplicate(raw_edid); +- if (!ctx->raw_edid) { ++ ++ raw_edid = drm_edid_duplicate(&edid_buf); ++ ++ if (!raw_edid) { + DRM_DEV_DEBUG_KMS(ctx->dev, + "failed to allocate raw_edid.\n"); + return -ENOMEM; + } ++ ctx->raw_edid = raw_edid; + } else { + /* + * with connection = 0, free raw_edid diff --git a/queue-6.1/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch b/queue-6.1/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch new file mode 100644 index 0000000000..095273f90d --- /dev/null +++ b/queue-6.1/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch @@ -0,0 +1,200 @@ +From 52b330799e2d6f825ae2bb74662ec1b10eb954bb Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:53 +0900 +Subject: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free + +From: Jeongjun Park + +commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb upstream. + +Exynos Virtual Display driver performs memory alloc/free operations +without lock protection, which easily causes concurrency problem. + +For example, use-after-free can occur in race scenario like this: +``` + CPU0 CPU1 CPU2 + ---- ---- ---- + vidi_connection_ioctl() + if (vidi->connection) // true + drm_edid = drm_edid_alloc(); // alloc drm_edid + ... + ctx->raw_edid = drm_edid; + ... + drm_mode_getconnector() + drm_helper_probe_single_connector_modes() + vidi_get_modes() + if (ctx->raw_edid) // true + drm_edid_dup(ctx->raw_edid); + if (!drm_edid) // false + ... + vidi_connection_ioctl() + if (vidi->connection) // false + drm_edid_free(ctx->raw_edid); // free drm_edid + ... + drm_edid_alloc(drm_edid->edid) + kmemdup(edid); // UAF!! + ... +``` + +To prevent these vulns, at least in vidi_context, member variables related +to memory alloc/free should be protected with ctx->lock. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 43 +++++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -186,15 +186,17 @@ static ssize_t vidi_store_connection(str + const char *buf, size_t len) + { + struct vidi_context *ctx = dev_get_drvdata(dev); +- int ret; ++ int ret, new_connected; + +- ret = kstrtoint(buf, 0, &ctx->connected); ++ ret = kstrtoint(buf, 0, &new_connected); + if (ret) + return ret; + +- if (ctx->connected > 1) ++ if (new_connected > 1) + return -EINVAL; + ++ mutex_lock(&ctx->lock); ++ + /* use fake edid data for test. */ + if (!ctx->raw_edid) + ctx->raw_edid = (struct edid *)fake_edid_info; +@@ -202,14 +204,21 @@ static ssize_t vidi_store_connection(str + /* if raw_edid isn't same as fake data then it can't be tested. */ + if (ctx->raw_edid != (struct edid *)fake_edid_info) { + DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto fail; + } + ++ ctx->connected = new_connected; ++ mutex_unlock(&ctx->lock); ++ + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); + + drm_helper_hpd_irq_event(ctx->drm_dev); + + return len; ++fail: ++ mutex_unlock(&ctx->lock); ++ return ret; + } + + static DEVICE_ATTR(connection, 0644, vidi_show_connection, +@@ -244,11 +253,14 @@ int vidi_connection_ioctl(struct drm_dev + return -EINVAL; + } + ++ mutex_lock(&ctx->lock); + if (ctx->connected == vidi->connection) { ++ mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(ctx->dev, + "same connection request.\n"); + return -EINVAL; + } ++ mutex_unlock(&ctx->lock); + + if (vidi->connection) { + struct edid *raw_edid; +@@ -271,20 +283,27 @@ int vidi_connection_ioctl(struct drm_dev + "failed to allocate raw_edid.\n"); + return -ENOMEM; + } ++ mutex_lock(&ctx->lock); + ctx->raw_edid = raw_edid; ++ mutex_unlock(&ctx->lock); + } else { + /* + * with connection = 0, free raw_edid + * only if raw edid data isn't same as fake data. + */ ++ mutex_lock(&ctx->lock); + if (ctx->raw_edid && ctx->raw_edid != + (struct edid *)fake_edid_info) { + kfree(ctx->raw_edid); + ctx->raw_edid = NULL; + } ++ mutex_unlock(&ctx->lock); + } + ++ mutex_lock(&ctx->lock); + ctx->connected = vidi->connection; ++ mutex_unlock(&ctx->lock); ++ + drm_helper_hpd_irq_event(ctx->drm_dev); + + return 0; +@@ -299,7 +318,7 @@ static enum drm_connector_status vidi_de + * connection request would come from user side + * to do hotplug through specific ioctl. + */ +- return ctx->connected ? connector_status_connected : ++ return READ_ONCE(ctx->connected) ? connector_status_connected : + connector_status_disconnected; + } + +@@ -321,22 +340,24 @@ static int vidi_get_modes(struct drm_con + struct vidi_context *ctx = ctx_from_connector(connector); + struct edid *edid; + int edid_len; +- int count; ++ int count = 0; + + /* + * the edid data comes from user side and it would be set + * to ctx->raw_edid through specific ioctl. + */ ++ ++ mutex_lock(&ctx->lock); + if (!ctx->raw_edid) { + DRM_DEV_DEBUG_KMS(ctx->dev, "raw_edid is null.\n"); +- return 0; ++ goto fail; + } + + edid_len = (1 + ctx->raw_edid->extensions) * EDID_LENGTH; + edid = kmemdup(ctx->raw_edid, edid_len, GFP_KERNEL); + if (!edid) { + DRM_DEV_DEBUG_KMS(ctx->dev, "failed to allocate edid\n"); +- return 0; ++ goto fail; + } + + drm_connector_update_edid_property(connector, edid); +@@ -345,6 +366,8 @@ static int vidi_get_modes(struct drm_con + + kfree(edid); + ++fail: ++ mutex_unlock(&ctx->lock); + return count; + } + +@@ -490,11 +513,15 @@ static int vidi_remove(struct platform_d + { + struct vidi_context *ctx = platform_get_drvdata(pdev); + ++ mutex_lock(&ctx->lock); ++ + if (ctx->raw_edid != (struct edid *)fake_edid_info) { + kfree(ctx->raw_edid); + ctx->raw_edid = NULL; + } + ++ mutex_unlock(&ctx->lock); ++ + component_del(&pdev->dev, &vidi_component_ops); + + return 0; diff --git a/queue-6.1/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch b/queue-6.1/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch new file mode 100644 index 0000000000..c06c94a369 --- /dev/null +++ b/queue-6.1/drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch @@ -0,0 +1,90 @@ +From d3968a0d85b211e197f2f4f06268a7031079e0d0 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:51 +0900 +Subject: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() + +From: Jeongjun Park + +commit d3968a0d85b211e197f2f4f06268a7031079e0d0 upstream. + +vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to +obtain a struct vidi_context pointer. However, drm_dev->dev is the +exynos-drm master device, and the driver_data contained therein is not +the vidi component device, but a completely different device. + +This can lead to various bugs, ranging from null pointer dereferences and +garbage value accesses to, in unlucky cases, out-of-bounds errors, +use-after-free errors, and more. + +To resolve this issue, we need to store/delete the vidi device pointer in +exynos_drm_private->vidi_dev during bind/unbind, and then read this +exynos_drm_private->vidi_dev within ioctl() to obtain the correct +struct vidi_context pointer. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_drv.h | 1 + + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 14 +++++++++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_drv.h ++++ b/drivers/gpu/drm/exynos/exynos_drm_drv.h +@@ -201,6 +201,7 @@ struct exynos_drm_private { + + struct device *g2d_dev; + struct device *dma_dev; ++ struct device *vidi_dev; + void *mapping; + + /* for atomic commit */ +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -224,9 +224,14 @@ ATTRIBUTE_GROUPS(vidi); + int vidi_connection_ioctl(struct drm_device *drm_dev, void *data, + struct drm_file *file_priv) + { +- struct vidi_context *ctx = dev_get_drvdata(drm_dev->dev); ++ struct exynos_drm_private *priv = drm_dev->dev_private; ++ struct device *dev = priv ? priv->vidi_dev : NULL; ++ struct vidi_context *ctx = dev ? dev_get_drvdata(dev) : NULL; + struct drm_exynos_vidi_connection *vidi = data; + ++ if (!ctx) ++ return -ENODEV; ++ + if (!vidi) { + DRM_DEV_DEBUG_KMS(ctx->dev, + "user data for vidi is null.\n"); +@@ -386,6 +391,7 @@ static int vidi_bind(struct device *dev, + { + struct vidi_context *ctx = dev_get_drvdata(dev); + struct drm_device *drm_dev = data; ++ struct exynos_drm_private *priv = drm_dev->dev_private; + struct drm_encoder *encoder = &ctx->encoder; + struct exynos_drm_plane *exynos_plane; + struct exynos_drm_plane_config plane_config = { 0 }; +@@ -393,6 +399,8 @@ static int vidi_bind(struct device *dev, + int ret; + + ctx->drm_dev = drm_dev; ++ if (priv) ++ priv->vidi_dev = dev; + + plane_config.pixel_formats = formats; + plane_config.num_pixel_formats = ARRAY_SIZE(formats); +@@ -438,8 +446,12 @@ static int vidi_bind(struct device *dev, + static void vidi_unbind(struct device *dev, struct device *master, void *data) + { + struct vidi_context *ctx = dev_get_drvdata(dev); ++ struct drm_device *drm_dev = data; ++ struct exynos_drm_private *priv = drm_dev->dev_private; + + del_timer_sync(&ctx->timer); ++ if (priv) ++ priv->vidi_dev = NULL; + } + + static const struct component_ops vidi_component_ops = { diff --git a/queue-6.1/gve-defer-interrupt-enabling-until-napi-registration.patch b/queue-6.1/gve-defer-interrupt-enabling-until-napi-registration.patch new file mode 100644 index 0000000000..819838dfd2 --- /dev/null +++ b/queue-6.1/gve-defer-interrupt-enabling-until-napi-registration.patch @@ -0,0 +1,91 @@ +From 3d970eda003441f66551a91fda16478ac0711617 Mon Sep 17 00:00:00 2001 +From: Ankit Garg +Date: Fri, 19 Dec 2025 10:29:45 +0000 +Subject: gve: defer interrupt enabling until NAPI registration + +From: Ankit Garg + +commit 3d970eda003441f66551a91fda16478ac0711617 upstream. + +Currently, interrupts are automatically enabled immediately upon +request. This allows interrupt to fire before the associated NAPI +context is fully initialized and cause failures like below: + +[ 0.946369] Call Trace: +[ 0.946369] +[ 0.946369] __napi_poll+0x2a/0x1e0 +[ 0.946369] net_rx_action+0x2f9/0x3f0 +[ 0.946369] handle_softirqs+0xd6/0x2c0 +[ 0.946369] ? handle_edge_irq+0xc1/0x1b0 +[ 0.946369] __irq_exit_rcu+0xc3/0xe0 +[ 0.946369] common_interrupt+0x81/0xa0 +[ 0.946369] +[ 0.946369] +[ 0.946369] asm_common_interrupt+0x22/0x40 +[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 + +Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto +enablement and explicitly enable the interrupt in NAPI initialization +path (and disable it during NAPI teardown). + +This ensures that interrupt lifecycle is strictly coupled with +readiness of NAPI context. + +Cc: stable@vger.kernel.org +Fixes: 1dfc2e46117e ("gve: Refactor napi add and remove functions") +Signed-off-by: Ankit Garg +Reviewed-by: Jordan Rhee +Reviewed-by: Joshua Washington +Signed-off-by: Harshitha Ramamurthy +Link: https://patch.msgid.link/20251219102945.2193617-1-hramamurthy@google.com +Signed-off-by: Paolo Abeni +[ modified to re-introduce the irq member to struct gve_notify_block, + which was introuduced in commit 9a5e0776d11f ("gve: Avoid rescheduling + napi if on wrong cpu"). ] +Signed-off-by: Joshua Washington +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/google/gve/gve.h | 1 + + drivers/net/ethernet/google/gve/gve_main.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -450,6 +450,7 @@ struct gve_notify_block { + struct gve_priv *priv; + struct gve_tx_ring *tx; /* tx rings on this block */ + struct gve_rx_ring *rx; /* rx rings on this block */ ++ u32 irq; + }; + + /* Tracks allowed and current queue settings */ +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -353,9 +353,10 @@ static int gve_alloc_notify_blocks(struc + snprintf(block->name, sizeof(block->name), "%s-ntfy-block.%d", + name, i); + block->priv = priv; ++ block->irq = priv->msix_vectors[msix_idx].vector; + err = request_irq(priv->msix_vectors[msix_idx].vector, + gve_is_gqi(priv) ? gve_intr : gve_intr_dqo, +- 0, block->name, block); ++ IRQF_NO_AUTOEN, block->name, block); + if (err) { + dev_err(&priv->pdev->dev, + "Failed to receive msix vector %d\n", i); +@@ -521,6 +522,7 @@ static void gve_add_napi(struct gve_priv + struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx]; + + netif_napi_add(priv->dev, &block->napi, gve_poll); ++ enable_irq(block->irq); + } + + static void gve_remove_napi(struct gve_priv *priv, int ntfy_idx) +@@ -528,6 +530,7 @@ static void gve_remove_napi(struct gve_p + struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx]; + + netif_napi_del(&block->napi); ++ disable_irq(block->irq); + } + + static int gve_register_qpls(struct gve_priv *priv) diff --git a/queue-6.1/net-add-skb_header_pointer_careful-helper.patch b/queue-6.1/net-add-skb_header_pointer_careful-helper.patch new file mode 100644 index 0000000000..9aa2707068 --- /dev/null +++ b/queue-6.1/net-add-skb_header_pointer_careful-helper.patch @@ -0,0 +1,49 @@ +From lanbincn@139.com Thu Feb 26 10:56:06 2026 +From: Bin Lan +Date: Thu, 26 Feb 2026 17:55:50 +0800 +Subject: net: add skb_header_pointer_careful() helper +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Eric Dumazet , Jakub Kicinski , Bin Lan +Message-ID: <20260226095551.4183-1-lanbincn@139.com> + +From: Eric Dumazet + +[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ] + +This variant of skb_header_pointer() should be used in contexts +where @offset argument is user-controlled and could be negative. + +Negative offsets are supported, as long as the zone starts +between skb->head and skb->data. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -4113,6 +4113,18 @@ skb_header_pointer(const struct sk_buff + skb_headlen(skb), buffer); + } + ++/* Variant of skb_header_pointer() where @offset is user-controlled ++ * and potentially negative. ++ */ ++static inline void * __must_check ++skb_header_pointer_careful(const struct sk_buff *skb, int offset, ++ int len, void *buffer) ++{ ++ if (unlikely(offset < 0 && -offset > skb_headroom(skb))) ++ return NULL; ++ return skb_header_pointer(skb, offset, len, buffer); ++} ++ + /** + * skb_needs_linearize - check if we need to linearize a given skb + * depending on the given device features. diff --git a/queue-6.1/net-enetc-allocate-vf_state-during-pf-probes.patch b/queue-6.1/net-enetc-allocate-vf_state-during-pf-probes.patch new file mode 100644 index 0000000000..848b2e8c1b --- /dev/null +++ b/queue-6.1/net-enetc-allocate-vf_state-during-pf-probes.patch @@ -0,0 +1,104 @@ +From stable+bounces-219189-greg=kroah.com@vger.kernel.org Wed Feb 25 05:16:47 2026 +From: Rahul Sharma +Date: Wed, 25 Feb 2026 12:16:05 +0800 +Subject: net: enetc: allocate vf_state during PF probes +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Wei Fang , Vladimir Oltean , Jakub Kicinski , Rahul Sharma +Message-ID: <20260225041605.1563705-2-black.hawk@163.com> + +From: Wei Fang + +[ Upstream commit e15c5506dd39885cd047f811a64240e2e8ab401b ] + +In the previous implementation, vf_state is allocated memory only when VF +is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before +VF is enabled to configure the MAC address of VF. If this is the case, +enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null +pointer. The simplified error log is as follows. + +root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89 +[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 +[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80 Message from sy +[ 173.641973] lr : do_setlink+0x4a8/0xec8 +[ 173.732292] Call trace: +[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80 +[ 173.738847] __rtnl_newlink+0x530/0x89c +[ 173.742692] rtnl_newlink+0x50/0x7c +[ 173.746189] rtnetlink_rcv_msg+0x128/0x390 +[ 173.750298] netlink_rcv_skb+0x60/0x130 +[ 173.754145] rtnetlink_rcv+0x18/0x24 +[ 173.757731] netlink_unicast+0x318/0x380 +[ 173.761665] netlink_sendmsg+0x17c/0x3c8 + +Fixes: d4fd0404c1c9 ("enetc: Introduce basic PF and VF ENETC ethernet drivers") +Signed-off-by: Wei Fang +Reviewed-by: Vladimir Oltean +Tested-by: Vladimir Oltean +Link: https://patch.msgid.link/20241031060247.1290941-2-wei.fang@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -683,19 +683,11 @@ static int enetc_sriov_configure(struct + + if (!num_vfs) { + enetc_msg_psi_free(pf); +- kfree(pf->vf_state); + pf->num_vfs = 0; + pci_disable_sriov(pdev); + } else { + pf->num_vfs = num_vfs; + +- pf->vf_state = kcalloc(num_vfs, sizeof(struct enetc_vf_state), +- GFP_KERNEL); +- if (!pf->vf_state) { +- pf->num_vfs = 0; +- return -ENOMEM; +- } +- + err = enetc_msg_psi_init(pf); + if (err) { + dev_err(&pdev->dev, "enetc_msg_psi_init (%d)\n", err); +@@ -714,7 +706,6 @@ static int enetc_sriov_configure(struct + err_en_sriov: + enetc_msg_psi_free(pf); + err_msg_psi: +- kfree(pf->vf_state); + pf->num_vfs = 0; + + return err; +@@ -1322,6 +1313,12 @@ static int enetc_pf_probe(struct pci_dev + pf = enetc_si_priv(si); + pf->si = si; + pf->total_vfs = pci_sriov_get_totalvfs(pdev); ++ if (pf->total_vfs) { ++ pf->vf_state = kcalloc(pf->total_vfs, sizeof(struct enetc_vf_state), ++ GFP_KERNEL); ++ if (!pf->vf_state) ++ goto err_alloc_vf_state; ++ } + + err = enetc_setup_mac_addresses(node, pf); + if (err) +@@ -1398,6 +1395,8 @@ err_alloc_si_res: + err_alloc_netdev: + err_device_disabled: + err_setup_mac_addresses: ++ kfree(pf->vf_state); ++err_alloc_vf_state: + enetc_psi_destroy(pdev); + err_psi_create: + return err; +@@ -1424,6 +1423,7 @@ static void enetc_pf_remove(struct pci_d + enetc_free_si_resources(priv); + + free_netdev(si->ndev); ++ kfree(pf->vf_state); + + enetc_psi_destroy(pdev); + } diff --git a/queue-6.1/net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch b/queue-6.1/net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch new file mode 100644 index 0000000000..ed79c3bc4e --- /dev/null +++ b/queue-6.1/net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch @@ -0,0 +1,203 @@ +From stable+bounces-219188-greg=kroah.com@vger.kernel.org Wed Feb 25 05:16:43 2026 +From: Rahul Sharma +Date: Wed, 25 Feb 2026 12:16:04 +0800 +Subject: net: enetc: reimplement RFS/RSS memory clearing as PCI quirk +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Vladimir Oltean , Rob Herring , "David S . Miller" , Rahul Sharma +Message-ID: <20260225041605.1563705-1-black.hawk@163.com> + +From: Vladimir Oltean + +[ Upstream commit f0168042a21292d20007d24ab2e4fc32f79ebf11 ] + +The workaround implemented in commit 3222b5b613db ("net: enetc: +initialize RFS/RSS memories for unused ports too") is no longer +effective after commit 6fffbc7ae137 ("PCI: Honor firmware's device +disabled status"). Thus, it has introduced a regression and we see AER +errors being reported again: + +$ ip link set sw2p0 up && dhclient -i sw2p0 && ip addr show sw2p0 +fsl_enetc 0000:00:00.2 eno2: configuring for fixed/internal link mode +fsl_enetc 0000:00:00.2 eno2: Link is Up - 2.5Gbps/Full - flow control rx/tx +mscc_felix 0000:00:00.5 swp2: configuring for fixed/sgmii link mode +mscc_felix 0000:00:00.5 swp2: Link is Up - 1Gbps/Full - flow control off +sja1105 spi2.2 sw2p0: configuring for phy/rgmii-id link mode +sja1105 spi2.2 sw2p0: Link is Up - 1Gbps/Full - flow control off +pcieport 0000:00:1f.0: AER: Multiple Corrected error received: 0000:00:00.0 +pcieport 0000:00:1f.0: AER: can't find device of ID0000 + +Rob's suggestion is to reimplement the enetc driver workaround as a +PCI fixup, and to modify the PCI core to run the fixups for all PCI +functions. This change handles the first part. + +We refactor the common code in enetc_psi_create() and enetc_psi_destroy(), +and use the PCI fixup only for those functions for which enetc_pf_probe() +won't get called. This avoids some work being done twice for the PFs +which are enabled. + +Fixes: 6fffbc7ae137 ("PCI: Honor firmware's device disabled status") +Link: https://lore.kernel.org/netdev/CAL_JsqLsVYiPLx2kcHkDQ4t=hQVCR7NHziDwi9cCFUFhx48Qow@mail.gmail.com/ +Suggested-by: Rob Herring +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/enetc/enetc_pf.c | 103 +++++++++++++++++------- + 1 file changed, 73 insertions(+), 30 deletions(-) + +--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c +@@ -1236,50 +1236,81 @@ static int enetc_pf_register_with_ierb(s + return ret; + } + +-static int enetc_pf_probe(struct pci_dev *pdev, +- const struct pci_device_id *ent) ++static struct enetc_si *enetc_psi_create(struct pci_dev *pdev) + { +- struct device_node *node = pdev->dev.of_node; +- struct enetc_ndev_priv *priv; +- struct net_device *ndev; + struct enetc_si *si; +- struct enetc_pf *pf; + int err; + +- err = enetc_pf_register_with_ierb(pdev); +- if (err == -EPROBE_DEFER) +- return err; +- if (err) +- dev_warn(&pdev->dev, +- "Could not register with IERB driver: %pe, please update the device tree\n", +- ERR_PTR(err)); +- +- err = enetc_pci_probe(pdev, KBUILD_MODNAME, sizeof(*pf)); +- if (err) +- return dev_err_probe(&pdev->dev, err, "PCI probing failed\n"); ++ err = enetc_pci_probe(pdev, KBUILD_MODNAME, sizeof(struct enetc_pf)); ++ if (err) { ++ dev_err_probe(&pdev->dev, err, "PCI probing failed\n"); ++ goto out; ++ } + + si = pci_get_drvdata(pdev); + if (!si->hw.port || !si->hw.global) { + err = -ENODEV; + dev_err(&pdev->dev, "could not map PF space, probing a VF?\n"); +- goto err_map_pf_space; ++ goto out_pci_remove; + } + + err = enetc_setup_cbdr(&pdev->dev, &si->hw, ENETC_CBDR_DEFAULT_SIZE, + &si->cbd_ring); + if (err) +- goto err_setup_cbdr; ++ goto out_pci_remove; + + err = enetc_init_port_rfs_memory(si); + if (err) { + dev_err(&pdev->dev, "Failed to initialize RFS memory\n"); +- goto err_init_port_rfs; ++ goto out_teardown_cbdr; + } + + err = enetc_init_port_rss_memory(si); + if (err) { + dev_err(&pdev->dev, "Failed to initialize RSS memory\n"); +- goto err_init_port_rss; ++ goto out_teardown_cbdr; ++ } ++ ++ return si; ++ ++out_teardown_cbdr: ++ enetc_teardown_cbdr(&si->cbd_ring); ++out_pci_remove: ++ enetc_pci_remove(pdev); ++out: ++ return ERR_PTR(err); ++} ++ ++static void enetc_psi_destroy(struct pci_dev *pdev) ++{ ++ struct enetc_si *si = pci_get_drvdata(pdev); ++ ++ enetc_teardown_cbdr(&si->cbd_ring); ++ enetc_pci_remove(pdev); ++} ++ ++static int enetc_pf_probe(struct pci_dev *pdev, ++ const struct pci_device_id *ent) ++{ ++ struct device_node *node = pdev->dev.of_node; ++ struct enetc_ndev_priv *priv; ++ struct net_device *ndev; ++ struct enetc_si *si; ++ struct enetc_pf *pf; ++ int err; ++ ++ err = enetc_pf_register_with_ierb(pdev); ++ if (err == -EPROBE_DEFER) ++ return err; ++ if (err) ++ dev_warn(&pdev->dev, ++ "Could not register with IERB driver: %pe, please update the device tree\n", ++ ERR_PTR(err)); ++ ++ si = enetc_psi_create(pdev); ++ if (IS_ERR(si)) { ++ err = PTR_ERR(si); ++ goto err_psi_create; + } + + if (node && !of_device_is_available(node)) { +@@ -1365,15 +1396,10 @@ err_alloc_si_res: + si->ndev = NULL; + free_netdev(ndev); + err_alloc_netdev: +-err_init_port_rss: +-err_init_port_rfs: + err_device_disabled: + err_setup_mac_addresses: +- enetc_teardown_cbdr(&si->cbd_ring); +-err_setup_cbdr: +-err_map_pf_space: +- enetc_pci_remove(pdev); +- ++ enetc_psi_destroy(pdev); ++err_psi_create: + return err; + } + +@@ -1396,12 +1422,29 @@ static void enetc_pf_remove(struct pci_d + enetc_free_msix(priv); + + enetc_free_si_resources(priv); +- enetc_teardown_cbdr(&si->cbd_ring); + + free_netdev(si->ndev); + +- enetc_pci_remove(pdev); ++ enetc_psi_destroy(pdev); ++} ++ ++static void enetc_fixup_clear_rss_rfs(struct pci_dev *pdev) ++{ ++ struct device_node *node = pdev->dev.of_node; ++ struct enetc_si *si; ++ ++ /* Only apply quirk for disabled functions. For the ones ++ * that are enabled, enetc_pf_probe() will apply it. ++ */ ++ if (node && of_device_is_available(node)) ++ return; ++ ++ si = enetc_psi_create(pdev); ++ if (si) ++ enetc_psi_destroy(pdev); + } ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_FREESCALE, ENETC_DEV_ID_PF, ++ enetc_fixup_clear_rss_rfs); + + static const struct pci_device_id enetc_pf_id_table[] = { + { PCI_DEVICE(PCI_VENDOR_ID_FREESCALE, ENETC_DEV_ID_PF) }, diff --git a/queue-6.1/net-handle-napi_schedule-calls-from-non-interrupt.patch b/queue-6.1/net-handle-napi_schedule-calls-from-non-interrupt.patch new file mode 100644 index 0000000000..945b24255c --- /dev/null +++ b/queue-6.1/net-handle-napi_schedule-calls-from-non-interrupt.patch @@ -0,0 +1,105 @@ +From 77e45145e3039a0fb212556ab3f8c87f54771757 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Sun, 23 Feb 2025 23:17:08 +0100 +Subject: net: Handle napi_schedule() calls from non-interrupt + +From: Frederic Weisbecker + +commit 77e45145e3039a0fb212556ab3f8c87f54771757 upstream. + +napi_schedule() is expected to be called either: + +* From an interrupt, where raised softirqs are handled on IRQ exit + +* From a softirq disabled section, where raised softirqs are handled on + the next call to local_bh_enable(). + +* From a softirq handler, where raised softirqs are handled on the next + round in do_softirq(), or further deferred to a dedicated kthread. + +Other bare tasks context may end up ignoring the raised NET_RX vector +until the next random softirq handling opportunity, which may not +happen before a while if the CPU goes idle afterwards with the tick +stopped. + +Such "misuses" have been detected on several places thanks to messages +of the kind: + + "NOHZ tick-stop error: local softirq work is pending, handler #08!!!" + +For example: + + __raise_softirq_irqoff + __napi_schedule + rtl8152_runtime_resume.isra.0 + rtl8152_resume + usb_resume_interface.isra.0 + usb_resume_both + __rpm_callback + rpm_callback + rpm_resume + __pm_runtime_resume + usb_autoresume_device + usb_remote_wakeup + hub_event + process_one_work + worker_thread + kthread + ret_from_fork + ret_from_fork_asm + +And also: + +* drivers/net/usb/r8152.c::rtl_work_func_t +* drivers/net/netdevsim/netdev.c::nsim_start_xmit + +There is a long history of issues of this kind: + + 019edd01d174 ("ath10k: sdio: Add missing BH locking around napi_schdule()") + 330068589389 ("idpf: disable local BH when scheduling napi for marker packets") + e3d5d70cb483 ("net: lan78xx: fix "softirq work is pending" error") + e55c27ed9ccf ("mt76: mt7615: add missing bh-disable around rx napi schedule") + c0182aa98570 ("mt76: mt7915: add missing bh-disable around tx napi enable/schedule") + 970be1dff26d ("mt76: disable BH around napi_schedule() calls") + 019edd01d174 ("ath10k: sdio: Add missing BH locking around napi_schdule()") + 30bfec4fec59 ("can: rx-offload: can_rx_offload_threaded_irq_finish(): add new function to be called from threaded interrupt") + e63052a5dd3c ("mlx5e: add add missing BH locking around napi_schdule()") + 83a0c6e58901 ("i40e: Invoke softirqs after napi_reschedule") + bd4ce941c8d5 ("mlx4: Invoke softirqs after napi_reschedule") + 8cf699ec849f ("mlx4: do not call napi_schedule() without care") + ec13ee80145c ("virtio_net: invoke softirqs after __napi_schedule") + +This shows that relying on the caller to arrange a proper context for +the softirqs to be handled while calling napi_schedule() is very fragile +and error prone. Also fixing them can also prove challenging if the +caller may be called from different kinds of contexts. + +Therefore fix this from napi_schedule() itself with waking up ksoftirqd +when softirqs are raised from task contexts. + +Reported-by: Paul Menzel +Reported-by: Jakub Kicinski +Reported-by: Francois Romieu +Closes: https://lore.kernel.org/lkml/354a2690-9bbf-4ccb-8769-fa94707a9340@molgen.mpg.de/ +Cc: Breno Leitao +Signed-off-by: Frederic Weisbecker +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20250223221708.27130-1-frederic@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Jan Kiszka +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -4486,7 +4486,7 @@ static inline void ____napi_schedule(str + } + + list_add_tail(&napi->poll_list, &sd->poll_list); +- __raise_softirq_irqoff(NET_RX_SOFTIRQ); ++ raise_softirq_irqoff(NET_RX_SOFTIRQ); + } + + #ifdef CONFIG_RPS diff --git a/queue-6.1/net-sched-cls_u32-use-skb_header_pointer_careful.patch b/queue-6.1/net-sched-cls_u32-use-skb_header_pointer_careful.patch new file mode 100644 index 0000000000..486e1ca26d --- /dev/null +++ b/queue-6.1/net-sched-cls_u32-use-skb_header_pointer_careful.patch @@ -0,0 +1,69 @@ +From lanbincn@139.com Thu Feb 26 10:56:09 2026 +From: Bin Lan +Date: Thu, 26 Feb 2026 17:55:51 +0800 +Subject: net/sched: cls_u32: use skb_header_pointer_careful() +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Eric Dumazet , GangMin Kim , Jakub Kicinski , Bin Lan +Message-ID: <20260226095551.4183-2-lanbincn@139.com> + +From: Eric Dumazet + +[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ] + +skb_header_pointer() does not fully validate negative @offset values. + +Use skb_header_pointer_careful() instead. + +GangMin Kim provided a report and a repro fooling u32_classify(): + +BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 +net/sched/cls_u32.c:221 + +Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely") +Reported-by: GangMin Kim +Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_u32.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -159,10 +159,8 @@ next_knode: + int toff = off + key->off + (off2 & key->offmask); + __be32 *data, hdata; + +- if (skb_headroom(skb) + toff > INT_MAX) +- goto out; +- +- data = skb_header_pointer(skb, toff, 4, &hdata); ++ data = skb_header_pointer_careful(skb, toff, 4, ++ &hdata); + if (!data) + goto out; + if ((*data ^ key->val) & key->mask) { +@@ -212,8 +210,9 @@ check_terminal: + if (ht->divisor) { + __be32 *data, hdata; + +- data = skb_header_pointer(skb, off + n->sel.hoff, 4, +- &hdata); ++ data = skb_header_pointer_careful(skb, ++ off + n->sel.hoff, ++ 4, &hdata); + if (!data) + goto out; + sel = ht->divisor & u32_hash_fold(*data, &n->sel, +@@ -227,7 +226,7 @@ check_terminal: + if (n->sel.flags & TC_U32_VAROFFSET) { + __be16 *data, hdata; + +- data = skb_header_pointer(skb, ++ data = skb_header_pointer_careful(skb, + off + n->sel.offoff, + 2, &hdata); + if (!data) diff --git a/queue-6.1/net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch b/queue-6.1/net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch new file mode 100644 index 0000000000..3a7c15dc50 --- /dev/null +++ b/queue-6.1/net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch @@ -0,0 +1,38 @@ +From e1aa5ef892fb4fa9014a25e87b64b97347919d37 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Tue, 3 Feb 2026 14:29:01 +0800 +Subject: net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz + +From: Huacai Chen + +commit e1aa5ef892fb4fa9014a25e87b64b97347919d37 upstream. + +Current clk_csr_i setting of Loongson STMMAC (including LS7A1000/2000 +and LS2K1000/2000/3000) are copy & paste from other drivers. In fact, +Loongson STMMAC use 125MHz clocks and need 62 freq division to within +2.5MHz, meeting most PHY MDC requirement. So fix by setting clk_csr_i +to 100-150MHz, otherwise some PHYs may link fail. + +Cc: stable@vger.kernel.org +Fixes: 30bba69d7db40e7 ("stmmac: pci: Add dwmac support for Loongson") +Signed-off-by: Hongliang Wang +Signed-off-by: Huacai Chen +Link: https://patch.msgid.link/20260203062901.2158236-1-chenhuacai@loongson.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-loongson.c +@@ -11,7 +11,7 @@ + + static int loongson_default_data(struct plat_stmmacenet_data *plat) + { +- plat->clk_csr = 2; /* clk_csr_i = 20-35MHz & MDC = clk_csr_i/16 */ ++ plat->clk_csr = 1; /* clk_csr_i = 100-150MHz & MDC = clk_csr_i/62 */ + plat->has_gmac = 1; + plat->force_sf_dma_mode = 1; + diff --git a/queue-6.1/scsi-ufs-core-fix-handling-of-lrbp-cmd.patch b/queue-6.1/scsi-ufs-core-fix-handling-of-lrbp-cmd.patch new file mode 100644 index 0000000000..3090734d83 --- /dev/null +++ b/queue-6.1/scsi-ufs-core-fix-handling-of-lrbp-cmd.patch @@ -0,0 +1,89 @@ +From stable+bounces-219894-greg=kroah.com@vger.kernel.org Fri Feb 27 04:12:46 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 27 Feb 2026 11:12:23 +0800 +Subject: scsi: ufs: core: Fix handling of lrbp->cmd +To: bvanassche@acm.org, adrian.hunter@intel.com, martin.petersen@oracle.com, gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org +Message-ID: <20260227031223.1643-1-681739313@139.com> + +From: Bart Van Assche + +[ Upstream commit 549e91a9bbaa0ee480f59357868421a61d369770 ] + +ufshcd_queuecommand() may be called two times in a row for a SCSI command +before it is completed. Hence make the following changes: + + - In the functions that submit a command, do not check the old value of + lrbp->cmd nor clear lrbp->cmd in error paths. + + - In ufshcd_release_scsi_cmd(), do not clear lrbp->cmd. + +See also scsi_send_eh_cmnd(). + +This commit prevents that the following appears if a command times out: + +WARNING: at drivers/ufs/core/ufshcd.c:2965 ufshcd_queuecommand+0x6f8/0x9a8 +Call trace: + ufshcd_queuecommand+0x6f8/0x9a8 + scsi_send_eh_cmnd+0x2c0/0x960 + scsi_eh_test_devices+0x100/0x314 + scsi_eh_ready_devs+0xd90/0x114c + scsi_error_handler+0x2b4/0xb70 + kthread+0x16c/0x1e0 + +Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20230524203659.1394307-3-bvanassche@acm.org +Acked-by: Adrian Hunter +Signed-off-by: Martin K. Petersen +[ Removed the change in ufshcd_advanced_rpmb_req_handler() due to missing +commit:6ff265fc5ef6("scsi: ufs: core: bsg: Add advanced RPMB support in ufs_bsg") ] +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -2821,7 +2821,6 @@ static int ufshcd_queuecommand(struct Sc + (hba->clk_gating.state != CLKS_ON)); + + lrbp = &hba->lrb[tag]; +- WARN_ON(lrbp->cmd); + lrbp->cmd = cmd; + lrbp->task_tag = tag; + lrbp->lun = ufshcd_scsi_to_upiu_lun(cmd->device->lun); +@@ -2837,7 +2836,6 @@ static int ufshcd_queuecommand(struct Sc + + err = ufshcd_map_sg(hba, lrbp); + if (err) { +- lrbp->cmd = NULL; + ufshcd_release(hba); + goto out; + } +@@ -3047,7 +3045,7 @@ static int ufshcd_exec_dev_cmd(struct uf + down_read(&hba->clk_scaling_lock); + + lrbp = &hba->lrb[tag]; +- WARN_ON(lrbp->cmd); ++ lrbp->cmd = NULL; + err = ufshcd_compose_dev_cmd(hba, lrbp, cmd_type, tag); + if (unlikely(err)) + goto out; +@@ -5357,7 +5355,6 @@ static void ufshcd_release_scsi_cmd(stru + struct scsi_cmnd *cmd = lrbp->cmd; + + scsi_dma_unmap(cmd); +- lrbp->cmd = NULL; /* Mark the command as completed. */ + ufshcd_release(hba); + ufshcd_clk_scaling_update_busy(hba); + } +@@ -6936,7 +6933,6 @@ static int ufshcd_issue_devman_upiu_cmd( + down_read(&hba->clk_scaling_lock); + + lrbp = &hba->lrb[tag]; +- WARN_ON(lrbp->cmd); + lrbp->cmd = NULL; + lrbp->task_tag = tag; + lrbp->lun = 0; diff --git a/queue-6.1/series b/queue-6.1/series index 3a00fbb07c..8e6ff3f202 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -375,3 +375,15 @@ smb-client-compare-macs-in-constant-time.patch ksmbd-compare-macs-in-constant-time.patch net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch mtd-spinand-macronix-use-scratch-buffer-for-dma-operation.patch +net-enetc-reimplement-rfs-rss-memory-clearing-as-pci-quirk.patch +net-enetc-allocate-vf_state-during-pf-probes.patch +dm-verity-disable-recursive-forward-error-correction.patch +net-add-skb_header_pointer_careful-helper.patch +net-sched-cls_u32-use-skb_header_pointer_careful.patch +scsi-ufs-core-fix-handling-of-lrbp-cmd.patch +net-stmmac-dwmac-loongson-set-clk_csr_i-to-100-150mhz.patch +net-handle-napi_schedule-calls-from-non-interrupt.patch +gve-defer-interrupt-enabling-until-napi-registration.patch +drm-exynos-vidi-use-priv-vidi_dev-for-ctx-lookup-in-vidi_connection_ioctl.patch +drm-exynos-vidi-fix-to-avoid-directly-dereferencing-user-pointer.patch +drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch