From: Sasha Levin
Date: Tue, 20 Jan 2026 04:51:29 +0000 (-0500)
Subject: Fixes for all trees
X-Git-Tag: v6.12.67~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29b8b8c3780457df05950fd7a161c1be67b99b78;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for all trees
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/asoc-tlv320adcx140-fix-word-length.patch b/queue-5.10/asoc-tlv320adcx140-fix-word-length.patch
new file mode 100644
index 0000000000..71636f6fc2
--- /dev/null
+++ b/queue-5.10/asoc-tlv320adcx140-fix-word-length.patch
@@ -0,0 +1,50 @@
+From 339865008fb564078a23840c0a7520e696133ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen
+Signed-off-by: Sascha Hauer
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index a6241a0453694..c7a591ee25900 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -673,7 +673,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -688,7 +688,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.10/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-5.10/btrfs-send-check-for-inline-extents-in-range_is_hole.patch
new file mode 100644
index 0000000000..eec2651ccf
--- /dev/null
+++ b/queue-5.10/btrfs-send-check-for-inline-extents-in-range_is_hole.patch
@@ -0,0 +1,44 @@
+From f4428dfbae8cee287fcf7bc4ab5e7efdaeeac8ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index d86b4d13cae48..f144171ed6b7e 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5892,6 +5892,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
diff --git a/queue-5.10/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-5.10/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
new file mode 100644
index 0000000000..e807cfba1a
--- /dev/null
+++ b/queue-5.10/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
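Review bot: The new inline-extent test in range_is_hole_in_parent() (fs/btrfs/send.c) carries no comment, so the reason it must sit before `btrfs_file_extent_disk_bytenr(leaf, fi)` lives only in the commit message. I would add `/* Inline extents store their data where disk_bytenr would be; reading it can run past the item. */` above the `if`, so a later reorder of these checks does not bring the invalid read back. The function starts and ends outside the hunk, so whether `return 0` is the right answer for every caller could not be checked from here.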
@@ -0,0 +1,50 @@
+From 4f2435c1bcffa5ebd2423f071b02d5b271767757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 268a080587149..6c6a34265b063 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1803,6 +1803,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1818,6 +1820,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
diff --git a/queue-5.10/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-5.10/dmaengine-tegra-adma-fix-use-after-free.patch
new file mode 100644
index 0000000000..65c57633c6
--- /dev/null
+++ b/queue-5.10/dmaengine-tegra-adma-fix-use-after-free.patch
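Review bot: The second error branch of omap_dma_probe() (after of_dma_controller_register() fails) destroys the pool and calls `omap_dma_free(od)` but, unlike the first branch, shows no `return rc;` before its closing braces. The rest of the probe function is outside the hunk, so this needs checking: if execution continues past those braces, later probe code would run against a destroyed `desc_pool` and whatever omap_dma_free() released. Adding `return rc;` after `omap_dma_free(od);` would make the two paths agree. The repeated `if (od->ll123_supported) dma_pool_destroy(od->desc_pool);` pair could also move to one shared error label so a future exit path cannot miss it.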
@@ -0,0 +1,110 @@
+From 59e2ce65563f3cfd5329dc29a20faaf37e61b295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal
+Acked-by: Thierry Reding
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index d84010c2e4bf1..bcd1deb082615 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -344,10 +344,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -893,6 +900,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
diff --git a/queue-5.10/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-5.10/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
new file mode 100644
index 0000000000..de71d2731a
--- /dev/null
+++ b/queue-5.10/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
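Review bot: In tegra_adma_stop() (drivers/dma/tegra210-adma.c), `vchan_terminate_vdesc(&tdc->desc->vd)` needs a valid `tdc->desc`, whereas the `kfree(tdc->desc)` it replaces accepted NULL. The callers are outside the hunk, so confirm each one tests `tdc->desc` first, or guard the call with `if (tdc->desc)`. The early `return;` visible at the top of the hunk still skips this cleanup and leaves `tdc->desc` set; a comment there saying who reclaims the descriptor in that case would help. The new tegra_adma_synchronize() could carry a one-line comment such as `/* Wait for the vchan completion tasklet and free terminated descriptors. */`, which is what the commit message says it is for.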
@@ -0,0 +1,61 @@
+From 34eaa5a53df1b47ff5a3825585c4913a8a51720e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey
+Reviewed-by: Folker Schwesinger
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 3ecf0109af2ba..12e9ba5b114db 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -128,6 +128,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -2996,7 +2997,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3065,7 +3066,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
diff --git a/queue-5.10/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-5.10/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
new file mode 100644
index 0000000000..d28ce8c764
--- /dev/null
+++ b/queue-5.10/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
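Review bot: `addr_width` in xilinx_dma_probe() comes straight from the "xlnx,addrwidth" device-tree property and the only test visible in the hunk is `addr_width > 32`; nothing bounds it from above. The commit message says the value drives the DMA mask configuration, which happens outside the hunk, so presumably a width above 64 should fail the probe through its existing error path rather than reach that code; please confirm against the later use. Separately, the new macro is spelled `XILINX_DMA_DFAULT_ADDRWIDTH`, where `XILINX_DMA_DEFAULT_ADDRWIDTH` is presumably meant, and a short comment on the initializer noting that of_property_read_u32() leaves the variable at this default when the property is absent would document what the fix relies on.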
@@ -0,0 +1,105 @@
+From 2cfbfa927d0e599fb06d55f312356505d9b755be Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 6efad8d6653b6..855622a6a304f 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -876,7 +876,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
diff --git a/queue-5.10/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-5.10/ipv4-ip_gre-make-ipgre_header-robust.patch
new file mode 100644
index 0000000000..92c974fa31
--- /dev/null
+++ b/queue-5.10/ipv4-ip_gre-make-ipgre_header-robust.patch
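Review bot: The condition in __ip6_tnl_rcv() (net/ipv6/ip6_tunnel.c) changes polarity without saying so: the old test dropped when `pskb_inet_may_pull(skb)` returned false, the new one drops when `skb_vlan_inet_prepare(skb, true)` returns non-zero. A one-line comment above the `if`, for example `/* non-zero: the inner header, behind any VLAN tags, could not be pulled */`, would keep a later edit from re-adding the `!`. For this 5.10 queue, also confirm that the tree's skb_vlan_inet_prepare() takes the second `bool` argument, since the helper's definition is not part of this patch. The function continues outside the hunk.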
@@ -0,0 +1,87 @@
+From 48a83fa65fbd8b1b0968bba1421d8c14bfc244c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index ae0189828aa92..c56848f36298d 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -852,10 +852,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
diff --git a/queue-5.10/macvlan-add-nodst-option-to-macvlan-type-source.patch b/queue-5.10/macvlan-add-nodst-option-to-macvlan-type-source.patch
new file mode 100644
index 0000000000..c51fd0dc32
--- /dev/null
+++ b/queue-5.10/macvlan-add-nodst-option-to-macvlan-type-source.patch
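Review bot: The headroom check added to ipgre_header() (net/ipv4/ip_gre.c) has no comment, so the reason a header_ops callback can be handed an skb with too little headroom is recorded only in the commit message. I would put `/* A stacked device may have raised needed_headroom after this skb was allocated. */` above the `if`. The failure path returns `-needed`; a second short comment stating that a negative return tells the caller no header was built would help, since the function's other return statements are outside the hunk and could not be compared. `needed` is a signed `int` compared against `skb_headroom(skb)`; that is fine as long as `t->hlen` is never negative, which the hunk does not show.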
@@ -0,0 +1,105 @@
+From a2dea7978eb4c3fccdf13c2fd4e6c08dc3596f61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Apr 2021 11:22:03 +0200
+Subject: macvlan: Add nodst option to macvlan type source
+
+From: Jethro Beekman
+
+[ Upstream commit 427f0c8c194b22edcafef1b0a42995ddc5c2227d ]
+
+The default behavior for source MACVLAN is to duplicate packets to
+appropriate type source devices, and then do the normal destination MACVLAN
+flow. This patch adds an option to skip destination MACVLAN processing if
+any matching source MACVLAN device has the option set.
+
+This allows setting up a "catch all" device for source MACVLAN: create one
+or more devices with type source nodst, and one device with e.g. type vepa,
+and incoming traffic will be received on exactly one device.
+
+v2: netdev wants non-standard line length
+
+Signed-off-by: Jethro Beekman
+Signed-off-by: David S. Miller
+Stable-dep-of: 7470a7a63dc1 ("macvlan: fix possible UAF in macvlan_forward_source()")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macvlan.c | 19 ++++++++++++++-----
+ include/uapi/linux/if_link.h | 1 +
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 9c77e6ab2b307..9a6d31cdc4ce6 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -421,18 +421,24 @@ static void macvlan_forward_source_one(struct sk_buff *skb,
+ macvlan_count_rx(vlan, len, ret == NET_RX_SUCCESS, false);
+ }
+
+-static void macvlan_forward_source(struct sk_buff *skb,
++static bool macvlan_forward_source(struct sk_buff *skb,
+ struct macvlan_port *port,
+ const unsigned char *addr)
+ {
+ struct macvlan_source_entry *entry;
+ u32 idx = macvlan_eth_hash(addr);
+ struct hlist_head *h = &port->vlan_source_hash[idx];
++ bool consume = false;
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+- if (ether_addr_equal_64bits(entry->addr, addr))
++ if (ether_addr_equal_64bits(entry->addr, addr)) {
++ if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ consume = true;
+ macvlan_forward_source_one(skb, entry->vlan);
++ }
+ }
++
++ return consume;
+ }
+
+ /* called under rcu_read_lock() from netif_receive_skb */
+@@ -461,7 +467,8 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ return RX_HANDLER_CONSUMED;
+ *pskb = skb;
+ eth = eth_hdr(skb);
+- macvlan_forward_source(skb, port, eth->h_source);
++ if (macvlan_forward_source(skb, port, eth->h_source))
++ return RX_HANDLER_CONSUMED;
+ src = macvlan_hash_lookup(port, eth->h_source);
+ if (src && src->mode != MACVLAN_MODE_VEPA &&
+ src->mode != MACVLAN_MODE_BRIDGE) {
+@@ -480,7 +487,8 @@ static rx_handler_result_t macvlan_handle_frame(struct sk_buff **pskb)
+ return RX_HANDLER_PASS;
+ }
+
+- macvlan_forward_source(skb, port, eth->h_source);
++ if (macvlan_forward_source(skb, port, eth->h_source))
++ return RX_HANDLER_CONSUMED;
+ if (macvlan_passthru(port))
+ vlan = list_first_or_null_rcu(&port->vlans,
+ struct macvlan_dev, list);
+@@ -1283,7 +1291,8 @@ static int macvlan_validate(struct nlattr *tb[], struct nlattr *data[],
+ return 0;
+
+ if (data[IFLA_MACVLAN_FLAGS] &&
+- nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~MACVLAN_FLAG_NOPROMISC)
++ nla_get_u16(data[IFLA_MACVLAN_FLAGS]) & ~(MACVLAN_FLAG_NOPROMISC |
++ MACVLAN_FLAG_NODST))
+ return -EINVAL;
+
+ if (data[IFLA_MACVLAN_MODE]) {
+diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
+index 9334f2128bb2e..33c3b684f6de4 100644
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -609,6 +609,7 @@ enum macvlan_macaddr_mode {
+ };
+
+ #define MACVLAN_FLAG_NOPROMISC 1
++#define MACVLAN_FLAG_NODST 2 /* skip dst macvlan if matching src macvlan */
+
+ /* VRF section */
+ enum {
+--
+2.51.0
+
diff --git a/queue-5.10/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-5.10/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
new file mode 100644
index 0000000000..dfaac07806
--- /dev/null
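Review bot: Both new `return RX_HANDLER_CONSUMED;` exits in macvlan_handle_frame() (drivers/net/macvlan.c) report the skb as consumed without freeing it. If macvlan_forward_source_one() delivers a clone rather than the original (only its last line is in the hunk, so this needs checking), the original skb leaks for every received frame that matches a `nodst` source entry, which is a memory-exhaustion risk driven by incoming traffic. The change I would expect is `kfree_skb(skb);` before each of the two returns. I believe upstream later fixed this in a follow-up to the same commit, so check whether that fix has to be queued together with this dependency.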
+++ b/queue-5.10/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch 
@@ -0,0 +1,108 @@
+From 366cd0dc8fef205a09a508a91c9b121aea0ad5e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index a0d5d0c41b611..ed02451051aee 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -55,7 +55,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -141,7 +141,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -163,7 +163,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -182,6 +182,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -380,7 +381,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -423,9 +424,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1615,7 +1621,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
diff --git a/queue-5.10/macvlan-use-hash-iterators-to-simplify-code.patch b/queue-5.10/macvlan-use-hash-iterators-to-simplify-code.patch
new file mode 100644
index 0000000000..28b3a8be31
--- /dev/null
+++ b/queue-5.10/macvlan-use-hash-iterators-to-simplify-code.patch
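Review bot: macvlan_hash_del_source() (drivers/net/macvlan.c) now relies on clearing `entry->vlan` before the entry is unlinked and handed to kfree_rcu(), but nothing in the code records that. I would add above the new line `/* Clear ->vlan first so RCU readers in macvlan_forward_source() skip entries queued for freeing. */`. In macvlan_forward_source() the `if (!vlan) continue;` test deserves the matching half, `/* NULL: entry is being deleted */`, so the two sites point at each other. The struct field's `__rcu` annotation could also get a short comment naming which accessor each side uses, since the hunks mix `rcu_dereference()`, `rcu_access_pointer()` and `RCU_INIT_POINTER()`.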
@@ -0,0 +1,93 @@ +From fe4852fde658ae44fd28e6374f8fb290473eaedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 18:14:10 +0200 +Subject: macvlan: Use 'hash' iterators to simplify code + +From: Christophe JAILLET + +[ Upstream commit bb23ffa1015cb57e0c9ec3c6135275b38d66a780 ] + +Use 'hash_for_each_rcu' and 'hash_for_each_safe' instead of hand writing +them. This saves some lines of code, reduce indentation and improve +readability. + +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Stable-dep-of: 7470a7a63dc1 ("macvlan: fix possible UAF in macvlan_forward_source()") +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 45 +++++++++++++++++-------------------------- + 1 file changed, 18 insertions(+), 27 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 9a6d31cdc4ce6..a0d5d0c41b611 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -270,25 +270,22 @@ static void macvlan_broadcast(struct sk_buff *skb, + if (skb->protocol == htons(ETH_P_PAUSE)) + return; + +- for (i = 0; i < MACVLAN_HASH_SIZE; i++) { +- hlist_for_each_entry_rcu(vlan, &port->vlan_hash[i], hlist) { +- if (vlan->dev == src || !(vlan->mode & mode)) +- continue; ++ hash_for_each_rcu(port->vlan_hash, i, vlan, hlist) { ++ if (vlan->dev == src || !(vlan->mode & mode)) ++ continue; + +- hash = mc_hash(vlan, eth->h_dest); +- if (!test_bit(hash, vlan->mc_filter)) +- continue; ++ hash = mc_hash(vlan, eth->h_dest); ++ if (!test_bit(hash, vlan->mc_filter)) ++ continue; + +- err = NET_RX_DROP; +- nskb = skb_clone(skb, GFP_ATOMIC); +- if (likely(nskb)) +- err = macvlan_broadcast_one( +- nskb, vlan, eth, ++ err = NET_RX_DROP; ++ nskb = skb_clone(skb, GFP_ATOMIC); ++ if (likely(nskb)) ++ err = macvlan_broadcast_one(nskb, vlan, eth, + mode == MACVLAN_MODE_BRIDGE) ?: +- netif_rx_ni(nskb); +- macvlan_count_rx(vlan, skb->len + ETH_HLEN, +- err == NET_RX_SUCCESS, true); +- } ++ netif_rx_ni(nskb); ++ macvlan_count_rx(vlan, skb->len + 
ETH_HLEN, ++ err == NET_RX_SUCCESS, true); + } + } + +@@ -378,20 +375,14 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port, + static void macvlan_flush_sources(struct macvlan_port *port, + struct macvlan_dev *vlan) + { ++ struct macvlan_source_entry *entry; ++ struct hlist_node *next; + int i; + +- for (i = 0; i < MACVLAN_HASH_SIZE; i++) { +- struct hlist_node *h, *n; +- +- hlist_for_each_safe(h, n, &port->vlan_source_hash[i]) { +- struct macvlan_source_entry *entry; ++ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) ++ if (entry->vlan == vlan) ++ macvlan_hash_del_source(entry); + +- entry = hlist_entry(h, struct macvlan_source_entry, +- hlist); +- if (entry->vlan == vlan) +- macvlan_hash_del_source(entry); +- } +- } + vlan->macaddr_count = 0; + } + +-- +2.51.0 + diff --git a/queue-5.10/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-5.10/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch new file mode 100644 index 0000000000..ad6512e2dd --- /dev/null +++ b/queue-5.10/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch 
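Review bot: In `macvlan_flush_sources()` the new `hash_for_each_safe(...)` loop has an unbraced body that is itself an `if` with its own statement, which is the shape kernel coding style asks to brace and is easy to misread next to a deletion done during iteration. I would open the loop with `hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) {` and close it after the `macvlan_hash_del_source(entry);` line. Behaviour is unchanged; this is only about how the loop reads.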
@@ -0,0 +1,46 @@ +From b0c7398035937160337126eac40e3ed1cd10124a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 17:56:56 +0000 +Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class() + +From: Eric Dumazet + +[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ] + +Fixes qfq_change_class() error case. + +cl->qdisc and cl should only be freed if a new class and qdisc +were allocated, or we risk various UAF. + +Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") +Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_qfq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index 34a6c4ec9a157..9751de2d95e78 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + return 0; + + destroy_class: +- qdisc_put(cl->qdisc); +- kfree(cl); ++ if (!existing) { ++ qdisc_put(cl->qdisc); ++ kfree(cl); ++ } + return err; + } + +-- +2.51.0 + diff --git a/queue-5.10/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-5.10/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch new file mode 100644 index 0000000000..2daa3bcfc7 --- /dev/null +++ b/queue-5.10/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch 
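Review bot: The `destroy_class:` label no longer always destroys, and nothing at the label says why; `existing` is assigned earlier in `qfq_change_class()`, outside this hunk. A comment above `if (!existing) {`, such as `/* Only undo what this call allocated; an existing class is still in use. */`, would keep a later cleanup from restoring the unconditional `qdisc_put()`/`kfree()`. For the backport it is also worth confirming that every `goto destroy_class` reachable with an existing class leaves `cl` untouched, since those jumps are not visible here.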
@@ -0,0 +1,69 @@ +From 18e5de17d1bc4f733e5f2d30b5a14d41993db3e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 13:57:48 -0500 +Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shivam Kumar + +[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ] + +Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +added ttag bounds checking and data_offset +validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate +whether the command's data structures (cmd->req.sg and cmd->iov) have +been properly initialized before processing H2C_DATA PDUs. + +The nvmet_tcp_build_pdu_iovec() function dereferences these pointers +without NULL checks. This can be triggered by sending H2C_DATA PDU +immediately after the ICREQ/ICRESP handshake, before +sending a CONNECT command or NVMe write command. + +Attack vectors that trigger NULL pointer dereferences: +1. H2C_DATA PDU sent before CONNECT → both pointers NULL +2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL +3. H2C_DATA PDU for uninitialized command slot → both pointers NULL + +The fix validates both cmd->req.sg and cmd->iov before calling +nvmet_tcp_build_pdu_iovec(). 
Both checks are required because: +- Uninitialized commands: both NULL +- READ commands: cmd->req.sg allocated, cmd->iov NULL +- WRITE commands: both allocated + +Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +Reviewed-by: Sagi Grimberg +Signed-off-by: Shivam Kumar +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index d7b368102ad9a..94ed4b5b725c7 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -959,6 +959,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); + goto err_proto; + } ++ /* ++ * Ensure command data structures are initialized. We must check both ++ * cmd->req.sg and cmd->iov because they can have different NULL states: ++ * - Uninitialized commands: both NULL ++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL ++ * - WRITE commands: both allocated ++ */ ++ if (unlikely(!cmd->req.sg || !cmd->iov)) { ++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n", ++ queue->idx, data->ttag); ++ goto err_proto; ++ } + cmd->pdu_recv = 0; + nvmet_tcp_map_pdu_iovec(cmd); + queue->cmd = cmd; +-- +2.51.0 + diff --git a/queue-5.10/nvmet-tcp-remove-boilerplate-code.patch b/queue-5.10/nvmet-tcp-remove-boilerplate-code.patch new file mode 100644 index 0000000000..9525b91c5d --- /dev/null +++ b/queue-5.10/nvmet-tcp-remove-boilerplate-code.patch 
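Review bot: The new `!cmd->req.sg || !cmd->iov` test in `nvmet_tcp_handle_h2c_data_pdu()` only works as a state check if both pointers are reset to NULL whenever a command slot is released; that release path is outside the hunk and should be confirmed for this 5.10 tree, because a stale non-NULL pointer would pass the check. The commit message names `nvmet_tcp_build_pdu_iovec()` while the call following the check here is `nvmet_tcp_map_pdu_iovec(cmd)`, so the surrounding code differs from upstream and deserves that second look. Since the new log line can be triggered by any connected host, `pr_err_ratelimited(...)` would be a safer choice than `pr_err(...)`. The function body starts and ends outside the hunk.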
@@ -0,0 +1,72 @@ +From 93a8a40e191b9d60cab5c06d0d8f91f090cf0179 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 16:17:50 +0100 +Subject: nvmet-tcp: remove boilerplate code + +From: Maurizio Lombardi + +[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ] + +Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing +boilerplate code. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 6019eee1f9bdf..d7b368102ad9a 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -933,8 +933,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + if (unlikely(data->ttag >= queue->nr_cmds)) { + pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", + queue->idx, data->ttag, queue->nr_cmds); +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd = &queue->cmds[data->ttag]; + } else { +@@ -945,9 +944,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("ttag %u unexpected data offset %u (expected %u)\n", + data->ttag, le32_to_cpu(data->data_offset), + cmd->rbytes_done); +- /* FIXME: use path and transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + + exp_data_len = le32_to_cpu(data->hdr.plen) - +@@ -960,9 +957,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + cmd->pdu_len == 0 || + cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) { + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); +- /* FIXME: use proper transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd->pdu_recv = 0; + 
nvmet_tcp_map_pdu_iovec(cmd); +@@ -970,6 +965,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + queue->rcv_state = NVMET_TCP_RECV_DATA; + + return 0; ++ ++err_proto: ++ /* FIXME: use proper transport errors */ ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-5.10/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-5.10/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch new file mode 100644 index 0000000000..e0e2e4238c --- /dev/null +++ b/queue-5.10/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch 
@@ -0,0 +1,47 @@ +From 11a36ee2552c1c640b695806c072ce0d6f1d108b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 12:55:34 +0100 +Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning + (again) + +From: Krzysztof Kozlowski + +[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ] + +"family" is an enum, thus cast of pointer on 64-bit compile test with +clang W=1 causes: + + phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast] + +This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3: +fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit +21bf6fc47a1e ("phy: Use device_get_match_data()"). + +Note that after various discussions the preferred cast is via "unsigned +long", not "uintptr_t". + +Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()") +Signed-off-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c +index 45b366855e80d..e04a42fe6b654 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c ++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c +@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev) + usb3->dev = dev; + usb3->mdiodev = mdiodev; + +- usb3->family = (enum bcm_ns_family)device_get_match_data(dev); ++ usb3->family = (unsigned long)device_get_match_data(dev); + + syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0); + err = of_address_to_resource(syscon_np, 0, &res); +-- +2.51.0 + 
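Review bot: `device_get_match_data(dev)` can return NULL, and the cast on the changed line turns that into family value 0 without any check; whether 0 is a meaningful `enum bcm_ns_family` member is not visible in this hunk. If it is not, I would reject it right after the assignment with `if (!usb3->family) return -ENODEV;`, or at least add a comment stating that 0 is the intended fallback. `bcm_ns_usb3_mdio_probe()` continues outside the hunk.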
diff --git a/queue-5.10/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-5.10/phy-stm32-usphyc-fix-off-by-one-in-probe.patch new file mode 100644 index 0000000000..385ec28ea5 --- /dev/null +++ b/queue-5.10/phy-stm32-usphyc-fix-off-by-one-in-probe.patch @@ -0,0 +1,41 @@ +From 858a1e7382a0320dafe3465d0094217202b6eb54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:53:36 +0300 +Subject: phy: stm32-usphyc: Fix off by one in probe() + +From: Dan Carpenter + +[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ] + +The "index" variable is used as an index into the usbphyc->phys[] array +which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys +then it is one element out of bounds. The "index" comes from the +device tree so it's data that we trust and it's unlikely to be wrong, +however it's obviously still worth fixing the bug. Change the > to >=. + +Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)") +Signed-off-by: Dan Carpenter +Reviewed-by: Amelie Delaunay +Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/st/phy-stm32-usbphyc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c +index 03fc567e9f188..9b1b6e9d819ca 100644 +--- a/drivers/phy/st/phy-stm32-usbphyc.c ++++ b/drivers/phy/st/phy-stm32-usbphyc.c +@@ -391,7 +391,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev) + } + + ret = of_property_read_u32(child, "reg", &index); +- if (ret || index > usbphyc->nphys) { ++ if (ret || index >= usbphyc->nphys) { + dev_err(&phy->dev, "invalid reg property: %d\n", ret); + if (!ret) + ret = -EINVAL; +-- +2.51.0 + 
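Review bot: When the corrected bound check fires (`index >= usbphyc->nphys`), `ret` is still 0, so the `dev_err()` on the next line prints `invalid reg property: 0` and the log gives no hint that the value was out of range. Moving the existing `if (!ret)` / `ret = -EINVAL;` pair above the `dev_err()` call makes the message carry `-EINVAL` in that case without reading `index` on the path where the property read failed. The loop in `stm32_usbphyc_probe()` that contains this check starts outside the hunk.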
diff --git a/queue-5.10/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-5.10/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch new file mode 100644 index 0000000000..b261e0345a --- /dev/null +++ b/queue-5.10/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch @@ -0,0 +1,40 @@ +From 891660490936ec259941e16141cf1cacef2ab1ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 07:41:03 +0000 +Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() + +From: Zilin Guan + +[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ] + +In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, +the function jumps to the out_scratch label without freeing the already +allocated dsaddrs list, leading to a memory leak. + +Fix this by jumping to the out_err_drain_dsaddrs label, which properly +frees the dsaddrs list before cleaning up other resources. + +Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Zilin Guan +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +index 11777d33a85e8..35cac4d3f2e8a 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev, + sizeof(struct nfs4_ff_ds_version), + gfp_flags); + if (!ds_versions) +- goto out_scratch; ++ goto out_err_drain_dsaddrs; + + for (i = 0; i < version_count; i++) { + /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) + +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..421470a54c --- /dev/null +++ b/queue-5.10/series 
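Review bot: The new target `out_err_drain_dsaddrs` is defined outside this hunk, so the hunk alone does not show that it still reaches the cleanup `out_scratch` used to perform. For the 5.10 backport it is worth confirming that the label drains `dsaddrs` and then continues to the scratch release, otherwise the change would trade one leak for another. A short comment at the `goto`, such as `/* dsaddrs is already populated here and must be drained */`, would record why this failure path differs from the earlier ones in `nfs4_ff_alloc_deviceid_node()`.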
@@ -0,0 +1,18 @@ +pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch +nvmet-tcp-remove-boilerplate-code.patch +nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch +btrfs-send-check-for-inline-extents-in-range_is_hole.patch +ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch +macvlan-add-nodst-option-to-macvlan-type-source.patch +macvlan-use-hash-iterators-to-simplify-code.patch +macvlan-fix-possible-uaf-in-macvlan_forward_source.patch +ipv4-ip_gre-make-ipgre_header-robust.patch +vsock-test-add-a-final-full-barrier-after-run-all-te.patch +net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch +asoc-tlv320adcx140-fix-word-length.patch +textsearch-describe-list-member-in-ts_ops-search.patch +dmaengine-tegra-adma-fix-use-after-free.patch +dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch +phy-stm32-usphyc-fix-off-by-one-in-probe.patch +phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch +dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch diff --git a/queue-5.10/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-5.10/textsearch-describe-list-member-in-ts_ops-search.patch new file mode 100644 index 0000000000..3511e18e4d --- /dev/null +++ b/queue-5.10/textsearch-describe-list-member-in-ts_ops-search.patch 
@@ -0,0 +1,41 @@ +From 289980f1c1dd8106d6c49aa41989028062a4734c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 08:40:05 +0700 +Subject: textsearch: describe @list member in ts_ops search + +From: Bagas Sanjaya + +[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops' + +Describe @list member to fix it. + +Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com +Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.") +Signed-off-by: Bagas Sanjaya +Cc: Thomas Graf +Cc: "David S. Miller" +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/textsearch.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h +index 13770cfe33ad8..1389959b68422 100644 +--- a/include/linux/textsearch.h ++++ b/include/linux/textsearch.h +@@ -35,6 +35,7 @@ struct ts_state + * @get_pattern: return head of pattern + * @get_pattern_len: return length of pattern + * @owner: module reference to algorithm ++ * @list: list to search + */ + struct ts_ops + { +-- +2.51.0 + diff --git a/queue-5.10/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-5.10/vsock-test-add-a-final-full-barrier-after-run-all-te.patch new file mode 100644 index 0000000000..7a23e50e91 --- /dev/null +++ b/queue-5.10/vsock-test-add-a-final-full-barrier-after-run-all-te.patch 
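Review bot: The added kernel-doc line `@list: list to search` probably misdescribes the member; the body of `struct ts_ops` is outside the hunk, but a `list` field in an ops structure documented next to `@owner` is normally the linkage into a list of registered algorithms rather than data to be searched. If that is the case here, `* @list: list head linking registered textsearch algorithms` would be accurate; please check it against the struct definition.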
@@ -0,0 +1,52 @@ +From bf1553f03d56ec03337ccdb0fe85ff19bbe7433a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 12:44:19 +0100 +Subject: vsock/test: add a final full barrier after run all tests + +From: Stefano Garzarella + +[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ] + +If the last test fails, the other side still completes correctly, +which could lead to false positives. + +Let's add a final barrier that ensures that the last test has finished +correctly on both sides, but also that the two sides agree on the +number of tests to be performed. + +Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases") +Reviewed-by: Luigi Leonardi +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/util.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c +index 93cbd6f603f97..356acac85d862 100644 +--- a/tools/testing/vsock/util.c ++++ b/tools/testing/vsock/util.c +@@ -338,6 +338,18 @@ void run_tests(const struct test_case *test_cases, + + printf("ok\n"); + } ++ ++ printf("All tests have been executed. Waiting other peer..."); ++ fflush(stdout); ++ ++ /* ++ * Final full barrier, to ensure that all tests have been run and ++ * that even the last one has been successful on both sides. ++ */ ++ control_writeln("COMPLETED"); ++ control_expectln("COMPLETED"); ++ ++ printf("ok\n"); + } + + void list_tests(const struct test_case *test_cases) +-- +2.51.0 + diff --git a/queue-5.15/asoc-tlv320adcx140-fix-word-length.patch b/queue-5.15/asoc-tlv320adcx140-fix-word-length.patch new file mode 100644 index 0000000000..52b931b683 --- /dev/null +++ b/queue-5.15/asoc-tlv320adcx140-fix-word-length.patch 
@@ -0,0 +1,50 @@ +From 08789012addbee5a1af96d5f0a6476faeb913319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:47 +0100 +Subject: ASoC: tlv320adcx140: fix word length + +From: Emil Svendsen + +[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ] + +The word length is the physical width of the channel slots. So the +hw_params would misconfigure when format width and physical width +doesn't match. Like S24_LE which has data width of 24 bits but physical +width of 32 bits. So if using asymmetric formats you will get a lot of +noise. + +Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 06d2502b13478..f7fbe3795f98a 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -673,7 +673,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component); + u8 data = 0; + +- switch (params_width(params)) { ++ switch (params_physical_width(params)) { + case 16: + data = ADCX140_16_BIT_WORD; + break; +@@ -688,7 +688,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + break; + default: + dev_err(component->dev, "%s: Unsupported width %d\n", +- __func__, params_width(params)); ++ __func__, params_physical_width(params)); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole.patch new file mode 100644 index 0000000000..3acd211601 --- /dev/null 
+++ b/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole.patch @@ -0,0 +1,44 @@ +From 3f97e9a5e114017142ccae1a86b3481779f4cc92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 20:26:40 +1030 +Subject: btrfs: send: check for inline extents in range_is_hole_in_parent() + +From: Qu Wenruo + +[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ] + +Before accessing the disk_bytenr field of a file extent item we need +to check if we are dealing with an inline extent. +This is because for inline extents their data starts at the offset of +the disk_bytenr field. So accessing the disk_bytenr +means we are accessing inline data or in case the inline data is less +than 8 bytes we can actually cause an invalid +memory access if this inline extent item is the first item in the leaf +or access metadata from other items. + +Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index a46076788bd7e..32992b2fdd384 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -5892,6 +5892,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx, + extent_end = btrfs_file_extent_end(path); + if (extent_end <= start) + goto next; ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) ++ return 0; + if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) { + search_start = extent_end; + goto next; +-- +2.51.0 + diff --git a/queue-5.15/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch b/queue-5.15/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch new file mode 100644 index 0000000000..1fd6cd6edb --- /dev/null +++ b/queue-5.15/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch 
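Review bot: The added `return 0;` leaves `range_is_hole_in_parent()` directly, while the neighbouring lines use `goto next` and the function's setup and exit are outside the hunk. If this 5.15 tree allocates the path with `btrfs_alloc_path()` and frees it at a common exit label rather than using an auto-freed path, the early return leaks the path for every inline extent; in that case the two lines should become `ret = 0;` and `goto out;`, with the variable and label names checked against the tree. A comment above the check, such as `/* Inline extents keep data where disk_bytenr would be; never a hole. */`, would also explain why the test must precede the `btrfs_file_extent_disk_bytenr()` read.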
@@ -0,0 +1,50 @@ +From d4d1cc8455cd8901178c7bc2f09b796c6d2a5dfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 02:17:32 +0100 +Subject: can: etas_es58x: allow partial RX URB allocation to succeed + +From: Szymon Wilczek + +[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ] + +When es58x_alloc_rx_urbs() fails to allocate the requested number of +URBs but succeeds in allocating some, it returns an error code. +This causes es58x_open() to return early, skipping the cleanup label +'free_urbs', which leads to the anchored URBs being leaked. + +As pointed out by maintainer Vincent Mailhol, the driver is designed +to handle partial URB allocation gracefully. Therefore, partial +allocation should not be treated as a fatal error. + +Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been +allocated, restoring the intended behavior and preventing the leak +in es58x_open(). + +Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") +Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8 +Signed-off-by: Szymon Wilczek +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c +index a8273ad5dd9e0..bb73680f8dcee 100644 +--- a/drivers/net/can/usb/etas_es58x/es58x_core.c ++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c +@@ -1743,7 +1743,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev) + dev_dbg(dev, "%s: Allocated %d rx URBs each of size %zu\n", + __func__, i, rx_buf_len); + +- return ret; ++ return 0; + } + + /** +-- +2.51.0 + 
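Review bot: The final `return 0;` in `es58x_alloc_rx_urbs()` is unconditional, while the commit message promises success only when at least one URB was allocated; the zero-URB case therefore has to be rejected earlier in the function, which is outside the hunk and should be confirmed for this tree. I would add `/* Partial allocation is acceptable: the driver runs with fewer RX URBs. */` above the return so the now-discarded `ret` is not mistaken for a bug. The `dev_dbg()` just above, which prints the allocated count `i`, is the only visible trace of a partial allocation.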
diff --git a/queue-5.15/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-5.15/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch new file mode 100644 index 0000000000..f9ce43877d --- /dev/null +++ b/queue-5.15/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch @@ -0,0 +1,50 @@ +From 251305d75b2e83def8a1e4216ae88f744051e23e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 15:30:18 +0800 +Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths + +From: Haotian Zhang + +[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ] + +The dma_pool created by dma_pool_create() is not destroyed when +dma_async_device_register() or of_dma_controller_register() fails, +causing a resource leak in the probe error paths. + +Add dma_pool_destroy() in both error paths to properly release the +allocated dma_pool resource. + +Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/omap-dma.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c +index 7cb577e6587b1..be47a9b8ac96e 100644 +--- a/drivers/dma/ti/omap-dma.c ++++ b/drivers/dma/ti/omap-dma.c +@@ -1804,6 +1804,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n", + rc); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + return rc; + } +@@ -1819,6 +1821,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register DMA controller\n"); + dma_async_device_unregister(&od->ddev); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + } + } +-- +2.51.0 + 
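Review bot: The same teardown pair, `if (od->ll123_supported)` followed by `dma_pool_destroy(od->desc_pool);`, is now repeated in both error branches of `omap_dma_probe()`, and any failure path added later has to remember it too. A single unwind label or a small static helper that destroys the pool and then calls `omap_dma_free(od)` would keep the paths in step. `dma_pool_destroy()` accepts NULL, so if `od->desc_pool` is NULL whenever `ll123_supported` is false (not visible in this hunk) the guard could be dropped as well. The function starts and ends outside the hunk.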
diff --git a/queue-5.15/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-5.15/dmaengine-tegra-adma-fix-use-after-free.patch new file mode 100644 index 0000000000..12f0f72eff --- /dev/null +++ b/queue-5.15/dmaengine-tegra-adma-fix-use-after-free.patch 
@@ -0,0 +1,110 @@ +From bae45712cc8774302d46761c20bb6e6b14594c8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 19:54:45 +0530 +Subject: dmaengine: tegra-adma: Fix use-after-free + +From: Sheetal + +[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ] + +A use-after-free bug exists in the Tegra ADMA driver when audio streams +are terminated, particularly during XRUN conditions. The issue occurs +when the DMA buffer is freed by tegra_adma_terminate_all() before the +vchan completion tasklet finishes accessing it. + +The race condition follows this sequence: + + 1. DMA transfer completes, triggering an interrupt that schedules the + completion tasklet (tasklet has not executed yet) + 2. Audio playback stops, calling tegra_adma_terminate_all() which + frees the DMA buffer memory via kfree() + 3. The scheduled tasklet finally executes, calling vchan_complete() + which attempts to access the already-freed memory + +Since tasklets can execute at any time after being scheduled, there is +no guarantee that the buffer will remain valid when vchan_complete() +runs. + +Fix this by properly synchronizing the virtual channel completion: + - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the + descriptors as terminated instead of freeing the descriptor. + - Add the callback tegra_adma_synchronize() that calls + vchan_synchronize() which kills any pending tasklets and frees any + terminated descriptors. 
+ +Crash logs: +[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 +[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 + +[ 337.427562] Call trace: +[ 337.427564] dump_backtrace+0x0/0x320 +[ 337.427571] show_stack+0x20/0x30 +[ 337.427575] dump_stack_lvl+0x68/0x84 +[ 337.427584] print_address_description.constprop.0+0x74/0x2b8 +[ 337.427590] kasan_report+0x1f4/0x210 +[ 337.427598] __asan_load8+0xa0/0xd0 +[ 337.427603] vchan_complete+0x124/0x3b0 +[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 +[ 337.427617] tasklet_action+0x30/0x40 +[ 337.427623] __do_softirq+0x1a0/0x5c4 +[ 337.427628] irq_exit+0x110/0x140 +[ 337.427633] handle_domain_irq+0xa4/0xe0 +[ 337.427640] gic_handle_irq+0x64/0x160 +[ 337.427644] call_on_irq_stack+0x20/0x4c +[ 337.427649] do_interrupt_handler+0x7c/0x90 +[ 337.427654] el1_interrupt+0x30/0x80 +[ 337.427659] el1h_64_irq_handler+0x18/0x30 +[ 337.427663] el1h_64_irq+0x7c/0x80 +[ 337.427667] cpuidle_enter_state+0xe4/0x540 +[ 337.427674] cpuidle_enter+0x54/0x80 +[ 337.427679] do_idle+0x2e0/0x380 +[ 337.427685] cpu_startup_entry+0x2c/0x70 +[ 337.427690] rest_init+0x114/0x130 +[ 337.427695] arch_call_rest_init+0x18/0x24 +[ 337.427702] start_kernel+0x380/0x3b4 +[ 337.427706] __primary_switched+0xc0/0xc8 + +Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA") +Signed-off-by: Sheetal +Acked-by: Thierry Reding +Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index f4f722eacee2b..94ac5240ab200 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -344,10 +344,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc) + return; + } + +- kfree(tdc->desc); ++ vchan_terminate_vdesc(&tdc->desc->vd); + 
tdc->desc = NULL; + } + ++static void tegra_adma_synchronize(struct dma_chan *dc) ++{ ++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc); ++ ++ vchan_synchronize(&tdc->vc); ++} ++ + static void tegra_adma_start(struct tegra_adma_chan *tdc) + { + struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc); +@@ -889,6 +896,7 @@ static int tegra_adma_probe(struct platform_device *pdev) + tdma->dma_dev.device_config = tegra_adma_slave_config; + tdma->dma_dev.device_tx_status = tegra_adma_tx_status; + tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all; ++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize; + tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); +-- +2.51.0 + diff --git a/queue-5.15/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-5.15/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch new file mode 100644 index 0000000000..0aafdf45e8 --- /dev/null +++ b/queue-5.15/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch 
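Review bot: `tegra_adma_stop()` used to tolerate `tdc->desc == NULL`, because `kfree(NULL)` is a no-op, but `vchan_terminate_vdesc(&tdc->desc->vd)` operates on the descriptor itself, so a NULL `tdc->desc` would now fault. Whether every caller guarantees a non-NULL descriptor is outside the hunk; unless it does, the call should be guarded with `if (tdc->desc)`. `vchan_terminate_vdesc()` also moves the descriptor onto a channel list, so it is worth confirming that all callers of `tegra_adma_stop()` hold `tdc->vc.lock`. The start of `tegra_adma_stop()` is outside the hunk.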
@@ -0,0 +1,61 @@ +From dfebe2112bcefb0435d14c42ee55e40593d1ad6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 00:00:06 +0530 +Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when + "xlnx,addrwidth" property is missing + +From: Suraj Gupta + +[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ] + +When device tree lacks optional "xlnx,addrwidth" property, the addr_width +variable remained uninitialized with garbage values, causing incorrect +DMA mask configuration and subsequent probe failure. The fix ensures a +fallback to the default 32-bit address width when this property is missing. + +Signed-off-by: Suraj Gupta +Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver") +Reviewed-by: Radhey Shyam Pandey +Reviewed-by: Folker Schwesinger +Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 48ac51447baee..ba5850ca39ddd 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -128,6 +128,7 @@ + #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20 + #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2 + #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1 ++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20 + + #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \ + (XILINX_DMA_DMASR_FRM_CNT_IRQ | \ +@@ -3013,7 +3014,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + struct device_node *node = pdev->dev.of_node; + struct xilinx_dma_device *xdev; + struct device_node *child, *np = pdev->dev.of_node; +- u32 num_frames, addr_width, len_width; ++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width; + int i, err; + + /* Allocate and initialize the DMA engine structure */ +@@ -3082,7 +3083,9 @@ static int 
xilinx_dma_probe(struct platform_device *pdev) + + err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width); + if (err < 0) +- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n"); ++ dev_warn(xdev->dev, ++ "missing xlnx,addrwidth property, using default value %d\n", ++ XILINX_DMA_DFAULT_ADDRWIDTH); + + if (addr_width > 32) + xdev->ext_addr = true; +-- +2.51.0 + diff --git a/queue-5.15/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-5.15/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch new file mode 100644 index 0000000000..6b21de4c09 --- /dev/null +++ b/queue-5.15/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch 
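Review bot: A present but out-of-range "xlnx,addrwidth" value is still accepted in xilinx_dma_probe(): the new default only covers the missing-property case, and the only check visible after of_property_read_u32() is `if (addr_width > 32)`. If the DMA mask setup further down (outside this hunk) does not reject such a value, a bound check that falls back to the default with a warning, for example `if (addr_width > 64) addr_width = XILINX_DMA_DFAULT_ADDRWIDTH;`, would keep a malformed device tree from producing the same bad mask. As a style point, the macro would read better as `XILINX_DMA_DEFAULT_ADDRWIDTH` defined as `32`, which also matches the `%d` in the new message.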
@@ -0,0 +1,105 @@ +From ab34518da73823058db234d780807e3ea7629088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:31:09 +0000 +Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() + +From: Eric Dumazet + +[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ] + +Blamed commit did not take care of VLAN encapsulations +as spotted by syzbot [1]. + +Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). + +[1] + BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 + __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 + ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 + gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 + ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 + ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:318 [inline] + ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 + __netif_receive_skb_one_core net/core/dev.c:6139 [inline] + __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 + netif_receive_skb_internal net/core/dev.c:6338 [inline] + netif_receive_skb+0x57/0x630 net/core/dev.c:6397 + tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 + tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write 
fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4960 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 + kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 + __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 + sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 + tun_alloc_skb drivers/net/tun.c:1461 [inline] + tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 + +Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") +Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com +Closes: 
https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index ccdea44438940..553851e3aca14 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -846,7 +846,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, + + skb_reset_network_header(skb); + +- if (!pskb_inet_may_pull(skb)) { ++ if (skb_vlan_inet_prepare(skb, true)) { + DEV_STATS_INC(tunnel->dev, rx_length_errors); + DEV_STATS_INC(tunnel->dev, rx_errors); + goto drop; +-- +2.51.0 + diff --git a/queue-5.15/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-5.15/ipv4-ip_gre-make-ipgre_header-robust.patch new file mode 100644 index 0000000000..b846725aa8 --- /dev/null +++ b/queue-5.15/ipv4-ip_gre-make-ipgre_header-robust.patch 
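Review bot: The new test `if (skb_vlan_inet_prepare(skb, true))` has lost the negation that the old `!pskb_inet_may_pull(skb)` carried, so it is only correct where the helper returns non-zero on failure. That presumably holds upstream, but this is a 5.15 backport and the helper's definition is not part of the patch: if this tree's skb_vlan_inet_prepare() is a variant that returns true on success, the branch would count an rx error and drop every well-formed packet. Please confirm the return convention and the two-argument signature in the 5.15 tree, and use `if (!skb_vlan_inet_prepare(skb, true))` if it is the boolean form. The rest of __ip6_tnl_rcv() is outside the hunk.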
@@ -0,0 +1,87 @@ +From 5b7bae5cd1d2f0f806828ed45113d10cebeea99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 19:02:14 +0000 +Subject: ipv4: ip_gre: make ipgre_header() robust + +From: Eric Dumazet + +[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ] + +Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") + +Over the years, syzbot found many ways to crash the kernel +in ipgre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ipgre device. + +[1] +skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 + kernel BUG at net/core/skbuff.c:213 ! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Workqueue: mld mld_ifc_work + RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 +Call Trace: + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 
+ kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com +Closes: https://www.spinics.net/lists/netdev/msg1147302.html +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index eeb48b0bb94cd..2f9f5c583dba1 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -857,10 +857,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev, + const void *daddr, const void *saddr, unsigned int len) + { + struct ip_tunnel *t = netdev_priv(dev); +- struct iphdr *iph; + struct gre_base_hdr *greh; ++ struct iphdr *iph; ++ int needed; ++ ++ needed = t->hlen + sizeof(*iph); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; + +- iph = skb_push(skb, t->hlen + sizeof(*iph)); ++ iph = skb_push(skb, needed); + greh = (struct gre_base_hdr *)(iph+1); + greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags); + greh->protocol = htons(type); +-- +2.51.0 + diff --git a/queue-5.15/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-5.15/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch new file mode 100644 index 0000000000..d185661645 --- /dev/null +++ b/queue-5.15/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch 
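Review bot: The failure return `return -needed;` in ipgre_header() is a negated byte count rather than an errno, which is easy to misread. If callers of the header-creation hook only test for a negative result (not visible in this hunk), a short comment such as `/* any negative value tells the caller the header was not built */` would document that; otherwise `-ENOMEM` is the conventional value for a failed pskb_expand_head(). Note also that `skb_headroom(skb) < needed` compares an unsigned value with the signed `needed`, so the check relies on `t->hlen` never being negative. The function body continues past the end of the hunk.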
@@ -0,0 +1,108 @@ +From a8a66261df235ed5f17718fecbac14e7b840a721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:36:51 +0000 +Subject: macvlan: fix possible UAF in macvlan_forward_source() + +From: Eric Dumazet + +[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ] + +Add RCU protection on (struct macvlan_source_entry)->vlan. + +Whenever macvlan_hash_del_source() is called, we must clear +entry->vlan pointer before RCU grace period starts. + +This allows macvlan_forward_source() to skip over +entries queued for freeing. + +Note that macvlan_dev are already RCU protected, as they +are embedded in a standard netdev (netdev_priv(ndev)). + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 6f0b6c924d724..0f863e72714ca 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -56,7 +56,7 @@ struct macvlan_port { + + struct macvlan_source_entry { + struct hlist_node hlist; +- struct macvlan_dev *vlan; ++ struct macvlan_dev __rcu *vlan; + unsigned char addr[6+2] __aligned(sizeof(u16)); + struct rcu_head rcu; + }; +@@ -143,7 +143,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source( + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { + if (ether_addr_equal_64bits(entry->addr, addr) && +- entry->vlan == vlan) ++ rcu_access_pointer(entry->vlan) == vlan) + return entry; + } + return NULL; +@@ -165,7 +165,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan, + return -ENOMEM; + + ether_addr_copy(entry->addr, 
addr); +- entry->vlan = vlan; ++ RCU_INIT_POINTER(entry->vlan, vlan); + h = &port->vlan_source_hash[macvlan_eth_hash(addr)]; + hlist_add_head_rcu(&entry->hlist, h); + vlan->macaddr_count++; +@@ -184,6 +184,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan) + + static void macvlan_hash_del_source(struct macvlan_source_entry *entry) + { ++ RCU_INIT_POINTER(entry->vlan, NULL); + hlist_del_rcu(&entry->hlist); + kfree_rcu(entry, rcu); + } +@@ -382,7 +383,7 @@ static void macvlan_flush_sources(struct macvlan_port *port, + int i; + + hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) +- if (entry->vlan == vlan) ++ if (rcu_access_pointer(entry->vlan) == vlan) + macvlan_hash_del_source(entry); + + vlan->macaddr_count = 0; +@@ -425,9 +426,14 @@ static bool macvlan_forward_source(struct sk_buff *skb, + + hlist_for_each_entry_rcu(entry, h, hlist) { + if (ether_addr_equal_64bits(entry->addr, addr)) { +- if (entry->vlan->flags & MACVLAN_FLAG_NODST) ++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan); ++ ++ if (!vlan) ++ continue; ++ ++ if (vlan->flags & MACVLAN_FLAG_NODST) + consume = true; +- macvlan_forward_source_one(skb, entry->vlan); ++ macvlan_forward_source_one(skb, vlan); + } + } + +@@ -1636,7 +1642,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb, + struct macvlan_source_entry *entry; + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { +- if (entry->vlan != vlan) ++ if (rcu_access_pointer(entry->vlan) != vlan) + continue; + if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr)) + return 1; +-- +2.51.0 + diff --git a/queue-5.15/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch b/queue-5.15/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch new file mode 100644 index 0000000000..d116d9d0a8 --- /dev/null +++ b/queue-5.15/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch 
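Review bot: The lifetime rule that makes this safe is stated only in the commit message, not in the code: `entry->vlan` must be cleared in macvlan_hash_del_source() before the entry is handed to kfree_rcu(), and lockless readers must treat NULL as "entry being freed". A comment on the field, for example `/* NULL once the entry is unlinked; RCU readers must check */` above `struct macvlan_dev __rcu *vlan;`, would keep a later change from reintroducing a direct `entry->vlan->flags` dereference like the one removed from macvlan_forward_source(). The comparisons in macvlan_hash_lookup_source(), macvlan_flush_sources() and macvlan_fill_info_macaddr() use rcu_access_pointer() for pointer equality only, which stays correct as long as none of them starts dereferencing the result.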
@@ -0,0 +1,42 @@
+From 45b4556837929938faf4dec3733d74679771c917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya
+Acked-by: Marco Elver
+Acked-by: David Hildenbrand (Red Hat)
+Acked-by: Harry Yoo
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 3c75209a545e1..a8d9e6ff73629 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -208,6 +208,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
diff --git a/queue-5.15/net-mlx5e-restore-destroying-state-bit-after-profile.patch b/queue-5.15/net-mlx5e-restore-destroying-state-bit-after-profile.patch
new file mode 100644
index 0000000000..726f2c5197
--- /dev/null
+++ b/queue-5.15/net-mlx5e-restore-destroying-state-bit-after-profile.patch
@@ -0,0 +1,69 @@ +From d0414521b15109e68c1e73ae862989d54b6b43f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:57 -0800 +Subject: net/mlx5e: Restore destroying state bit after profile cleanup + +From: Saeed Mahameed + +[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ] + +Profile rollback can fail in mlx5e_netdev_change_profile() and we will +end up with invalid mlx5e_priv memset to 0, we must maintain the +'destroying' bit in order to gracefully shutdown even if the +profile/priv are not valid. + +This patch maintains the previous state of the 'destroying' state of +mlx5e_priv after priv cleanup, to allow the remove flow to cleanup +common resources from mlx5_core to avoid FW fatal errors as seen below: + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev + Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ... + +$ devlink dev reload pci/0000:00:03.0 + +mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) +mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected +mlx5_core 0000:00:03.0: firmware version: 28.41.1000 +mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link) +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here +mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver +mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start +mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms. 
+ +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 321441e6ad328..ba36e500c1ff1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4856,6 +4856,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv, + + void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + { ++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state); + int i; + + /* bail if change profile failed and also rollback failed */ +@@ -4870,6 +4871,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + kvfree(priv->htb.qos_sq_stats); + + memset(priv, 0, sizeof(*priv)); ++ if (destroying) /* restore destroying bit, to allow unload */ ++ set_bit(MLX5E_STATE_DESTROYING, &priv->state); + } + + struct net_device * +-- +2.51.0 + diff --git a/queue-5.15/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-5.15/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch new file mode 100644 index 0000000000..bdb28bc096 --- /dev/null +++ b/queue-5.15/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch 
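Review bot: Between `memset(priv, 0, sizeof(*priv));` and the following `set_bit(MLX5E_STATE_DESTROYING, &priv->state);` the destroying bit is briefly clear, so the fix assumes nothing else reads `priv->state` while mlx5e_priv_cleanup() runs. Whether the callers guarantee that is not visible in this patch; if they do, a comment saying so, for example `/* no concurrent users of priv->state at this point */`, would make the assumption explicit. The early-return branch under "bail if change profile failed and also rollback failed" lies between the two inner hunks and is not shown, so it is worth checking that it leaves the bit untouched as well.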
@@ -0,0 +1,46 @@
+From 7b9c99f72cdac6a3aadaa1b72b9aabecf30076c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index aa049dd33a74e..d201bcb5edc42 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
diff --git a/queue-5.15/net-update-netdev_lock_-type-name.patch b/queue-5.15/net-update-netdev_lock_-type-name.patch
new file mode 100644
index 0000000000..c61c6ff779
--- /dev/null
+++ b/queue-5.15/net-update-netdev_lock_-type-name.patch
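Review bot: The `destroy_class:` label now behaves differently depending on `existing`, and nothing at the label says which resources belong to this call. A comment such as `/* only undo what this call allocated; an existing class is still in use */` above `if (!existing) {` would document the ownership rule the fix relies on. `existing` is declared outside the hunk, so for this 5.15 backport confirm that the variable is present in the tree and is set before every `goto destroy_class` that can be reached with a pre-existing class.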
@@ -0,0 +1,91 @@ +From 2adca4a92f15dff068468efc208f285ed4ffe992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 09:32:44 +0000 +Subject: net: update netdev_lock_{type,name} + +From: Eric Dumazet + +[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ] + +Add missing entries in netdev_lock_type[] and netdev_lock_name[] : + +CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON, +IEEE802154_MONITOR. + +Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting +next time a protocol is added without updating these arrays. + +Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 2f7bd1fe58515..977146a70b8c1 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -426,15 +426,21 @@ static const unsigned short netdev_lock_type[] = { + ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP, + ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD, + ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25, ++ ARPHRD_CAN, ARPHRD_MCTP, + ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP, +- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, ++ ARPHRD_RAWHDLC, ARPHRD_RAWIP, ++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, + ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI, + ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE, + ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET, + ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, + ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM, +- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE, +- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE}; ++ ARPHRD_IEEE80211_RADIOTAP, ++ ARPHRD_IEEE802154, 
ARPHRD_IEEE802154_MONITOR, ++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE, ++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN, ++ ARPHRD_VSOCKMON, ++ ARPHRD_VOID, ARPHRD_NONE}; + + static const char *const netdev_lock_name[] = { + "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25", +@@ -443,15 +449,21 @@ static const char *const netdev_lock_name[] = { + "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP", + "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD", + "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25", ++ "_xmit_CAN", "_xmit_MCTP", + "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP", +- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", ++ "_xmit_RAWHDLC", "_xmit_RAWIP", ++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", + "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI", + "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE", + "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET", + "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL", + "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM", +- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE", +- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"}; ++ "_xmit_IEEE80211_RADIOTAP", ++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR", ++ "_xmit_PHONET", "_xmit_PHONET_PIPE", ++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN", ++ "_xmit_VSOCKMON", ++ "_xmit_VOID", "_xmit_NONE"}; + + static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)]; + static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)]; +@@ -464,6 +476,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type) + if (netdev_lock_type[i] == dev_type) + return i; + /* the last key is used by default */ ++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type); + return ARRAY_SIZE(netdev_lock_type) - 1; + } + +-- +2.51.0 + 
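Review bot: The two tables are kept in step by hand, and the patch adds nine entries to each without a compile-time check that they stay the same length; `static_assert(ARRAY_SIZE(netdev_lock_type) == ARRAY_SIZE(netdev_lock_name));` after the second array would catch a future mismatch, which would presumably index past `netdev_lock_name[]` where the position is used. The new `WARN_ONCE(1, ...)` in netdev_lock_pos() fires for any device type missing from the table, so on systems that set panic_on_warn an unlisted type becomes a crash rather than a log line. If a device type can be chosen by a less-privileged user (not determinable from this hunk), `pr_warn_once()` would be the safer way to report it.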
diff --git a/queue-5.15/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-5.15/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
new file mode 100644
index 0000000000..b1be9e94f6
--- /dev/null
+++ b/queue-5.15/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
@@ -0,0 +1,69 @@ +From da97e6437b592d682925a696988a9efe3206dd19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 13:57:48 -0500 +Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shivam Kumar + +[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ] + +Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +added ttag bounds checking and data_offset +validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate +whether the command's data structures (cmd->req.sg and cmd->iov) have +been properly initialized before processing H2C_DATA PDUs. + +The nvmet_tcp_build_pdu_iovec() function dereferences these pointers +without NULL checks. This can be triggered by sending H2C_DATA PDU +immediately after the ICREQ/ICRESP handshake, before +sending a CONNECT command or NVMe write command. + +Attack vectors that trigger NULL pointer dereferences: +1. H2C_DATA PDU sent before CONNECT → both pointers NULL +2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL +3. H2C_DATA PDU for uninitialized command slot → both pointers NULL + +The fix validates both cmd->req.sg and cmd->iov before calling +nvmet_tcp_build_pdu_iovec(). 
Both checks are required because: +- Uninitialized commands: both NULL +- READ commands: cmd->req.sg allocated, cmd->iov NULL +- WRITE commands: both allocated + +Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +Reviewed-by: Sagi Grimberg +Signed-off-by: Shivam Kumar +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 9610f0981b9ec..051798ef7431c 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -971,6 +971,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); + goto err_proto; + } ++ /* ++ * Ensure command data structures are initialized. We must check both ++ * cmd->req.sg and cmd->iov because they can have different NULL states: ++ * - Uninitialized commands: both NULL ++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL ++ * - WRITE commands: both allocated ++ */ ++ if (unlikely(!cmd->req.sg || !cmd->iov)) { ++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n", ++ queue->idx, data->ttag); ++ goto err_proto; ++ } + cmd->pdu_recv = 0; + nvmet_tcp_map_pdu_iovec(cmd); + queue->cmd = cmd; +-- +2.51.0 + diff --git a/queue-5.15/nvmet-tcp-remove-boilerplate-code.patch b/queue-5.15/nvmet-tcp-remove-boilerplate-code.patch new file mode 100644 index 0000000000..9fe7e07814 --- /dev/null +++ b/queue-5.15/nvmet-tcp-remove-boilerplate-code.patch 
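Review bot: The new guard uses NULL-ness of `cmd->req.sg` and `cmd->iov` as a proxy for command state, which only holds if both pointers are reset to NULL whenever a command slot is released; that reset is not visible in this hunk, and a stale non-NULL pointer left by a completed command would pass the check. It is worth confirming that the release path clears them, or testing an explicit state field if the command has one. The guard also runs after the data-offset and length checks earlier in nvmet_tcp_handle_h2c_data_pdu() (outside this hunk), which already read fields of the same, possibly uninitialized, command. Since the message is triggered by data from the remote host, `pr_err_ratelimited()` would bound the log volume.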
@@ -0,0 +1,72 @@ +From ecc7396e22403037b6a737ea1d80a7a7be141bad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 16:17:50 +0100 +Subject: nvmet-tcp: remove boilerplate code + +From: Maurizio Lombardi + +[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ] + +Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing +boilerplate code. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 18127bbc64230..9610f0981b9ec 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -945,8 +945,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + if (unlikely(data->ttag >= queue->nr_cmds)) { + pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", + queue->idx, data->ttag, queue->nr_cmds); +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd = &queue->cmds[data->ttag]; + } else { +@@ -957,9 +956,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("ttag %u unexpected data offset %u (expected %u)\n", + data->ttag, le32_to_cpu(data->data_offset), + cmd->rbytes_done); +- /* FIXME: use path and transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + + exp_data_len = le32_to_cpu(data->hdr.plen) - +@@ -972,9 +969,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + cmd->pdu_len == 0 || + cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) { + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); +- /* FIXME: use proper transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd->pdu_recv = 0; + 
nvmet_tcp_map_pdu_iovec(cmd); +@@ -982,6 +977,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + queue->rcv_state = NVMET_TCP_RECV_DATA; + + return 0; ++ ++err_proto: ++ /* FIXME: use proper transport errors */ ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-5.15/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-5.15/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch new file mode 100644 index 0000000000..b1fa828095 --- /dev/null +++ b/queue-5.15/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch 
@@ -0,0 +1,47 @@
+From 6f815ee9591054270de3c0db55ab9240f49d113b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index a6c5985051b14..c19953ecfee66 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
diff --git a/queue-5.15/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-5.15/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
new file mode 100644
index 0000000000..55191cd8a4
--- /dev/null
+++ b/queue-5.15/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
@@ -0,0 +1,41 @@
+From b660a7f77597afb1e329c927d91515fdfdf88c48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Amelie Delaunay
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 27f7e2292cf0b..1e3f73cee9efd 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -530,7 +530,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
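Review bot: When the new `index >= usbphyc->nphys` test is the one that fails, `ret` is 0, so the `dev_err()` on the next line prints "invalid reg property: 0" and never shows the out-of-range value. Log the index in that case, for example `if (!ret) dev_err(&phy->dev, "reg %u out of range\n", index);`, and keep the existing message for a failed `of_property_read_u32()`. The probe function starts and ends outside the hunk.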
diff --git a/queue-5.15/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-5.15/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
new file mode 100644
index 0000000000..78c901df8d
--- /dev/null
+++ b/queue-5.15/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
@@ -0,0 +1,40 @@
+From e08aa6dd846643ef751a311c872c7c969a6e0da8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 11777d33a85e8..35cac4d3f2e8a 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
diff --git a/queue-5.15/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch b/queue-5.15/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
new file mode 100644
index 0000000000..4becb479d4
--- /dev/null
+++ b/queue-5.15/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
@@ -0,0 +1,44 @@
+From 61ae8e9de7d512b595f7641d173f73e9bf25143c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren
+Signed-off-by: Gal Pressman
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 8ce96028341d5..09771d61ea344 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -471,8 +471,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 0000000000..791c5a5089
--- /dev/null
+++ b/queue-5.15/series
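Review bot: The corrected mask test in parse_rps_bitmap() still runs on whatever `strtoul(arg, NULL, 0)` returns, and with a NULL end pointer a non-numeric or partly numeric argument is accepted as 0 or as its numeric prefix and passes the bounds check. Parse with an end pointer and reject leftovers: `bitmap = strtoul(arg, &end, 0);` followed by `if (end == arg || *end) error(1, 0, "invalid rps bitmap %s", arg);`. The new `1UL << RPS_MAX_CPUS` is also only defined while RPS_MAX_CPUS stays below the width of unsigned long (the commit message implies 16), which a short comment next to the mask could record. The function continues past the end of the hunk.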
@@ -0,0 +1,21 @@
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
diff --git a/queue-5.15/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-5.15/textsearch-describe-list-member-in-ts_ops-search.patch
new file mode 100644
index 0000000000..78e2da0841
--- /dev/null
+++ b/queue-5.15/textsearch-describe-list-member-in-ts_ops-search.patch
@@ -0,0 +1,41 @@
+From 9520b77166c15ec40f59843609bb87d9a454dbea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya
+Cc: Thomas Graf
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
diff --git a/queue-5.15/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-5.15/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
new file mode 100644
index 0000000000..76169a5c4a
--- /dev/null
+++ b/queue-5.15/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
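Review bot: The added kernel-doc line `@list: list to search` silences the warning but probably describes the member wrongly. The neighbouring entries document an algorithm's callbacks and its owning module, so `list` in struct ts_ops looks like the linkage of the ops structure into a list of registered algorithms rather than data to be searched. The struct body is outside the hunk, so this should be checked against the declaration; if it is a list node, something like `@list: list node linking registered search algorithms` would be accurate.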
@@ -0,0 +1,52 @@
+From 8c4d7134163165cbbff6d8c9c89226d009816da7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi
+Signed-off-by: Stefano Garzarella
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 2acbb7703c6a0..259d33ae6293b 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-tlv320adcx140-fix-null-pointer.patch b/queue-6.1/asoc-tlv320adcx140-fix-null-pointer.patch
new file mode 100644
index 0000000000..b50fefbd58
--- /dev/null
+++ b/queue-6.1/asoc-tlv320adcx140-fix-null-pointer.patch
@@ -0,0 +1,55 @@
+From 4ef201b297a3570064b76561198c63148c3e3847 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jan 2026 11:58:45 +0100
+Subject: ASoC: tlv320adcx140: fix null pointer
+
+From: Emil Svendsen
+
+[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
+
+The "snd_soc_component" in "adcx140_priv" was only used once but never
+set. It was only used for reaching "dev" which is already present in
+"adcx140_priv".
+
+Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
+Signed-off-by: Emil Svendsen
+Signed-off-by: Sascha Hauer
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 530f321d08e9c..4405934120e51 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -24,7 +24,6 @@
+ #include "tlv320adcx140.h"
+
+ struct adcx140_priv {
+- struct snd_soc_component *component;
+ struct regulator *supply_areg;
+ struct gpio_desc *gpio_reset;
+ struct regmap *regmap;
+@@ -702,7 +701,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ {
+ int pwr_ctrl = 0;
+ int ret = 0;
+- struct snd_soc_component *component = adcx140->component;
+
+ if (power_state)
+ pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
+@@ -714,7 +712,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
+ ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
+ adcx140->phase_calib_on ? 0x00 : 0x40);
+ if (ret)
+- dev_err(component->dev, "%s: register write error %d\n",
++ dev_err(adcx140->dev, "%s: register write error %d\n",
+ __func__, ret);
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/asoc-tlv320adcx140-fix-word-length.patch b/queue-6.1/asoc-tlv320adcx140-fix-word-length.patch
new file mode 100644
index 0000000000..4e4997b18e
--- /dev/null
+++ b/queue-6.1/asoc-tlv320adcx140-fix-word-length.patch
@@ -0,0 +1,50 @@
+From 35ca40e3aeef39be98c16f8fc6b0f966cc2ee622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jan 2026 11:58:47 +0100
+Subject: ASoC: tlv320adcx140: fix word length
+
+From: Emil Svendsen
+
+[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
+
+The word length is the physical width of the channel slots. So the
+hw_params would misconfigure when format width and physical width
+doesn't match. Like S24_LE which has data width of 24 bits but physical
+width of 32 bits. So if using asymmetric formats you will get a lot of
+noise.
+
+Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
+Signed-off-by: Emil Svendsen
+Signed-off-by: Sascha Hauer
+Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/tlv320adcx140.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
+index 4405934120e51..67eef894d0c2d 100644
+--- a/sound/soc/codecs/tlv320adcx140.c
++++ b/sound/soc/codecs/tlv320adcx140.c
+@@ -728,7 +728,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
+ u8 data = 0;
+
+- switch (params_width(params)) {
++ switch (params_physical_width(params)) {
+ case 16:
+ data = ADCX140_16_BIT_WORD;
+ break;
+@@ -743,7 +743,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
+ break;
+ default:
+ dev_err(component->dev, "%s: Unsupported width %d\n",
+- __func__, params_width(params));
++ __func__, params_physical_width(params));
+ return -EINVAL;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-factor-out-check_removing_space_info-from-btrf.patch b/queue-6.1/btrfs-factor-out-check_removing_space_info-from-btrf.patch
new file mode 100644
index 0000000000..b1fc26af0d
--- /dev/null
+++ b/queue-6.1/btrfs-factor-out-check_removing_space_info-from-btrf.patch 
@@ -0,0 +1,93 @@
+From 1ee7b494ed4876593056b4acb7cc31d9e774eb60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Apr 2025 11:43:45 +0900
+Subject: btrfs: factor out check_removing_space_info() from
+ btrfs_free_block_groups()
+
+From: Naohiro Aota
+
+[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ]
+
+Factor out check_removing_space_info() from btrfs_free_block_groups(). It
+sanity checks a to-be-removed space_info. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Naohiro Aota
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/block-group.c | 49 +++++++++++++++++++++++-------------------
+ 1 file changed, 27 insertions(+), 22 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 3295fb978a35b..797df5ddbcd12 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4145,6 +4145,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info)
+ }
+ }
+
++static void check_removing_space_info(struct btrfs_space_info *space_info)
++{
++ struct btrfs_fs_info *info = space_info->fs_info;
++
++ /*
++ * Do not hide this behind enospc_debug, this is actually important and
++ * indicates a real bug if this happens.
++ */
++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++
++ /*
++ * If there was a failure to cleanup a log tree, very likely due to an
++ * IO failure on a writeback attempt of one or more of its extent
++ * buffers, we could not do proper (and cheap) unaccounting of their
++ * reserved space, so don't warn on bytes_reserved > 0 in that case.
++ */
++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
++ if (WARN_ON(space_info->bytes_reserved > 0))
++ btrfs_dump_space_info(info, space_info, 0, 0);
++ }
++
++ WARN_ON(space_info->reclaim_size > 0);
++}
++
+ /*
+ * Must be called only after stopping all workers, since we could have block
+ * group caching kthreads running, and therefore they could race with us if we
+@@ -4235,28 +4261,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info)
+ struct btrfs_space_info,
+ list);
+
+- /*
+- * Do not hide this behind enospc_debug, this is actually
+- * important and indicates a real bug if this happens.
+- */
+- if (WARN_ON(space_info->bytes_pinned > 0 ||
+- space_info->bytes_may_use > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+-
+- /*
+- * If there was a failure to cleanup a log tree, very likely due
+- * to an IO failure on a writeback attempt of one or more of its
+- * extent buffers, we could not do proper (and cheap) unaccounting
+- * of their reserved space, so don't warn on bytes_reserved > 0 in
+- * that case.
+- */
+- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) ||
+- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) {
+- if (WARN_ON(space_info->bytes_reserved > 0))
+- btrfs_dump_space_info(info, space_info, 0, 0);
+- }
+-
+- WARN_ON(space_info->reclaim_size > 0);
++ check_removing_space_info(space_info);
+ list_del(&space_info->list);
+ btrfs_sysfs_remove_space_info(space_info);
+ }
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-factor-out-init_space_info-from-create_space_i.patch b/queue-6.1/btrfs-factor-out-init_space_info-from-create_space_i.patch
new file mode 100644
index 0000000000..4543884614
--- /dev/null
+++ b/queue-6.1/btrfs-factor-out-init_space_info-from-create_space_i.patch
@@ -0,0 +1,72 @@
+From aa5d737516b0ca5383ebd4e3e8060c463e4f360f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Apr 2025 11:43:43 +0900
+Subject: btrfs: factor out init_space_info() from create_space_info()
+
+From: Naohiro Aota
+
+[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ]
+
+Factor out initialization of the space_info struct, which is used in a
+later patch. There is no functional change.
+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Naohiro Aota
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 069df2ebd1ca5..88cd37a13c0ee 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -219,19 +219,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info,
+ WRITE_ONCE(space_info->chunk_size, chunk_size);
+ }
+
+-static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++static void init_space_info(struct btrfs_fs_info *info,
++ struct btrfs_space_info *space_info, u64 flags)
+ {
+-
+- struct btrfs_space_info *space_info;
+- int i;
+- int ret;
+-
+- space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+- if (!space_info)
+- return -ENOMEM;
+-
+ space_info->fs_info = info;
+- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+ spin_lock_init(&space_info->lock);
+@@ -245,6 +237,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
++}
++
++static int create_space_info(struct btrfs_fs_info *info, u64 flags)
++{
++
++ struct btrfs_space_info *space_info;
++ int ret;
++
++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
++ if (!space_info)
++ return -ENOMEM;
++
++ init_space_info(info, space_info, flags);
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch b/queue-6.1/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
new file mode 100644
index 0000000000..a95d592e9c
--- /dev/null
+++ b/queue-6.1/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
@@ -0,0 +1,61 @@
+From 949e71557d66b3eda50b68996876d5f5b845b9e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 15c578f49caab..230e086ddee8e 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -285,18 +285,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-introduce-btrfs_space_info-sub-group.patch b/queue-6.1/btrfs-introduce-btrfs_space_info-sub-group.patch
new file mode 100644
index 0000000000..77461799de
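Review bot: The second `goto out_free` is reached after `btrfs_sysfs_add_space_info_type()` has failed, and that helper, as shown in the sysfs.c part of the sub-group patch on this page, already calls `kobject_put(&space_info->kobj)` on its own error path. If the release callback of `space_info_ktype` frees the containing structure (its definition is not visible here), the added `kfree(space_info)` frees the object a second time; in that case only the first site should jump to the label and the second should stay `return ret;`. `create_space_info_sub_group()` in the sub-group patch has the same `kfree()`-after-failed-sysfs-add shape. Separately, on the second path a sub-group created a few lines earlier is still reachable only through `space_info->sub_group[0]` and its `parent` pointer is left pointing at freed memory, so the label should release the sub-group as well.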
--- /dev/null
+++ b/queue-6.1/btrfs-introduce-btrfs_space_info-sub-group.patch
@@ -0,0 +1,214 @@
+From cce046a5184993ae379e14748f33f0fe04aaad58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Apr 2025 11:43:48 +0900
+Subject: btrfs: introduce btrfs_space_info sub-group
+
+From: Naohiro Aota
+
+[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ]
+
+Current code assumes we have only one space_info for each block group type
+(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to
+manage special block groups.
+
+One example is handling the data relocation block group for the zoned mode.
+That block group is dedicated for writing relocated data and we cannot
+allocate any regular extent from that block group, which is implemented in
+the zoned extent allocator. This block group still belongs to the normal
+data space_info. So, when all the normal data block groups are full and
+there is some free space in the dedicated block group, the space_info
+looks to have some free space, while it cannot allocate normal extent
+anymore. That results in a strange ENOSPC error. We need to have a
+space_info for the relocation data block group to represent the situation
+properly.
+
+Adds a basic infrastructure for having a "sub-group" of a space_info:
+creation and removing. A sub-group space_info belongs to one of the
+primary space_infos and has the same flags as its parent.
+
+This commit first introduces the relocation data sub-space_info, and the
+next commit will introduce tree-log sub-space_info. In the future, it could
+be useful to implement tiered storage for btrfs e.g. by implementing a
+sub-group space_info for block groups resides on a fast storage.
+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Naohiro Aota
+Signed-off-by: David Sterba
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/block-group.c | 11 +++++++++++
+ fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++---
+ fs/btrfs/space-info.h | 9 +++++++++
+ fs/btrfs/sysfs.c | 18 ++++++++++++++---
+ 4 files changed, 76 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 797df5ddbcd12..2338d42b8f4e6 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4149,6 +4149,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
+ {
+ struct btrfs_fs_info *info = space_info->fs_info;
+
++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) {
++ /* This is a top space_info, proceed with its children first. */
++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
++ if (space_info->sub_group[i]) {
++ check_removing_space_info(space_info->sub_group[i]);
++ kfree(space_info->sub_group[i]);
++ space_info->sub_group[i] = NULL;
++ }
++ }
++ }
++
+ /*
+ * Do not hide this behind enospc_debug, this is actually important and
+ * indicates a real bug if this happens.
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 88cd37a13c0ee..15c578f49caab 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -234,16 +234,44 @@ static void init_space_info(struct btrfs_fs_info *info,
+ INIT_LIST_HEAD(&space_info->priority_tickets);
+ space_info->clamp = 1;
+ btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags));
++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY;
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
+ }
+
++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags,
++ enum btrfs_space_info_sub_group id, int index)
++{
++ struct btrfs_fs_info *fs_info = parent->fs_info;
++ struct btrfs_space_info *sub_group;
++ int ret;
++
++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY);
++
++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS);
++ if (!sub_group)
++ return -ENOMEM;
++
++ init_space_info(fs_info, sub_group, flags);
++ parent->sub_group[index] = sub_group;
++ sub_group->parent = parent;
++ sub_group->subgroup_id = id;
++
++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ if (ret) {
++ kfree(sub_group);
++ parent->sub_group[index] = NULL;
++ }
++ return ret;
++}
++
+ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ {
+
+ struct btrfs_space_info *space_info;
+- int ret;
++ int ret = 0;
+
+ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+ if (!space_info)
+@@ -251,6 +279,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ init_space_info(info, space_info, flags);
+
++ if (btrfs_is_zoned(info)) {
++ if (flags & BTRFS_BLOCK_GROUP_DATA)
++ ret = create_space_info_sub_group(space_info, flags,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++ 0);
++ if (ret)
++ return ret;
++ }
++
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+ return ret;
+@@ -511,8 +548,9 @@ static void __btrfs_dump_space_info(struct btrfs_fs_info *fs_info,
+ lockdep_assert_held(&info->lock);
+
+ /* The free space could be negative in case of overcommit */
+- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull",
+- flag_str,
++ btrfs_info(fs_info,
++ "space_info %s (sub-group id %d) has %lld free, is %sfull",
++ flag_str, info->subgroup_id,
+ (s64)(info->total_bytes - btrfs_space_info_used(info, true)),
+ info->full ? "" : "not ");
+ btrfs_info(fs_info,
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index d6b34f2738b53..dc69138f3de17 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -64,8 +64,17 @@ enum btrfs_flush_state {
+ COMMIT_TRANS = 11,
+ };
+
++enum btrfs_space_info_sub_group {
++ BTRFS_SUB_GROUP_PRIMARY,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++};
++
++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1
+ struct btrfs_space_info {
+ struct btrfs_fs_info *fs_info;
++ struct btrfs_space_info *parent;
++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX];
++ int subgroup_id;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index 44a94ac21e2fa..693ae78705684 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1585,16 +1585,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info)
+ kobject_put(&space_info->kobj);
+ }
+
+-static const char *alloc_name(u64 flags)
++static const char *alloc_name(struct btrfs_space_info *space_info)
+ {
++ u64 flags = space_info->flags;
++
+ switch (flags) {
+ case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA:
+ return "mixed";
+ case BTRFS_BLOCK_GROUP_METADATA:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "metadata";
+ case BTRFS_BLOCK_GROUP_DATA:
+- return "data";
++ switch (space_info->subgroup_id) {
++ case BTRFS_SUB_GROUP_PRIMARY:
++ return "data";
++ case BTRFS_SUB_GROUP_DATA_RELOC:
++ return "data-reloc";
++ default:
++ WARN_ON_ONCE(1);
++ return "data (unknown sub-group)";
++ }
+ case BTRFS_BLOCK_GROUP_SYSTEM:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "system";
+ default:
+ WARN_ON(1);
+@@ -1613,7 +1625,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+ fs_info->space_info_kobj, "%s",
+- alloc_name(space_info->flags));
++ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+ return ret;
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-move-flush-related-definitions-to-space-info.h.patch b/queue-6.1/btrfs-move-flush-related-definitions-to-space-info.h.patch
new file mode 100644
index 0000000000..41d8c393e5
--- /dev/null
+++ b/queue-6.1/btrfs-move-flush-related-definitions-to-space-info.h.patch
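Review bot: In check_removing_space_info() a sub-group is released with a bare `kfree(space_info->sub_group[i])`, although create_space_info_sub_group() registered its embedded kobject through btrfs_sysfs_add_space_info_type(); nothing visible here removes that kobject first, so sysfs may keep a reference into freed memory. The primary space_info is torn down with `btrfs_sysfs_remove_space_info()`, which ends in `kobject_put()`; using `btrfs_sysfs_remove_space_info(space_info->sub_group[i]);` for sub-groups too would be consistent, assuming the ktype release callback frees the object. `create_space_info_sub_group()` also stores into `parent->sub_group[index]` without checking `index` against BTRFS_SPACE_INFO_SUB_GROUP_MAX; an `ASSERT(index < BTRFS_SPACE_INFO_SUB_GROUP_MAX);` next to the existing asserts would document the bound.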
@@ -0,0 +1,218 @@ +From a99f4affd7f06d93b2e02994488456e18649cb8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:06:35 -0400 +Subject: btrfs: move flush related definitions to space-info.h + +From: Josef Bacik + +[ Upstream commit f1e5c6185ca166cde0c7c2eeeab5d233ef315140 ] + +This code is used in space-info.c, move the definitions to space-info.h. + +Reviewed-by: Qu Wenruo +Reviewed-by: Johannes Thumshirn +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 59 ---------------------------------------- + fs/btrfs/delayed-inode.c | 1 + + fs/btrfs/inode-item.c | 1 + + fs/btrfs/props.c | 1 + + fs/btrfs/relocation.c | 1 + + fs/btrfs/space-info.h | 59 ++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 63 insertions(+), 59 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index da8986e0c4222..bd84a8b774a68 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -2925,65 +2925,6 @@ int btrfs_inc_extent_ref(struct btrfs_trans_handle *trans, + + void btrfs_clear_space_info_full(struct btrfs_fs_info *info); + +-/* +- * Different levels for to flush space when doing space reservations. +- * +- * The higher the level, the more methods we try to reclaim space. 
+- */ +-enum btrfs_reserve_flush_enum { +- /* If we are in the transaction, we can't flush anything.*/ +- BTRFS_RESERVE_NO_FLUSH, +- +- /* +- * Flush space by: +- * - Running delayed inode items +- * - Allocating a new chunk +- */ +- BTRFS_RESERVE_FLUSH_LIMIT, +- +- /* +- * Flush space by: +- * - Running delayed inode items +- * - Running delayed refs +- * - Running delalloc and waiting for ordered extents +- * - Allocating a new chunk +- */ +- BTRFS_RESERVE_FLUSH_EVICT, +- +- /* +- * Flush space by above mentioned methods and by: +- * - Running delayed iputs +- * - Committing transaction +- * +- * Can be interrupted by a fatal signal. +- */ +- BTRFS_RESERVE_FLUSH_DATA, +- BTRFS_RESERVE_FLUSH_FREE_SPACE_INODE, +- BTRFS_RESERVE_FLUSH_ALL, +- +- /* +- * Pretty much the same as FLUSH_ALL, but can also steal space from +- * global rsv. +- * +- * Can be interrupted by a fatal signal. +- */ +- BTRFS_RESERVE_FLUSH_ALL_STEAL, +-}; +- +-enum btrfs_flush_state { +- FLUSH_DELAYED_ITEMS_NR = 1, +- FLUSH_DELAYED_ITEMS = 2, +- FLUSH_DELAYED_REFS_NR = 3, +- FLUSH_DELAYED_REFS = 4, +- FLUSH_DELALLOC = 5, +- FLUSH_DELALLOC_WAIT = 6, +- FLUSH_DELALLOC_FULL = 7, +- ALLOC_CHUNK = 8, +- ALLOC_CHUNK_FORCE = 9, +- RUN_DELAYED_IPUTS = 10, +- COMMIT_TRANS = 11, +-}; +- + int btrfs_subvolume_reserve_metadata(struct btrfs_root *root, + struct btrfs_block_rsv *rsv, + int nitems, bool use_global_rsv); +diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c +index 052112d0daa74..214168868ac08 100644 +--- a/fs/btrfs/delayed-inode.c ++++ b/fs/btrfs/delayed-inode.c +@@ -14,6 +14,7 @@ + #include "qgroup.h" + #include "locking.h" + #include "inode-item.h" ++#include "space-info.h" + + #define BTRFS_DELAYED_WRITEBACK 512 + #define BTRFS_DELAYED_BACKGROUND 128 +diff --git a/fs/btrfs/inode-item.c b/fs/btrfs/inode-item.c +index 5add022d3534f..ce5c51ffdc0d0 100644 +--- a/fs/btrfs/inode-item.c ++++ b/fs/btrfs/inode-item.c +@@ -8,6 +8,7 @@ + #include "disk-io.h" + #include "transaction.h" + 
#include "print-tree.h" ++#include "space-info.h" + + struct btrfs_inode_ref *btrfs_find_name_in_backref(struct extent_buffer *leaf, + int slot, +diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c +index 055a631276ce1..07f62e3ba6a51 100644 +--- a/fs/btrfs/props.c ++++ b/fs/btrfs/props.c +@@ -10,6 +10,7 @@ + #include "ctree.h" + #include "xattr.h" + #include "compression.h" ++#include "space-info.h" + + #define BTRFS_PROP_HANDLERS_HT_BITS 8 + static DEFINE_HASHTABLE(prop_handlers_ht, BTRFS_PROP_HANDLERS_HT_BITS); +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 3fdf5519336f9..795df859cdbfc 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -27,6 +27,7 @@ + #include "subpage.h" + #include "zoned.h" + #include "inode-item.h" ++#include "space-info.h" + + /* + * Relocation overview +diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h +index 99ce3225dd59d..fea2f93674e7c 100644 +--- a/fs/btrfs/space-info.h ++++ b/fs/btrfs/space-info.h +@@ -5,6 +5,65 @@ + + #include "volumes.h" + ++/* ++ * Different levels for to flush space when doing space reservations. ++ * ++ * The higher the level, the more methods we try to reclaim space. ++ */ ++enum btrfs_reserve_flush_enum { ++ /* If we are in the transaction, we can't flush anything.*/ ++ BTRFS_RESERVE_NO_FLUSH, ++ ++ /* ++ * Flush space by: ++ * - Running delayed inode items ++ * - Allocating a new chunk ++ */ ++ BTRFS_RESERVE_FLUSH_LIMIT, ++ ++ /* ++ * Flush space by: ++ * - Running delayed inode items ++ * - Running delayed refs ++ * - Running delalloc and waiting for ordered extents ++ * - Allocating a new chunk ++ */ ++ BTRFS_RESERVE_FLUSH_EVICT, ++ ++ /* ++ * Flush space by above mentioned methods and by: ++ * - Running delayed iputs ++ * - Committing transaction ++ * ++ * Can be interrupted by a fatal signal. 
++ */ ++ BTRFS_RESERVE_FLUSH_DATA, ++ BTRFS_RESERVE_FLUSH_FREE_SPACE_INODE, ++ BTRFS_RESERVE_FLUSH_ALL, ++ ++ /* ++ * Pretty much the same as FLUSH_ALL, but can also steal space from ++ * global rsv. ++ * ++ * Can be interrupted by a fatal signal. ++ */ ++ BTRFS_RESERVE_FLUSH_ALL_STEAL, ++}; ++ ++enum btrfs_flush_state { ++ FLUSH_DELAYED_ITEMS_NR = 1, ++ FLUSH_DELAYED_ITEMS = 2, ++ FLUSH_DELAYED_REFS_NR = 3, ++ FLUSH_DELAYED_REFS = 4, ++ FLUSH_DELALLOC = 5, ++ FLUSH_DELALLOC_WAIT = 6, ++ FLUSH_DELALLOC_FULL = 7, ++ ALLOC_CHUNK = 8, ++ ALLOC_CHUNK_FORCE = 9, ++ RUN_DELAYED_IPUTS = 10, ++ COMMIT_TRANS = 11, ++}; ++ + struct btrfs_space_info { + spinlock_t lock; + +-- +2.51.0 + diff --git a/queue-6.1/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-6.1/btrfs-send-check-for-inline-extents-in-range_is_hole.patch new file mode 100644 index 0000000000..4529f5fb82 --- /dev/null +++ b/queue-6.1/btrfs-send-check-for-inline-extents-in-range_is_hole.patch 
@@ -0,0 +1,44 @@
+From 490ad73c778c85ee344947164934a2bb2913f757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index f5a9f6689c460..486d4fcc597b2 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6289,6 +6289,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
diff --git a/queue-6.1/btrfs-store-fs_info-in-space_info.patch b/queue-6.1/btrfs-store-fs_info-in-space_info.patch
new file mode 100644
index 0000000000..c284155304
--- /dev/null
+++ b/queue-6.1/btrfs-store-fs_info-in-space_info.patch
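Review bot: The new `return 0;` for an inline extent leaves range_is_hole_in_parent() directly, while the neighbouring branches in the hunk use `goto next;`, so any cleanup the function performs on its normal exit is bypassed. The function starts and ends outside the hunk, so whether this tree's version still frees `path` by hand at an exit label cannot be seen here; the upstream version may rely on automatic path freeing that older stable trees lack. If the manual free is present in 6.1, the branch should set `ret = 0;` and jump to that exit label instead of returning, otherwise every inline extent reached during send would leak a path.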
@@ -0,0 +1,53 @@
+From 28f74803c4677d31e42bc2bca3065d1dca65776b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Feb 2024 11:52:57 -0800
+Subject: btrfs: store fs_info in space_info
+
+From: Boris Burkov
+
+[ Upstream commit 42f620aec182f62ee72e3fce41cb3353951b3508 ]
+
+This is handy when computing space_info dynamic reclaim thresholds where
+we do not have access to a block group. We could add it to the various
+functions as a parameter, but it seems reasonable for space_info to have
+an fs_info pointer.
+
+Reviewed-by: Josef Bacik
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Boris Burkov
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 1 +
+ fs/btrfs/space-info.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index bede72f3dffc3..069df2ebd1ca5 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -230,6 +230,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ if (!space_info)
+ return -ENOMEM;
+
++ space_info->fs_info = info;
+ for (i = 0; i < BTRFS_NR_RAID_TYPES; i++)
+ INIT_LIST_HEAD(&space_info->block_groups[i]);
+ init_rwsem(&space_info->groups_sem);
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index fea2f93674e7c..d6b34f2738b53 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -65,6 +65,7 @@ enum btrfs_flush_state {
+ };
+
+ struct btrfs_space_info {
++ struct btrfs_fs_info *fs_info;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+--
+2.51.0
+
diff --git a/queue-6.1/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch b/queue-6.1/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
new file mode 100644
index 0000000000..a0998ba365
--- /dev/null
+++ b/queue-6.1/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
@@ -0,0 +1,50 @@
+From 12d75396c09cd3f0f8936228418426dbc0cf9ee2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek
+Reviewed-by: Vincent Mailhol
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 41bea531234db..6995fbce829ad 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1735,7 +1735,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
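Review bot: Returning a constant `0` at the end of es58x_alloc_rx_urbs() discards the error held in `ret` when allocation stopped early, and the only trace left is the `dev_dbg()` line above it, which is usually not visible on production builds. A degraded receive path deserves a visible message before the return, e.g. `if (ret) dev_warn(dev, "%s: only %d rx URBs allocated: %pe\n", __func__, i, ERR_PTR(ret));`. The commit message says success requires at least one URB; that zero-URB check is outside the hunk, so confirm it still returns the error in this tree. A short comment such as `/* Partial allocation is not fatal: the driver runs with fewer rx URBs. */` would keep the constant return from being reverted by a later cleanup.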
diff --git a/queue-6.1/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-6.1/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
new file mode 100644
index 0000000000..d0bdee84fc
--- /dev/null
+++ b/queue-6.1/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
@@ -0,0 +1,50 @@
+From db709298cd30a6836ee1b638b06abd8b47a0e754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 27f5019bdc1ed..7755a79b429f4 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1811,6 +1811,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1826,6 +1828,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
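Review bot: In the second error block (the of_dma_controller_register() failure) the hunk shows no `return rc;` after `omap_dma_free(od);`, unlike the first block, so after the added `dma_pool_destroy(od->desc_pool);` the pointer is left dangling while `od->ll123_supported` is still true. What runs after the closing braces is outside the hunk; if omap_dma_probe() goes on to touch `od` there, clear the field with `od->desc_pool = NULL;` or return immediately. The same two-line cleanup is now repeated in both paths, and a shared error label would keep them from drifting apart.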
diff --git a/queue-6.1/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-6.1/dmaengine-tegra-adma-fix-use-after-free.patch
new file mode 100644
index 0000000000..84c216027b
--- /dev/null
+++ b/queue-6.1/dmaengine-tegra-adma-fix-use-after-free.patch
@@ -0,0 +1,110 @@ +From 9b8ffe19179e7223e7e7c547c949170908edfb38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 19:54:45 +0530 +Subject: dmaengine: tegra-adma: Fix use-after-free + +From: Sheetal + +[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ] + +A use-after-free bug exists in the Tegra ADMA driver when audio streams +are terminated, particularly during XRUN conditions. The issue occurs +when the DMA buffer is freed by tegra_adma_terminate_all() before the +vchan completion tasklet finishes accessing it. + +The race condition follows this sequence: + + 1. DMA transfer completes, triggering an interrupt that schedules the + completion tasklet (tasklet has not executed yet) + 2. Audio playback stops, calling tegra_adma_terminate_all() which + frees the DMA buffer memory via kfree() + 3. The scheduled tasklet finally executes, calling vchan_complete() + which attempts to access the already-freed memory + +Since tasklets can execute at any time after being scheduled, there is +no guarantee that the buffer will remain valid when vchan_complete() +runs. + +Fix this by properly synchronizing the virtual channel completion: + - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the + descriptors as terminated instead of freeing the descriptor. + - Add the callback tegra_adma_synchronize() that calls + vchan_synchronize() which kills any pending tasklets and frees any + terminated descriptors. 
+ +Crash logs: +[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 +[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 + +[ 337.427562] Call trace: +[ 337.427564] dump_backtrace+0x0/0x320 +[ 337.427571] show_stack+0x20/0x30 +[ 337.427575] dump_stack_lvl+0x68/0x84 +[ 337.427584] print_address_description.constprop.0+0x74/0x2b8 +[ 337.427590] kasan_report+0x1f4/0x210 +[ 337.427598] __asan_load8+0xa0/0xd0 +[ 337.427603] vchan_complete+0x124/0x3b0 +[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 +[ 337.427617] tasklet_action+0x30/0x40 +[ 337.427623] __do_softirq+0x1a0/0x5c4 +[ 337.427628] irq_exit+0x110/0x140 +[ 337.427633] handle_domain_irq+0xa4/0xe0 +[ 337.427640] gic_handle_irq+0x64/0x160 +[ 337.427644] call_on_irq_stack+0x20/0x4c +[ 337.427649] do_interrupt_handler+0x7c/0x90 +[ 337.427654] el1_interrupt+0x30/0x80 +[ 337.427659] el1h_64_irq_handler+0x18/0x30 +[ 337.427663] el1h_64_irq+0x7c/0x80 +[ 337.427667] cpuidle_enter_state+0xe4/0x540 +[ 337.427674] cpuidle_enter+0x54/0x80 +[ 337.427679] do_idle+0x2e0/0x380 +[ 337.427685] cpu_startup_entry+0x2c/0x70 +[ 337.427690] rest_init+0x114/0x130 +[ 337.427695] arch_call_rest_init+0x18/0x24 +[ 337.427702] start_kernel+0x380/0x3b4 +[ 337.427706] __primary_switched+0xc0/0xc8 + +Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA") +Signed-off-by: Sheetal +Acked-by: Thierry Reding +Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index 79da93cc77b64..db79e92f5e611 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -341,10 +341,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc) + return; + } + +- kfree(tdc->desc); ++ vchan_terminate_vdesc(&tdc->desc->vd); + 
tdc->desc = NULL; + } + ++static void tegra_adma_synchronize(struct dma_chan *dc) ++{ ++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc); ++ ++ vchan_synchronize(&tdc->vc); ++} ++ + static void tegra_adma_start(struct tegra_adma_chan *tdc) + { + struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc); +@@ -910,6 +917,7 @@ static int tegra_adma_probe(struct platform_device *pdev) + tdma->dma_dev.device_config = tegra_adma_slave_config; + tdma->dma_dev.device_tx_status = tegra_adma_tx_status; + tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all; ++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize; + tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); +-- +2.51.0 + diff --git a/queue-6.1/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-6.1/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch new file mode 100644 index 0000000000..52d43bcfac --- /dev/null +++ b/queue-6.1/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch 
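Review bot: The removed `kfree(tdc->desc);` accepted a NULL `tdc->desc`, but `vchan_terminate_vdesc(&tdc->desc->vd);` dereferences the descriptor, so tegra_adma_stop() now depends on every caller having checked `tdc->desc` first. The callers and the start of tegra_adma_stop() are outside the hunk; if any path can reach this line with no active descriptor, guard it with `if (tdc->desc) vchan_terminate_vdesc(&tdc->desc->vd);`. Per the commit message the terminated descriptor is freed only when vchan_synchronize() runs, so above tegra_adma_synchronize() I would add `/* Frees descriptors terminated in tegra_adma_stop(); clients must call dmaengine_synchronize() after a non-sync terminate. */`.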
@@ -0,0 +1,61 @@ +From 4b5f786c1791ac4c123a7edba4de8e02c345e8cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 00:00:06 +0530 +Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when + "xlnx,addrwidth" property is missing + +From: Suraj Gupta + +[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ] + +When device tree lacks optional "xlnx,addrwidth" property, the addr_width +variable remained uninitialized with garbage values, causing incorrect +DMA mask configuration and subsequent probe failure. The fix ensures a +fallback to the default 32-bit address width when this property is missing. + +Signed-off-by: Suraj Gupta +Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver") +Reviewed-by: Radhey Shyam Pandey +Reviewed-by: Folker Schwesinger +Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index e2175651f9795..8402dc3d3a352 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -128,6 +128,7 @@ + #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20 + #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2 + #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1 ++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20 + + #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \ + (XILINX_DMA_DMASR_FRM_CNT_IRQ | \ +@@ -3016,7 +3017,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + struct device_node *node = pdev->dev.of_node; + struct xilinx_dma_device *xdev; + struct device_node *child, *np = pdev->dev.of_node; +- u32 num_frames, addr_width, len_width; ++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width; + int i, err; + + /* Allocate and initialize the DMA engine structure */ +@@ -3085,7 +3086,9 @@ static int 
xilinx_dma_probe(struct platform_device *pdev) + + err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width); + if (err < 0) +- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n"); ++ dev_warn(xdev->dev, ++ "missing xlnx,addrwidth property, using default value %d\n", ++ XILINX_DMA_DFAULT_ADDRWIDTH); + + if (addr_width > 32) + xdev->ext_addr = true; +-- +2.51.0 + diff --git a/queue-6.1/hv_netvsc-allocate-rx-indirection-table-size-dynamic.patch b/queue-6.1/hv_netvsc-allocate-rx-indirection-table-size-dynamic.patch new file mode 100644 index 0000000000..74a5d6f3bb --- /dev/null +++ b/queue-6.1/hv_netvsc-allocate-rx-indirection-table-size-dynamic.patch 
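Review bot: The fallback constant is introduced as `XILINX_DMA_DFAULT_ADDRWIDTH 0x20`, a misspelt name with a bit width written in hex, which makes it harder to relate to the `addr_width > 32` comparison a few lines below. `#define XILINX_DMA_DEFAULT_ADDRWIDTH 32` reads better, though a stable backport may prefer to keep the upstream spelling. The value read from "xlnx,addrwidth" is compared only against 32 in the visible lines, and xilinx_dma_probe() continues outside the hunk. It is worth confirming that an out-of-range width from a malformed device tree is rejected before it reaches the DMA mask configuration the commit message mentions.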
@@ -0,0 +1,181 @@ +From 79f5b429cb643726d438575067ece32d53e1a1ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jun 2023 04:30:06 -0700 +Subject: hv_netvsc: Allocate rx indirection table size dynamically + +From: Shradha Gupta + +[ Upstream commit 4cab498f33f7adaa01ad15909c0f34a81e5a0b0a ] + +Allocate the size of rx indirection table dynamically in netvsc +from the value of size provided by OID_GEN_RECEIVE_SCALE_CAPABILITIES +query instead of using a constant value of ITAB_NUM. + +Signed-off-by: Shradha Gupta +Reviewed-by: Haiyang Zhang +Tested-on: Ubuntu22 (azure VM, SKU size: Standard_F72s_v2) +Testcases: +1. ethtool -x eth0 output +2. LISA testcase:PERF-NETWORK-TCP-THROUGHPUT-MULTICONNECTION-NTTTCP-Synthetic +3. LISA testcase:PERF-NETWORK-TCP-THROUGHPUT-MULTICONNECTION-NTTTCP-SRIOV +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: d23564955811 ("net: hv_netvsc: reject RSS hash key programming without RX indirection table") +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/hyperv_net.h | 5 ++++- + drivers/net/hyperv/netvsc_drv.c | 10 ++++++---- + drivers/net/hyperv/rndis_filter.c | 29 +++++++++++++++++++++++++---- + 3 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h +index ea9cb1ac4bbe1..97952229a7b77 100644 +--- a/drivers/net/hyperv/hyperv_net.h ++++ b/drivers/net/hyperv/hyperv_net.h +@@ -74,6 +74,7 @@ struct ndis_recv_scale_cap { /* NDIS_RECEIVE_SCALE_CAPABILITIES */ + #define NDIS_RSS_HASH_SECRET_KEY_MAX_SIZE_REVISION_2 40 + + #define ITAB_NUM 128 ++#define ITAB_NUM_MAX 256 + + struct ndis_recv_scale_param { /* NDIS_RECEIVE_SCALE_PARAMETERS */ + struct ndis_obj_header hdr; +@@ -1045,7 +1046,9 @@ struct net_device_context { + + u32 tx_table[VRSS_SEND_TAB_SIZE]; + +- u16 rx_table[ITAB_NUM]; ++ u16 *rx_table; ++ ++ u32 rx_table_sz; + + /* Ethtool settings */ + u8 duplex; +diff --git a/drivers/net/hyperv/netvsc_drv.c 
b/drivers/net/hyperv/netvsc_drv.c +index 7433fe7699432..68dfe77a6bbfe 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1717,7 +1717,9 @@ static u32 netvsc_get_rxfh_key_size(struct net_device *dev) + + static u32 netvsc_rss_indir_size(struct net_device *dev) + { +- return ITAB_NUM; ++ struct net_device_context *ndc = netdev_priv(dev); ++ ++ return ndc->rx_table_sz; + } + + static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key, +@@ -1736,7 +1738,7 @@ static int netvsc_get_rxfh(struct net_device *dev, u32 *indir, u8 *key, + + rndis_dev = ndev->extension; + if (indir) { +- for (i = 0; i < ITAB_NUM; i++) ++ for (i = 0; i < ndc->rx_table_sz; i++) + indir[i] = ndc->rx_table[i]; + } + +@@ -1762,11 +1764,11 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir, + + rndis_dev = ndev->extension; + if (indir) { +- for (i = 0; i < ITAB_NUM; i++) ++ for (i = 0; i < ndc->rx_table_sz; i++) + if (indir[i] >= ndev->num_chn) + return -EINVAL; + +- for (i = 0; i < ITAB_NUM; i++) ++ for (i = 0; i < ndc->rx_table_sz; i++) + ndc->rx_table[i] = indir[i]; + } + +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +index bb656ea097731..09144f0ec2aa4 100644 +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + #include "hyperv_net.h" + #include "netvsc_trace.h" +@@ -913,7 +914,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + struct rndis_set_request *set; + struct rndis_set_complete *set_complete; + u32 extlen = sizeof(struct ndis_recv_scale_param) + +- 4 * ITAB_NUM + NETVSC_HASH_KEYLEN; ++ 4 * ndc->rx_table_sz + NETVSC_HASH_KEYLEN; + struct ndis_recv_scale_param *rssp; + u32 *itab; + u8 *keyp; +@@ -939,7 +940,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + rssp->hashinfo = NDIS_HASH_FUNC_TOEPLITZ | NDIS_HASH_IPV4 | + NDIS_HASH_TCP_IPV4 | NDIS_HASH_IPV6 
| + NDIS_HASH_TCP_IPV6; +- rssp->indirect_tabsize = 4*ITAB_NUM; ++ rssp->indirect_tabsize = 4 * ndc->rx_table_sz; + rssp->indirect_taboffset = sizeof(struct ndis_recv_scale_param); + rssp->hashkey_size = NETVSC_HASH_KEYLEN; + rssp->hashkey_offset = rssp->indirect_taboffset + +@@ -947,7 +948,7 @@ static int rndis_set_rss_param_msg(struct rndis_device *rdev, + + /* Set indirection table entries */ + itab = (u32 *)(rssp + 1); +- for (i = 0; i < ITAB_NUM; i++) ++ for (i = 0; i < ndc->rx_table_sz; i++) + itab[i] = ndc->rx_table[i]; + + /* Set hask key values */ +@@ -1534,6 +1535,18 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + if (ret || rsscap.num_recv_que < 2) + goto out; + ++ if (rsscap.num_indirect_tabent && ++ rsscap.num_indirect_tabent <= ITAB_NUM_MAX) ++ ndc->rx_table_sz = rsscap.num_indirect_tabent; ++ else ++ ndc->rx_table_sz = ITAB_NUM; ++ ++ ndc->rx_table = kcalloc(ndc->rx_table_sz, sizeof(u16), GFP_KERNEL); ++ if (!ndc->rx_table) { ++ ret = -ENOMEM; ++ goto err_dev_remv; ++ } ++ + /* This guarantees that num_possible_rss_qs <= num_online_cpus */ + num_possible_rss_qs = min_t(u32, num_online_cpus(), + rsscap.num_recv_que); +@@ -1544,7 +1557,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, + net_device->num_chn = min(net_device->max_chn, device_info->num_chn); + + if (!netif_is_rxfh_configured(net)) { +- for (i = 0; i < ITAB_NUM; i++) ++ for (i = 0; i < ndc->rx_table_sz; i++) + ndc->rx_table[i] = ethtool_rxfh_indir_default( + i, net_device->num_chn); + } +@@ -1582,11 +1595,19 @@ void rndis_filter_device_remove(struct hv_device *dev, + struct netvsc_device *net_dev) + { + struct rndis_device *rndis_dev = net_dev->extension; ++ struct net_device *net = hv_get_drvdata(dev); ++ struct net_device_context *ndc; ++ ++ ndc = netdev_priv(net); + + /* Halt and release the rndis device */ + rndis_filter_halt_device(net_dev, rndis_dev); + + netvsc_device_remove(dev); ++ ++ ndc->rx_table_sz = 0; ++ kfree(ndc->rx_table); 
++ ndc->rx_table = NULL; + } + + int rndis_filter_open(struct netvsc_device *nvdev) +-- +2.51.0 + diff --git a/queue-6.1/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-6.1/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch new file mode 100644 index 0000000000..0bb3f80fcf --- /dev/null +++ b/queue-6.1/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch 
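Review bot: In rndis_filter_device_add() the new `kcalloc()` sits after the existing `if (ret || rsscap.num_recv_que < 2) goto out;`, so on that path `ndc->rx_table` is never allocated and `ndc->rx_table_sz` keeps its previous value (presumably 0). The loops in netvsc_get_rxfh() and netvsc_set_rxfh() would then iterate zero times, but rndis_set_rss_param_msg() could still build a parameter block with an `indirect_tabsize` of 0. The Stable-dep-of trailer names the follow-up that rejects this state, so the two patches need to be queued together. The bound `rsscap.num_indirect_tabent <= ITAB_NUM_MAX` on the host-reported size is the right check, and a comment there, `/* host-reported size; bounded before it sizes the allocation and the RNDIS message */`, would record why. These functions start or end outside their hunks.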
@@ -0,0 +1,105 @@ +From fd73284b7d4f7c2cfcfdddc827da7e6a24f7a974 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:31:09 +0000 +Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() + +From: Eric Dumazet + +[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ] + +Blamed commit did not take care of VLAN encapsulations +as spotted by syzbot [1]. + +Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). + +[1] + BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 + __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 + ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 + gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 + ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 + ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:318 [inline] + ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 + __netif_receive_skb_one_core net/core/dev.c:6139 [inline] + __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 + netif_receive_skb_internal net/core/dev.c:6338 [inline] + netif_receive_skb+0x57/0x630 net/core/dev.c:6397 + tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 + tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write 
fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4960 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 + kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 + __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 + sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 + tun_alloc_skb drivers/net/tun.c:1461 [inline] + tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 + +Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") +Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com +Closes: 
https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index dfca22c6d345d..8ce36fcc3dd5b 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, + + skb_reset_network_header(skb); + +- if (!pskb_inet_may_pull(skb)) { ++ if (skb_vlan_inet_prepare(skb, true)) { + DEV_STATS_INC(tunnel->dev, rx_length_errors); + DEV_STATS_INC(tunnel->dev, rx_errors); + goto drop; +-- +2.51.0 + diff --git a/queue-6.1/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-6.1/ipv4-ip_gre-make-ipgre_header-robust.patch new file mode 100644 index 0000000000..853a8159e8 --- /dev/null +++ b/queue-6.1/ipv4-ip_gre-make-ipgre_header-robust.patch 
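Review bot: The success polarity flips in __ip6_tnl_rcv(): `pskb_inet_may_pull()` was tested with `!`, while `skb_vlan_inet_prepare(skb, true)` is treated as failing when it returns non-zero, which is easy to misread later. A comment above the call, `/* returns 0 on success; also accounts for VLAN tags in front of the inner header */`, would make that explicit. For the 6.1 queue, check that the tree already carries the two-argument form of skb_vlan_inet_prepare(), since the helper's definition is not part of this patch. The function continues outside the hunk, so any header pointer cached before this call has to be reloaded after it, because the pull can move the packet data.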
@@ -0,0 +1,87 @@ +From 73f5a3728cf43ebdcad08f123ddb30783ed4a93a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 19:02:14 +0000 +Subject: ipv4: ip_gre: make ipgre_header() robust + +From: Eric Dumazet + +[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ] + +Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") + +Over the years, syzbot found many ways to crash the kernel +in ipgre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ipgre device. + +[1] +skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 + kernel BUG at net/core/skbuff.c:213 ! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Workqueue: mld mld_ifc_work + RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 +Call Trace: + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 
+ kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com +Closes: https://www.spinics.net/lists/netdev/msg1147302.html +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 2c311ed84a3b3..b90241aff93c3 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -854,10 +854,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev, + const void *daddr, const void *saddr, unsigned int len) + { + struct ip_tunnel *t = netdev_priv(dev); +- struct iphdr *iph; + struct gre_base_hdr *greh; ++ struct iphdr *iph; ++ int needed; ++ ++ needed = t->hlen + sizeof(*iph); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; + +- iph = skb_push(skb, t->hlen + sizeof(*iph)); ++ iph = skb_push(skb, needed); + greh = (struct gre_base_hdr *)(iph+1); + greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags); + greh->protocol = htons(type); +-- +2.51.0 + diff --git a/queue-6.1/ipv6-fix-use-after-free-in-inet6_addr_del.patch b/queue-6.1/ipv6-fix-use-after-free-in-inet6_addr_del.patch new file mode 100644 index 0000000000..3329330b2d --- /dev/null +++ b/queue-6.1/ipv6-fix-use-after-free-in-inet6_addr_del.patch 
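Review bot: The headroom check added at the top of ipgre_header() has no comment saying why a header-construction callback must re-validate headroom, and the failure path returns `-needed` without saying why it is not an errno. I would add `/* hlen of a stacked device (team, bonding) can grow after the skb was allocated; make room before skb_push() */` above the check and a short note on the return convention. The rest of the function lies outside the hunk, so whether `-needed` matches its existing error return is assumed here. pskb_expand_head() can reallocate the skb head, so any caller that cached a pointer into the old header before calling dev_hard_header() would hold a stale pointer afterwards; those callers are not visible here and are worth checking in the 6.1 tree.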
@@ -0,0 +1,132 @@ +From fe1e75806a4dee523026318ef9a49897d86187d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 01:05:08 +0000 +Subject: ipv6: Fix use-after-free in inet6_addr_del(). + +From: Kuniyuki Iwashima + +[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ] + +syzbot reported use-after-free of inet6_ifaddr in +inet6_addr_del(). [0] + +The cited commit accidentally moved ipv6_del_addr() for +mngtmpaddr before reading its ifp->flags for temporary +addresses in inet6_addr_del(). + +Let's move ipv6_del_addr() down to fix the UAF. + +[0]: +BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 +Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 + +CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 + addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 + inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f164cf8f749 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 
002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 +RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 +RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 + + +Allocated by task 9593: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:397 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 + kmalloc_noprof include/linux/slab.h:957 [inline] + kzalloc_noprof include/linux/slab.h:1094 [inline] + ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 + inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 + addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 + inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 6099: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2540 [inline] + slab_free_freelist_hook mm/slub.c:2569 [inline] + slab_free_bulk mm/slub.c:6696 [inline] + kmem_cache_free_bulk mm/slub.c:7383 [inline] + kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 + kfree_bulk include/linux/slab.h:830 [inline] + 
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 + kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] + kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 + process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 + kthread+0x3c5/0x780 kernel/kthread.c:463 + ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged") +Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Hangbin Liu +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 03961f8080757..d6a33452dd369 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3068,12 +3068,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags, + in6_ifa_hold(ifp); + read_unlock_bh(&idev->lock); + +- ipv6_del_addr(ifp); +- + if (!(ifp->flags & IFA_F_TEMPORARY) && + (ifp->flags & IFA_F_MANAGETEMPADDR)) + delete_tempaddrs(idev, ifp); + ++ ipv6_del_addr(ifp); ++ + addrconf_verify_rtnl(net); + if (ipv6_addr_is_multicast(pfx)) { + ipv6_mc_config(net->ipv6.mc_autojoin_sk, +-- +2.51.0 + diff --git a/queue-6.1/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-6.1/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch new file mode 100644 index 0000000000..f2fe825542 --- /dev/null +++ b/queue-6.1/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch 
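Review bot: Nothing in the reordered block of inet6_addr_del() records that `ipv6_del_addr(ifp)` must be the last use of ifp, which is the invariant the cited commit broke. The KASAN report in the description shows the flags read hitting freed memory, so the reference taken by in6_ifa_hold() evidently does not outlive ipv6_del_addr(). I would add `/* ipv6_del_addr() drops our reference: no access to ifp after this call */` directly above the moved call. The function continues past the hunk, so the remaining lines should be checked for any later use of ifp in this backport.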
@@ -0,0 +1,108 @@ +From 5fc02041557ade2dae7d125188e3b793f5323afb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:36:51 +0000 +Subject: macvlan: fix possible UAF in macvlan_forward_source() + +From: Eric Dumazet + +[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ] + +Add RCU protection on (struct macvlan_source_entry)->vlan. + +Whenever macvlan_hash_del_source() is called, we must clear +entry->vlan pointer before RCU grace period starts. + +This allows macvlan_forward_source() to skip over +entries queued for freeing. + +Note that macvlan_dev are already RCU protected, as they +are embedded in a standard netdev (netdev_priv(ndev)). + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 012830d12fde6..428b139822cf6 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -56,7 +56,7 @@ struct macvlan_port { + + struct macvlan_source_entry { + struct hlist_node hlist; +- struct macvlan_dev *vlan; ++ struct macvlan_dev __rcu *vlan; + unsigned char addr[6+2] __aligned(sizeof(u16)); + struct rcu_head rcu; + }; +@@ -143,7 +143,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source( + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { + if (ether_addr_equal_64bits(entry->addr, addr) && +- entry->vlan == vlan) ++ rcu_access_pointer(entry->vlan) == vlan) + return entry; + } + return NULL; +@@ -165,7 +165,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan, + return -ENOMEM; + + ether_addr_copy(entry->addr, 
addr); +- entry->vlan = vlan; ++ RCU_INIT_POINTER(entry->vlan, vlan); + h = &port->vlan_source_hash[macvlan_eth_hash(addr)]; + hlist_add_head_rcu(&entry->hlist, h); + vlan->macaddr_count++; +@@ -184,6 +184,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan) + + static void macvlan_hash_del_source(struct macvlan_source_entry *entry) + { ++ RCU_INIT_POINTER(entry->vlan, NULL); + hlist_del_rcu(&entry->hlist); + kfree_rcu(entry, rcu); + } +@@ -382,7 +383,7 @@ static void macvlan_flush_sources(struct macvlan_port *port, + int i; + + hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) +- if (entry->vlan == vlan) ++ if (rcu_access_pointer(entry->vlan) == vlan) + macvlan_hash_del_source(entry); + + vlan->macaddr_count = 0; +@@ -425,9 +426,14 @@ static bool macvlan_forward_source(struct sk_buff *skb, + + hlist_for_each_entry_rcu(entry, h, hlist) { + if (ether_addr_equal_64bits(entry->addr, addr)) { +- if (entry->vlan->flags & MACVLAN_FLAG_NODST) ++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan); ++ ++ if (!vlan) ++ continue; ++ ++ if (vlan->flags & MACVLAN_FLAG_NODST) + consume = true; +- macvlan_forward_source_one(skb, entry->vlan); ++ macvlan_forward_source_one(skb, vlan); + } + } + +@@ -1648,7 +1654,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb, + struct macvlan_source_entry *entry; + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { +- if (entry->vlan != vlan) ++ if (rcu_access_pointer(entry->vlan) != vlan) + continue; + if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr)) + return 1; +-- +2.51.0 + diff --git a/queue-6.1/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch b/queue-6.1/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch new file mode 100644 index 0000000000..f1ed25fe50 --- /dev/null +++ b/queue-6.1/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch 
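Review bot: The `if (!vlan) continue;` added in macvlan_forward_source() is the only reader-side NULL check, and no comment ties it to the `RCU_INIT_POINTER(entry->vlan, NULL)` added in macvlan_hash_del_source(). I would add `/* NULL: entry was unlinked by macvlan_hash_del_source() and awaits its grace period */` above the check so the pairing is visible in the code. The protection holds only if every removal goes through macvlan_hash_del_source(); the hunks show macvlan_flush_sources() doing so, but other removal paths are outside the diff and should be confirmed for this backport. The lookup, flush and fill_info hunks only compare the pointer and never dereference it, so rcu_access_pointer() is the appropriate accessor there.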
@@ -0,0 +1,42 @@
+From f745ea972c620de5fa7f2ad7288a1d8c6a49f51d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya
+Acked-by: Marco Elver
+Acked-by: David Hildenbrand (Red Hat)
+Acked-by: Harry Yoo
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 726857a4b6805..d5258c63ffd7c 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -210,6 +210,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
diff --git a/queue-6.1/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch b/queue-6.1/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
new file mode 100644
index 0000000000..ae9bfc50b0
--- /dev/null
+++ b/queue-6.1/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
@@ -0,0 +1,47 @@
+From 041018e08c94f34d791aa059c2a0939f06ec1ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg
+Reviewed-by: Dipayaan Roy
+Reviewed-by: Haiyang Zhang
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 68dfe77a6bbfe..20c584f46ec01 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1762,6 +1762,9 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
diff --git a/queue-6.1/net-mlx5e-restore-destroying-state-bit-after-profile.patch b/queue-6.1/net-mlx5e-restore-destroying-state-bit-after-profile.patch
new file mode 100644
index 0000000000..dfa2fba026
--- /dev/null
+++ b/queue-6.1/net-mlx5e-restore-destroying-state-bit-after-profile.patch
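Review bot: The new `if (!ndc->rx_table_sz)` guard in netvsc_set_rxfh() carries no comment, so the reason a zero table size means RSS cannot be programmed lives only in the commit message. I would add `/* single RX queue: no indirection table was allocated, RSS cannot be configured */` above it. Because the guard sits before `rndis_dev = ndev->extension`, it also rejects a call that passes neither indir nor key; whether any caller relies on such a call succeeding is not visible in the hunk. The function body starts and ends outside the hunk.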
@@ -0,0 +1,69 @@ +From 4a84098b73fe408b67259ed0926bc33f9f193e86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:57 -0800 +Subject: net/mlx5e: Restore destroying state bit after profile cleanup + +From: Saeed Mahameed + +[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ] + +Profile rollback can fail in mlx5e_netdev_change_profile() and we will +end up with invalid mlx5e_priv memset to 0, we must maintain the +'destroying' bit in order to gracefully shutdown even if the +profile/priv are not valid. + +This patch maintains the previous state of the 'destroying' state of +mlx5e_priv after priv cleanup, to allow the remove flow to cleanup +common resources from mlx5_core to avoid FW fatal errors as seen below: + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev + Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ... + +$ devlink dev reload pci/0000:00:03.0 + +mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) +mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected +mlx5_core 0000:00:03.0: firmware version: 28.41.1000 +mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link) +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here +mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver +mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start +mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms. 
+ +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 0c1f89196f6c1..73011870e5ff6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5566,6 +5566,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv, + + void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + { ++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state); + int i; + + /* bail if change profile failed and also rollback failed */ +@@ -5591,6 +5592,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + } + + memset(priv, 0, sizeof(*priv)); ++ if (destroying) /* restore destroying bit, to allow unload */ ++ set_bit(MLX5E_STATE_DESTROYING, &priv->state); + } + + static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev, +-- +2.51.0 + diff --git a/queue-6.1/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-6.1/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch new file mode 100644 index 0000000000..4dd5240ea5 --- /dev/null +++ b/queue-6.1/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch 
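Review bot: In mlx5e_priv_cleanup() the DESTROYING bit is clear between `memset(priv, 0, sizeof(*priv))` and the following `set_bit()`, so anything testing priv->state concurrently could see the device as not being destroyed during that window. Whether such a reader can run at this point is not visible in the hunk; if cleanup is fully serialized, the comment should say so, for example `/* callers serialize cleanup; restore destroying bit so unload still runs */`. The saved value is also sampled before the "bail if change profile failed and also rollback failed" check, which is harmless on an already-zeroed priv but worth a word in the same comment.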
@@ -0,0 +1,46 @@
+From 697d3e3285239b3291d0a0f9b93d8f0c8a493c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 80a7173843b90..0047f35504348 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -533,8 +533,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.1/net-update-netdev_lock_-type-name.patch b/queue-6.1/net-update-netdev_lock_-type-name.patch
new file mode 100644
index 0000000000..152710fc02
--- /dev/null
+++ b/queue-6.1/net-update-netdev_lock_-type-name.patch
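Review bot: The `destroy_class:` label in qfq_change_class() no longer always destroys, and the new `if (!existing)` has no comment stating the ownership rule it enforces. I would add `/* only free what this call allocated; an existing class is still owned by the qdisc */` inside the label. `existing` is assigned outside the hunk, so this assumes it is true exactly when cl was looked up rather than allocated. On the existing-class path the function now returns err with the class left in place, so any partial change made to that class before the failure should be checked for rollback in the part of the function not shown.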
@@ -0,0 +1,91 @@ +From e37f43822f5dce5893fa8fea7bdeb5bb24bd16c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 09:32:44 +0000 +Subject: net: update netdev_lock_{type,name} + +From: Eric Dumazet + +[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ] + +Add missing entries in netdev_lock_type[] and netdev_lock_name[] : + +CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON, +IEEE802154_MONITOR. + +Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting +next time a protocol is added without updating these arrays. + +Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 114fc8bc37f8b..69bb7ac73d047 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -449,15 +449,21 @@ static const unsigned short netdev_lock_type[] = { + ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP, + ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD, + ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25, ++ ARPHRD_CAN, ARPHRD_MCTP, + ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP, +- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, ++ ARPHRD_RAWHDLC, ARPHRD_RAWIP, ++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, + ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI, + ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE, + ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET, + ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, + ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM, +- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE, +- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE}; ++ ARPHRD_IEEE80211_RADIOTAP, ++ ARPHRD_IEEE802154, 
ARPHRD_IEEE802154_MONITOR, ++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE, ++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN, ++ ARPHRD_VSOCKMON, ++ ARPHRD_VOID, ARPHRD_NONE}; + + static const char *const netdev_lock_name[] = { + "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25", +@@ -466,15 +472,21 @@ static const char *const netdev_lock_name[] = { + "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP", + "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD", + "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25", ++ "_xmit_CAN", "_xmit_MCTP", + "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP", +- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", ++ "_xmit_RAWHDLC", "_xmit_RAWIP", ++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", + "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI", + "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE", + "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET", + "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL", + "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM", +- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE", +- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"}; ++ "_xmit_IEEE80211_RADIOTAP", ++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR", ++ "_xmit_PHONET", "_xmit_PHONET_PIPE", ++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN", ++ "_xmit_VSOCKMON", ++ "_xmit_VOID", "_xmit_NONE"}; + + static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)]; + static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)]; +@@ -487,6 +499,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type) + if (netdev_lock_type[i] == dev_type) + return i; + /* the last key is used by default */ ++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type); + return ARRAY_SIZE(netdev_lock_type) - 1; + } + +-- +2.51.0 + 
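Review bot: The `WARN_ONCE(1, ...)` added to netdev_lock_pos() fires for any dev_type missing from netdev_lock_type[], and on hosts running with panic_on_warn a warning is a crash. If a device type can be set from userspace (not visible in this hunk), an unlisted value becomes a local denial of service, so a non-fatal report such as `pr_warn_once("netdev_lock_pos() could not find dev_type=%u\n", dev_type);` is the safer choice for a stable backport. Separately, the two tables must stay index-aligned and nothing enforces that; `static_assert(ARRAY_SIZE(netdev_lock_type) == ARRAY_SIZE(netdev_lock_name));` after the second array would catch a one-sided edit at build time.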
diff --git a/queue-6.1/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-6.1/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch new file mode 100644 index 0000000000..efd33a2e60 --- /dev/null +++ b/queue-6.1/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch 
@@ -0,0 +1,69 @@ +From 3dcd04adfbc192fc09f552f709c0006deb22c822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 13:57:48 -0500 +Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shivam Kumar + +[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ] + +Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +added ttag bounds checking and data_offset +validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate +whether the command's data structures (cmd->req.sg and cmd->iov) have +been properly initialized before processing H2C_DATA PDUs. + +The nvmet_tcp_build_pdu_iovec() function dereferences these pointers +without NULL checks. This can be triggered by sending H2C_DATA PDU +immediately after the ICREQ/ICRESP handshake, before +sending a CONNECT command or NVMe write command. + +Attack vectors that trigger NULL pointer dereferences: +1. H2C_DATA PDU sent before CONNECT → both pointers NULL +2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL +3. H2C_DATA PDU for uninitialized command slot → both pointers NULL + +The fix validates both cmd->req.sg and cmd->iov before calling +nvmet_tcp_build_pdu_iovec(). 
Both checks are required because: +- Uninitialized commands: both NULL +- READ commands: cmd->req.sg allocated, cmd->iov NULL +- WRITE commands: both allocated + +Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +Reviewed-by: Sagi Grimberg +Signed-off-by: Shivam Kumar +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 8fc626ddc1275..7fae0103a515b 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -956,6 +956,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); + goto err_proto; + } ++ /* ++ * Ensure command data structures are initialized. We must check both ++ * cmd->req.sg and cmd->iov because they can have different NULL states: ++ * - Uninitialized commands: both NULL ++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL ++ * - WRITE commands: both allocated ++ */ ++ if (unlikely(!cmd->req.sg || !cmd->iov)) { ++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n", ++ queue->idx, data->ttag); ++ goto err_proto; ++ } + cmd->pdu_recv = 0; + nvmet_tcp_build_pdu_iovec(cmd); + queue->cmd = cmd; +-- +2.51.0 + diff --git a/queue-6.1/nvmet-tcp-remove-boilerplate-code.patch b/queue-6.1/nvmet-tcp-remove-boilerplate-code.patch new file mode 100644 index 0000000000..3c83bd0c69 --- /dev/null +++ b/queue-6.1/nvmet-tcp-remove-boilerplate-code.patch 
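Review bot: The added `!cmd->req.sg || !cmd->iov` test in nvmet_tcp_handle_h2c_data_pdu() only catches a command slot whose pointers are NULL, so it depends on both pointers being reset to NULL whenever a command completes and its buffers are freed. That reset is not part of this hunk; if the 6.1 tree frees either buffer without clearing the pointer, an H2C_DATA PDU naming a finished ttag would pass the check with stale pointers, so the free path should be confirmed before relying on this backport. The new `pr_err()` is reachable by a remote host before CONNECT, as the description states, and `pr_err_ratelimited()` with the same format string would keep repeated connections from filling the log. The function starts and ends outside the hunk.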
@@ -0,0 +1,72 @@ +From 3ee4ea396c9f194220654cb3e06b99c27dc891e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 16:17:50 +0100 +Subject: nvmet-tcp: remove boilerplate code + +From: Maurizio Lombardi + +[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ] + +Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing +boilerplate code. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index eee052dbf80c1..8fc626ddc1275 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -930,8 +930,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + if (unlikely(data->ttag >= queue->nr_cmds)) { + pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", + queue->idx, data->ttag, queue->nr_cmds); +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd = &queue->cmds[data->ttag]; + } else { +@@ -942,9 +941,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("ttag %u unexpected data offset %u (expected %u)\n", + data->ttag, le32_to_cpu(data->data_offset), + cmd->rbytes_done); +- /* FIXME: use path and transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + + exp_data_len = le32_to_cpu(data->hdr.plen) - +@@ -957,9 +954,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + cmd->pdu_len == 0 || + cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) { + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); +- /* FIXME: use proper transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd->pdu_recv = 0; + 
nvmet_tcp_build_pdu_iovec(cmd); +@@ -967,6 +962,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + queue->rcv_state = NVMET_TCP_RECV_DATA; + + return 0; ++ ++err_proto: ++ /* FIXME: use proper transport errors */ ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-6.1/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-6.1/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch new file mode 100644 index 0000000000..9a64decf7e --- /dev/null +++ b/queue-6.1/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch 
@@ -0,0 +1,47 @@
+From f19c0124005f1cd56af4b22cebafa2ac4b5dce1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 2c8b1b7dda5bd..5c2710597df2c 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
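Review bot: The new `usb3->family = (unsigned long)device_get_match_data(dev);` line stores whatever the match data holds without checking it, and `device_get_match_data()` returns NULL when the device has no match entry. That NULL becomes family 0; whether 0 is a valid `enum bcm_ns_family` value is not visible in this hunk, and if it is, a missing match silently selects that family. A comment on the line such as `/* match data carries an enum bcm_ns_family value, not a pointer */`, or an explicit range check after the assignment, would make the assumption visible. The probe function starts and ends outside the hunk.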
diff --git a/queue-6.1/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-6.1/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
new file mode 100644
index 0000000000..0e76c19513
--- /dev/null
+++ b/queue-6.1/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
@@ -0,0 +1,41 @@
+From 7f6ffc218b7025fbffbe3040d54c4c0d9355bfd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Amelie Delaunay
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 5bb9647b078f1..c2947159e8b41 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -708,7 +708,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
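Review bot: The `dev_err()` inside the corrected bounds check prints "invalid reg property: 0" when an out-of-range index is what tripped it, because `ret` is 0 in that case and the offending value is never logged. `index` is only meaningful when the read succeeded, so report it in the existing `if (!ret)` branch, for example `dev_err(&phy->dev, "reg index %u out of range\n", index);` next to `ret = -EINVAL;`. That gives whoever debugs a bad device tree the value that was rejected. The probe function starts and ends outside the hunk.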
diff --git a/queue-6.1/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-6.1/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch new file mode 100644 index 0000000000..55bc611f8d --- /dev/null +++ b/queue-6.1/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch @@ -0,0 +1,40 @@ +From dc9a7992068ef3955a597a9d6f4606898aa8d67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 07:41:03 +0000 +Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() + +From: Zilin Guan + +[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ] + +In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, +the function jumps to the out_scratch label without freeing the already +allocated dsaddrs list, leading to a memory leak. + +Fix this by jumping to the out_err_drain_dsaddrs label, which properly +frees the dsaddrs list before cleaning up other resources. + +Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Zilin Guan +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +index 95d5dca671456..ed18e9e87c25f 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev, + sizeof(struct nfs4_ff_ds_version), + gfp_flags); + if (!ds_versions) +- goto out_scratch; ++ goto out_err_drain_dsaddrs; + + for (i = 0; i < version_count; i++) { + /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) + +-- +2.51.0 + diff --git a/queue-6.1/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch b/queue-6.1/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch new file mode 100644 index 0000000000..a9fa37e7e2 
--- /dev/null
+++ b/queue-6.1/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
@@ -0,0 +1,44 @@
+From 3e7a47d5303d9aa2e9c51d76d58d1f6734c77956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren
+Signed-off-by: Gal Pressman
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index da626167bd..e0619fdd07 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
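Review bot: The context line `bitmap = strtoul(arg, NULL, 0);` above the corrected mask test discards the end pointer and never looks at errno, so a non-numeric argument is taken as 0 and a partly numeric one as its prefix, and both pass the bounds check. Passing an end pointer and rejecting `end == arg || *end != '\0'` (plus `errno == ERANGE`) before the mask test would make a mistyped bitmap fail loudly instead of running the test with an unintended CPU set. The new mask `~((1UL << RPS_MAX_CPUS) - 1)` also assumes RPS_MAX_CPUS is smaller than the bit width of unsigned long; its definition is outside the hunk, so a comment stating that bound would help. The function continues outside the hunk.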
@@ -1,3 +1,35 @@ firmware-imx-scu-irq-set-mu_resource_id-before-get-handle.patch efi-cper-fix-cper_bits_to_str-buffer-handling-and-return-value.patch revert-gfs2-fix-use-of-bio_chain.patch +xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch +pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch +can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch +nvmet-tcp-remove-boilerplate-code.patch +nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch +btrfs-send-check-for-inline-extents-in-range_is_hole.patch +ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch +net-update-netdev_lock_-type-name.patch +macvlan-fix-possible-uaf-in-macvlan_forward_source.patch +ipv4-ip_gre-make-ipgre_header-robust.patch +vsock-test-add-a-final-full-barrier-after-run-all-te.patch +net-mlx5e-restore-destroying-state-bit-after-profile.patch +btrfs-move-flush-related-definitions-to-space-info.h.patch +btrfs-store-fs_info-in-space_info.patch +btrfs-factor-out-init_space_info-from-create_space_i.patch +btrfs-factor-out-check_removing_space_info-from-btrf.patch +btrfs-introduce-btrfs_space_info-sub-group.patch +btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch +hv_netvsc-allocate-rx-indirection-table-size-dynamic.patch +net-hv_netvsc-reject-rss-hash-key-programming-withou.patch +ipv6-fix-use-after-free-in-inet6_addr_del.patch +selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch +net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch +asoc-tlv320adcx140-fix-null-pointer.patch +asoc-tlv320adcx140-fix-word-length.patch +textsearch-describe-list-member-in-ts_ops-search.patch +mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch +dmaengine-tegra-adma-fix-use-after-free.patch +dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch +phy-stm32-usphyc-fix-off-by-one-in-probe.patch +phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch +dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch 
diff --git a/queue-6.1/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-6.1/textsearch-describe-list-member-in-ts_ops-search.patch
new file mode 100644
index 0000000000..0173a6f59c
--- /dev/null
+++ b/queue-6.1/textsearch-describe-list-member-in-ts_ops-search.patch
@@ -0,0 +1,41 @@
+From ff499d5be736992e2c7c5755063007d7d0829007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya
+Cc: Thomas Graf
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
diff --git a/queue-6.1/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-6.1/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
new file mode 100644
index 0000000000..34b6505d1c
--- /dev/null
+++ b/queue-6.1/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
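Review bot: The added kernel-doc line `@list: list to search` probably does not describe what the member is. The struct body is outside the hunk, but if `list` is the list node that links registered textsearch algorithms together, as the neighbouring `@owner` entry suggests for an ops structure, then it is not data being searched. Wording such as `@list: list node linking registered algorithms` would silence the same Sphinx warning without misleading readers; please confirm against the struct definition.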
@@ -0,0 +1,52 @@
+From e9e9713d6ff1253833ed6e60715591995deed32e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi
+Signed-off-by: Stefano Garzarella
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 2acbb7703c6a0..259d33ae6293b 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
diff --git a/queue-6.1/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch b/queue-6.1/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
new file mode 100644
index 0000000000..4e91a56d02
--- /dev/null
+++ b/queue-6.1/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
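Review bot: The block comment above the new `control_writeln("COMPLETED")` / `control_expectln("COMPLETED")` pair does not say what happens when the peer never sends the line. A peer built without this change will not send it, and whether the wait then ends in a timeout or on EOF depends on the control helpers, which are outside the hunk. One more comment line stating that both sides must run the same test binary version, and how a missing peer is detected, would save a confusing hang report. The progress message would also read better as `"All tests have been executed. Waiting for the other peer..."`.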
@@ -0,0 +1,67 @@
+From 4d749cb49f104f1772df45c207fcc0dc65a7ff7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index cbfc8b5b15bd2..8d6a40054eaab 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -110,8 +110,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 65d628e500059..460cf1dab9da2 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
diff --git a/queue-6.12/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch b/queue-6.12/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch
new file mode 100644
index 0000000000..58e966346f
--- /dev/null
+++ b/queue-6.12/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch
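Review bot: Both new `xo->proto` reads dereference the result of `xfrm_offload(skb)` without a NULL check, in xfrm4_tunnel_gso_segment() and again in xfrm6_tunnel_gso_segment(). xfrm_offload() returns NULL when the skb carries no usable offload state, so these helpers now depend on their callers having checked it already, and those callers are outside the hunks. Either state the precondition next to the declaration, `/* caller has verified xfrm_offload(skb) is non-NULL */`, or guard it with `if (!xo) return ERR_PTR(-EINVAL);` before the inner-mode lookup. Both function bodies continue outside the hunks.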
@@ -0,0 +1,44 @@ +From 3ba2c88466dfec43966aea75f9e62a22841778ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 13:09:54 +0000 +Subject: ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip + +From: Richard Fitzgerald + +[ Upstream commit c5e96e54eca3876d4ce8857e2e22adbe9f44f4a2 ] + +Set gpiochip parent to the struct device of the dummy GPIO driver +so that the software node will be associated with the GPIO chip. + +The recent commit e5d527be7e698 ("gpio: swnode: don't use the +swnode's name as the key for GPIO lookup") broke cirrus_scodec_test, +because the software node no longer gets associated with the GPIO +driver by name. + +Instead, setting struct gpio_chip.parent to the owning struct device +will find the node using a normal fwnode lookup. + +Signed-off-by: Richard Fitzgerald +Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test") +Link: https://patch.msgid.link/20260113130954.574670-1-rf@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/cirrus_scodec_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/pci/hda/cirrus_scodec_test.c b/sound/pci/hda/cirrus_scodec_test.c +index e925ebe21ccba..140b2a6be8dca 100644 +--- a/sound/pci/hda/cirrus_scodec_test.c ++++ b/sound/pci/hda/cirrus_scodec_test.c +@@ -92,6 +92,7 @@ static int cirrus_scodec_test_gpio_probe(struct platform_device *pdev) + + /* GPIO core modifies our struct gpio_chip so use a copy */ + gpio_priv->chip = cirrus_scodec_test_gpio_chip; ++ gpio_priv->chip.parent = &pdev->dev; + ret = devm_gpiochip_add_data(&pdev->dev, &gpio_priv->chip, gpio_priv); + if (ret) + return dev_err_probe(&pdev->dev, ret, "Failed to add gpiochip\n"); +-- +2.51.0 + diff --git a/queue-6.12/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch b/queue-6.12/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch new file mode 100644 index 0000000000..fd01ac835c --- /dev/null 
+++ b/queue-6.12/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch 
@@ -0,0 +1,52 @@ +From 0b2d5704804cc4aabb61a3b1741eaf7c8b9b3a35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:55:18 -0700 +Subject: ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type + +From: Cole Leavitt + +[ Upstream commit 390caeed0897fcac75f3c414dbdd85d593183d9c ] + +The CS42L43 codec's load detection can return different impedance values +that map to either HEADPHONE or LINEOUT jack types. However, the +soc_jack_pins array only maps SND_JACK_HEADPHONE to the "Headphone" DAPM +pin, not SND_JACK_LINEOUT. + +When headphones are detected with an impedance that maps to LINEOUT +(such as impedance value 0x2), the driver reports SND_JACK_LINEOUT. +Since this doesn't match the jack pin mask, the "Headphone" DAPM pin +is not activated, and no audio is routed to the headphone outputs. + +Fix by adding SND_JACK_LINEOUT to the Headphone pin mask, so that both +headphone and line-out detection properly enable the headphone output +path. + +This fixes no audio output on devices like the Lenovo ThinkPad P16 Gen 3 +where headphones are detected with LINEOUT impedance. 
+ +Fixes: d74bad3b7452 ("ASoC: intel: sof_sdw_cs42l43: Create separate jacks for hp and mic") +Reviewed-by: Charles Keepax +Signed-off-by: Cole Leavitt +Link: https://patch.msgid.link/20260114025518.28519-1-cole@unwrap.rs +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sdw_utils/soc_sdw_cs42l43.c b/sound/soc/sdw_utils/soc_sdw_cs42l43.c +index 2dc7787234c36..dacd050439439 100644 +--- a/sound/soc/sdw_utils/soc_sdw_cs42l43.c ++++ b/sound/soc/sdw_utils/soc_sdw_cs42l43.c +@@ -44,7 +44,7 @@ static const struct snd_soc_dapm_route cs42l43_dmic_map[] = { + static struct snd_soc_jack_pin soc_jack_pins[] = { + { + .pin = "Headphone", +- .mask = SND_JACK_HEADPHONE, ++ .mask = SND_JACK_HEADPHONE | SND_JACK_LINEOUT, + }, + { + .pin = "Headset Mic", +-- +2.51.0 + diff --git a/queue-6.12/asoc-tlv320adcx140-fix-null-pointer.patch b/queue-6.12/asoc-tlv320adcx140-fix-null-pointer.patch new file mode 100644 index 0000000000..5424f76155 --- /dev/null +++ b/queue-6.12/asoc-tlv320adcx140-fix-null-pointer.patch 
@@ -0,0 +1,55 @@ +From 8755569bfcbf15eb2f9425e59be6846da82ecf23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:45 +0100 +Subject: ASoC: tlv320adcx140: fix null pointer + +From: Emil Svendsen + +[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ] + +The "snd_soc_component" in "adcx140_priv" was only used once but never +set. It was only used for reaching "dev" which is already present in +"adcx140_priv". + +Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index d594bf166c0e7..ccfec4c0c159a 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -23,7 +23,6 @@ + #include "tlv320adcx140.h" + + struct adcx140_priv { +- struct snd_soc_component *component; + struct regulator *supply_areg; + struct gpio_desc *gpio_reset; + struct regmap *regmap; +@@ -701,7 +700,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + { + int pwr_ctrl = 0; + int ret = 0; +- struct snd_soc_component *component = adcx140->component; + + if (power_state) + pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ; +@@ -713,7 +711,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB, + adcx140->phase_calib_on ? 0x00 : 0x40); + if (ret) +- dev_err(component->dev, "%s: register write error %d\n", ++ dev_err(adcx140->dev, "%s: register write error %d\n", + __func__, ret); + } + +-- +2.51.0 + 
diff --git a/queue-6.12/asoc-tlv320adcx140-fix-word-length.patch b/queue-6.12/asoc-tlv320adcx140-fix-word-length.patch new file mode 100644 index 0000000000..2b365338e3 --- /dev/null +++ b/queue-6.12/asoc-tlv320adcx140-fix-word-length.patch 
@@ -0,0 +1,50 @@ +From fb019175b06904e8a4d8252c0925e33c62140d66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:47 +0100 +Subject: ASoC: tlv320adcx140: fix word length + +From: Emil Svendsen + +[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ] + +The word length is the physical width of the channel slots. So the +hw_params would misconfigure when format width and physical width +doesn't match. Like S24_LE which has data width of 24 bits but physical +width of 32 bits. So if using asymmetric formats you will get a lot of +noise. + +Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index ccfec4c0c159a..62d936c2838c9 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -727,7 +727,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component); + u8 data = 0; + +- switch (params_width(params)) { ++ switch (params_physical_width(params)) { + case 16: + data = ADCX140_16_BIT_WORD; + break; +@@ -742,7 +742,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + break; + default: + dev_err(component->dev, "%s: Unsupported width %d\n", +- __func__, params_width(params)); ++ __func__, params_physical_width(params)); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.12/btrfs-factor-out-check_removing_space_info-from-btrf.patch b/queue-6.12/btrfs-factor-out-check_removing_space_info-from-btrf.patch new file mode 100644 index 0000000000..aedf1964b1 --- /dev/null 
+++ b/queue-6.12/btrfs-factor-out-check_removing_space_info-from-btrf.patch 
@@ -0,0 +1,93 @@ +From 39c8976a52974e8e6afdb0bd7af78a99c88cfd82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 11:43:45 +0900 +Subject: btrfs: factor out check_removing_space_info() from + btrfs_free_block_groups() + +From: Naohiro Aota + +[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ] + +Factor out check_removing_space_info() from btrfs_free_block_groups(). It +sanity checks a to-be-removed space_info. There is no functional change. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 49 +++++++++++++++++++++++------------------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index 83a196521670b..8dce7046940c4 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -4416,6 +4416,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info) + } + } + ++static void check_removing_space_info(struct btrfs_space_info *space_info) ++{ ++ struct btrfs_fs_info *info = space_info->fs_info; ++ ++ /* ++ * Do not hide this behind enospc_debug, this is actually important and ++ * indicates a real bug if this happens. ++ */ ++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0)) ++ btrfs_dump_space_info(info, space_info, 0, 0); ++ ++ /* ++ * If there was a failure to cleanup a log tree, very likely due to an ++ * IO failure on a writeback attempt of one or more of its extent ++ * buffers, we could not do proper (and cheap) unaccounting of their ++ * reserved space, so don't warn on bytes_reserved > 0 in that case. 
++ */ ++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) || ++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) { ++ if (WARN_ON(space_info->bytes_reserved > 0)) ++ btrfs_dump_space_info(info, space_info, 0, 0); ++ } ++ ++ WARN_ON(space_info->reclaim_size > 0); ++} ++ + /* + * Must be called only after stopping all workers, since we could have block + * group caching kthreads running, and therefore they could race with us if we +@@ -4517,28 +4543,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info) + struct btrfs_space_info, + list); + +- /* +- * Do not hide this behind enospc_debug, this is actually +- * important and indicates a real bug if this happens. +- */ +- if (WARN_ON(space_info->bytes_pinned > 0 || +- space_info->bytes_may_use > 0)) +- btrfs_dump_space_info(info, space_info, 0, 0); +- +- /* +- * If there was a failure to cleanup a log tree, very likely due +- * to an IO failure on a writeback attempt of one or more of its +- * extent buffers, we could not do proper (and cheap) unaccounting +- * of their reserved space, so don't warn on bytes_reserved > 0 in +- * that case. +- */ +- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) || +- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) { +- if (WARN_ON(space_info->bytes_reserved > 0)) +- btrfs_dump_space_info(info, space_info, 0, 0); +- } +- +- WARN_ON(space_info->reclaim_size > 0); ++ check_removing_space_info(space_info); + list_del(&space_info->list); + btrfs_sysfs_remove_space_info(space_info); + } +-- +2.51.0 + diff --git a/queue-6.12/btrfs-factor-out-init_space_info-from-create_space_i.patch b/queue-6.12/btrfs-factor-out-init_space_info-from-create_space_i.patch new file mode 100644 index 0000000000..eb14c3be7a --- /dev/null +++ b/queue-6.12/btrfs-factor-out-init_space_info-from-create_space_i.patch 
@@ -0,0 +1,72 @@ +From 132218b6addbfa7358ab1952861584b77fe65cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 11:43:43 +0900 +Subject: btrfs: factor out init_space_info() from create_space_info() + +From: Naohiro Aota + +[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ] + +Factor out initialization of the space_info struct, which is used in a +later patch. There is no functional change. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index d5a9cd8a4fd8d..6497398fb4e2e 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -225,19 +225,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info, + WRITE_ONCE(space_info->chunk_size, chunk_size); + } + +-static int create_space_info(struct btrfs_fs_info *info, u64 flags) ++static void init_space_info(struct btrfs_fs_info *info, ++ struct btrfs_space_info *space_info, u64 flags) + { +- +- struct btrfs_space_info *space_info; +- int i; +- int ret; +- +- space_info = kzalloc(sizeof(*space_info), GFP_NOFS); +- if (!space_info) +- return -ENOMEM; +- + space_info->fs_info = info; +- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) ++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++) + INIT_LIST_HEAD(&space_info->block_groups[i]); + init_rwsem(&space_info->groups_sem); + spin_lock_init(&space_info->lock); +@@ -251,6 +243,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags) + + if (btrfs_is_zoned(info)) + space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH; ++} ++ ++static int create_space_info(struct btrfs_fs_info *info, u64 flags) ++{ ++ ++ struct btrfs_space_info 
*space_info; ++ int ret; ++ ++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS); ++ if (!space_info) ++ return -ENOMEM; ++ ++ init_space_info(info, space_info, flags); + + ret = btrfs_sysfs_add_space_info_type(info, space_info); + if (ret) +-- +2.51.0 + diff --git a/queue-6.12/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch b/queue-6.12/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch new file mode 100644 index 0000000000..4e144805d0 --- /dev/null +++ b/queue-6.12/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch 
@@ -0,0 +1,61 @@
+From 74a7e28e4ace62ab39839d9a9a0489fc6a6ec712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 9d47678875b76..b2c90696b86b2 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -291,18 +291,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
diff --git a/queue-6.12/btrfs-introduce-btrfs_space_info-sub-group.patch b/queue-6.12/btrfs-introduce-btrfs_space_info-sub-group.patch
new file mode 100644
index 0000000000..8a7e65da4f
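Review bot: In `create_space_info()` the new `out_free:` label frees only `space_info`, yet the second `goto out_free` can be reached after `create_space_info_sub_group()` has already succeeded, which would leave `space_info->sub_group[0]` and its registered kobject behind with a `parent` pointer to freed memory. That same path follows a failed `btrfs_sysfs_add_space_info_type()`, which, per the sysfs.c context in the sub-group patch on this page, already calls `kobject_put(&space_info->kobj)` on failure; if the ktype's release callback frees the containing structure (not visible here), the `kfree()` at `out_free` becomes a second free of the same object. I would confirm the release callback before taking this backport, give the two failure cases separate unwind steps, and tear down the sub-group before the parent goes away. The `kfree(sub_group)` that follows the same call in `create_space_info_sub_group()` raises the same question.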
--- /dev/null
+++ b/queue-6.12/btrfs-introduce-btrfs_space_info-sub-group.patch
@@ -0,0 +1,214 @@
+From 11089e1726271eb473a4d59d923ea79f22916345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Apr 2025 11:43:48 +0900
+Subject: btrfs: introduce btrfs_space_info sub-group
+
+From: Naohiro Aota
+
+[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ]
+
+Current code assumes we have only one space_info for each block group type
+(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to
+manage special block groups.
+
+One example is handling the data relocation block group for the zoned mode.
+That block group is dedicated for writing relocated data and we cannot
+allocate any regular extent from that block group, which is implemented in
+the zoned extent allocator. This block group still belongs to the normal
+data space_info. So, when all the normal data block groups are full and
+there is some free space in the dedicated block group, the space_info
+looks to have some free space, while it cannot allocate normal extent
+anymore. That results in a strange ENOSPC error. We need to have a
+space_info for the relocation data block group to represent the situation
+properly.
+
+Adds a basic infrastructure for having a "sub-group" of a space_info:
+creation and removing. A sub-group space_info belongs to one of the
+primary space_infos and has the same flags as its parent.
+
+This commit first introduces the relocation data sub-space_info, and the
+next commit will introduce tree-log sub-space_info. In the future, it could
+be useful to implement tiered storage for btrfs e.g. by implementing a
+sub-group space_info for block groups resides on a fast storage.
+
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Naohiro Aota
+Signed-off-by: David Sterba
+Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/block-group.c | 11 +++++++++++
+ fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++---
+ fs/btrfs/space-info.h | 9 +++++++++
+ fs/btrfs/sysfs.c | 18 ++++++++++++++---
+ 4 files changed, 76 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c
+index 8dce7046940c4..c3aec02bf199e 100644
+--- a/fs/btrfs/block-group.c
++++ b/fs/btrfs/block-group.c
+@@ -4420,6 +4420,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info)
+ {
+ struct btrfs_fs_info *info = space_info->fs_info;
+
++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) {
++ /* This is a top space_info, proceed with its children first. */
++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) {
++ if (space_info->sub_group[i]) {
++ check_removing_space_info(space_info->sub_group[i]);
++ kfree(space_info->sub_group[i]);
++ space_info->sub_group[i] = NULL;
++ }
++ }
++ }
++
+ /*
+ * Do not hide this behind enospc_debug, this is actually important and
+ * indicates a real bug if this happens.
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 6497398fb4e2e..9d47678875b76 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -240,16 +240,44 @@ static void init_space_info(struct btrfs_fs_info *info,
+ INIT_LIST_HEAD(&space_info->priority_tickets);
+ space_info->clamp = 1;
+ btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags));
++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY;
+
+ if (btrfs_is_zoned(info))
+ space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH;
+ }
+
++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags,
++ enum btrfs_space_info_sub_group id, int index)
++{
++ struct btrfs_fs_info *fs_info = parent->fs_info;
++ struct btrfs_space_info *sub_group;
++ int ret;
++
++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY);
++
++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS);
++ if (!sub_group)
++ return -ENOMEM;
++
++ init_space_info(fs_info, sub_group, flags);
++ parent->sub_group[index] = sub_group;
++ sub_group->parent = parent;
++ sub_group->subgroup_id = id;
++
++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group);
++ if (ret) {
++ kfree(sub_group);
++ parent->sub_group[index] = NULL;
++ }
++ return ret;
++}
++
+ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ {
+
+ struct btrfs_space_info *space_info;
+- int ret;
++ int ret = 0;
+
+ space_info = kzalloc(sizeof(*space_info), GFP_NOFS);
+ if (!space_info)
+@@ -257,6 +285,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+
+ init_space_info(info, space_info, flags);
+
++ if (btrfs_is_zoned(info)) {
++ if (flags & BTRFS_BLOCK_GROUP_DATA)
++ ret = create_space_info_sub_group(space_info, flags,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++ 0);
++ if (ret)
++ return ret;
++ }
++
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+ return ret;
+@@ -554,8 +591,9 @@ static void __btrfs_dump_space_info(const struct btrfs_fs_info *fs_info,
+ lockdep_assert_held(&info->lock);
+
+ /* The free space could be negative in case of overcommit */
+- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull",
+- flag_str,
++ btrfs_info(fs_info,
++ "space_info %s (sub-group id %d) has %lld free, is %sfull",
++ flag_str, info->subgroup_id,
+ (s64)(info->total_bytes - btrfs_space_info_used(info, true)),
+ info->full ? "" : "not ");
+ btrfs_info(fs_info,
+diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h
+index efbecc0c5258d..12c337b473870 100644
+--- a/fs/btrfs/space-info.h
++++ b/fs/btrfs/space-info.h
+@@ -93,8 +93,17 @@ enum btrfs_flush_state {
+ COMMIT_TRANS = 11,
+ };
+
++enum btrfs_space_info_sub_group {
++ BTRFS_SUB_GROUP_PRIMARY,
++ BTRFS_SUB_GROUP_DATA_RELOC,
++};
++
++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1
+ struct btrfs_space_info {
+ struct btrfs_fs_info *fs_info;
++ struct btrfs_space_info *parent;
++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX];
++ int subgroup_id;
+ spinlock_t lock;
+
+ u64 total_bytes; /* total bytes in the space,
+diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
+index 5912d50577666..ea13e3eee7d90 100644
+--- a/fs/btrfs/sysfs.c
++++ b/fs/btrfs/sysfs.c
+@@ -1792,16 +1792,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info)
+ kobject_put(&space_info->kobj);
+ }
+
+-static const char *alloc_name(u64 flags)
++static const char *alloc_name(struct btrfs_space_info *space_info)
+ {
++ u64 flags = space_info->flags;
++
+ switch (flags) {
+ case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA:
+ return "mixed";
+ case BTRFS_BLOCK_GROUP_METADATA:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "metadata";
+ case BTRFS_BLOCK_GROUP_DATA:
+- return "data";
++ switch (space_info->subgroup_id) {
++ case BTRFS_SUB_GROUP_PRIMARY:
++ return "data";
++ case BTRFS_SUB_GROUP_DATA_RELOC:
++ return "data-reloc";
++ default:
++ WARN_ON_ONCE(1);
++ return "data (unknown sub-group)";
++ }
+ case BTRFS_BLOCK_GROUP_SYSTEM:
++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY);
+ return "system";
+ default:
+ WARN_ON(1);
+@@ -1820,7 +1832,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info,
+
+ ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
+ fs_info->space_info_kobj, "%s",
+- alloc_name(space_info->flags));
++ alloc_name(space_info));
+ if (ret) {
+ kobject_put(&space_info->kobj);
+ return ret;
+--
+2.51.0
+
diff --git a/queue-6.12/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-6.12/btrfs-send-check-for-inline-extents-in-range_is_hole.patch
new file mode 100644
index 0000000000..fb72909b72
--- /dev/null
+++ b/queue-6.12/btrfs-send-check-for-inline-extents-in-range_is_hole.patch
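Review bot: `check_removing_space_info()` in fs/btrfs/block-group.c releases each sub-group with a bare `kfree(space_info->sub_group[i])`, although `create_space_info_sub_group()` registered that object's embedded kobject through `btrfs_sysfs_add_space_info_type()`. Nothing in the visible hunks removes the sysfs entry first, so the sub-group's sysfs directory would keep referring to freed memory during teardown. I would route the release through the kobject instead, e.g. `btrfs_sysfs_remove_space_info(space_info->sub_group[i]);`, assuming the ktype release callback performs the final free (it is not shown here). Separately, `parent->sub_group[index]` is written without a bounds check; `ASSERT(index >= 0 && index < BTRFS_SPACE_INFO_SUB_GROUP_MAX);` next to the two existing asserts would state the contract.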
@@ -0,0 +1,44 @@
+From c40c9c2f31cc6e48e98e0e3eff5b099d10f84935 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 41b7cbd070254..2fa577d4a232d 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6550,6 +6550,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
diff --git a/queue-6.12/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch b/queue-6.12/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
new file mode 100644
index 0000000000..3f481b0aae
--- /dev/null
+++ b/queue-6.12/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
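Review bot: The added `return 0;` in `range_is_hole_in_parent()` leaves the function directly from inside the search loop, whereas the neighbouring branches only use `goto next`. If this tree's version of the function still allocates `path` by hand and frees it at a common exit label (the hunk shows neither the start nor the end of the function), the early return skips that cleanup and leaks the path for every inline extent it meets; in that case the backport should read `ret = 0; goto out;` (label name assumed). Upstream may rely on scope-based freeing of the path that older stable branches lack, so this needs checking per queue; the same patch is also queued for 5.10 on this page.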
@@ -0,0 +1,50 @@
+From f746832ab50b726d16918cf87fb23f2672cf1606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek
+Reviewed-by: Vincent Mailhol
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 4fc9bed0d2e1e..d483cb7cfbcd5 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
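Review bot: With `return 0;` at the end of `es58x_alloc_rx_urbs()`, a partial allocation is reported only by the `dev_dbg()` line above it, so an interface running with fewer RX URBs than requested leaves no trace in a default log. I would keep the failure visible before returning, e.g. `if (ret) dev_warn(dev, "%s: only %d rx URBs allocated (%d)\n", __func__, i, ret);`, assuming `ret` still holds the failed allocation's error at that point. The allocation loop and the zero-URB case that the commit message presumably relies on are outside the hunk.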
diff --git a/queue-6.12/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-6.12/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
new file mode 100644
index 0000000000..10304dd5a0
--- /dev/null
+++ b/queue-6.12/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
@@ -0,0 +1,50 @@
+From dde3463ae0e297cd9fbda1b0f63d336f80a706d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Nov 2025 15:30:18 +0800
+Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths
+
+From: Haotian Zhang
+
+[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
+
+The dma_pool created by dma_pool_create() is not destroyed when
+dma_async_device_register() or of_dma_controller_register() fails,
+causing a resource leak in the probe error paths.
+
+Add dma_pool_destroy() in both error paths to properly release the
+allocated dma_pool resource.
+
+Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
+Signed-off-by: Haotian Zhang
+Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/ti/omap-dma.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
+index 6ab9bfbdc4809..d0c2fd5c62074 100644
+--- a/drivers/dma/ti/omap-dma.c
++++ b/drivers/dma/ti/omap-dma.c
+@@ -1808,6 +1808,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
+ rc);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ return rc;
+ }
+@@ -1823,6 +1825,8 @@ static int omap_dma_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_warn("OMAP-DMA: failed to register DMA controller\n");
+ dma_async_device_unregister(&od->ddev);
++ if (od->ll123_supported)
++ dma_pool_destroy(od->desc_pool);
+ omap_dma_free(od);
+ }
+ }
+--
+2.51.0
+
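Review bot: The same two-line pool teardown is now pasted into both failure branches of `omap_dma_probe()`, so every future exit from probe has to remember it as well. If the branches stay separate, the guard can go and each site becomes the single line `dma_pool_destroy(od->desc_pool);`, since `dma_pool_destroy()` accepts NULL; this holds provided `od->desc_pool` is NULL whenever the pool was not created, which the hunks do not show. Both hunks sit in the middle of the function, so the pool creation and the remaining unwind order are not visible here.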
diff --git a/queue-6.12/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-6.12/dmaengine-tegra-adma-fix-use-after-free.patch
new file mode 100644
index 0000000000..d0e7dc1932
--- /dev/null
+++ b/queue-6.12/dmaengine-tegra-adma-fix-use-after-free.patch
@@ -0,0 +1,110 @@
+From e737c3ca594789a5662441fbe7e4c6650ee2628b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Nov 2025 19:54:45 +0530
+Subject: dmaengine: tegra-adma: Fix use-after-free
+
+From: Sheetal
+
+[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
+
+A use-after-free bug exists in the Tegra ADMA driver when audio streams
+are terminated, particularly during XRUN conditions. The issue occurs
+when the DMA buffer is freed by tegra_adma_terminate_all() before the
+vchan completion tasklet finishes accessing it.
+
+The race condition follows this sequence:
+
+ 1. DMA transfer completes, triggering an interrupt that schedules the
+ completion tasklet (tasklet has not executed yet)
+ 2. Audio playback stops, calling tegra_adma_terminate_all() which
+ frees the DMA buffer memory via kfree()
+ 3. The scheduled tasklet finally executes, calling vchan_complete()
+ which attempts to access the already-freed memory
+
+Since tasklets can execute at any time after being scheduled, there is
+no guarantee that the buffer will remain valid when vchan_complete()
+runs.
+
+Fix this by properly synchronizing the virtual channel completion:
+ - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
+ descriptors as terminated instead of freeing the descriptor.
+ - Add the callback tegra_adma_synchronize() that calls
+ vchan_synchronize() which kills any pending tasklets and frees any
+ terminated descriptors.
+
+Crash logs:
+[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
+[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
+
+[ 337.427562] Call trace:
+[ 337.427564] dump_backtrace+0x0/0x320
+[ 337.427571] show_stack+0x20/0x30
+[ 337.427575] dump_stack_lvl+0x68/0x84
+[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
+[ 337.427590] kasan_report+0x1f4/0x210
+[ 337.427598] __asan_load8+0xa0/0xd0
+[ 337.427603] vchan_complete+0x124/0x3b0
+[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
+[ 337.427617] tasklet_action+0x30/0x40
+[ 337.427623] __do_softirq+0x1a0/0x5c4
+[ 337.427628] irq_exit+0x110/0x140
+[ 337.427633] handle_domain_irq+0xa4/0xe0
+[ 337.427640] gic_handle_irq+0x64/0x160
+[ 337.427644] call_on_irq_stack+0x20/0x4c
+[ 337.427649] do_interrupt_handler+0x7c/0x90
+[ 337.427654] el1_interrupt+0x30/0x80
+[ 337.427659] el1h_64_irq_handler+0x18/0x30
+[ 337.427663] el1h_64_irq+0x7c/0x80
+[ 337.427667] cpuidle_enter_state+0xe4/0x540
+[ 337.427674] cpuidle_enter+0x54/0x80
+[ 337.427679] do_idle+0x2e0/0x380
+[ 337.427685] cpu_startup_entry+0x2c/0x70
+[ 337.427690] rest_init+0x114/0x130
+[ 337.427695] arch_call_rest_init+0x18/0x24
+[ 337.427702] start_kernel+0x380/0x3b4
+[ 337.427706] __primary_switched+0xc0/0xc8
+
+Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
+Signed-off-by: Sheetal
+Acked-by: Thierry Reding
+Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/tegra210-adma.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
+index 24ad7077c53ba..55e9dcca55390 100644
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -343,10 +343,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
+ return;
+ }
+
+- kfree(tdc->desc);
++ vchan_terminate_vdesc(&tdc->desc->vd);
+ tdc->desc = NULL;
+ }
+
++static void tegra_adma_synchronize(struct dma_chan *dc)
++{
++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
++
++ vchan_synchronize(&tdc->vc);
++}
++
+ static void tegra_adma_start(struct tegra_adma_chan *tdc)
+ {
+ struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
+@@ -938,6 +945,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
+ tdma->dma_dev.device_config = tegra_adma_slave_config;
+ tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
+ tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
+ tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
+--
+2.51.0
+
diff --git a/queue-6.12/dmaengine-xilinx-xdma-fix-regmap-max_register.patch b/queue-6.12/dmaengine-xilinx-xdma-fix-regmap-max_register.patch
new file mode 100644
index 0000000000..f1b0bca084
--- /dev/null
+++ b/queue-6.12/dmaengine-xilinx-xdma-fix-regmap-max_register.patch
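Review bot: `tegra_adma_stop()` now hands the descriptor to `vchan_terminate_vdesc()`, which changes the function's contract without saying so: the memory is released only later, when `vchan_synchronize()` runs, and the call presumably has to be made with `tdc->vc.lock` held because it moves the descriptor onto a virt-dma list. I would add `/* Caller holds tdc->vc.lock; the descriptor is freed later by vchan_synchronize(). */` above the new call, and a one-line comment on `tegra_adma_synchronize()` naming it as the point where terminated descriptors are reclaimed. It is also worth confirming that `tdc->desc` cannot be NULL on this path, since the old `kfree(tdc->desc)` tolerated NULL while `vchan_terminate_vdesc()` dereferences the descriptor; the callers and the top of the function are outside the hunk.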
@@ -0,0 +1,85 @@
+From fac0e78ad7cd38129e2700314c555003155e507f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Oct 2025 17:48:49 +0200
+Subject: dmaengine: xilinx: xdma: Fix regmap max_register
+
+From: Anthony Brandon
+
+[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
+
+The max_register field is assigned the size of the register memory
+region instead of the offset of the last register.
+The result is that reading from the regmap via debugfs can cause
+a segmentation fault:
+
+tail /sys/kernel/debug/regmap/xdma.1.auto/registers
+Unable to handle kernel paging request at virtual address ffff800082f70000
+Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+[...]
+Call trace:
+ regmap_mmio_read32le+0x10/0x30
+ _regmap_bus_reg_read+0x74/0xc0
+ _regmap_read+0x68/0x198
+ regmap_read+0x54/0x88
+ regmap_read_debugfs+0x140/0x380
+ regmap_map_read_file+0x30/0x48
+ full_proxy_read+0x68/0xc8
+ vfs_read+0xcc/0x310
+ ksys_read+0x7c/0x120
+ __arm64_sys_read+0x24/0x40
+ invoke_syscall.constprop.0+0x64/0x108
+ do_el0_svc+0xb0/0xd8
+ el0_svc+0x38/0x130
+ el0t_64_sync_handler+0x120/0x138
+ el0t_64_sync+0x194/0x198
+Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
+---[ end trace 0000000000000000 ]---
+note: tail[1217] exited with irqs disabled
+note: tail[1217] exited with preempt_count 1
+Segmentation fault
+
+Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
+Reviewed-by: Lizhi Hou
+Reviewed-by: Radhey Shyam Pandey
+Reviewed-by: Alexander Stein
+Signed-off-by: Anthony Brandon
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xdma-regs.h | 1 +
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
+index 6ad08878e9386..70bca92621aa4 100644
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -9,6 +9,7 @@
+
+ /* The length of register space exposed to host */
+ #define XDMA_REG_SPACE_LEN 65536
++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
+
+ /*
+ * maximum number of DMA channels for each direction:
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index 718842fdaf98e..2726c7154fcef 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
+ .reg_bits = 32,
+ .val_bits = 32,
+ .reg_stride = 4,
+- .max_register = XDMA_REG_SPACE_LEN,
++ .max_register = XDMA_MAX_REG_OFFSET,
+ };
+
+ /**
+--
+2.51.0
+
diff --git a/queue-6.12/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-6.12/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
new file mode 100644
index 0000000000..7e5a7f5729
--- /dev/null
+++ b/queue-6.12/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
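Review bot: `XDMA_MAX_REG_OFFSET` hard-codes `4`, which silently duplicates `.reg_stride = 4` in `xdma_regmap_config`, and nothing next to the define says that regmap's `max_register` is the last valid offset rather than a length. I would add `/* Offset of the last 32-bit register; regmap max_register is inclusive */` above the new define in xdma-regs.h. The bound is still derived from the fixed `XDMA_REG_SPACE_LEN` rather than from the size of the region actually mapped at probe time (not visible here), so if a platform supplies a smaller resource the same out-of-bounds debugfs read would remain possible.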
@@ -0,0 +1,61 @@
+From bf98764610883dae8db0bcd17c9aedc5024abf2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey
+Reviewed-by: Folker Schwesinger
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index aa59b62cd83fb..3ad37e9b924a7 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -130,6 +130,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3063,7 +3064,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3137,7 +3138,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
diff --git a/queue-6.12/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch b/queue-6.12/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
new file mode 100644
index 0000000000..cffacaedfe
--- /dev/null
+++ b/queue-6.12/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
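Review bot: The new constant is spelled `XILINX_DMA_DFAULT_ADDRWIDTH` (missing `E`) and is defined as `0x20`, although it is a bit count that the warning prints with `%d` and the code compares against decimal `32`; `#define XILINX_DMA_DEFAULT_ADDRWIDTH 32` would read more clearly. Beyond the naming, the value read from the `xlnx,addrwidth` property is only tested with `addr_width > 32` in the visible lines. If it later feeds the DMA mask, as the commit message suggests, an upper bound check that rejects `addr_width > 64` would keep a malformed device tree from producing an invalid mask. `xilinx_dma_probe()` continues outside the hunks, so the mask setup itself is not shown.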
@@ -0,0 +1,39 @@
+From c39362b22dcd8f81a2ad279f2bdee48bc1a53ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 14:42:40 +0800
+Subject: drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
+
+From: Yang Wang
+
+[ Upstream commit 90dbc0bc2aa60021615969841fed06790c992bde ]
+
+resolving the issue of incorrect type definitions potentially causing calculation errors.
+
+Fixes: 54f7f3ca982a ("drm/amdgpu/swm14: Update power limit logic")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit e3a03d0ae16d6b56e893cce8e52b44140e1ed985)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+index d0aed85db18cc..f34cef26b382c 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+@@ -1672,8 +1672,9 @@ static int smu_v14_0_2_get_power_limit(struct smu_context *smu,
+ table_context->power_play_table;
+ PPTable_t *pptable = table_context->driver_pptable;
+ CustomSkuTable_t *skutable = &pptable->CustomSkuTable;
+- uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
++ int16_t od_percent_upper = 0, od_percent_lower = 0;
+ uint32_t msg_limit = pptable->SkuTable.MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
++ uint32_t power_limit;
+
+ if (smu_v14_0_get_current_power_limit(smu, &power_limit))
+ power_limit = smu->adev->pm.ac_power ?
+--
+2.51.0
+
diff --git a/queue-6.12/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch b/queue-6.12/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
new file mode 100644
index 0000000000..dd37d1e334
--- /dev/null
+++ b/queue-6.12/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
@@ -0,0 +1,68 @@
+From 9de050d671c9fe2a3aa270dfab08ba10db8528d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 09:20:59 -0600
+Subject: drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
+
+From: Ian Forbes
+
+[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ]
+
+Some of the warnings need to be reordered between these two functions
+in order to be correct. This has happened multiple times.
+Merging them solves this problem once and for all.
+
+Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers")
+Signed-off-by: Ian Forbes
+Signed-off-by: Zack Rusin
+Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+index e8e49f13cfa2c..86834005de713 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+@@ -32,9 +32,15 @@
+
+ #include
+
+-static void vmw_bo_release(struct vmw_bo *vbo)
++/**
++ * vmw_bo_free - vmw_bo destructor
++ *
++ * @bo: Pointer to the embedded struct ttm_buffer_object
++ */
++static void vmw_bo_free(struct ttm_buffer_object *bo)
+ {
+ struct vmw_resource *res;
++ struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+
+ WARN_ON(vbo->tbo.base.funcs &&
+ kref_read(&vbo->tbo.base.refcount) != 0);
+@@ -63,20 +69,8 @@ static void vmw_bo_release(struct vmw_bo *vbo)
+ }
+ vmw_surface_unreference(&vbo->dumb_surface);
+ }
+- drm_gem_object_release(&vbo->tbo.base);
+-}
+-
+-/**
+- * vmw_bo_free - vmw_bo destructor
+- *
+- * @bo: Pointer to the embedded struct ttm_buffer_object
+- */
+-static void vmw_bo_free(struct ttm_buffer_object *bo)
+-{
+- struct vmw_bo *vbo = to_vmw_bo(&bo->base);
+-
+ WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree));
+- vmw_bo_release(vbo);
++ drm_gem_object_release(&vbo->tbo.base);
+ WARN_ON(vbo->dirty);
+ kfree(vbo);
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch b/queue-6.12/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
new file mode 100644
index 0000000000..2784ca7010
--- /dev/null
+++ b/queue-6.12/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
@@ -0,0 +1,71 @@
+From 9707ac30d666e98a705e338750f8e832186a7d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Oct 2025 19:07:42 +0100
+Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
+
+From: Neil Armstrong
+
+[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ]
+
+The I2C Hub controller is a simpler GENI I2C variant that doesn't
+support DMA at all, add a no_dma flag to make sure it nevers selects
+the SE DMA mode with mappable 32bytes long transfers.
+
+Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant")
+Signed-off-by: Neil Armstrong
+Reviewed-by: Konrad Dybcio
+Reviewed-by: Mukesh Kumar Savaliya >
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index 212336f724a69..96b024dc3f20f 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -97,6 +97,7 @@ struct geni_i2c_dev {
+ dma_addr_t dma_addr;
+ struct dma_chan *tx_c;
+ struct dma_chan *rx_c;
++ bool no_dma;
+ bool gpi_mode;
+ bool abort_done;
+ };
+@@ -411,7 +412,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -450,7 +451,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
+ size_t len = msg->len;
+ struct i2c_msg *cur;
+
+- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
+ if (dma_buf)
+ geni_se_select_mode(se, GENI_SE_DMA);
+ else
+@@ -865,10 +866,12 @@ static int geni_i2c_probe(struct platform_device *pdev)
+ return -ENXIO;
+ }
+
+- if (desc && desc->no_dma_support)
++ if (desc && desc->no_dma_support) {
+ fifo_disable = false;
+- else
++ gi2c->no_dma = true;
++ } else {
+ fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
++ }
+
+ if (fifo_disable) {
+ /* FIFO is disabled, so we can only use GPI DMA */
+--
+2.51.0
+
diff --git a/queue-6.12/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-6.12/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
new file mode 100644
index 0000000000..dee4e0e885
--- /dev/null
+++ b/queue-6.12/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
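Review bot: The new `no_dma` member sits next to `gpi_mode` in `struct geni_i2c_dev` with no comment saying which DMA path it disables. From the probe hunk it is set only when `desc->no_dma_support` is true, and it gates SE DMA selection in the rx/tx paths, so something like `bool no_dma; /* variant has no SE DMA: always use FIFO mode */` would make that explicit. The identical expression `gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32)` is now duplicated in `geni_i2c_rx_one_msg()` and `geni_i2c_tx_one_msg()`; a small static helper would keep the two call sites in step. Both functions continue outside the hunks.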
@@ -0,0 +1,105 @@
+From 135f2e49c0d865d112d3bafd11679f4a64d6654e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Jan 2026 16:31:09 +0000
+Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
+
+From: Eric Dumazet
+
+[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
+
+Blamed commit did not take care of VLAN encapsulations
+as spotted by syzbot [1].
+
+Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
+
+[1]
+ BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
+ INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
+ IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
+ ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
+ __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
+ ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
+ gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
+ ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
+ ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
+ ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
+ dst_input include/net/dst.h:474 [inline]
+ ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
+ NF_HOOK include/linux/netfilter.h:318 [inline]
+ ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
+ __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
+ __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
+ netif_receive_skb_internal net/core/dev.c:6338 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6397
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:4960 [inline]
+ slab_alloc_node mm/slub.c:5263 [inline]
+ kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
+ kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
+ __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
+ alloc_skb include/linux/skbuff.h:1383 [inline]
+ alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
+ sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
+ tun_alloc_skb drivers/net/tun.c:1461 [inline]
+ tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xbe2/0x15d0 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+ __se_sys_write fs/read_write.c:746 [inline]
+ __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
+ x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+
+Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
+Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index 6450ecf0d0a74..9f1b66bb513c7 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
+
+ skb_reset_network_header(skb);
+
+- if (!pskb_inet_may_pull(skb)) {
++ if (skb_vlan_inet_prepare(skb, true)) {
+ DEV_STATS_INC(tunnel->dev, rx_length_errors);
+ DEV_STATS_INC(tunnel->dev, rx_errors);
+ goto drop;
+--
+2.51.0
+
diff --git a/queue-6.12/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-6.12/ipv4-ip_gre-make-ipgre_header-robust.patch
new file mode 100644
index 0000000000..73576782e0
--- /dev/null
+++ b/queue-6.12/ipv4-ip_gre-make-ipgre_header-robust.patch
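Review bot: The new test `if (skb_vlan_inet_prepare(skb, true))` treats a non-zero return as failure, whereas the line it replaces, `if (!pskb_inet_may_pull(skb))`, treated a false return as failure, so this backport is only correct if `skb_vlan_inet_prepare()` in the 6.12 tree returns 0 on success. Its definition is not part of this patch; as far as I recall, older trees declare it `bool` with true meaning success and only later kernels return a drop reason, so this needs checking against `include/net/ip_tunnels.h` in the target branch before the patch is queued. If it is still `bool` there, the condition has to be `if (!skb_vlan_inet_prepare(skb, true)) {`, otherwise well-formed packets take the `drop` path while short ones reach the ECN decapsulation that the KMSAN report points at. `__ip6_tnl_rcv()` continues outside the hunk.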
@@ -0,0 +1,87 @@
+From c1f071ac1316f4f00d8fe1d6bc5efe84d43d3245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 9667f27740258..be85dbe74ac8c 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -889,10 +889,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
diff --git a/queue-6.12/ipv6-fix-use-after-free-in-inet6_addr_del.patch b/queue-6.12/ipv6-fix-use-after-free-in-inet6_addr_del.patch
new file mode 100644
index 0000000000..b9fd1d1f84
--- /dev/null
+++ b/queue-6.12/ipv6-fix-use-after-free-in-inet6_addr_del.patch
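Review bot: The headroom check added at the top of `ipgre_header()` has no comment explaining how a caller can arrive with too little headroom; the reason is only in the commit message (team or bonding changing `needed_headroom`/`hard_header_len` after the skb was allocated). I would add above the `if`: `/* lower devices can grow their header needs after the skb was allocated; expand the head instead of letting skb_push() hit skb_under_panic() */`. `needed` is declared `int` but is compared with and subtracted from `skb_headroom(skb)`, which is unsigned, so the comparison is done in unsigned arithmetic; declaring it `unsigned int` and returning `-(int)needed` would make that explicit. The function continues outside the hunk.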
@@ -0,0 +1,132 @@
+From ee1176c1b8b5be253eff33bc4ce7b027c93083d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jan 2026 01:05:08 +0000
+Subject: ipv6: Fix use-after-free in inet6_addr_del().
+
+From: Kuniyuki Iwashima
+
+[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
+
+syzbot reported use-after-free of inet6_ifaddr in
+inet6_addr_del(). [0]
+
+The cited commit accidentally moved ipv6_del_addr() for
+mngtmpaddr before reading its ifp->flags for temporary
+addresses in inet6_addr_del().
+
+Let's move ipv6_del_addr() down to fix the UAF.
+
+[0]:
+BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
+
+CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcd/0x630 mm/kasan/report.c:482
+ kasan_report+0xe0/0x110 mm/kasan/report.c:595
+ inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
+ addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
+ inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f164cf8f749
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
+RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
+RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
+
+
+Allocated by task 9593:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ kzalloc_noprof include/linux/slab.h:1094 [inline]
+ ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
+ inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
+ addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
+ inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
+ sock_do_ioctl+0x118/0x280 net/socket.c:1254
+ sock_ioctl+0x227/0x6b0 net/socket.c:1375
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6099:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:77
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2540 [inline]
+ slab_free_freelist_hook mm/slub.c:2569 [inline]
+ slab_free_bulk mm/slub.c:6696 [inline]
+ kmem_cache_free_bulk mm/slub.c:7383 [inline]
+ kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
+ kfree_bulk include/linux/slab.h:830 [inline]
+ kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
+ kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
+ kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
+ process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
+ process_scheduled_works kernel/workqueue.c:3340 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
+ kthread+0x3c5/0x780 kernel/kthread.c:463
+ ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
+Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
+Signed-off-by: Kuniyuki Iwashima
+Reviewed-by: Hangbin Liu
+Reviewed-by: Eric Dumazet
+Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/addrconf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 228cf72e52503..e57a2b1841616 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3141,12 +3141,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
+ in6_ifa_hold(ifp);
+ read_unlock_bh(&idev->lock);
+
+- ipv6_del_addr(ifp);
+-
+ if (!(ifp->flags & IFA_F_TEMPORARY) &&
+ (ifp->flags & IFA_F_MANAGETEMPADDR))
+ delete_tempaddrs(idev, ifp);
+
++ ipv6_del_addr(ifp);
++
+ addrconf_verify_rtnl(net);
+ if (ipv6_addr_is_multicast(pfx)) {
+ ipv6_mc_config(net->ipv6.mc_autojoin_sk,
+--
+2.51.0
+
diff --git a/queue-6.12/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-6.12/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
new file mode 100644
index 0000000000..fed088ac1b
--- /dev/null
+++ b/queue-6.12/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
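Review bot: The fix in `inet6_addr_del()` rests purely on statement order, and nothing in the new code warns that `ifp` must not be read once `ipv6_del_addr(ifp)` has run, which is how the cited regression crept in. A comment directly above the moved call, e.g. `/* ipv6_del_addr() may drop the last reference; do not touch ifp after this point */`, would protect the ordering; the reference accounting is inferred from the `in6_ifa_hold(ifp)` above and the KASAN report, since `ipv6_del_addr()` itself is not in the hunk. Reading `ifp->flags` once into a local before either call would keep the function safe even if the statements are reordered again.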
@@ -0,0 +1,108 @@
+From 7d656fafd59cffa4e59d9287a09378465c68e790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 13:36:51 +0000
+Subject: macvlan: fix possible UAF in macvlan_forward_source()
+
+From: Eric Dumazet
+
+[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
+
+Add RCU protection on (struct macvlan_source_entry)->vlan.
+
+Whenever macvlan_hash_del_source() is called, we must clear
+entry->vlan pointer before RCU grace period starts.
+
+This allows macvlan_forward_source() to skip over
+entries queued for freeing.
+
+Note that macvlan_dev are already RCU protected, as they
+are embedded in a standard netdev (netdev_priv(ndev)).
+
+Fixes: 79cf79abce71 ("macvlan: add source mode")
+Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
+https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/macvlan.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index cf18e66de142c..ee59b57dfb53a 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -58,7 +58,7 @@ struct macvlan_port {
+
+ struct macvlan_source_entry {
+ struct hlist_node hlist;
+- struct macvlan_dev *vlan;
++ struct macvlan_dev __rcu *vlan;
+ unsigned char addr[6+2] __aligned(sizeof(u16));
+ struct rcu_head rcu;
+ };
+@@ -145,7 +145,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+ if (ether_addr_equal_64bits(entry->addr, addr) &&
+- entry->vlan == vlan)
++ rcu_access_pointer(entry->vlan) == vlan)
+ return entry;
+ }
+ return NULL;
+@@ -167,7 +167,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
+ return -ENOMEM;
+
+ ether_addr_copy(entry->addr, addr);
+- entry->vlan = vlan;
++ RCU_INIT_POINTER(entry->vlan, vlan);
+ h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
+ hlist_add_head_rcu(&entry->hlist, h);
+ vlan->macaddr_count++;
+@@ -186,6 +186,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
+
+ static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
+ {
++ RCU_INIT_POINTER(entry->vlan, NULL);
+ hlist_del_rcu(&entry->hlist);
+ kfree_rcu(entry, rcu);
+ }
+@@ -389,7 +390,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
+ int i;
+
+ hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
+- if (entry->vlan == vlan)
++ if (rcu_access_pointer(entry->vlan) == vlan)
+ macvlan_hash_del_source(entry);
+
+ vlan->macaddr_count = 0;
+@@ -432,9 +433,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
+
+ hlist_for_each_entry_rcu(entry, h, hlist) {
+ if (ether_addr_equal_64bits(entry->addr, addr)) {
+- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
++
++ if (!vlan)
++ continue;
++
++ if (vlan->flags & MACVLAN_FLAG_NODST)
+ consume = true;
+- macvlan_forward_source_one(skb, entry->vlan);
++ macvlan_forward_source_one(skb, vlan);
+ }
+ }
+
+@@ -1676,7 +1682,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
+ struct macvlan_source_entry *entry;
+
+ hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
+- if (entry->vlan != vlan)
++ if (rcu_access_pointer(entry->vlan) != vlan)
+ continue;
+ if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
+ return 1;
+--
+2.51.0
+
diff --git a/queue-6.12/mm-describe-flags-parameter-in-memalloc_flags_save.patch b/queue-6.12/mm-describe-flags-parameter-in-memalloc_flags_save.patch
new file mode 100644
index 0000000000..ee3aa047a1
--- /dev/null
+++ b/queue-6.12/mm-describe-flags-parameter-in-memalloc_flags_save.patch
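Review bot: `macvlan_hash_del_source()` now clears `entry->vlan` before `hlist_del_rcu()`/`kfree_rcu()`, but the reason lives only in the commit message: RCU readers in `macvlan_forward_source()` can still walk onto the entry and must see NULL instead of a device that is going away. A comment on the new line, e.g. `/* readers may still find this entry until the grace period ends; NULL tells them to skip it */`, would stop a later cleanup from dropping the store as redundant. The other converted sites only compare the pointer through `rcu_access_pointer()` and never dereference it, so the NULL check is needed solely at the `rcu_dereference()` site, which has it.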
@@ -0,0 +1,50 @@
+From 713c6d9d2eac2e6f7aafd5645a50f7bad2a15872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:04 +0700
+Subject: mm: describe @flags parameter in memalloc_flags_save()
+
+From: Bagas Sanjaya
+
+[ Upstream commit e2fb7836b01747815f8bb94981c35f2688afb120 ]
+
+Patch series "mm kernel-doc fixes".
+
+Here are kernel-doc fixes for mm subsystem. I'm also including textsearch
+fix since there's currently no maintainer for include/linux/textsearch.h
+(get_maintainer.pl only shows LKML).
+
+This patch (of 4):
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/sched/mm.h:332 function parameter 'flags' not described in 'memalloc_flags_save'
+
+Describe @flags to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-2-bagasdotme@gmail.com
+Link: https://lkml.kernel.org/r/20251219014006.16328-3-bagasdotme@gmail.com
+Signed-off-by: Bagas Sanjaya
+Fixes: 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}")
+Acked-by: David Hildenbrand (Red Hat)
+Acked-by: Harry Yoo
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/sched/mm.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
+index 928a626725e69..ddcaaa499a044 100644
+--- a/include/linux/sched/mm.h
++++ b/include/linux/sched/mm.h
+@@ -323,6 +323,7 @@ static inline void might_alloc(gfp_t gfp_mask)
+
+ /**
+ * memalloc_flags_save - Add a PF_* flag to current->flags, save old value
++ * @flags: Flags to add.
+ *
+ * This allows PF_* flags to be conveniently added, irrespective of current
+ * value, and then the old version restored with memalloc_flags_restore().
+--
+2.51.0
+
diff --git a/queue-6.12/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch b/queue-6.12/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
new file mode 100644
index 0000000000..49c1709a2b
--- /dev/null
+++ b/queue-6.12/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
@@ -0,0 +1,42 @@
+From 7b641a42c5e77f6e6766075d8c657a16689c9c9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya
+Acked-by: Marco Elver
+Acked-by: David Hildenbrand (Red Hat)
+Acked-by: Harry Yoo
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 0ad1ddbb8b996..e5822f6e7f279 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -211,6 +211,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
diff --git a/queue-6.12/net-bridge-annotate-data-races-around-fdb-updated-us.patch b/queue-6.12/net-bridge-annotate-data-races-around-fdb-updated-us.patch
new file mode 100644
index 0000000000..5c6050c50c
--- /dev/null
+++ b/queue-6.12/net-bridge-annotate-data-races-around-fdb-updated-us.patch
@@ -0,0 +1,143 @@
+From 7276775f90a7f0883d4f6e38989234b1ddef4807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 09:38:06 +0000
+Subject: net: bridge: annotate data-races around fdb->{updated,used}
+
+From: Eric Dumazet
+
+[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]
+
+fdb->updated and fdb->used are read and written locklessly.
+
+Add READ_ONCE()/WRITE_ONCE() annotations.
+
+Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries")
+Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
+Signed-off-by: Eric Dumazet
+Acked-by: Nikolay Aleksandrov
+Reviewed-by: Ido Schimmel
+Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_fdb.c | 28 ++++++++++++++++------------
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 642b8ccaae8ea..9dd405b64fcc9 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -70,7 +70,7 @@ static inline int has_expired(const struct net_bridge *br,
+ {
+ return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
+ !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
+- time_before_eq(fdb->updated + hold_time(br), jiffies);
++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies);
+ }
+
+ static void fdb_rcu_free(struct rcu_head *head)
+@@ -133,9 +133,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
+ if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
+ goto nla_put_failure;
+
+- ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used));
+ ci.ndm_confirmed = 0;
+- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
++ ci.ndm_updated = jiffies_to_clock_t(now - READ_ONCE(fdb->updated));
+ ci.ndm_refcnt = 0;
+ if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
+ goto nla_put_failure;
+@@ -552,7 +552,7 @@ void br_fdb_cleanup(struct work_struct *work)
+ */
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
+- unsigned long this_timer = f->updated + delay;
++ unsigned long this_timer = READ_ONCE(f->updated) + delay;
+
+ if (test_bit(BR_FDB_STATIC, &f->flags) ||
+ test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) {
+@@ -829,6 +829,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ {
+ struct net_bridge_fdb_entry *f;
+ struct __fdb_entry *fe = buf;
++ unsigned long delta;
+ int num = 0;
+
+ memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
+@@ -858,8 +859,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
+ fe->port_hi = f->dst->port_no >> 8;
+
+ fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
+- if (!test_bit(BR_FDB_STATIC, &f->flags))
+- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
++ if (!test_bit(BR_FDB_STATIC, &f->flags)) {
++ delta = jiffies - READ_ONCE(f->updated);
++ fe->ageing_timer_value =
++ jiffies_delta_to_clock_t(delta);
++ }
+ ++fe;
+ ++num;
+ }
+@@ -907,8 +911,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
+ unsigned long now = jiffies;
+ bool fdb_modified = false;
+
+- if (now != fdb->updated) {
+- fdb->updated = now;
++ if (now != READ_ONCE(fdb->updated)) {
++ WRITE_ONCE(fdb->updated, now);
+ fdb_modified = __fdb_mark_active(fdb);
+ }
+
+@@ -1146,10 +1150,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ if (modified) {
+ if (refresh)
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+ fdb_notify(br, fdb, RTM_NEWNEIGH, true);
+ }
+
+@@ -1462,7 +1466,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ goto err_unlock;
+ }
+
+- fdb->updated = jiffies;
++ WRITE_ONCE(fdb->updated, jiffies);
+
+ if (READ_ONCE(fdb->dst) != p) {
+ WRITE_ONCE(fdb->dst, p);
+@@ -1471,7 +1475,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+ /* Refresh entry */
+- fdb->used = jiffies;
++ WRITE_ONCE(fdb->used, jiffies);
+ } else {
+ modified = true;
+ }
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 2eb2bb6643885..8c26605c4cc1e 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -207,8 +207,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if (test_bit(BR_FDB_LOCAL, &dst->flags))
+ return br_pass_frame_up(skb, false);
+
+- if (now != READ_ONCE(dst->used))
+- dst->used = now;
++ if (now != READ_ONCE(dst->used))
++ WRITE_ONCE(dst->used, now);
+ br_forward(dst->dst, skb, local_rcv, false);
+ } else {
+ if (!mcast_hit)
+--
+2.51.0
+
diff --git a/queue-6.12/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch b/queue-6.12/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
new file mode 100644
index 0000000000..04f81f21a2
--- /dev/null
+++ b/queue-6.12/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
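Review bot: In `br_fdb_fillbuf()` the new `delta` is declared at function scope although it is used only inside the `if (!test_bit(BR_FDB_STATIC, &f->flags))` block; declaring it there, `unsigned long delta = jiffies - READ_ONCE(f->updated);`, keeps the temporary next to its single use. Separately, the annotated check-then-store pairs in `br_fdb_update()` and `br_handle_frame_finish()` stay deliberately unlocked, and a one-line comment such as `/* lockless timestamp refresh; races with other updaters are tolerated */` would document that intent; this wording is my reading of the change and should be confirmed. Whether every remaining access to `fdb->updated` and `fdb->used` is annotated cannot be judged from these hunks alone.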
@@ -0,0 +1,47 @@
+From 6eebcf6d9bf65b890546fc514db40c66e96b4cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg
+Reviewed-by: Dipayaan Roy
+Reviewed-by: Haiyang Zhang
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index d6fe8b5184a99..5f612528aa53a 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1765,6 +1765,9 @@ static int netvsc_set_rxfh(struct net_device *dev,
+ rxfh->hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (rxfh->indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
diff --git a/queue-6.12/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch b/queue-6.12/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch
new file mode 100644
index 0000000000..650a2d4efb
--- /dev/null
+++ b/queue-6.12/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch
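Review bot: The new `if (!ndc->rx_table_sz) return -EOPNOTSUPP;` in `netvsc_set_rxfh()` rejects every request, including a key-only update, and the code itself gives no reason; the commit message explains that no indirection table is allocated when the device reports a single receive queue. A comment above the check, e.g. `/* no RX indirection table (single queue): RSS cannot be programmed */`, would carry that into the source. It is also worth confirming that the matching get path reports a zero-sized table in this state so user space sees a consistent picture; that function is not part of this hunk.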
@@ -0,0 +1,152 @@ +From 50bcef8a1afb9a4fcb28e9dd27bbd580a4749f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:55 -0800 +Subject: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv + +From: Saeed Mahameed + +[ Upstream commit 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 ] + +mlx5e_priv is an unstable structure that can be memset(0) if profile +attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to +reference the netdev and mdev associated with that struct. Instead, +store netdev directly into mlx5e_dev and get mdev from the containing +mlx5_adev aux device structure. + +This fixes a kernel oops in mlx5e_remove when switchdev mode fails due +to change profile failure. + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev +Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + +$ devlink dev reload pci/0000:00:03.0 ==> oops + +BUG: kernel NULL pointer dereference, address: 0000000000000520 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_remove+0x68/0x130 +RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 +RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 +RDX: 0000000000000000 RSI: 0000000000000001 
RDI: 0000000000000000 +RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 +R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 +R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 +FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 +Call Trace: + + device_release_driver_internal+0x19c/0x200 + bus_remove_device+0xc6/0x130 + device_del+0x160/0x3d0 + ? devl_param_driverinit_value_get+0x2d/0x90 + mlx5_detach_device+0x89/0xe0 + mlx5_unload_one_devl_locked+0x3a/0x70 + mlx5_devlink_reload_down+0xc8/0x220 + devlink_reload+0x7d/0x260 + devlink_nl_reload_doit+0x45b/0x5a0 + genl_family_rcv_msg_doit+0xe8/0x140 + +Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device") +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Link: https://patch.msgid.link/20260108212657.25090-3-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: 4ef8512e1427 ("net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 7c0420deb270c..084c68479f734 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -946,7 +946,7 @@ struct mlx5e_priv { + }; + + struct mlx5e_dev { +- struct mlx5e_priv *priv; ++ struct net_device *netdev; + struct devlink_port dl_port; + }; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index af70025b129b7..4e2f985273a39 100644 +--- 
a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6323,8 +6323,8 @@ static int _mlx5e_resume(struct auxiliary_device *adev) + { + struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; +- struct net_device *netdev = priv->netdev; ++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev); ++ struct net_device *netdev = mlx5e_dev->netdev; + struct mlx5_core_dev *mdev = edev->mdev; + struct mlx5_core_dev *pos, *to; + int err, i; +@@ -6370,10 +6370,11 @@ static int mlx5e_resume(struct auxiliary_device *adev) + + static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg) + { ++ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; +- struct net_device *netdev = priv->netdev; +- struct mlx5_core_dev *mdev = priv->mdev; ++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev); ++ struct net_device *netdev = mlx5e_dev->netdev; ++ struct mlx5_core_dev *mdev = edev->mdev; + struct mlx5_core_dev *pos; + int i; + +@@ -6434,11 +6435,11 @@ static int _mlx5e_probe(struct auxiliary_device *adev) + goto err_devlink_port_unregister; + } + SET_NETDEV_DEVLINK_PORT(netdev, &mlx5e_dev->dl_port); ++ mlx5e_dev->netdev = netdev; + + mlx5e_build_nic_netdev(netdev); + + priv = netdev_priv(netdev); +- mlx5e_dev->priv = priv; + + priv->profile = profile; + priv->ppriv = NULL; +@@ -6501,7 +6502,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + { + struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; ++ struct net_device *netdev = mlx5e_dev->netdev; ++ struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5_core_dev *mdev = 
edev->mdev; + + mlx5_core_uplink_netdev_set(mdev, NULL); +@@ -6510,8 +6512,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + * if it's from legacy mode. If from switchdev mode, it + * is already unregistered before changing to NIC profile. + */ +- if (priv->netdev->reg_state == NETREG_REGISTERED) { +- unregister_netdev(priv->netdev); ++ if (netdev->reg_state == NETREG_REGISTERED) { ++ unregister_netdev(netdev); + _mlx5e_suspend(adev, false); + } else { + struct mlx5_core_dev *pos; +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch b/queue-6.12/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch new file mode 100644 index 0000000000..199c65f443 --- /dev/null +++ b/queue-6.12/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch 
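Review bot: In _mlx5e_resume() and _mlx5e_suspend() the new `struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);` always succeeds, even when priv was zeroed by a failed profile change, which is the case the commit message describes. The bodies of both functions continue outside the hunk, so I cannot see whether they test `priv->profile` before using priv. If they do not, the NULL dereference presumably just moves from the declaration to the first use. At minimum I would put `/* priv may be all-zero after a failed profile rollback; check priv->profile before use */` next to each of these declarations.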
@@ -0,0 +1,232 @@ +From def160ec1a755ae8664a4b14221148e5f6f67228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:54 -0800 +Subject: net/mlx5e: Fix crash on profile change rollback failure + +From: Saeed Mahameed + +[ Upstream commit 4dadc4077e3f77d6d31e199a925fc7a705e7adeb ] + +mlx5e_netdev_change_profile can fail to attach a new profile and can +fail to rollback to old profile, in such case, we could end up with a +dangling netdev with a fully reset netdev_priv. A retry to change +profile, e.g. another attempt to call mlx5e_netdev_change_profile via +switchdev mode change, will crash trying to access the now NULL +priv->mdev. + +This fix allows mlx5e_netdev_change_profile() to handle previous +failures and an empty priv, by not assuming priv is valid. + +Pass netdev and mdev to all flows requiring +mlx5e_netdev_change_profile() and avoid passing priv. +In mlx5e_netdev_change_profile() check if current priv is valid, and if +not, just attach the new profile without trying to access the old one. 
+ +This fixes the following oops, when enabling switchdev mode for the 2nd +time after first time failure: + + ## Enabling switchdev mode first time: + +mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + ^^^^^^^^ +mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) + + ## retry: Enabling switchdev mode 2nd time: + +mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload +BUG: kernel NULL pointer dereference, address: 0000000000000038 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 +Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 +RSP: 0018:ffffc90000673890 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 +RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 +R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 +R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 +FS: 
00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 +Call Trace: + + mlx5e_netdev_change_profile+0x45/0xb0 + mlx5e_vport_rep_load+0x27b/0x2d0 + mlx5_esw_offloads_rep_load+0x72/0xf0 + esw_offloads_enable+0x5d0/0x970 + mlx5_eswitch_enable_locked+0x349/0x430 + ? is_mp_supported+0x57/0xb0 + mlx5_devlink_eswitch_mode_set+0x26b/0x430 + devlink_nl_eswitch_set_doit+0x6f/0xf0 + genl_family_rcv_msg_doit+0xe8/0x140 + genl_rcv_msg+0x18b/0x290 + ? __pfx_devlink_nl_pre_doit+0x10/0x10 + ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 + ? __pfx_devlink_nl_post_doit+0x10/0x10 + ? __pfx_genl_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x52/0x100 + genl_rcv+0x28/0x40 + netlink_unicast+0x282/0x3e0 + ? __alloc_skb+0xd6/0x190 + netlink_sendmsg+0x1f7/0x430 + __sys_sendto+0x213/0x220 + ? __sys_recvmsg+0x6a/0xd0 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x50/0x1f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7fdfb8495047 + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-2-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 9 ++-- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 48 +++++++++++++------ + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++--- + 3 files changed, 44 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index f2952a6b0db73..7c0420deb270c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -1221,9 +1221,12 @@ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *prof + int mlx5e_attach_netdev(struct mlx5e_priv *priv); + void mlx5e_detach_netdev(struct 
mlx5e_priv *priv); + void mlx5e_destroy_netdev(struct mlx5e_priv *priv); +-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, +- const struct mlx5e_profile *new_profile, void *new_ppriv); +-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv); ++int mlx5e_netdev_change_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, ++ void *new_ppriv); ++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev); + void mlx5e_set_netdev_mtu_boundaries(struct mlx5e_priv *priv); + void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 mtu); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 7e04a17fa3b82..af70025b129b7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6252,19 +6252,28 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + return err; + } + +-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, +- const struct mlx5e_profile *new_profile, void *new_ppriv) ++int mlx5e_netdev_change_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, ++ void *new_ppriv) + { +- const struct mlx5e_profile *orig_profile = priv->profile; +- struct net_device *netdev = priv->netdev; +- struct mlx5_core_dev *mdev = priv->mdev; +- void *orig_ppriv = priv->ppriv; ++ struct mlx5e_priv *priv = netdev_priv(netdev); ++ const struct mlx5e_profile *orig_profile; + int err, rollback_err; ++ void *orig_ppriv; + +- /* cleanup old profile */ +- mlx5e_detach_netdev(priv); +- priv->profile->cleanup(priv); +- mlx5e_priv_cleanup(priv); ++ orig_profile = priv->profile; ++ orig_ppriv = priv->ppriv; ++ ++ /* NULL could happen if previous change_profile failed to rollback */ ++ if (priv->profile) { ++ WARN_ON_ONCE(priv->mdev != mdev); ++ 
/* cleanup old profile */ ++ mlx5e_detach_netdev(priv); ++ priv->profile->cleanup(priv); ++ mlx5e_priv_cleanup(priv); ++ } ++ /* priv members are not valid from this point ... */ + + if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { + mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); +@@ -6281,16 +6290,25 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, + return 0; + + rollback: ++ if (!orig_profile) { ++ netdev_warn(netdev, "no original profile to rollback to\n"); ++ priv->profile = NULL; ++ return err; ++ } ++ + rollback_err = mlx5e_netdev_attach_profile(netdev, mdev, orig_profile, orig_ppriv); +- if (rollback_err) +- netdev_err(netdev, "%s: failed to rollback to orig profile, %d\n", +- __func__, rollback_err); ++ if (rollback_err) { ++ netdev_err(netdev, "failed to rollback to orig profile, %d\n", ++ rollback_err); ++ priv->profile = NULL; ++ } + return err; + } + +-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv) ++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev) + { +- mlx5e_netdev_change_profile(priv, &mlx5e_nic_profile, NULL); ++ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL); + } + + void mlx5e_destroy_netdev(struct mlx5e_priv *priv) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index b561358474c4f..b461954b974c6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1499,17 +1499,16 @@ mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep * + { + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); + struct net_device *netdev; +- struct mlx5e_priv *priv; + int err; + + netdev = mlx5_uplink_netdev_get(dev); + if (!netdev) + return 0; + +- priv = netdev_priv(netdev); +- rpriv->netdev = priv->netdev; +- err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, +- rpriv); ++ 
/* must not use netdev_priv(netdev), it might not be initialized yet */ ++ rpriv->netdev = netdev; ++ err = mlx5e_netdev_change_profile(netdev, dev, ++ &mlx5e_uplink_rep_profile, rpriv); + mlx5_uplink_netdev_put(dev, netdev); + return err; + } +@@ -1537,7 +1536,7 @@ mlx5e_vport_uplink_rep_unload(struct mlx5e_rep_priv *rpriv) + if (!(priv->mdev->priv.flags & MLX5_PRIV_FLAGS_SWITCH_LEGACY)) + unregister_netdev(netdev); + +- mlx5e_netdev_attach_nic_profile(priv); ++ mlx5e_netdev_attach_nic_profile(netdev, priv->mdev); + } + + static int +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch b/queue-6.12/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch new file mode 100644 index 0000000000..7a7029fcea --- /dev/null +++ b/queue-6.12/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch 
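Review bot: mlx5e_netdev_attach_nic_profile() still discards the return value of mlx5e_netdev_change_profile(), although after this change a failed call deliberately leaves `priv->profile == NULL`. Its caller mlx5e_vport_uplink_rep_unload(), only partly visible here, continues as if the NIC profile were attached. That function still reads `priv->mdev` both in the `MLX5_PRIV_FLAGS_SWITCH_LEGACY` test and in the argument it passes, which the commit message says can be NULL on a reset priv. Since the prototype is void, I would at least state the contract on the wrapper, e.g. `/* Best effort: on failure priv->profile is left NULL and every later user of priv must check it */`.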
@@ -0,0 +1,162 @@ +From 826bbea43f9cbd4af1dd896e291f843271a9e1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:56 -0800 +Subject: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv + +From: Saeed Mahameed + +[ Upstream commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 ] + +mlx5e_priv is an unstable structure that can be memset(0) if profile +attaching fails. + +Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a +valid netdev. + +On mlx5e_remove: Check validity of priv->profile, before attempting +to cleanup any resources that might be not there. + +This fixes a kernel oops in mlx5e_remove when switchdev mode fails due +to change profile failure. + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev +Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + +$ devlink dev reload pci/0000:00:03.0 ==> oops + +BUG: kernel NULL pointer dereference, address: 0000000000000370 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 +RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 +RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 +RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 +R10: 
ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 +R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 +FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 +Call Trace: + + mlx5e_remove+0x57/0x110 + device_release_driver_internal+0x19c/0x200 + bus_remove_device+0xc6/0x130 + device_del+0x160/0x3d0 + ? devl_param_driverinit_value_get+0x2d/0x90 + mlx5_detach_device+0x89/0xe0 + mlx5_unload_one_devl_locked+0x3a/0x70 + mlx5_devlink_reload_down+0xc8/0x220 + devlink_reload+0x7d/0x260 + devlink_nl_reload_doit+0x45b/0x5a0 + genl_family_rcv_msg_doit+0xe8/0x140 + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Shay Drori +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-4-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------ + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 ++-- + 3 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index 084c68479f734..8245a149cdf85 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -1220,7 +1220,7 @@ struct net_device * + mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *profile); + int mlx5e_attach_netdev(struct mlx5e_priv *priv); + void mlx5e_detach_netdev(struct mlx5e_priv *priv); +-void mlx5e_destroy_netdev(struct mlx5e_priv *priv); ++void mlx5e_destroy_netdev(struct net_device *netdev); + int mlx5e_netdev_change_profile(struct net_device *netdev, + struct mlx5_core_dev *mdev, + const struct mlx5e_profile *new_profile, +diff --git 
a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 4e2f985273a39..5085bc8965dff 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6311,11 +6311,12 @@ void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, + mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL); + } + +-void mlx5e_destroy_netdev(struct mlx5e_priv *priv) ++void mlx5e_destroy_netdev(struct net_device *netdev) + { +- struct net_device *netdev = priv->netdev; ++ struct mlx5e_priv *priv = netdev_priv(netdev); + +- mlx5e_priv_cleanup(priv); ++ if (priv->profile) ++ mlx5e_priv_cleanup(priv); + free_netdev(netdev); + } + +@@ -6472,7 +6473,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev) + err_profile_cleanup: + profile->cleanup(priv); + err_destroy_netdev: +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + err_devlink_port_unregister: + mlx5e_devlink_port_unregister(mlx5e_dev); + err_devlink_unregister: +@@ -6507,7 +6508,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + struct mlx5_core_dev *mdev = edev->mdev; + + mlx5_core_uplink_netdev_set(mdev, NULL); +- mlx5e_dcbnl_delete_app(priv); ++ ++ if (priv->profile) ++ mlx5e_dcbnl_delete_app(priv); + /* When unload driver, the netdev is in registered state + * if it's from legacy mode. If from switchdev mode, it + * is already unregistered before changing to NIC profile. +@@ -6528,7 +6531,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + /* Avoid cleanup if profile rollback failed. 
*/ + if (priv->profile) + priv->profile->cleanup(priv); +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + mlx5e_devlink_port_unregister(mlx5e_dev); + mlx5e_destroy_devlink(mlx5e_dev); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index b461954b974c6..763b264721af1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1602,7 +1602,7 @@ mlx5e_vport_vf_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep) + priv->profile->cleanup(priv); + + err_destroy_netdev: +- mlx5e_destroy_netdev(netdev_priv(netdev)); ++ mlx5e_destroy_netdev(netdev); + return err; + } + +@@ -1657,7 +1657,7 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep) + mlx5e_rep_vnic_reporter_destroy(priv); + mlx5e_detach_netdev(priv); + priv->profile->cleanup(priv); +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + free_ppriv: + kvfree(ppriv); /* mlx5e_rep_priv */ + } +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-restore-destroying-state-bit-after-profile.patch b/queue-6.12/net-mlx5e-restore-destroying-state-bit-after-profile.patch new file mode 100644 index 0000000000..70464d58d9 --- /dev/null +++ b/queue-6.12/net-mlx5e-restore-destroying-state-bit-after-profile.patch 
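Review bot: `priv->profile` is now the open-coded test for "priv is still valid" in mlx5e_destroy_netdev() and twice in _mlx5e_remove(), yet the invariant is not written down anywhere in the visible hunks. The guard in mlx5e_destroy_netdev() deserves a comment such as `/* profile is NULL when priv was reset by a failed profile rollback; nothing left to clean up */`. mlx5e_vport_rep_unload() and the error path of mlx5e_vport_vf_rep_load() still call `priv->profile->cleanup(priv)` unguarded immediately before mlx5e_destroy_netdev(). If those paths can never see a reset priv, a one-line comment saying so would stop the next reader from assuming the new guard covers them. _mlx5e_remove() and the rep functions extend beyond these hunks.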
@@ -0,0 +1,69 @@
+From 8c0990cdac9c743e14cc590c25db1d33f4e778ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 5085bc8965dff..5736ed61e6eba 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6000,6 +6000,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -6026,6 +6027,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
diff --git a/queue-6.12/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch b/queue-6.12/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
new file mode 100644
index 0000000000..06e34db345
--- /dev/null
+++ b/queue-6.12/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
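Review bot: The restore at the end of mlx5e_priv_cleanup() is written as `if (destroying) /* restore destroying bit, to allow unload */`, with the comment wedged between the condition and its statement, which is easy to misread as an empty `if`. I would move the comment to its own line above the `if`. It should also say that this is the one state bit carried across the `memset()`, e.g. `/* MLX5E_STATE_DESTROYING is the only state kept across the reset, so unload can still proceed */`. The middle of the function lies between the two hunks and is not visible here.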
@@ -0,0 +1,46 @@
+From 86e84db3b43e89b0fe7b64732b6ccf731dcdcc41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jan 2026 00:42:57 +0800
+Subject: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
+
+From: Kery Qi
+
+[ Upstream commit f93fc5d12d69012788f82151bee55fce937e1432 ]
+
+octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
+ioq_vector. If request_irq() fails part-way, the rollback loop calls
+free_irq() with dev_id set to 'oct', which does not match the original
+dev_id and may leave the irqaction registered.
+
+This can keep IRQ handlers alive while ioq_vector is later freed during
+unwind/teardown, leading to a use-after-free or crash when an interrupt
+fires.
+
+Fix the error path to free IRQs with the same ioq_vector dev_id used
+during request_irq().
+
+Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
+Signed-off-by: Kery Qi
+Link: https://patch.msgid.link/20260108164256.1749-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+index ccb69bc5c9529..b9430c4a33a32 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+@@ -220,7 +220,7 @@ static int octep_vf_request_irqs(struct octep_vf_device *oct)
+ ioq_irq_err:
+ while (i) {
+ --i;
+- free_irq(oct->msix_entries[i].vector, oct);
++ free_irq(oct->msix_entries[i].vector, oct->ioq_vector[i]);
+ }
+ return -1;
+ }
+--
+2.51.0
+
diff --git a/queue-6.12/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-6.12/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
new file mode 100644
index 0000000000..1ba97a2715
--- /dev/null
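Review bot: The rollback path at `ioq_irq_err:` in octep_vf_request_irqs() still ends in `return -1;`, which callers see as -EPERM rather than the error request_irq() actually reported. Returning the saved error code would make a failed bring-up diagnosable. The request loop is outside the hunk, so the name of that variable is not visible here. If that loop also sets a per-vector affinity hint, the rollback should presumably clear it with `irq_set_affinity_hint(oct->msix_entries[i].vector, NULL);` before each `free_irq()`, which is worth checking against the full function.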
+++ b/queue-6.12/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
@@ -0,0 +1,46 @@
+From 7e103bc11882acc672661d4af7f5cbc1a15df98e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 998030d6ce2dd..d8dabc1a620bd 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.12/net-update-netdev_lock_-type-name.patch b/queue-6.12/net-update-netdev_lock_-type-name.patch
new file mode 100644
index 0000000000..6465fd422d
--- /dev/null
+++ b/queue-6.12/net-update-netdev_lock_-type-name.patch
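Review bot: After this change the `destroy_class:` label in qfq_change_class() no longer destroys anything when `existing` is set, and nothing in the code says why. I would add `/* Only free cl and its qdisc when they were allocated by this call; an existing class is still in use */` above `if (!existing) {`. The part of the function that sets `existing` and jumps to this label is outside the hunk. It is worth confirming there that no field of the existing class has already been modified by the time the error path is taken.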
@@ -0,0 +1,91 @@
+From d0fb3322fd902e4f09457f6a09a2b2e37636d978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index cfd32bd02a698..1d276a26a360d 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -474,15 +474,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -491,15 +497,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -512,6 +524,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
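Review bot: netdev_lock_type[] and netdev_lock_name[] in net/core/dev.c are still kept in step by hand, and both lock-key arrays are sized from netdev_lock_type[] alone, so an entry added to one table and not the other would go unnoticed at build time. The names are presumably looked up with the position netdev_lock_pos() returns (that code is outside the hunks), in which case a mismatch shifts every later name or reads past the end of the shorter table. A compile-time check next to the tables, `static_assert(ARRAY_SIZE(netdev_lock_type) == ARRAY_SIZE(netdev_lock_name));`, closes that gap; the new WARN_ONCE() only reports a missing type at run time. It is also worth confirming that no path lets dev_type take a value outside this table on request, because with panic_on_warn set the new warning would then halt the machine.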
diff --git a/queue-6.12/nfs-fix-a-deadlock-involving-nfs_release_folio.patch b/queue-6.12/nfs-fix-a-deadlock-involving-nfs_release_folio.patch
new file mode 100644
index 0000000000..010eafa0c0
--- /dev/null
+++ b/queue-6.12/nfs-fix-a-deadlock-involving-nfs_release_folio.patch
@@ -0,0 +1,116 @@
+From dc839798cda2082a37fff918a76ef602ca3dcf83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Dec 2025 11:42:31 -0500
+Subject: NFS: Fix a deadlock involving nfs_release_folio()
+
+From: Trond Myklebust
+
+[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ]
+
+Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
+waiting on kthreadd, which is attempting to reclaim memory by calling
+nfs_release_folio(). The latter cannot make progress due to state
+recovery being needed.
+
+It seems that the only safe thing to do here is to kick off a writeback
+of the folio, without waiting for completion, or else kicking off an
+asynchronous commit.
+
+Reported-by: Wang Zhaolong
+Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/file.c | 3 ++-
+ fs/nfs/nfstrace.h | 3 +++
+ fs/nfs/write.c | 33 +++++++++++++++++++++++++++++++++
+ include/linux/nfs_fs.h | 1 +
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index a16a619fb8c33..7d1840cea4444 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -461,7 +461,8 @@ static bool nfs_release_folio(struct folio *folio, gfp_t gfp)
+ if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
+ current_is_kswapd() || current_is_kcompactd())
+ return false;
+- if (nfs_wb_folio(folio->mapping->host, folio) < 0)
++ if (nfs_wb_folio_reclaim(folio->mapping->host, folio) < 0 ||
++ folio_test_private(folio))
+ return false;
+ }
+ return nfs_fscache_release_folio(folio, gfp);
+diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
+index 1eab98c277fab..2989b6f284ff4 100644
+--- a/fs/nfs/nfstrace.h
++++ b/fs/nfs/nfstrace.h
+@@ -1039,6 +1039,9 @@ DECLARE_EVENT_CLASS(nfs_folio_event_done,
+ DEFINE_NFS_FOLIO_EVENT(nfs_aop_readpage);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_aop_readpage_done);
+
++DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio_reclaim);
++DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_reclaim_done);
++
+ DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_done);
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 88d0e5168093a..48a8866220d1a 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -2065,6 +2065,39 @@ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio)
+ return ret;
+ }
+
++/**
++ * nfs_wb_folio_reclaim - Write back all requests on one page
++ * @inode: pointer to page
++ * @folio: pointer to folio
++ *
++ * Assumes that the folio has been locked by the caller
++ */
++int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio)
++{
++ loff_t range_start = folio_pos(folio);
++ size_t len = folio_size(folio);
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL,
++ .nr_to_write = 0,
++ .range_start = range_start,
++ .range_end = range_start + len - 1,
++ .for_sync = 1,
++ };
++ int ret;
++
++ if (folio_test_writeback(folio))
++ return -EBUSY;
++ if (folio_clear_dirty_for_io(folio)) {
++ trace_nfs_writeback_folio_reclaim(inode, range_start, len);
++ ret = nfs_writepage_locked(folio, &wbc);
++ trace_nfs_writeback_folio_reclaim_done(inode, range_start, len,
++ ret);
++ return ret;
++ }
++ nfs_commit_inode(inode, 0);
++ return 0;
++}
++
+ /**
+ * nfs_wb_folio - Write back all requests on one page
+ * @inode: pointer to page
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index 039898d70954f..8d2cf10294a42 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -610,6 +610,7 @@ extern int nfs_update_folio(struct file *file, struct folio *folio,
+ extern int nfs_sync_inode(struct inode *inode);
+ extern int nfs_wb_all(struct inode *inode);
+ extern int nfs_wb_folio(struct inode *inode, struct folio *folio);
++extern int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio);
+ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio);
+ extern int nfs_commit_inode(struct inode *, int);
+ extern struct nfs_commit_data *nfs_commitdata_alloc(void);
+--
+2.51.0
+
diff --git a/queue-6.12/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-6.12/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
new file mode 100644
index 0000000000..c799efc165
--- /dev/null
+++ b/queue-6.12/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
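Review bot: The kernel-doc added above nfs_wb_folio_reclaim() in fs/nfs/write.c repeats the header of nfs_wb_folio() and does not describe the new function: the summary still says it writes back all requests on one page, and `@inode` is documented as `pointer to page`. What sets this function apart is visible in its body and in the commit message: it returns -EBUSY when the folio is already under writeback, otherwise starts writeback of a dirty folio or kicks off a commit, and is meant not to wait for completion so that reclaim cannot block on state recovery. I would change the summary to `nfs_wb_folio_reclaim - start writeback or commit of one folio without waiting`, correct the parameter line to `@inode: pointer to inode`, and add a `Return:` line covering -EBUSY, the nfs_writepage_locked() result and 0. The return value of `nfs_commit_inode(inode, 0)` is dropped; if that is deliberate, a short comment saying so belongs on that line.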
@@ -0,0 +1,69 @@
+From 60b0205c3f0cef96d7ee6ec02e884f707d190dbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Shivam Kumar
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 6268b18d24569..94fab721f8cd7 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -1021,6 +1021,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
diff --git a/queue-6.12/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-6.12/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
new file mode 100644
index 0000000000..f8fc1e2955
--- /dev/null
+++ b/queue-6.12/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
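Review bot: The new `pr_err()` in nvmet_tcp_handle_h2c_data_pdu() is not rate limited, although the commit message says this branch is reachable by a remote host straight after the ICREQ/ICRESP handshake. If the `err_proto` path (outside this hunk) tears the queue down, each connection logs once, but repeated connections can still fill the kernel log and push out other records. Switching the call to `pr_err_ratelimited("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",` with the same arguments keeps the diagnostic and bounds the volume. The `pr_err()` for an invalid PDU length in the context lines just above has the same property and could be changed along with it.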
@@ -0,0 +1,47 @@
+From 2558901f60b27759f4b847b55e7c955b02395f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 9f995e156f755..6e56498d0644b 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
diff --git a/queue-6.12/phy-drop-probe-registration-printks.patch b/queue-6.12/phy-drop-probe-registration-printks.patch
new file mode 100644
index 0000000000..9bc5ac26a1
--- /dev/null
+++ b/queue-6.12/phy-drop-probe-registration-printks.patch
@@ -0,0 +1,205 @@ +From 31da01179913fe2fcc6f18677d97735c4afb5b74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 10:51:12 +0200 +Subject: phy: drop probe registration printks + +From: Johan Hovold + +[ Upstream commit 95463cbb4fe6489921fb8c72890113dca54ce83f ] + +Drivers should generally be quiet on successful probe, but this is not +followed by some PHY drivers, for example: + + snps-eusb2-hsphy 88e1000.phy: Registered Snps-eUSB2 phy + qcom-eusb2-repeater c432000.spmi:pmic@7:phy@fd00: Registered Qcom-eUSB2 repeater + qcom-eusb2-repeater c432000.spmi:pmic@a:phy@fd00: Registered Qcom-eUSB2 repeater + qcom-eusb2-repeater c432000.spmi:pmic@b:phy@fd00: Registered Qcom-eUSB2 repeater + snps-eusb2-hsphy fd3000.phy: Registered Snps-eUSB2 phy + snps-eusb2-hsphy fd9000.phy: Registered Snps-eUSB2 phy + snps-eusb2-hsphy fde000.phy: Registered Snps-eUSB2 phy + snps-eusb2-hsphy 88e0000.phy: Registered Snps-eUSB2 phy + snps-eusb2-hsphy 88e2000.phy: Registered Snps-eUSB2 phy + +Drop (or demote to debug level) unnecessary registration info messages +to make boot logs a little less noisy. 
+ +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250523085112.11287-1-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend") +Signed-off-by: Sasha Levin +--- + drivers/phy/broadcom/phy-bcm-ns2-pcie.c | 2 -- + drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c | 1 - + drivers/phy/broadcom/phy-bcm-sr-pcie.c | 2 -- + drivers/phy/broadcom/phy-brcm-sata.c | 2 +- + drivers/phy/marvell/phy-pxa-usb.c | 1 - + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 2 -- + drivers/phy/qualcomm/phy-qcom-m31.c | 2 -- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 +--- + drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 2 -- + drivers/phy/st/phy-stih407-usb.c | 2 -- + drivers/phy/st/phy-stm32-usbphyc.c | 4 ++-- + drivers/phy/ti/phy-twl4030-usb.c | 1 - + 12 files changed, 4 insertions(+), 21 deletions(-) + +diff --git a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c +index 2eaa41f8fc70c..67a6ae5ecba02 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c ++++ b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c +@@ -61,8 +61,6 @@ static int ns2_pci_phy_probe(struct mdio_device *mdiodev) + return PTR_ERR(provider); + } + +- dev_info(dev, "%s PHY registered\n", dev_name(dev)); +- + return 0; + } + +diff --git a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c +index 36ad02c33ac55..8473fa5745296 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c ++++ b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c +@@ -395,7 +395,6 @@ static int ns2_drd_phy_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, driver); + +- dev_info(dev, "Registered NS2 DRD Phy device\n"); + queue_delayed_work(system_power_efficient_wq, &driver->wq_extcon, + driver->debounce_jiffies); + +diff --git a/drivers/phy/broadcom/phy-bcm-sr-pcie.c b/drivers/phy/broadcom/phy-bcm-sr-pcie.c +index ff9b3862bf7af..706e1d83b4cee 100644 +--- 
a/drivers/phy/broadcom/phy-bcm-sr-pcie.c ++++ b/drivers/phy/broadcom/phy-bcm-sr-pcie.c +@@ -277,8 +277,6 @@ static int sr_pcie_phy_probe(struct platform_device *pdev) + return PTR_ERR(provider); + } + +- dev_info(dev, "Stingray PCIe PHY driver initialized\n"); +- + return 0; + } + +diff --git a/drivers/phy/broadcom/phy-brcm-sata.c b/drivers/phy/broadcom/phy-brcm-sata.c +index 228100357054d..d52dd065e8622 100644 +--- a/drivers/phy/broadcom/phy-brcm-sata.c ++++ b/drivers/phy/broadcom/phy-brcm-sata.c +@@ -832,7 +832,7 @@ static int brcm_sata_phy_probe(struct platform_device *pdev) + return PTR_ERR(provider); + } + +- dev_info(dev, "registered %d port(s)\n", count); ++ dev_dbg(dev, "registered %d port(s)\n", count); + + return 0; + } +diff --git a/drivers/phy/marvell/phy-pxa-usb.c b/drivers/phy/marvell/phy-pxa-usb.c +index 6c98eb9608e9c..c0bb71f80c042 100644 +--- a/drivers/phy/marvell/phy-pxa-usb.c ++++ b/drivers/phy/marvell/phy-pxa-usb.c +@@ -325,7 +325,6 @@ static int pxa_usb_phy_probe(struct platform_device *pdev) + phy_create_lookup(pxa_usb_phy->phy, "usb", "mv-otg"); + } + +- dev_info(dev, "Marvell PXA USB PHY"); + return 0; + } + +diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +index c173c6244d9e5..3b68d20142e01 100644 +--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c ++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +@@ -241,8 +241,6 @@ static int eusb2_repeater_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Qcom-eUSB2 repeater\n"); +- + return 0; + } + +diff --git a/drivers/phy/qualcomm/phy-qcom-m31.c b/drivers/phy/qualcomm/phy-qcom-m31.c +index 8b0f8a3a059c2..168ea980fda03 100644 +--- a/drivers/phy/qualcomm/phy-qcom-m31.c ++++ b/drivers/phy/qualcomm/phy-qcom-m31.c +@@ -311,8 +311,6 @@ static int m31usb_phy_probe(struct platform_device *pdev) + phy_set_drvdata(qphy->phy, qphy); + + phy_provider = 
devm_of_phy_provider_register(dev, of_phy_simple_xlate); +- if (!IS_ERR(phy_provider)) +- dev_info(dev, "Registered M31 USB phy\n"); + + return PTR_ERR_OR_ZERO(phy_provider); + } +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index c52655a383cef..531c3860c3160 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -1084,9 +1084,7 @@ static int qusb2_phy_probe(struct platform_device *pdev) + phy_set_drvdata(generic_phy, qphy); + + phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate); +- if (!IS_ERR(phy_provider)) +- dev_info(dev, "Registered Qcom-QUSB2 phy\n"); +- else ++ if (IS_ERR(phy_provider)) + pm_runtime_disable(dev); + + return PTR_ERR_OR_ZERO(phy_provider); +diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +index e1b175f481b4e..4a1dfef5ff8ff 100644 +--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +@@ -418,8 +418,6 @@ static int snps_eusb2_hsphy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Snps-eUSB2 phy\n"); +- + return 0; + } + +diff --git a/drivers/phy/st/phy-stih407-usb.c b/drivers/phy/st/phy-stih407-usb.c +index a4ae2cca7f637..02e6117709dca 100644 +--- a/drivers/phy/st/phy-stih407-usb.c ++++ b/drivers/phy/st/phy-stih407-usb.c +@@ -149,8 +149,6 @@ static int stih407_usb2_picophy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "STiH407 USB Generic picoPHY driver probed!"); +- + return 0; + } + +diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c +index 9dbe60dcf3190..dbf23ae38255a 100644 +--- a/drivers/phy/st/phy-stm32-usbphyc.c ++++ b/drivers/phy/st/phy-stm32-usbphyc.c +@@ -757,8 +757,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev) + } + + version = 
readl_relaxed(usbphyc->base + STM32_USBPHYC_VERSION); +- dev_info(dev, "registered rev:%lu.%lu\n", +- FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version)); ++ dev_dbg(dev, "registered rev: %lu.%lu\n", ++ FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version)); + + return 0; + +diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c +index 6b265992d988f..e5918d3b486cc 100644 +--- a/drivers/phy/ti/phy-twl4030-usb.c ++++ b/drivers/phy/ti/phy-twl4030-usb.c +@@ -784,7 +784,6 @@ static int twl4030_usb_probe(struct platform_device *pdev) + pm_runtime_mark_last_busy(&pdev->dev); + pm_runtime_put_autosuspend(twl->dev); + +- dev_info(&pdev->dev, "Initialized TWL4030 USB module\n"); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.12/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch b/queue-6.12/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch new file mode 100644 index 0000000000..7e63f5397c --- /dev/null +++ b/queue-6.12/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch 
@@ -0,0 +1,45 @@
+From f751b913f2de094958e765a3056927a89a0b65ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal
+Acked-by: Pierluigi Passaro
+Signed-off-by: Stefano Radaelli
+Reviewed-by: Xu Yang
+Reviewed-by: Frank Li
+Reviewed-by: Fabio Estevam
+Reviewed-by: Ahmad Fatoum
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index f914f016b3d2c..043063699e064 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -206,6 +206,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
diff --git a/queue-6.12/phy-phy-snps-eusb2-refactor-constructs-names.patch b/queue-6.12/phy-phy-snps-eusb2-refactor-constructs-names.patch
new file mode 100644
index 0000000000..df3b35a49f
--- /dev/null
+++ b/queue-6.12/phy-phy-snps-eusb2-refactor-constructs-names.patch
@@ -0,0 +1,509 @@ +From b3a17815ec087e4acc1b46f69427c8560ae1f097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 17:45:21 +0300 +Subject: phy: phy-snps-eusb2: refactor constructs names + +From: Ivaylo Ivanov + +[ Upstream commit 93dbe9b5b3a265c7e5466c7b6ada439b01577de5 ] + +As the driver now resides outside the phy subdirectory under a different +name, refactor all definitions, structures and functions to explicitly +specify what code is Qualcomm-specific and what is not. + +Signed-off-by: Ivaylo Ivanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504144527.1723980-5-ivo.ivanov.ivanov1@gmail.com +Signed-off-by: Vinod Koul +Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend") +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 256 ++++++++++----------- + 1 file changed, 128 insertions(+), 128 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +index 1484691a41d59..e1b175f481b4e 100644 +--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +@@ -13,15 +13,15 @@ + #include + #include + +-#define USB_PHY_UTMI_CTRL0 (0x3c) ++#define QCOM_USB_PHY_UTMI_CTRL0 (0x3c) + #define SLEEPM BIT(0) + #define OPMODE_MASK GENMASK(4, 3) + #define OPMODE_NONDRIVING BIT(3) + +-#define USB_PHY_UTMI_CTRL5 (0x50) ++#define QCOM_USB_PHY_UTMI_CTRL5 (0x50) + #define POR BIT(1) + +-#define USB_PHY_HS_PHY_CTRL_COMMON0 (0x54) ++#define QCOM_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54) + #define PHY_ENABLE BIT(0) + #define SIDDQ_SEL BIT(1) + #define SIDDQ BIT(2) +@@ -30,15 +30,15 @@ + #define FSEL_19_2_MHZ_VAL (0x0) + #define FSEL_38_4_MHZ_VAL (0x4) + +-#define USB_PHY_CFG_CTRL_1 (0x58) ++#define QCOM_USB_PHY_CFG_CTRL_1 (0x58) + #define PHY_CFG_PLL_CPBIAS_CNTRL_MASK GENMASK(7, 1) + +-#define USB_PHY_CFG_CTRL_2 (0x5c) ++#define QCOM_USB_PHY_CFG_CTRL_2 (0x5c) + #define 
PHY_CFG_PLL_FB_DIV_7_0_MASK GENMASK(7, 0) + #define DIV_7_0_19_2_MHZ_VAL (0x90) + #define DIV_7_0_38_4_MHZ_VAL (0xc8) + +-#define USB_PHY_CFG_CTRL_3 (0x60) ++#define QCOM_USB_PHY_CFG_CTRL_3 (0x60) + #define PHY_CFG_PLL_FB_DIV_11_8_MASK GENMASK(3, 0) + #define DIV_11_8_19_2_MHZ_VAL (0x1) + #define DIV_11_8_38_4_MHZ_VAL (0x0) +@@ -46,73 +46,73 @@ + #define PHY_CFG_PLL_REF_DIV GENMASK(7, 4) + #define PLL_REF_DIV_VAL (0x0) + +-#define USB_PHY_HS_PHY_CTRL2 (0x64) ++#define QCOM_USB_PHY_HS_PHY_CTRL2 (0x64) + #define VBUSVLDEXT0 BIT(0) + #define USB2_SUSPEND_N BIT(2) + #define USB2_SUSPEND_N_SEL BIT(3) + #define VBUS_DET_EXT_SEL BIT(4) + +-#define USB_PHY_CFG_CTRL_4 (0x68) ++#define QCOM_USB_PHY_CFG_CTRL_4 (0x68) + #define PHY_CFG_PLL_GMP_CNTRL_MASK GENMASK(1, 0) + #define PHY_CFG_PLL_INT_CNTRL_MASK GENMASK(7, 2) + +-#define USB_PHY_CFG_CTRL_5 (0x6c) ++#define QCOM_USB_PHY_CFG_CTRL_5 (0x6c) + #define PHY_CFG_PLL_PROP_CNTRL_MASK GENMASK(4, 0) + #define PHY_CFG_PLL_VREF_TUNE_MASK GENMASK(7, 6) + +-#define USB_PHY_CFG_CTRL_6 (0x70) ++#define QCOM_USB_PHY_CFG_CTRL_6 (0x70) + #define PHY_CFG_PLL_VCO_CNTRL_MASK GENMASK(2, 0) + +-#define USB_PHY_CFG_CTRL_7 (0x74) ++#define QCOM_USB_PHY_CFG_CTRL_7 (0x74) + +-#define USB_PHY_CFG_CTRL_8 (0x78) ++#define QCOM_USB_PHY_CFG_CTRL_8 (0x78) + #define PHY_CFG_TX_FSLS_VREF_TUNE_MASK GENMASK(1, 0) + #define PHY_CFG_TX_FSLS_VREG_BYPASS BIT(2) + #define PHY_CFG_TX_HS_VREF_TUNE_MASK GENMASK(5, 3) + #define PHY_CFG_TX_HS_XV_TUNE_MASK GENMASK(7, 6) + +-#define USB_PHY_CFG_CTRL_9 (0x7c) ++#define QCOM_USB_PHY_CFG_CTRL_9 (0x7c) + #define PHY_CFG_TX_PREEMP_TUNE_MASK GENMASK(2, 0) + #define PHY_CFG_TX_RES_TUNE_MASK GENMASK(4, 3) + #define PHY_CFG_TX_RISE_TUNE_MASK GENMASK(6, 5) + #define PHY_CFG_RCAL_BYPASS BIT(7) + +-#define USB_PHY_CFG_CTRL_10 (0x80) ++#define QCOM_USB_PHY_CFG_CTRL_10 (0x80) + +-#define USB_PHY_CFG0 (0x94) ++#define QCOM_USB_PHY_CFG0 (0x94) + #define DATAPATH_CTRL_OVERRIDE_EN BIT(0) + #define CMN_CTRL_OVERRIDE_EN BIT(1) + +-#define 
UTMI_PHY_CMN_CTRL0 (0x98) ++#define QCOM_UTMI_PHY_CMN_CTRL0 (0x98) + #define TESTBURNIN BIT(6) + +-#define USB_PHY_FSEL_SEL (0xb8) ++#define QCOM_USB_PHY_FSEL_SEL (0xb8) + #define FSEL_SEL BIT(0) + +-#define USB_PHY_APB_ACCESS_CMD (0x130) ++#define QCOM_USB_PHY_APB_ACCESS_CMD (0x130) + #define RW_ACCESS BIT(0) + #define APB_START_CMD BIT(1) + #define APB_LOGIC_RESET BIT(2) + +-#define USB_PHY_APB_ACCESS_STATUS (0x134) ++#define QCOM_USB_PHY_APB_ACCESS_STATUS (0x134) + #define ACCESS_DONE BIT(0) + #define TIMED_OUT BIT(1) + #define ACCESS_ERROR BIT(2) + #define ACCESS_IN_PROGRESS BIT(3) + +-#define USB_PHY_APB_ADDRESS (0x138) ++#define QCOM_USB_PHY_APB_ADDRESS (0x138) + #define APB_REG_ADDR_MASK GENMASK(7, 0) + +-#define USB_PHY_APB_WRDATA_LSB (0x13c) ++#define QCOM_USB_PHY_APB_WRDATA_LSB (0x13c) + #define APB_REG_WRDATA_7_0_MASK GENMASK(3, 0) + +-#define USB_PHY_APB_WRDATA_MSB (0x140) ++#define QCOM_USB_PHY_APB_WRDATA_MSB (0x140) + #define APB_REG_WRDATA_15_8_MASK GENMASK(7, 4) + +-#define USB_PHY_APB_RDDATA_LSB (0x144) ++#define QCOM_USB_PHY_APB_RDDATA_LSB (0x144) + #define APB_REG_RDDATA_7_0_MASK GENMASK(3, 0) + +-#define USB_PHY_APB_RDDATA_MSB (0x148) ++#define QCOM_USB_PHY_APB_RDDATA_MSB (0x148) + #define APB_REG_RDDATA_15_8_MASK GENMASK(7, 4) + + static const char * const eusb2_hsphy_vreg_names[] = { +@@ -121,7 +121,7 @@ static const char * const eusb2_hsphy_vreg_names[] = { + + #define EUSB2_NUM_VREGS ARRAY_SIZE(eusb2_hsphy_vreg_names) + +-struct qcom_snps_eusb2_hsphy { ++struct snps_eusb2_hsphy { + struct phy *phy; + void __iomem *base; + +@@ -135,17 +135,17 @@ struct qcom_snps_eusb2_hsphy { + struct phy *repeater; + }; + +-static int qcom_snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode) ++static int snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + + phy->mode = mode; + + return 
phy_set_mode_ext(phy->repeater, mode, submode); + } + +-static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, +- u32 mask, u32 val) ++static void snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, ++ u32 mask, u32 val) + { + u32 reg; + +@@ -158,65 +158,65 @@ static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, + readl_relaxed(base + offset); + } + +-static void qcom_eusb2_default_parameters(struct qcom_snps_eusb2_hsphy *phy) ++static void qcom_eusb2_default_parameters(struct snps_eusb2_hsphy *phy) + { + /* default parameters: tx pre-emphasis */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_PREEMP_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_PREEMP_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0)); + + /* tx rise/fall time */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_RISE_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_RISE_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2)); + + /* source impedance adjustment */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_RES_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_RES_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1)); + + /* dc voltage level adjustement */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8, +- PHY_CFG_TX_HS_VREF_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8, ++ PHY_CFG_TX_HS_VREF_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3)); + + /* transmitter HS crossover adjustement */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8, 
+- PHY_CFG_TX_HS_XV_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8, ++ PHY_CFG_TX_HS_XV_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0)); + } + +-static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy) ++static int qcom_eusb2_ref_clk_init(struct snps_eusb2_hsphy *phy) + { + unsigned long ref_clk_freq = clk_get_rate(phy->ref_clk); + + switch (ref_clk_freq) { + case 19200000: +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- FSEL_MASK, +- FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ FSEL_MASK, ++ FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2, +- PHY_CFG_PLL_FB_DIV_7_0_MASK, +- DIV_7_0_19_2_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2, ++ PHY_CFG_PLL_FB_DIV_7_0_MASK, ++ DIV_7_0_19_2_MHZ_VAL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_FB_DIV_11_8_MASK, +- DIV_11_8_19_2_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_FB_DIV_11_8_MASK, ++ DIV_11_8_19_2_MHZ_VAL); + break; + + case 38400000: +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- FSEL_MASK, +- FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ FSEL_MASK, ++ FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2, +- PHY_CFG_PLL_FB_DIV_7_0_MASK, +- DIV_7_0_38_4_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2, ++ PHY_CFG_PLL_FB_DIV_7_0_MASK, ++ DIV_7_0_38_4_MHZ_VAL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_FB_DIV_11_8_MASK, +- DIV_11_8_38_4_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, 
QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_FB_DIV_11_8_MASK, ++ DIV_11_8_38_4_MHZ_VAL); + break; + + default: +@@ -224,15 +224,15 @@ static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy) + return -EINVAL; + } + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL); + + return 0; + } + +-static int qcom_snps_eusb2_hsphy_init(struct phy *p) ++static int snps_eusb2_hsphy_init(struct phy *p) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + int ret; + + ret = regulator_bulk_enable(ARRAY_SIZE(phy->vregs), phy->vregs); +@@ -265,73 +265,73 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p) + goto disable_ref_clk; + } + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG0, +- CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG0, ++ CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, POR); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, POR); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_APB_ACCESS_CMD, +- APB_LOGIC_RESET, APB_LOGIC_RESET); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_APB_ACCESS_CMD, ++ APB_LOGIC_RESET, APB_LOGIC_RESET); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_FSEL_SEL, +- FSEL_SEL, FSEL_SEL); ++ 
snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_FSEL_SEL, ++ FSEL_SEL, FSEL_SEL); + + /* update ref_clk related registers */ + ret = qcom_eusb2_ref_clk_init(phy); + if (ret) +- goto disable_ref_clk; ++ return ret; + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_1, +- PHY_CFG_PLL_CPBIAS_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_1, ++ PHY_CFG_PLL_CPBIAS_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4, +- PHY_CFG_PLL_INT_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4, ++ PHY_CFG_PLL_INT_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4, +- PHY_CFG_PLL_GMP_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4, ++ PHY_CFG_PLL_GMP_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5, +- PHY_CFG_PLL_PROP_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5, ++ PHY_CFG_PLL_PROP_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_6, +- PHY_CFG_PLL_VCO_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_6, ++ PHY_CFG_PLL_VCO_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5, +- PHY_CFG_PLL_VREF_TUNE_MASK, +- FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5, ++ PHY_CFG_PLL_VREF_TUNE_MASK, ++ 
FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL); + + /* set default parameters */ + qcom_eusb2_default_parameters(phy); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N, +- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N, ++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- SIDDQ_SEL, SIDDQ_SEL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ SIDDQ_SEL, SIDDQ_SEL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- SIDDQ, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ SIDDQ, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- USB2_SUSPEND_N_SEL, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ USB2_SUSPEND_N_SEL, 0); + + return 0; + +@@ -344,9 +344,9 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p) + return ret; + } + +-static int qcom_snps_eusb2_hsphy_exit(struct phy *p) ++static int snps_eusb2_hsphy_exit(struct phy *p) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + + clk_disable_unprepare(phy->ref_clk); + +@@ -357,18 +357,18 @@ static int qcom_snps_eusb2_hsphy_exit(struct phy *p) + 
return 0; + } + +-static const struct phy_ops qcom_snps_eusb2_hsphy_ops = { +- .init = qcom_snps_eusb2_hsphy_init, +- .exit = qcom_snps_eusb2_hsphy_exit, +- .set_mode = qcom_snps_eusb2_hsphy_set_mode, ++static const struct phy_ops snps_eusb2_hsphy_ops = { ++ .init = snps_eusb2_hsphy_init, ++ .exit = snps_eusb2_hsphy_exit, ++ .set_mode = snps_eusb2_hsphy_set_mode, + .owner = THIS_MODULE, + }; + +-static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) ++static int snps_eusb2_hsphy_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; +- struct qcom_snps_eusb2_hsphy *phy; ++ struct snps_eusb2_hsphy *phy; + struct phy_provider *phy_provider; + struct phy *generic_phy; + int ret, i; +@@ -405,7 +405,7 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(phy->repeater), + "failed to get repeater\n"); + +- generic_phy = devm_phy_create(dev, NULL, &qcom_snps_eusb2_hsphy_ops); ++ generic_phy = devm_phy_create(dev, NULL, &snps_eusb2_hsphy_ops); + if (IS_ERR(generic_phy)) { + dev_err(dev, "failed to create phy %d\n", ret); + return PTR_ERR(generic_phy); +@@ -418,25 +418,25 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Qcom-eUSB2 phy\n"); ++ dev_info(dev, "Registered Snps-eUSB2 phy\n"); + + return 0; + } + +-static const struct of_device_id qcom_snps_eusb2_hsphy_of_match_table[] = { ++static const struct of_device_id snps_eusb2_hsphy_of_match_table[] = { + { .compatible = "qcom,sm8550-snps-eusb2-phy", }, + { }, + }; +-MODULE_DEVICE_TABLE(of, qcom_snps_eusb2_hsphy_of_match_table); ++MODULE_DEVICE_TABLE(of, snps_eusb2_hsphy_of_match_table); + +-static struct platform_driver qcom_snps_eusb2_hsphy_driver = { +- .probe = qcom_snps_eusb2_hsphy_probe, ++static struct platform_driver snps_eusb2_hsphy_driver = { ++ .probe = 
snps_eusb2_hsphy_probe, + .driver = { +- .name = "qcom-snps-eusb2-hsphy", +- .of_match_table = qcom_snps_eusb2_hsphy_of_match_table, ++ .name = "snps-eusb2-hsphy", ++ .of_match_table = snps_eusb2_hsphy_of_match_table, + }, + }; + +-module_platform_driver(qcom_snps_eusb2_hsphy_driver); +-MODULE_DESCRIPTION("Qualcomm SNPS eUSB2 HS PHY driver"); ++module_platform_driver(snps_eusb2_hsphy_driver); ++MODULE_DESCRIPTION("Synopsys eUSB2 HS PHY driver"); + MODULE_LICENSE("GPL"); +-- +2.51.0 + diff --git a/queue-6.12/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch b/queue-6.12/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch new file mode 100644 index 0000000000..4963cf37a2 --- /dev/null +++ b/queue-6.12/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch 
@@ -0,0 +1,91 @@ +From a61d79b384438a86b1cfbbff85c9d2e985a2237c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 09:56:40 +0100 +Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend + +From: Loic Poulain + +[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ] + +Enabling runtime PM before attaching the QPHY instance as driver data +can lead to a NULL pointer dereference in runtime PM callbacks that +expect valid driver data. There is a small window where the suspend +callback may run after PM runtime enabling and before runtime forbid. +This causes a sporadic crash during boot: + +``` +Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 +[...] +CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT +Workqueue: pm pm_runtime_work +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] +lr : pm_generic_runtime_suspend+0x2c/0x44 +[...] +``` + +Attach the QPHY instance as driver data before enabling runtime PM to +prevent NULL pointer dereference in runtime PM callbacks. + +Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a +short window where an unnecessary runtime suspend can occur. + +Use the devres-managed version to ensure PM runtime is symmetrically +disabled during driver removal for proper cleanup. 
+ +Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM") +Signed-off-by: Loic Poulain +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Abel Vesa +Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index 531c3860c3160..d3c26a39873f7 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -1063,29 +1063,29 @@ static int qusb2_phy_probe(struct platform_device *pdev) + or->hsdisc_trim.override = true; + } + +- pm_runtime_set_active(dev); +- pm_runtime_enable(dev); ++ dev_set_drvdata(dev, qphy); ++ + /* +- * Prevent runtime pm from being ON by default. Users can enable +- * it using power/control in sysfs. ++ * Enable runtime PM support, but forbid it by default. ++ * Users can allow it again via the power/control attribute in sysfs. + */ ++ pm_runtime_set_active(dev); + pm_runtime_forbid(dev); ++ ret = devm_pm_runtime_enable(dev); ++ if (ret) ++ return ret; + + generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops); + if (IS_ERR(generic_phy)) { + ret = PTR_ERR(generic_phy); + dev_err(dev, "failed to create phy, %d\n", ret); +- pm_runtime_disable(dev); + return ret; + } + qphy->phy = generic_phy; + +- dev_set_drvdata(dev, qphy); + phy_set_drvdata(generic_phy, qphy); + + phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate); +- if (IS_ERR(phy_provider)) +- pm_runtime_disable(dev); + + return PTR_ERR_OR_ZERO(phy_provider); + } +-- +2.51.0 + diff --git a/queue-6.12/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-6.12/phy-stm32-usphyc-fix-off-by-one-in-probe.patch new file mode 100644 index 0000000000..018e1283ed --- /dev/null +++ b/queue-6.12/phy-stm32-usphyc-fix-off-by-one-in-probe.patch 
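Review bot: The ordering this fix depends on in qusb2_phy_probe() is not recorded at the `dev_set_drvdata(dev, qphy);` line, so a later cleanup could move the call back below the runtime PM setup and reopen the NULL dereference shown in the commit message. A one-line comment there would pin it, for example `/* Must precede devm_pm_runtime_enable(): the runtime PM callbacks read drvdata. */`. The new block comment describes only the forbid-by-default policy, not this dependency. The probe function starts outside the hunk, so whether any callback also needs `qphy->phy`, which is still assigned after the enable, cannot be confirmed from here.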
@@ -0,0 +1,41 @@ +From 27f286196a4687cb5c5ecc299a97107763df28fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 09:53:36 +0300 +Subject: phy: stm32-usphyc: Fix off by one in probe() + +From: Dan Carpenter + +[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ] + +The "index" variable is used as an index into the usbphyc->phys[] array +which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys +then it is one element out of bounds. The "index" comes from the +device tree so it's data that we trust and it's unlikely to be wrong, +however it's obviously still worth fixing the bug. Change the > to >=. + +Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)") +Signed-off-by: Dan Carpenter +Reviewed-by: Amelie Delaunay +Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/st/phy-stm32-usbphyc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c +index dbf23ae38255a..797d45747406d 100644 +--- a/drivers/phy/st/phy-stm32-usbphyc.c ++++ b/drivers/phy/st/phy-stm32-usbphyc.c +@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev) + } + + ret = of_property_read_u32(child, "reg", &index); +- if (ret || index > usbphyc->nphys) { ++ if (ret || index >= usbphyc->nphys) { + dev_err(&phy->dev, "invalid reg property: %d\n", ret); + if (!ret) + ret = -EINVAL; +-- +2.51.0 + diff --git a/queue-6.12/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch b/queue-6.12/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch new file mode 100644 index 0000000000..8bb8adbef5 --- /dev/null +++ b/queue-6.12/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch 
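Review bot: In stm32_usbphyc_probe(), when the corrected `index >= usbphyc->nphys` test is what rejects the node, `ret` is still 0 at the `dev_err()` call, so the log reads "invalid reg property: 0" and gives no hint that the value was out of range. Assigning the error first makes the message meaningful: move `if (!ret) ret = -EINVAL;` above `dev_err(&phy->dev, "invalid reg property: %d\n", ret);`. Since this index selects an element of `usbphyc->phys[]`, a clear diagnostic for a malformed device tree is worth having. The enclosing function starts and ends outside the hunk.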
@@ -0,0 +1,64 @@ +From 46200edffaa534a67897163ee87994de862f9c4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Nov 2025 18:57:34 +0800 +Subject: phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors + +From: Haotian Zhang + +[ Upstream commit 08aa19de72110df8ac10c9e67349dd884eeed41d ] + +devm_pm_runtime_enable() can fail due to memory allocation. The current +code ignores its return value after calling pm_runtime_set_active(), +leaving the device in an inconsistent state if runtime PM initialization +fails. + +Check the return value of devm_pm_runtime_enable() and return on +failure. Also move the declaration of 'ret' to the function scope +to support this check. + +Fixes: ee8e41b5044f ("phy: ti: phy-da8xx-usb: Add runtime PM support") +Suggested-by: Neil Armstrong +Signed-off-by: Haotian Zhang +Reviewed-by: Neil Armstrong +Link: https://patch.msgid.link/20251124105734.1027-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/phy-da8xx-usb.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/phy/ti/phy-da8xx-usb.c b/drivers/phy/ti/phy-da8xx-usb.c +index 68aa595b6ad8d..256f5238153a5 100644 +--- a/drivers/phy/ti/phy-da8xx-usb.c ++++ b/drivers/phy/ti/phy-da8xx-usb.c +@@ -180,6 +180,7 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev) + struct da8xx_usb_phy_platform_data *pdata = dev->platform_data; + struct device_node *node = dev->of_node; + struct da8xx_usb_phy *d_phy; ++ int ret; + + d_phy = devm_kzalloc(dev, sizeof(*d_phy), GFP_KERNEL); + if (!d_phy) +@@ -233,8 +234,6 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev) + return PTR_ERR(d_phy->phy_provider); + } + } else { +- int ret; +- + ret = phy_create_lookup(d_phy->usb11_phy, "usb-phy", + "ohci-da8xx"); + if (ret) +@@ -249,7 +248,9 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev) + PHY_INIT_BITS, PHY_INIT_BITS); + + pm_runtime_set_active(dev); +- devm_pm_runtime_enable(dev); 
++ ret = devm_pm_runtime_enable(dev); ++ if (ret) ++ return ret; + /* + * Prevent runtime pm from being ON by default. Users can enable + * it using power/control in sysfs. +-- +2.51.0 + diff --git a/queue-6.12/pm-em-fix-incorrect-description-of-the-cost-field-in.patch b/queue-6.12/pm-em-fix-incorrect-description-of-the-cost-field-in.patch new file mode 100644 index 0000000000..a6eef4f162 --- /dev/null +++ b/queue-6.12/pm-em-fix-incorrect-description-of-the-cost-field-in.patch 
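Review bot: The new `return ret;` after `devm_pm_runtime_enable(dev)` in da8xx_usb_phy_probe() comes after the non-DT branch has called `phy_create_lookup()`, which the hunk's context shows for the "ohci-da8xx" lookup, and nothing on this path removes it. If the lookups are only dropped in the remove callback (not visible here), a failed probe would leave a registered lookup pointing at a phy that devres then frees. Either enable runtime PM before the lookups are created, or undo them on this path with `phy_remove_lookup()` when `!node`. The function body continues outside the hunk.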
@@ -0,0 +1,45 @@ +From 327a007d00e323864e42c31a0c924f0e567b45ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 14:15:34 +0800 +Subject: PM: EM: Fix incorrect description of the cost field in struct + em_perf_state + +From: Yaxiong Tian + +[ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ] + +Due to commit 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove +division"), the logic for energy consumption calculation has been modified. +The actual calculation of cost is 10 * power * max_frequency / frequency +instead of power * max_frequency / frequency. + +Therefore, the comment for cost has been updated to reflect the correct +content. + +Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division") +Signed-off-by: Yaxiong Tian +Reviewed-by: Lukasz Luba +[ rjw: Added Fixes: tag ] +Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + include/linux/energy_model.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h +index 34498652f7802..09ce3dc4eab5c 100644 +--- a/include/linux/energy_model.h ++++ b/include/linux/energy_model.h +@@ -18,7 +18,7 @@ + * @power: The power consumed at this level (by 1 CPU or by a registered + * device). It can be a total power: static and dynamic. + * @cost: The cost coefficient associated with this level, used during +- * energy calculation. Equal to: power * max_frequency / frequency ++ * energy calculation. Equal to: 10 * power * max_frequency / frequency + * @flags: see "em_perf_state flags" description below. + */ + struct em_perf_state { +-- +2.51.0 + diff --git a/queue-6.12/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch b/queue-6.12/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch new file mode 100644 index 0000000000..55bc7f2897 --- /dev/null 
+++ b/queue-6.12/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch @@ -0,0 +1,44 @@ +From 26f1679412357d2c50643cc0b3ca6aedd6d2cd07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 08:45:26 +0000 +Subject: pnfs/blocklayout: Fix memory leak in bl_parse_scsi() + +From: Zilin Guan + +[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ] + +In bl_parse_scsi(), if the block device length is zero, the function +returns immediately without releasing the file reference obtained via +bl_open_path(), leading to a memory leak. + +Fix this by jumping to the out_blkdev_put label to ensure the file +reference is properly released. + +Fixes: d76c769c8db4c ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev") +Signed-off-by: Zilin Guan +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index 44306ac22353b..22d4529c61933 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -417,8 +417,10 @@ bl_parse_scsi(struct nfs_server *server, struct pnfs_block_dev *d, + d->map = bl_map_simple; + d->pr_key = v->scsi.pr_key; + +- if (d->len == 0) +- return -ENODEV; ++ if (d->len == 0) { ++ error = -ENODEV; ++ goto out_blkdev_put; ++ } + + ops = bdev->bd_disk->fops->pr_ops; + if (!ops) { +-- +2.51.0 + diff --git a/queue-6.12/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch b/queue-6.12/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch new file mode 100644 index 0000000000..8da14987ad --- /dev/null +++ b/queue-6.12/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch 
@@ -0,0 +1,218 @@ +From 89ee3777125d2000e8d2ae8b63da61cd03154a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Dec 2025 14:45:00 -0500 +Subject: pNFS: Fix a deadlock when returning a delegation during open() + +From: Trond Myklebust + +[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ] + +Ben Coddington reports seeing a hang in the following stack trace: + 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 + 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 + 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 + 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb + 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 + 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] + 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] + 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] + 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] + 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] + 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] + 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] + 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] + 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] + 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] + 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] + 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] + 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea + 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e + 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 + +The issue is that the delegreturn is being asked to wait for a layout +return that cannot complete because a state recovery was initiated. The +state recovery cannot complete until the open() finishes processing the +delegations it was given. 
+ +The solution is to propagate the existing flags that indicate a +non-blocking call to the function pnfs_roc(), so that it knows not to +wait in this situation. + +Reported-by: Benjamin Coddington +Fixes: 29ade5db1293 ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 6 ++--- + fs/nfs/pnfs.c | 58 +++++++++++++++++++++++++++++++++-------------- + fs/nfs/pnfs.h | 17 ++++++-------- + 3 files changed, 51 insertions(+), 30 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 89f779f16f0dc..c76acd537be05 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3868,8 +3868,8 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait) + calldata->res.seqid = calldata->arg.seqid; + calldata->res.server = server; + calldata->res.lr_ret = -NFS4ERR_NOMATCHING_LAYOUT; +- calldata->lr.roc = pnfs_roc(state->inode, +- &calldata->lr.arg, &calldata->lr.res, msg.rpc_cred); ++ calldata->lr.roc = pnfs_roc(state->inode, &calldata->lr.arg, ++ &calldata->lr.res, msg.rpc_cred, wait); + if (calldata->lr.roc) { + calldata->arg.lr_args = &calldata->lr.arg; + calldata->res.lr_res = &calldata->lr.res; +@@ -6895,7 +6895,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred, + data->inode = nfs_igrab_and_active(inode); + if (data->inode || issync) { + data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res, +- cred); ++ cred, issync); + if (data->lr.roc) { + data->args.lr_args = &data->lr.arg; + data->res.lr_res = &data->lr.res; +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 7a742bcff687b..16981d0389c4c 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1546,10 +1546,9 @@ static int pnfs_layout_return_on_reboot(struct pnfs_layout_hdr *lo) + PNFS_FL_LAYOUTRETURN_PRIVILEGED); + } + +-bool pnfs_roc(struct inode *ino, +- struct nfs4_layoutreturn_args *args, +- struct nfs4_layoutreturn_res *res, +- const struct cred 
*cred) ++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args, ++ struct nfs4_layoutreturn_res *res, const struct cred *cred, ++ bool sync) + { + struct nfs_inode *nfsi = NFS_I(ino); + struct nfs_open_context *ctx; +@@ -1560,7 +1559,7 @@ bool pnfs_roc(struct inode *ino, + nfs4_stateid stateid; + enum pnfs_iomode iomode = 0; + bool layoutreturn = false, roc = false; +- bool skip_read = false; ++ bool skip_read; + + if (!nfs_have_layout(ino)) + return false; +@@ -1573,20 +1572,14 @@ bool pnfs_roc(struct inode *ino, + lo = NULL; + goto out_noroc; + } +- pnfs_get_layout_hdr(lo); +- if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) { +- spin_unlock(&ino->i_lock); +- rcu_read_unlock(); +- wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN, +- TASK_UNINTERRUPTIBLE); +- pnfs_put_layout_hdr(lo); +- goto retry; +- } + + /* no roc if we hold a delegation */ ++ skip_read = false; + if (nfs4_check_delegation(ino, FMODE_READ)) { +- if (nfs4_check_delegation(ino, FMODE_WRITE)) ++ if (nfs4_check_delegation(ino, FMODE_WRITE)) { ++ lo = NULL; + goto out_noroc; ++ } + skip_read = true; + } + +@@ -1595,12 +1588,43 @@ bool pnfs_roc(struct inode *ino, + if (state == NULL) + continue; + /* Don't return layout if there is open file state */ +- if (state->state & FMODE_WRITE) ++ if (state->state & FMODE_WRITE) { ++ lo = NULL; + goto out_noroc; ++ } + if (state->state & FMODE_READ) + skip_read = true; + } + ++ if (skip_read) { ++ bool writes = false; ++ ++ list_for_each_entry(lseg, &lo->plh_segs, pls_list) { ++ if (lseg->pls_range.iomode != IOMODE_READ) { ++ writes = true; ++ break; ++ } ++ } ++ if (!writes) { ++ lo = NULL; ++ goto out_noroc; ++ } ++ } ++ ++ pnfs_get_layout_hdr(lo); ++ if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) { ++ if (!sync) { ++ pnfs_set_plh_return_info( ++ lo, skip_read ? 
IOMODE_RW : IOMODE_ANY, 0); ++ goto out_noroc; ++ } ++ spin_unlock(&ino->i_lock); ++ rcu_read_unlock(); ++ wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN, ++ TASK_UNINTERRUPTIBLE); ++ pnfs_put_layout_hdr(lo); ++ goto retry; ++ } + + list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) { + if (skip_read && lseg->pls_range.iomode == IOMODE_READ) +@@ -1640,7 +1664,7 @@ bool pnfs_roc(struct inode *ino, + out_noroc: + spin_unlock(&ino->i_lock); + rcu_read_unlock(); +- pnfs_layoutcommit_inode(ino, true); ++ pnfs_layoutcommit_inode(ino, sync); + if (roc) { + struct pnfs_layoutdriver_type *ld = NFS_SERVER(ino)->pnfs_curr_ld; + if (ld->prepare_layoutreturn) +diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h +index 91ff877185c8a..3db8f13d8fe4e 100644 +--- a/fs/nfs/pnfs.h ++++ b/fs/nfs/pnfs.h +@@ -303,10 +303,9 @@ int pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo, + u32 seq); + int pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo, + struct list_head *lseg_list); +-bool pnfs_roc(struct inode *ino, +- struct nfs4_layoutreturn_args *args, +- struct nfs4_layoutreturn_res *res, +- const struct cred *cred); ++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args, ++ struct nfs4_layoutreturn_res *res, const struct cred *cred, ++ bool sync); + int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp, + struct nfs4_layoutreturn_res **respp, int *ret); + void pnfs_roc_release(struct nfs4_layoutreturn_args *args, +@@ -773,12 +772,10 @@ pnfs_layoutcommit_outstanding(struct inode *inode) + return false; + } + +- +-static inline bool +-pnfs_roc(struct inode *ino, +- struct nfs4_layoutreturn_args *args, +- struct nfs4_layoutreturn_res *res, +- const struct cred *cred) ++static inline bool pnfs_roc(struct inode *ino, ++ struct nfs4_layoutreturn_args *args, ++ struct nfs4_layoutreturn_res *res, ++ const struct cred *cred, bool sync) + { + return false; + } +-- +2.51.0 + 
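Review bot: In pnfs_roc() (fs/nfs/pnfs.c) the patch moves `pnfs_get_layout_hdr(lo)` below the delegation and open-state checks and compensates by adding `lo = NULL;` before three `goto out_noroc` sites, but the rule behind that is written down nowhere. The new `!sync` branch jumps to the same label with `lo` still set and a reference held, so the label is now reached in two different ownership states. A short comment at `out_noroc:` would make this reviewable, e.g. `/* lo is NULL here unless a layout header reference is held */`; the code below the label that consumes `lo` is outside the hunk, so this reading should be confirmed against it. A separate label for the no-reference exits would remove the need for the manual resets.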
diff --git a/queue-6.12/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-6.12/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch new file mode 100644 index 0000000000..e5a7f902a2 --- /dev/null +++ b/queue-6.12/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch @@ -0,0 +1,40 @@ +From b8ab82b5c93667068f8666d00b2c806b9ed58209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 07:41:03 +0000 +Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() + +From: Zilin Guan + +[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ] + +In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, +the function jumps to the out_scratch label without freeing the already +allocated dsaddrs list, leading to a memory leak. + +Fix this by jumping to the out_err_drain_dsaddrs label, which properly +frees the dsaddrs list before cleaning up other resources. + +Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Zilin Guan +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +index ef535baeefb60..5ab9ac32f858e 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev, + sizeof(struct nfs4_ff_ds_version), + gfp_flags); + if (!ds_versions) +- goto out_scratch; ++ goto out_err_drain_dsaddrs; + + for (i = 0; i < version_count; i++) { + /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) + +-- +2.51.0 + diff --git a/queue-6.12/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch b/queue-6.12/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch new file mode 100644 index 0000000000..1f17a5e4e7 
--- /dev/null +++ b/queue-6.12/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch @@ -0,0 +1,44 @@ +From a70d9b6ad80f7fca7b714ff28935290e1b1332e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 19:37:15 +0200 +Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers + +From: Gal Pressman + +[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ] + +The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 = +0xfff0, only allowing CPUs 0-3. + +Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs +0-15. + +Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test") +Reviewed-by: Nimrod Oren +Signed-off-by: Gal Pressman +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/toeplitz.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c +index 9ba03164d73a6..5099157f01b9a 100644 +--- a/tools/testing/selftests/net/toeplitz.c ++++ b/tools/testing/selftests/net/toeplitz.c +@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg) + + bitmap = strtoul(arg, NULL, 0); + +- if (bitmap & ~(RPS_MAX_CPUS - 1)) +- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu", ++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1)) ++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu", + bitmap, RPS_MAX_CPUS - 1); + + for (i = 0; i < RPS_MAX_CPUS; i++) +-- +2.51.0 + diff --git a/queue-6.12/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch b/queue-6.12/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch new file mode 100644 index 0000000000..f1b9c78e2a --- /dev/null +++ b/queue-6.12/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch 
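Review bot: The corrected bounds test in parse_rps_bitmap() still operates on `bitmap = strtoul(arg, NULL, 0);`, which accepts non-numeric or partly numeric input and yields 0 or a truncated value without any error. Passing an end pointer and rejecting leftovers would close that gap: `bitmap = strtoul(arg, &end, 0);` followed by `if (end == arg || *end) error(1, 0, "invalid rps bitmap %s", arg);`. The function continues past the end of the hunk.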
@@ -0,0 +1,107 @@ +From 95b634e9dd3bfa3486087e3afc8fe98e251fd3dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:07:24 +0100 +Subject: selftests/landlock: Fix TCP bind(AF_UNSPEC) test case +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthieu Buffet + +[ Upstream commit bd09d9a05cf04028f639e209b416bacaeffd4909 ] + +The nominal error code for bind(AF_UNSPEC) on an IPv6 socket +is -EAFNOSUPPORT, not -EINVAL. -EINVAL is only returned when +the supplied address struct is too short, which happens to be +the case in current selftests because they treat AF_UNSPEC +like IPv4 sockets do: as an alias for AF_INET (which is a +16-byte struct instead of the 24 bytes required by IPv6 +sockets). + +Make the union large enough for any address (by adding struct +sockaddr_storage to the union), and make AF_UNSPEC addresses +large enough for any family. + +Test for -EAFNOSUPPORT instead, and add a dedicated test case +for truncated inputs with -EINVAL. 
+ +Fixes: a549d055a22e ("selftests/landlock: Add network tests") +Signed-off-by: Matthieu Buffet +Link: https://lore.kernel.org/r/20251027190726.626244-2-matthieu@buffet.re +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/landlock/common.h | 1 + + tools/testing/selftests/landlock/net_test.c | 16 +++++++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h +index 60afc1ce11bcd..8be801c45f9b9 100644 +--- a/tools/testing/selftests/landlock/common.h ++++ b/tools/testing/selftests/landlock/common.h +@@ -249,6 +249,7 @@ struct service_fixture { + struct sockaddr_un unix_addr; + socklen_t unix_addr_len; + }; ++ struct sockaddr_storage _largest; + }; + }; + +diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c +index 376079d70d3fc..c3642c17b251d 100644 +--- a/tools/testing/selftests/landlock/net_test.c ++++ b/tools/testing/selftests/landlock/net_test.c +@@ -120,6 +120,10 @@ static socklen_t get_addrlen(const struct service_fixture *const srv, + { + switch (srv->protocol.domain) { + case AF_UNSPEC: ++ if (minimal) ++ return sizeof(sa_family_t); ++ return sizeof(struct sockaddr_storage); ++ + case AF_INET: + return sizeof(srv->ipv4_addr); + +@@ -757,6 +761,11 @@ TEST_F(protocol, bind_unspec) + bind_fd = socket_variant(&self->srv0); + ASSERT_LE(0, bind_fd); + ++ /* Tries to bind with too small addrlen. */ ++ EXPECT_EQ(-EINVAL, bind_variant_addrlen( ++ bind_fd, &self->unspec_any0, ++ get_addrlen(&self->unspec_any0, true) - 1)); ++ + /* Allowed bind on AF_UNSPEC/INADDR_ANY. 
*/ + ret = bind_variant(bind_fd, &self->unspec_any0); + if (variant->prot.domain == AF_INET) { +@@ -765,6 +774,8 @@ TEST_F(protocol, bind_unspec) + TH_LOG("Failed to bind to unspec/any socket: %s", + strerror(errno)); + } ++ } else if (variant->prot.domain == AF_INET6) { ++ EXPECT_EQ(-EAFNOSUPPORT, ret); + } else { + EXPECT_EQ(-EINVAL, ret); + } +@@ -791,6 +802,8 @@ TEST_F(protocol, bind_unspec) + } else { + EXPECT_EQ(0, ret); + } ++ } else if (variant->prot.domain == AF_INET6) { ++ EXPECT_EQ(-EAFNOSUPPORT, ret); + } else { + EXPECT_EQ(-EINVAL, ret); + } +@@ -800,7 +813,8 @@ TEST_F(protocol, bind_unspec) + bind_fd = socket_variant(&self->srv0); + ASSERT_LE(0, bind_fd); + ret = bind_variant(bind_fd, &self->unspec_srv0); +- if (variant->prot.domain == AF_INET) { ++ if (variant->prot.domain == AF_INET || ++ variant->prot.domain == AF_INET6) { + EXPECT_EQ(-EAFNOSUPPORT, ret); + } else { + EXPECT_EQ(-EINVAL, ret) +-- +2.51.0 + diff --git a/queue-6.12/selftests-landlock-properly-close-a-file-descriptor.patch b/queue-6.12/selftests-landlock-properly-close-a-file-descriptor.patch new file mode 100644 index 0000000000..608d785a0b --- /dev/null +++ b/queue-6.12/selftests-landlock-properly-close-a-file-descriptor.patch 
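Review bot: The new union member `struct sockaddr_storage _largest;` in struct service_fixture (common.h hunk) is not referenced in any visible hunk and carries no comment. Its only job, per the commit message, is to make the union big enough for the `sizeof(struct sockaddr_storage)` length that get_addrlen() now returns for AF_UNSPEC. A comment such as `/* Size padding only: keeps the union >= sizeof(struct sockaddr_storage) for the AF_UNSPEC addrlen. */` would stop a later cleanup from dropping the member, which would make bind() read past the fixture. get_addrlen() and the bind_unspec test body both continue outside their hunks.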
@@ -0,0 +1,42 @@ +From b658c50054f669a011ec84788db8835f91d24cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jan 2026 14:40:58 +0100 +Subject: selftests/landlock: Properly close a file descriptor +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Günther Noack + +[ Upstream commit 15e8d739fda1084d81f7d3813e9600eba6e0f134 ] + +Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the +result. + +Signed-off-by: Günther Noack +Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets") +Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com +[mic: Use EXPECT_EQ() and update commit message] +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/landlock/fs_test.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c +index 01bb59938dd7a..c781014e6a5c6 100644 +--- a/tools/testing/selftests/landlock/fs_test.c ++++ b/tools/testing/selftests/landlock/fs_test.c +@@ -4189,7 +4189,8 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) + /* FIONREAD and other IOCTLs should not be forbidden. */ + EXPECT_EQ(0, test_fionread_ioctl(cli_fd)); + +- ASSERT_EQ(0, close(cli_fd)); ++ EXPECT_EQ(0, close(cli_fd)); ++ EXPECT_EQ(0, close(srv_fd)); + } + + /* clang-format off */ +-- +2.51.0 + diff --git a/queue-6.12/selftests-landlock-remove-invalid-unix-socket-bind.patch b/queue-6.12/selftests-landlock-remove-invalid-unix-socket-bind.patch new file mode 100644 index 0000000000..9d7e966410 --- /dev/null +++ b/queue-6.12/selftests-landlock-remove-invalid-unix-socket-bind.patch 
@@ -0,0 +1,46 @@ +From 8be63e9474104e11bb65b56529a9a0358c15b9cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Dec 2025 01:36:31 +0100 +Subject: selftests/landlock: Remove invalid unix socket bind() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthieu Buffet + +[ Upstream commit e1a57c33590a50a6639798e60a597af4a23b0340 ] + +Remove bind() call on a client socket that doesn't make sense. +Since strlen(cli_un.sun_path) returns a random value depending on stack +garbage, that many uninitialized bytes are read from the stack as an +unix socket address. This creates random test failures due to the bind +address being invalid or already in use if the same stack value comes up +twice. + +Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets") +Signed-off-by: Matthieu Buffet +Reviewed-by: Günther Noack +Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/landlock/fs_test.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c +index 97d360eae4f69..01bb59938dd7a 100644 +--- a/tools/testing/selftests/landlock/fs_test.c ++++ b/tools/testing/selftests/landlock/fs_test.c +@@ -4179,9 +4179,6 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) + cli_fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_LE(0, cli_fd); + +- size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); +- ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size)); +- + bzero(&cli_un, sizeof(cli_un)); + cli_un.sun_family = AF_UNIX; + strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path)); +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 4fcac2c749..b14aacc9bc 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -3,3 +3,56 @@ efi-cper-fix-cper_bits_to_str-buffer-handling-and-return-value.patch revert-gfs2-fix-use-of-bio_chain.patch x86-fpu-clear-xstate_bv-in-guest-xsave-state-whenever-xfd-1.patch asoc-codecs-wsa884x-fix-codec-initialisation.patch +xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch +xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch +pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch +nfs-fix-a-deadlock-involving-nfs_release_folio.patch +pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch +pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch +drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch +pm-em-fix-incorrect-description-of-the-cost-field-in.patch +can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch +nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch +btrfs-send-check-for-inline-extents-in-range_is_hole.patch +net-bridge-annotate-data-races-around-fdb-updated-us.patch +ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch +net-update-netdev_lock_-type-name.patch +macvlan-fix-possible-uaf-in-macvlan_forward_source.patch +ipv4-ip_gre-make-ipgre_header-robust.patch +vsock-test-add-a-final-full-barrier-after-run-all-te.patch +net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch +net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch +net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch +net-mlx5e-restore-destroying-state-bit-after-profile.patch +btrfs-factor-out-init_space_info-from-create_space_i.patch +btrfs-factor-out-check_removing_space_info-from-btrf.patch +btrfs-introduce-btrfs_space_info-sub-group.patch +btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch +net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch +alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch +net-hv_netvsc-reject-rss-hash-key-programming-withou.patch +ipv6-fix-use-after-free-in-inet6_addr_del.patch +selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch 
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch +asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch +asoc-tlv320adcx140-fix-null-pointer.patch +asoc-tlv320adcx140-fix-word-length.patch +drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch +mm-describe-flags-parameter-in-memalloc_flags_save.patch +textsearch-describe-list-member-in-ts_ops-search.patch +mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch +dmaengine-xilinx-xdma-fix-regmap-max_register.patch +dmaengine-tegra-adma-fix-use-after-free.patch +dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch +phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch +phy-phy-snps-eusb2-refactor-constructs-names.patch +phy-drop-probe-registration-printks.patch +phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch +phy-stm32-usphyc-fix-off-by-one-in-probe.patch +phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch +selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch +selftests-landlock-remove-invalid-unix-socket-bind.patch +phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch +selftests-landlock-properly-close-a-file-descriptor.patch +dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch +i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch diff --git a/queue-6.12/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-6.12/textsearch-describe-list-member-in-ts_ops-search.patch new file mode 100644 index 0000000000..04144512ee --- /dev/null +++ b/queue-6.12/textsearch-describe-list-member-in-ts_ops-search.patch 
@@ -0,0 +1,41 @@ +From 6a66fe5bb10b0aa6e9c9351164e225b05e0f5f08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 08:40:05 +0700 +Subject: textsearch: describe @list member in ts_ops search + +From: Bagas Sanjaya + +[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops' + +Describe @list member to fix it. + +Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com +Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.") +Signed-off-by: Bagas Sanjaya +Cc: Thomas Graf +Cc: "David S. Miller" +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/textsearch.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h +index 6673e4d4ac2e1..4933777404d61 100644 +--- a/include/linux/textsearch.h ++++ b/include/linux/textsearch.h +@@ -35,6 +35,7 @@ struct ts_state + * @get_pattern: return head of pattern + * @get_pattern_len: return length of pattern + * @owner: module reference to algorithm ++ * @list: list to search + */ + struct ts_ops + { +-- +2.51.0 + diff --git a/queue-6.12/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-6.12/vsock-test-add-a-final-full-barrier-after-run-all-te.patch new file mode 100644 index 0000000000..e99681de23 --- /dev/null +++ b/queue-6.12/vsock-test-add-a-final-full-barrier-after-run-all-te.patch 
@@ -0,0 +1,52 @@ +From 8f7d17dd04d6eec0628fa250b3303f1682af0937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 12:44:19 +0100 +Subject: vsock/test: add a final full barrier after run all tests + +From: Stefano Garzarella + +[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ] + +If the last test fails, the other side still completes correctly, +which could lead to false positives. + +Let's add a final barrier that ensures that the last test has finished +correctly on both sides, but also that the two sides agree on the +number of tests to be performed. + +Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases") +Reviewed-by: Luigi Leonardi +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/util.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c +index a3d448a075e3a..8a899a9fc9a98 100644 +--- a/tools/testing/vsock/util.c ++++ b/tools/testing/vsock/util.c +@@ -472,6 +472,18 @@ void run_tests(const struct test_case *test_cases, + + printf("ok\n"); + } ++ ++ printf("All tests have been executed. Waiting other peer..."); ++ fflush(stdout); ++ ++ /* ++ * Final full barrier, to ensure that all tests have been run and ++ * that even the last one has been successful on both sides. ++ */ ++ control_writeln("COMPLETED"); ++ control_expectln("COMPLETED"); ++ ++ printf("ok\n"); + } + + void list_tests(const struct test_case *test_cases) +-- +2.51.0 + diff --git a/queue-6.12/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch b/queue-6.12/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch new file mode 100644 index 0000000000..4c84512b3e --- /dev/null +++ b/queue-6.12/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch 
@@ -0,0 +1,67 @@ +From 0567af2d454faaca416ee83f174ac772cc81885d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 05:56:09 +0200 +Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation + +From: Jianbo Liu + +[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ] + +Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner +protocol") attempted to fix GSO segmentation by reading the inner +protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect +because the field holds the inner L4 protocol (TCP/UDP) instead of the +required tunnel protocol. Also, the memory location (shared by +XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow()) +is prone to corruption. This combination caused the kernel to select +the wrong inner mode and get the wrong address family. + +The correct value is in xfrm_offload(skb)->proto, which is set from +the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It +is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP +or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the +inner packet's address family. 
+ +Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol") +Signed-off-by: Jianbo Liu +Reviewed-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4_offload.c | 4 ++-- + net/ipv6/esp6_offload.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 05828d4cb6cdb..abd77162f5e75 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, +- XFRM_MODE_SKB_CB(skb)->protocol); ++ struct xfrm_offload *xo = xfrm_offload(skb); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto); + __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) + : htons(ETH_P_IP); + +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index 22410243ebe88..22895521a57d0 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, +- XFRM_MODE_SKB_CB(skb)->protocol); ++ struct xfrm_offload *xo = xfrm_offload(skb); ++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto); + __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) + : htons(ETH_P_IPV6); + +-- +2.51.0 + diff --git a/queue-6.12/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch b/queue-6.12/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch new file mode 100644 index 0000000000..9f503b4602 --- /dev/null +++ b/queue-6.12/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch 
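Review bot: The new `struct xfrm_offload *xo = xfrm_offload(skb);` in xfrm4_tunnel_gso_segment(), and the same line in xfrm6_tunnel_gso_segment() in the esp6_offload.c hunk, is dereferenced as `xo->proto` on the next line without a NULL test. xfrm_offload() returns NULL when the skb carries no offload state, so this is safe only if every caller has already checked it. The callers lie outside both hunks, so that cannot be confirmed from here. If the invariant holds, a one-line comment above the declaration, for example `/* xo was validated by the caller before dispatching here */`, would record it. If it does not hold, the function needs to return an error before the dereference. Both function bodies continue outside the hunks.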
@@ -0,0 +1,41 @@ +From aca319d58c4572642e0bc202ec8041e63d507509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 11:30:27 +0100 +Subject: xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is + set + +From: Antony Antony + +[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ] + +The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but +it was being applied regardless of the SA direction when the sysctl +ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs. + +Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction +is configured. + +Closes: https://github.com/strongswan/strongswan/issues/2946 +Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out") +Signed-off-by: Antony Antony +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_state.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c +index b9bac68364527..c927560a77316 100644 +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -3058,6 +3058,7 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload, + int err; + + if (family == AF_INET && ++ (!x->dir || x->dir == XFRM_SA_DIR_OUT) && + READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) + x->props.flags |= XFRM_STATE_NOPMTUDISC; + +-- +2.51.0 + diff --git a/queue-6.18/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch b/queue-6.18/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch new file mode 100644 index 0000000000..5f5666b149 --- /dev/null +++ b/queue-6.18/alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch 
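Review bot: The added condition `(!x->dir || x->dir == XFRM_SA_DIR_OUT)` in __xfrm_init_state() does not explain its `!x->dir` half. The commit message restricts the flag "when the SA direction is configured", so a zero value presumably means no direction was set and the previous behaviour is kept for those SAs. A comment such as `/* dir == 0: direction not configured, keep setting the flag as before */` would make that reading explicit. Without it the test can be mistaken for `x->dir != XFRM_SA_DIR_IN`, which would behave differently if another direction value is ever added. The function body continues outside the hunk.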
@@ -0,0 +1,44 @@ +From 6db319d852b5e7d08c7b0a558a2ef73d7a445147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 13:09:54 +0000 +Subject: ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip + +From: Richard Fitzgerald + +[ Upstream commit c5e96e54eca3876d4ce8857e2e22adbe9f44f4a2 ] + +Set gpiochip parent to the struct device of the dummy GPIO driver +so that the software node will be associated with the GPIO chip. + +The recent commit e5d527be7e698 ("gpio: swnode: don't use the +swnode's name as the key for GPIO lookup") broke cirrus_scodec_test, +because the software node no longer gets associated with the GPIO +driver by name. + +Instead, setting struct gpio_chip.parent to the owning struct device +will find the node using a normal fwnode lookup. + +Signed-off-by: Richard Fitzgerald +Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test") +Link: https://patch.msgid.link/20260113130954.574670-1-rf@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c +index 3cca750857b68..159ac80a93144 100644 +--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c ++++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c +@@ -103,6 +103,7 @@ static int cirrus_scodec_test_gpio_probe(struct platform_device *pdev) + + /* GPIO core modifies our struct gpio_chip so use a copy */ + gpio_priv->chip = cirrus_scodec_test_gpio_chip; ++ gpio_priv->chip.parent = &pdev->dev; + ret = devm_gpiochip_add_data(&pdev->dev, &gpio_priv->chip, gpio_priv); + if (ret) + return dev_err_probe(&pdev->dev, ret, "Failed to add gpiochip\n"); +-- +2.51.0 + 
diff --git a/queue-6.18/alsa-hda-cirrus_scodec_test-fix-test-suite-name.patch b/queue-6.18/alsa-hda-cirrus_scodec_test-fix-test-suite-name.patch new file mode 100644 index 0000000000..5e68b801b0 --- /dev/null +++ b/queue-6.18/alsa-hda-cirrus_scodec_test-fix-test-suite-name.patch @@ -0,0 +1,39 @@ +From db344b335832ba758b004045781ca8215d5d75ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 13:40:56 +0000 +Subject: ALSA: hda/cirrus_scodec_test: Fix test suite name + +From: Richard Fitzgerald + +[ Upstream commit 6a0243c4020636482797acfd48d7d9b0ea2f2a20 ] + +Change the test suite name string to "snd-hda-cirrus-scodec-test". + +It was incorrectly named "snd-hda-scodec-cs35l56-test", a leftover +from when the code under test was actually in the cs35l56 driver. + +Signed-off-by: Richard Fitzgerald +Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test") +Link: https://patch.msgid.link/20260113134056.619051-1-rf@opensource.cirrus.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c +index 159ac80a93144..dc35932b6b22f 100644 +--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c ++++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c +@@ -320,7 +320,7 @@ static struct kunit_case cirrus_scodec_test_cases[] = { + }; + + static struct kunit_suite cirrus_scodec_test_suite = { +- .name = "snd-hda-scodec-cs35l56-test", ++ .name = "snd-hda-cirrus-scodec-test", + .init = cirrus_scodec_test_case_init, + .test_cases = cirrus_scodec_test_cases, + }; +-- +2.51.0 + diff --git a/queue-6.18/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch b/queue-6.18/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch new file mode 100644 index 0000000000..61620e0e49 --- /dev/null 
+++ b/queue-6.18/asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch 
@@ -0,0 +1,52 @@ +From 10c5405fd300572fca13269451084d93b1ea8c76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 19:55:18 -0700 +Subject: ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type + +From: Cole Leavitt + +[ Upstream commit 390caeed0897fcac75f3c414dbdd85d593183d9c ] + +The CS42L43 codec's load detection can return different impedance values +that map to either HEADPHONE or LINEOUT jack types. However, the +soc_jack_pins array only maps SND_JACK_HEADPHONE to the "Headphone" DAPM +pin, not SND_JACK_LINEOUT. + +When headphones are detected with an impedance that maps to LINEOUT +(such as impedance value 0x2), the driver reports SND_JACK_LINEOUT. +Since this doesn't match the jack pin mask, the "Headphone" DAPM pin +is not activated, and no audio is routed to the headphone outputs. + +Fix by adding SND_JACK_LINEOUT to the Headphone pin mask, so that both +headphone and line-out detection properly enable the headphone output +path. + +This fixes no audio output on devices like the Lenovo ThinkPad P16 Gen 3 +where headphones are detected with LINEOUT impedance. 
+ +Fixes: d74bad3b7452 ("ASoC: intel: sof_sdw_cs42l43: Create separate jacks for hp and mic") +Reviewed-by: Charles Keepax +Signed-off-by: Cole Leavitt +Link: https://patch.msgid.link/20260114025518.28519-1-cole@unwrap.rs +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sdw_utils/soc_sdw_cs42l43.c b/sound/soc/sdw_utils/soc_sdw_cs42l43.c +index b415d45d520d0..3e8e2e3bdf7c5 100644 +--- a/sound/soc/sdw_utils/soc_sdw_cs42l43.c ++++ b/sound/soc/sdw_utils/soc_sdw_cs42l43.c +@@ -44,7 +44,7 @@ static const struct snd_soc_dapm_route cs42l43_dmic_map[] = { + static struct snd_soc_jack_pin soc_jack_pins[] = { + { + .pin = "Headphone", +- .mask = SND_JACK_HEADPHONE, ++ .mask = SND_JACK_HEADPHONE | SND_JACK_LINEOUT, + }, + { + .pin = "Headset Mic", +-- +2.51.0 + diff --git a/queue-6.18/asoc-tlv320adcx140-fix-null-pointer.patch b/queue-6.18/asoc-tlv320adcx140-fix-null-pointer.patch new file mode 100644 index 0000000000..7af3cfc670 --- /dev/null +++ b/queue-6.18/asoc-tlv320adcx140-fix-null-pointer.patch 
@@ -0,0 +1,55 @@ +From 9a0cfb6a5b1299d170c37d760866853d149a9001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:45 +0100 +Subject: ASoC: tlv320adcx140: fix null pointer + +From: Emil Svendsen + +[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ] + +The "snd_soc_component" in "adcx140_priv" was only used once but never +set. It was only used for reaching "dev" which is already present in +"adcx140_priv". + +Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index d594bf166c0e7..ccfec4c0c159a 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -23,7 +23,6 @@ + #include "tlv320adcx140.h" + + struct adcx140_priv { +- struct snd_soc_component *component; + struct regulator *supply_areg; + struct gpio_desc *gpio_reset; + struct regmap *regmap; +@@ -701,7 +700,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + { + int pwr_ctrl = 0; + int ret = 0; +- struct snd_soc_component *component = adcx140->component; + + if (power_state) + pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ; +@@ -713,7 +711,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB, + adcx140->phase_calib_on ? 0x00 : 0x40); + if (ret) +- dev_err(component->dev, "%s: register write error %d\n", ++ dev_err(adcx140->dev, "%s: register write error %d\n", + __func__, ret); + } + +-- +2.51.0 + 
diff --git a/queue-6.18/asoc-tlv320adcx140-fix-word-length.patch b/queue-6.18/asoc-tlv320adcx140-fix-word-length.patch new file mode 100644 index 0000000000..8dae213f79 --- /dev/null +++ b/queue-6.18/asoc-tlv320adcx140-fix-word-length.patch 
@@ -0,0 +1,50 @@ +From 5a3357b2a5f53c44fb9fb15b13213b97e20485f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:47 +0100 +Subject: ASoC: tlv320adcx140: fix word length + +From: Emil Svendsen + +[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ] + +The word length is the physical width of the channel slots. So the +hw_params would misconfigure when format width and physical width +doesn't match. Like S24_LE which has data width of 24 bits but physical +width of 32 bits. So if using asymmetric formats you will get a lot of +noise. + +Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index ccfec4c0c159a..62d936c2838c9 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -727,7 +727,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component); + u8 data = 0; + +- switch (params_width(params)) { ++ switch (params_physical_width(params)) { + case 16: + data = ADCX140_16_BIT_WORD; + break; +@@ -742,7 +742,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + break; + default: + dev_err(component->dev, "%s: Unsupported width %d\n", +- __func__, params_width(params)); ++ __func__, params_physical_width(params)); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.18/block-zero-non-pi-portion-of-auto-integrity-buffer.patch b/queue-6.18/block-zero-non-pi-portion-of-auto-integrity-buffer.patch new file mode 100644 index 0000000000..efbea0180b --- /dev/null 
+++ b/queue-6.18/block-zero-non-pi-portion-of-auto-integrity-buffer.patch @@ -0,0 +1,49 @@ +From eca93dba351323767e350574a8ca659fb8e5c162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 10:22:10 -0700 +Subject: block: zero non-PI portion of auto integrity buffer + +From: Caleb Sander Mateos + +[ Upstream commit ca22c566b89164f6e670af56ecc45f47ef3df819 ] + +The auto-generated integrity buffer for writes needs to be fully +initialized before being passed to the underlying block device, +otherwise the uninitialized memory can be read back by userspace or +anyone with physical access to the storage device. If protection +information is generated, that portion of the integrity buffer is +already initialized. The integrity data is also zeroed if PI generation +is disabled via sysfs or the PI tuple size is 0. However, this misses +the case where PI is generated and the PI tuple size is nonzero, but the +metadata size is larger than the PI tuple. In this case, the remainder +("opaque") of the metadata is left uninitialized. +Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the +metadata is larger than just the PI tuple. + +Signed-off-by: Caleb Sander Mateos +Fixes: c546d6f43833 ("block: only zero non-PI metadata tuples in bio_integrity_prep") +Reviewed-by: Anuj Gupta +Reviewed-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity-auto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/bio-integrity-auto.c b/block/bio-integrity-auto.c +index 687952f63bbbf..b8b7587be9679 100644 +--- a/block/bio-integrity-auto.c ++++ b/block/bio-integrity-auto.c +@@ -142,7 +142,7 @@ bool bio_integrity_prep(struct bio *bio) + return true; + set_flags = false; + gfp |= __GFP_ZERO; +- } else if (bi->csum_type == BLK_INTEGRITY_CSUM_NONE) ++ } else if (bi->metadata_size > bi->pi_tuple_size) + gfp |= __GFP_ZERO; + break; + default: +-- +2.51.0 + 
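Review bot: The new branch `} else if (bi->metadata_size > bi->pi_tuple_size)` in bio_integrity_prep() is what keeps uninitialised allocator memory from being written to the device, yet the code says nothing about why the comparison is there. A comment inside the branch, such as `/* PI generation fills only the PI tuple; zero the rest of the metadata so no stale memory is written out */`, would keep the check from being narrowed again. That happened with the `BLK_INTEGRITY_CSUM_NONE` test this commit replaces. The branch body is also left unbraced after a braced `if` arm, so adding braces around `gfp |= __GFP_ZERO;` would match kernel style and give the comment a place to sit. Only part of the enclosing switch is visible in the hunk.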
diff --git a/queue-6.18/bluetooth-hci_sync-enable-pa-sync-lost-event.patch b/queue-6.18/bluetooth-hci_sync-enable-pa-sync-lost-event.patch new file mode 100644 index 0000000000..fc42fa3cec --- /dev/null +++ b/queue-6.18/bluetooth-hci_sync-enable-pa-sync-lost-event.patch @@ -0,0 +1,35 @@ +From d290e5779642d0544bad78026fafd10aab19ede4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:43:09 +0800 +Subject: Bluetooth: hci_sync: enable PA Sync Lost event + +From: Yang Li + +[ Upstream commit ab749bfe6a1fc233213f2d00facea5233139d509 ] + +Enable the PA Sync Lost event mask to ensure PA sync loss is properly +reported and handled. + +Fixes: 485e0626e587 ("Bluetooth: hci_event: Fix not handling PA Sync Lost event") +Signed-off-by: Yang Li +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index 6e76798ec786b..f5896c023a9fa 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -4402,6 +4402,7 @@ static int hci_le_set_event_mask_sync(struct hci_dev *hdev) + if (bis_capable(hdev)) { + events[1] |= 0x20; /* LE PA Report */ + events[1] |= 0x40; /* LE PA Sync Established */ ++ events[1] |= 0x80; /* LE PA Sync Lost */ + events[3] |= 0x04; /* LE Create BIG Complete */ + events[3] |= 0x08; /* LE Terminate BIG Complete */ + events[3] |= 0x10; /* LE BIG Sync Established */ +-- +2.51.0 + diff --git a/queue-6.18/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch b/queue-6.18/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch new file mode 100644 index 0000000000..217378a7b3 --- /dev/null +++ b/queue-6.18/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch 
@@ -0,0 +1,61 @@
+From a91bc7e5733820305048fd6a785502faa52b731c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 85c466c85910a..a6f94e9f55915 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -305,18 +305,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ 0);
+
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
diff --git a/queue-6.18/btrfs-release-path-before-iget_failed-in-btrfs_read_.patch b/queue-6.18/btrfs-release-path-before-iget_failed-in-btrfs_read_.patch
new file mode 100644
index 0000000000..785405bf39
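Review bot: The second `goto out_free` frees `space_info` after btrfs_sysfs_add_space_info_type() has already failed on it, and that helper is not shown in the hunk. If it initialises the embedded kobject and drops the reference on failure, and the kobject release callback frees the structure, then `kfree(space_info)` at `out_free` would free it a second time. Please confirm who owns the object on that path; if the helper releases it, that site should stay `return ret;` and only the sub-group failure should jump to `out_free`. The label also does not undo a sub-group that was created successfully before the sysfs call failed, which may leave that allocation behind. create_space_info() starts above the hunk, so the allocation itself is not visible here.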
--- /dev/null +++ b/queue-6.18/btrfs-release-path-before-iget_failed-in-btrfs_read_.patch 
@@ -0,0 +1,166 @@ +From e3069bed77b28a84e0ee8197ac1c3f5fca03d6fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:26:02 +0000 +Subject: btrfs: release path before iget_failed() in btrfs_read_locked_inode() + +From: Filipe Manana + +[ Upstream commit 1e1f2055ad5a7a5d548789b334a4473a7665c418 ] + +In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to +the 'out' label with a path that has a read locked leaf and then we call +iget_failed(). This can result in a ABBA deadlock, since iget_failed() +triggers inode eviction and that causes the release of the delayed inode, +which must lock the delayed inode's mutex, and a task updating a delayed +inode starts by taking the node's mutex and then modifying the inode's +subvolume btree. + +Syzbot reported the following lockdep splat for this: + + ====================================================== + WARNING: possible circular locking dependency detected + syzkaller #0 Not tainted + ------------------------------------------------------ + btrfs-cleaner/8725 is trying to acquire lock: + ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 + + but task is already holding lock: + ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #1 (btrfs-tree-00){++++}-{4:4}: + __lock_release kernel/locking/lockdep.c:5574 [inline] + lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 + up_read+0x24/0x3c kernel/locking/rwsem.c:1632 + btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 + btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline] + btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 + btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 + __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 + btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline] + __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 + __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 + btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 + flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 + do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 + btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 + process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 + process_scheduled_works kernel/workqueue.c:3346 [inline] + worker_thread+0x958/0xed8 kernel/workqueue.c:3427 + kthread+0x5fc/0x75c kernel/kthread.c:463 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 + + -> #0 (&delayed_node->mutex){+.+.}-{4:4}: + check_prev_add kernel/locking/lockdep.c:3165 [inline] + check_prevs_add kernel/locking/lockdep.c:3284 [inline] + validate_chain kernel/locking/lockdep.c:3908 [inline] + __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 + lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 + __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 + __mutex_lock kernel/locking/mutex.c:760 [inline] + mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 + __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 + btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] + btrfs_remove_delayed_node+0x68/0x84 
fs/btrfs/delayed-inode.c:1326 + btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 + evict+0x414/0x928 fs/inode.c:810 + iput_final fs/inode.c:1914 [inline] + iput+0x95c/0xad4 fs/inode.c:1966 + iget_failed+0xec/0x134 fs/bad_inode.c:248 + btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 + btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 + btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] + btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309 + cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516 + kthread+0x5fc/0x75c kernel/kthread.c:463 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + rlock(btrfs-tree-00); + lock(&delayed_node->mutex); + lock(btrfs-tree-00); + lock(&delayed_node->mutex); + + *** DEADLOCK *** + + 1 lock held by btrfs-cleaner/8725: + #0: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 + + stack backtrace: + CPU: 0 UID: 0 PID: 8725 Comm: btrfs-cleaner Not tainted syzkaller #0 PREEMPT + Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 + Call trace: + show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) + __dump_stack+0x30/0x40 lib/dump_stack.c:94 + dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 + dump_stack+0x1c/0x28 lib/dump_stack.c:129 + print_circular_bug+0x324/0x32c kernel/locking/lockdep.c:2043 + check_noncircular+0x154/0x174 kernel/locking/lockdep.c:2175 + check_prev_add kernel/locking/lockdep.c:3165 [inline] + check_prevs_add kernel/locking/lockdep.c:3284 [inline] + validate_chain kernel/locking/lockdep.c:3908 [inline] + __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 + lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 + __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 + __mutex_lock kernel/locking/mutex.c:760 [inline] + mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 + 
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 + btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline] + btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 + btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 + evict+0x414/0x928 fs/inode.c:810 + iput_final fs/inode.c:1914 [inline] + iput+0x95c/0xad4 fs/inode.c:1966 + iget_failed+0xec/0x134 fs/bad_inode.c:248 + btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 + btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 + btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline] + btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309 + cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516 + kthread+0x5fc/0x75c kernel/kthread.c:463 + ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 + +Fix this by releasing the path before calling iget_failed(). + +Reported-by: syzbot+c1c6edb02bea1da754d8@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/694530c2.a70a0220.207337.010d.GAE@google.com/ +Fixes: 69673992b1ae ("btrfs: push cleanup into btrfs_read_locked_inode()") +Reviewed-by: Boris Burkov +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 27a562bad6e87..1af9b05328ce8 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -4108,6 +4108,15 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path + + return 0; + out: ++ /* ++ * We may have a read locked leaf and iget_failed() triggers inode ++ * eviction which needs to release the delayed inode and that needs ++ * to lock the delayed inode's mutex. This can cause a ABBA deadlock ++ * with a task running delayed items, as that require first locking ++ * the delayed inode's mutex and then modifying its subvolume btree. ++ * So release the path before iget_failed(). 
++ */ ++ btrfs_release_path(path); + iget_failed(vfs_inode); + return ret; + } +-- +2.51.0 + diff --git a/queue-6.18/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-6.18/btrfs-send-check-for-inline-extents-in-range_is_hole.patch new file mode 100644 index 0000000000..43d1dfce98 --- /dev/null +++ b/queue-6.18/btrfs-send-check-for-inline-extents-in-range_is_hole.patch @@ -0,0 +1,44 @@ +From a658b467a7318130ecc2f28276a197ebd4402b7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 20:26:40 +1030 +Subject: btrfs: send: check for inline extents in range_is_hole_in_parent() + +From: Qu Wenruo + +[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ] + +Before accessing the disk_bytenr field of a file extent item we need +to check if we are dealing with an inline extent. +This is because for inline extents their data starts at the offset of +the disk_bytenr field. So accessing the disk_bytenr +means we are accessing inline data or in case the inline data is less +than 8 bytes we can actually cause an invalid +memory access if this inline extent item is the first item in the leaf +or access metadata from other items. + +Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/send.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c +index 96a030d28e091..9012ce7a742f4 100644 +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -6399,6 +6399,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx, + extent_end = btrfs_file_extent_end(path); + if (extent_end <= start) + goto next; ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) ++ return 0; + if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) { + search_start = extent_end; + goto next; +-- +2.51.0 + 
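Review bot: The comment added above `btrfs_release_path(path)` is hard to parse where it matters most: "a ABBA deadlock" and "as that require first locking" obscure which lock each side takes first. Stating the two orders directly would read better, e.g. `/* Eviction takes delayed_node->mutex; a task running delayed items takes that mutex and then locks the leaf. Drop our leaf lock first. */`. The `out:` label is reached from code above the hunk, so whether every jump there still holds a locked leaf cannot be seen here.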
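Review bot: The added `return 0;` leaves range_is_hole_in_parent() from inside its search loop, and the hunk does not show how `path` is released. If this tree frees the path at an exit label rather than through a scope-based cleanup declaration, the early return skips that and leaks the path for every inline extent; in that case the line should set the result and jump to the existing exit instead. A one-line comment such as `/* inline data overlays disk_bytenr, so the field must not be read */` would also keep the two checks from being reordered later. The function starts and ends outside the hunk.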
diff --git a/queue-6.18/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch b/queue-6.18/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch new file mode 100644 index 0000000000..95af9dd515 --- /dev/null +++ b/queue-6.18/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch 
@@ -0,0 +1,50 @@
+From 8ee486ae08b35cc73abb3243e23ad921cc436dc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Dec 2025 02:17:32 +0100
+Subject: can: etas_es58x: allow partial RX URB allocation to succeed
+
+From: Szymon Wilczek
+
+[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
+
+When es58x_alloc_rx_urbs() fails to allocate the requested number of
+URBs but succeeds in allocating some, it returns an error code.
+This causes es58x_open() to return early, skipping the cleanup label
+'free_urbs', which leads to the anchored URBs being leaked.
+
+As pointed out by maintainer Vincent Mailhol, the driver is designed
+to handle partial URB allocation gracefully. Therefore, partial
+allocation should not be treated as a fatal error.
+
+Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
+allocated, restoring the intended behavior and preventing the leak
+in es58x_open().
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
+Signed-off-by: Szymon Wilczek
+Reviewed-by: Vincent Mailhol
+Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index adc91873c083f..6eeba9baa1317 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
+ dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
+ __func__, i, rx_buf_len);
+
+- return ret;
++ return 0;
+ }
+
+ /**
+--
+2.51.0
+
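Review bot: Returning the literal `0` after the `dev_dbg()` in es58x_alloc_rx_urbs() discards whatever error a failed iteration left in `ret`, and nothing at the site says that this is intended. A comment such as `/* partial allocation is fine: the driver runs with fewer rx URBs */` would stop the line from being changed back to `return ret;`. The shortfall is reported only at debug level, so a degraded receive path is invisible in normal logs; consider a warning when fewer URBs than requested were set up. The zero-URB check that the commit message relies on is above the hunk and could not be verified here.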
diff --git a/queue-6.18/cxl-hdm-fix-potential-infinite-loop-in-__cxl_dpa_res.patch b/queue-6.18/cxl-hdm-fix-potential-infinite-loop-in-__cxl_dpa_res.patch
new file mode 100644
index 0000000000..a1ea24fa50
--- /dev/null
+++ b/queue-6.18/cxl-hdm-fix-potential-infinite-loop-in-__cxl_dpa_res.patch
@@ -0,0 +1,44 @@
+From 0cb37efea4eee23b477ac643b5625cbe3753ace6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 20:05:26 +0800
+Subject: cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
+
+From: Li Ming
+
+[ Upstream commit d4026a44626490dc4eca4dd2c4d0816338fa179b ]
+
+In __cxl_dpa_reserve(), it will check if the new resource range is
+included in one of paritions of the cxl memory device.
+cxlds->nr_paritions is used to represent how many partitions information
+the cxl memory device has. In the loop, if driver cannot find a
+partition including the new resource range, it will be an infinite loop.
+
+[ dj: Removed incorrect fixes tag ]
+
+Fixes: 991d98f17d31 ("cxl: Make cxl_dpa_alloc() DPA partition number agnostic")
+Signed-off-by: Li Ming
+Reviewed-by: Ira Weiny
+Reviewed-by: Dave Jiang
+Link: https://patch.msgid.link/20260112120526.530232-1-ming.li@zohomail.com
+Signed-off-by: Dave Jiang
+Signed-off-by: Sasha Levin
+---
+ drivers/cxl/core/hdm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
+index d3a094ca01ad9..20dd638108062 100644
+--- a/drivers/cxl/core/hdm.c
++++ b/drivers/cxl/core/hdm.c
+@@ -403,7 +403,7 @@ static int __cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
+ * is not set.
+ */
+ if (cxled->part < 0)
+- for (int i = 0; cxlds->nr_partitions; i++)
++ for (int i = 0; i < cxlds->nr_partitions; i++)
+ if (resource_contains(&cxlds->part[i].res, res)) {
+ cxled->part = i;
+ break;
+--
+2.51.0
+
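Review bot: With the bound `i < cxlds->nr_partitions` the loop in __cxl_dpa_reserve() can end without a match and leave `cxled->part` negative, and the hunk does not show what the rest of the function does in that case. Any later use of `cxled->part` as an index would then see a negative value, so please confirm the code after the loop rejects or reports the miss. The nested `for`/`if` also has braces only on the innermost statement; bracing the outer `if` and the `for` would make the multi-line body safer to extend. The function begins and ends outside the hunk.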
diff --git a/queue-6.18/cxl-port-fix-target-list-setup-for-multiple-decoders.patch b/queue-6.18/cxl-port-fix-target-list-setup-for-multiple-decoders.patch new file mode 100644 index 0000000000..6512476a2c --- /dev/null +++ b/queue-6.18/cxl-port-fix-target-list-setup-for-multiple-decoders.patch 
@@ -0,0 +1,111 @@ +From 6d5c8c5a4c63e633a41281138bc56e0e7ef0c1e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 11:13:23 +0100 +Subject: cxl/port: Fix target list setup for multiple decoders sharing the + same dport + +From: Robert Richter + +[ Upstream commit 3e8aaacdad4f66641f87ab441fe644b45f8ebdff ] + +If a switch port has more than one decoder that is using the same +downstream port, the enumeration of the target lists may fail with: + + # dmesg | grep target.list + update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3 + update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2 + update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0 + update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1 + update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1 + cxl_mem mem6: failed to find endpoint12:0000:00:01.4 in target list of decoder2.1 + cxl_mem mem8: failed to find endpoint13:0000:20:01.4 in target list of decoder4.1 + +The case, that the same downstream port can be used in multiple target +lists, is allowed and possible. + +Fix the update of the target list. Enumerate all children of the +switch port and do not stop the iteration after the first matching +target was found. 
+ +With the fix applied: + + # dmesg | grep target.list + update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2 + update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0 + update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3 + update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1 + update_decoder_targets: cxl decoder2.1: dport3 found in target list, index 1 + update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1 + update_decoder_targets: cxl decoder4.1: dport3 found in target list, index 1 + +Analyzing the conditions when this happens: + +1) A dport is shared by multiple decoders. + +2) The decoders have interleaving configured (ways > 1). + +The configuration above has the following hierarchy details (fixed +version): + + root0 + |_ + | | + | decoder0.1 + | ways: 2 + | target_list: 0,1 + |_______________________________________ + | | + | dport0 | dport1 + | | + port2 port4 + | | + |___________________ |_____________________ + | | | | | | + | decoder2.0 decoder2.1 | decoder4.0 decoder4.1 + | ways: 2 ways: 2 | ways: 2 ways: 2 + | target_list: 2,3 target_list: 2,3 | target_list: 2,3 target_list: 2,3 + |___________________ |___________________ + | | | | + | dport2 | dport3 | dport2 | dport3 + | | | | + endpoint7 endpoint12 endpoint9 endpoint13 + |_ |_ |_ |_ + | | | | | | | | + | decoder7.0 | decoder12.0 | decoder9.0 | decoder13.0 + | decoder7.2 | decoder12.2 | decoder9.2 | decoder13.2 + | | | | + mem3 mem5 mem6 mem8 + +Note: Device numbers vary for every boot. + +Current kernel fails to enumerate endpoint12 and endpoint13 as the +target list is not updated for the second decoder. 
+ +Fixes: 4f06d81e7c6a ("cxl: Defer dport allocation for switch ports") +Reviewed-by: Dave Jiang +Reviewed-by: Alison Schofield +Reviewed-by: Jonathan Cameron +Signed-off-by: Robert Richter +Link: https://patch.msgid.link/20260108101324.509667-1-rrichter@amd.com +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/cxl/core/port.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c +index 8128fd2b5b317..804e4a48540f6 100644 +--- a/drivers/cxl/core/port.c ++++ b/drivers/cxl/core/port.c +@@ -1591,7 +1591,7 @@ static int update_decoder_targets(struct device *dev, void *data) + cxlsd->target[i] = dport; + dev_dbg(dev, "dport%d found in target list, index %d\n", + dport->port_id, i); +- return 1; ++ return 0; + } + } + +-- +2.51.0 + diff --git a/queue-6.18/dmaengine-mmp_pdma-fix-dma-mask-handling.patch b/queue-6.18/dmaengine-mmp_pdma-fix-dma-mask-handling.patch new file mode 100644 index 0000000000..0a6301e250 --- /dev/null +++ b/queue-6.18/dmaengine-mmp_pdma-fix-dma-mask-handling.patch 
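Review bot: The changed `return 0;` in update_decoder_targets() presumably relies on a non-zero return from this callback stopping the child iteration, but nothing at the site says so. A comment such as `/* keep iterating: the same dport can be a target of several decoders */` would explain why a match no longer ends the walk. If any caller used the previous non-zero result to learn that a target was found, it now always sees zero; the call site is outside the hunk, so this should be checked. update_decoder_targets() starts above the hunk.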
@@ -0,0 +1,109 @@ +From 62dba1dd845c71cdbcbeb5ea54a22eccc75b6817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 22:27:27 +0800 +Subject: dmaengine: mmp_pdma: fix DMA mask handling + +From: Guodong Xu + +[ Upstream commit 49400b701eca849c1b53717b1f5d779a8d066ec0 ] + +The driver's existing logic for setting the DMA mask for "marvell,pdma-1.0" +was flawed. It incorrectly relied on pdev->dev->coherent_dma_mask instead +of declaring the hardware's fixed addressing capability. A cleaner and +more correct approach is to define the mask directly based on the hardware +limitations. + +The MMP/PXA PDMA controller is a 32-bit DMA engine. This is supported by +datasheets and various dtsi files for PXA25x, PXA27x, PXA3xx, and MMP2, +all of which are 32-bit systems. + +This patch simplifies the driver's logic by replacing the 'u64 dma_mask' +field with a simpler 'u32 dma_width' to store the addressing capability +in bits. The complex if/else block in probe() is then replaced with a +single, clear call to dma_set_mask_and_coherent(). This sets a fixed +32-bit DMA mask for "marvell,pdma-1.0" and a 64-bit mask for +"spacemit,k1-pdma," matching each device's hardware capabilities. + +Finally, this change also works around a specific build error encountered +with clang-20 on x86_64 allyesconfig. The shift-count-overflow error is +caused by a known clang compiler issue where the DMA_BIT_MASK(n) macro's +ternary operator is not correctly evaluated in static initializers. By +moving the macro's evaluation into the probe() function, the driver avoids +this compiler bug. 
+ +Fixes: 5cfe585d8624 ("dmaengine: mmp_pdma: Add SpacemiT K1 PDMA support with 64-bit addressing") +Reported-by: Naresh Kamboju +Closes: https://lore.kernel.org/lkml/CA+G9fYsPcMfW-e_0_TRqu4cnwqOqYF3aJOeKUYk6Z4qRStdFvg@mail.gmail.com +Suggested-by: Arnd Bergmann +Signed-off-by: Guodong Xu +Reviewed-by: Arnd Bergmann +Tested-by: Nathan Chancellor # build +Tested-by: Naresh Kamboju +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_pdma.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index d07229a748868..86661eb3cde1f 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -152,8 +152,8 @@ struct mmp_pdma_phy { + * + * Controller Configuration: + * @run_bits: Control bits in DCSR register for channel start/stop +- * @dma_mask: DMA addressing capability of controller. 0 to use OF/platform +- * settings, or explicit mask like DMA_BIT_MASK(32/64) ++ * @dma_width: DMA addressing width in bits (32 or 64). Determines the ++ * DMA mask capability of the controller hardware. 
+ */ + struct mmp_pdma_ops { + /* Hardware Register Operations */ +@@ -173,7 +173,7 @@ struct mmp_pdma_ops { + + /* Controller Configuration */ + u32 run_bits; +- u64 dma_mask; ++ u32 dma_width; + }; + + struct mmp_pdma_device { +@@ -1172,7 +1172,7 @@ static const struct mmp_pdma_ops marvell_pdma_v1_ops = { + .get_desc_src_addr = get_desc_src_addr_32, + .get_desc_dst_addr = get_desc_dst_addr_32, + .run_bits = (DCSR_RUN), +- .dma_mask = 0, /* let OF/platform set DMA mask */ ++ .dma_width = 32, + }; + + static const struct mmp_pdma_ops spacemit_k1_pdma_ops = { +@@ -1185,7 +1185,7 @@ static const struct mmp_pdma_ops spacemit_k1_pdma_ops = { + .get_desc_src_addr = get_desc_src_addr_64, + .get_desc_dst_addr = get_desc_dst_addr_64, + .run_bits = (DCSR_RUN | DCSR_LPAEEN), +- .dma_mask = DMA_BIT_MASK(64), /* force 64-bit DMA addr capability */ ++ .dma_width = 64, + }; + + static const struct of_device_id mmp_pdma_dt_ids[] = { +@@ -1314,13 +1314,9 @@ static int mmp_pdma_probe(struct platform_device *op) + pdev->device.directions = BIT(DMA_MEM_TO_DEV) | BIT(DMA_DEV_TO_MEM); + pdev->device.residue_granularity = DMA_RESIDUE_GRANULARITY_DESCRIPTOR; + +- /* Set DMA mask based on ops->dma_mask, or OF/platform */ +- if (pdev->ops->dma_mask) +- dma_set_mask(pdev->dev, pdev->ops->dma_mask); +- else if (pdev->dev->coherent_dma_mask) +- dma_set_mask(pdev->dev, pdev->dev->coherent_dma_mask); +- else +- dma_set_mask(pdev->dev, DMA_BIT_MASK(64)); ++ /* Set DMA mask based on controller hardware capabilities */ ++ dma_set_mask_and_coherent(pdev->dev, ++ DMA_BIT_MASK(pdev->ops->dma_width)); + + ret = dma_async_device_register(&pdev->device); + if (ret) { +-- +2.51.0 + diff --git a/queue-6.18/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-6.18/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch new file mode 100644 index 0000000000..a586601403 --- /dev/null +++ b/queue-6.18/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch 
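Review bot: The return value of `dma_set_mask_and_coherent()` in the mmp_pdma_probe() hunk is ignored, so a platform that cannot honour the requested width goes on to register the DMA device with whatever mask it had before. `ret` is already assigned a few lines later, so the call can be checked with `ret = dma_set_mask_and_coherent(pdev->dev, DMA_BIT_MASK(pdev->ops->dma_width));` followed by `if (ret) return ret;`. mmp_pdma_probe() starts and ends outside the hunk, so any cleanup needed before that early return is not visible and should be confirmed.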
@@ -0,0 +1,50 @@ +From a88ef02bc732144972eeace0c6556c2abe3909ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 15:30:18 +0800 +Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths + +From: Haotian Zhang + +[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ] + +The dma_pool created by dma_pool_create() is not destroyed when +dma_async_device_register() or of_dma_controller_register() fails, +causing a resource leak in the probe error paths. + +Add dma_pool_destroy() in both error paths to properly release the +allocated dma_pool resource. + +Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/omap-dma.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c +index 8c023c6e623a5..73ed4b7946304 100644 +--- a/drivers/dma/ti/omap-dma.c ++++ b/drivers/dma/ti/omap-dma.c +@@ -1808,6 +1808,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n", + rc); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + return rc; + } +@@ -1823,6 +1825,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register DMA controller\n"); + dma_async_device_unregister(&od->ddev); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + } + } +-- +2.51.0 + diff --git a/queue-6.18/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-6.18/dmaengine-tegra-adma-fix-use-after-free.patch new file mode 100644 index 0000000000..a617e8853c --- /dev/null +++ b/queue-6.18/dmaengine-tegra-adma-fix-use-after-free.patch 
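Review bot: The same two-line `dma_pool_destroy()` cleanup is pasted into both error paths of omap_dma_probe(), so every future failure branch has to remember it as well. Moving the pool teardown to a single place, for instance a shared error label or next to `omap_dma_free(od)`, would keep the paths from diverging again. The `od->ll123_supported` guard presumably reflects that `desc_pool` is only created in that mode; if the field is NULL otherwise, the guard is redundant because dma_pool_destroy() accepts NULL. omap_dma_probe() begins outside the hunk, so where the pool is created and whether the remove path destroys it could not be checked.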
@@ -0,0 +1,110 @@ +From 2c44dea761eed0944c308c61710d14a15bc1c01a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 19:54:45 +0530 +Subject: dmaengine: tegra-adma: Fix use-after-free + +From: Sheetal + +[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ] + +A use-after-free bug exists in the Tegra ADMA driver when audio streams +are terminated, particularly during XRUN conditions. The issue occurs +when the DMA buffer is freed by tegra_adma_terminate_all() before the +vchan completion tasklet finishes accessing it. + +The race condition follows this sequence: + + 1. DMA transfer completes, triggering an interrupt that schedules the + completion tasklet (tasklet has not executed yet) + 2. Audio playback stops, calling tegra_adma_terminate_all() which + frees the DMA buffer memory via kfree() + 3. The scheduled tasklet finally executes, calling vchan_complete() + which attempts to access the already-freed memory + +Since tasklets can execute at any time after being scheduled, there is +no guarantee that the buffer will remain valid when vchan_complete() +runs. + +Fix this by properly synchronizing the virtual channel completion: + - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the + descriptors as terminated instead of freeing the descriptor. + - Add the callback tegra_adma_synchronize() that calls + vchan_synchronize() which kills any pending tasklets and frees any + terminated descriptors. 
+ +Crash logs: +[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 +[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 + +[ 337.427562] Call trace: +[ 337.427564] dump_backtrace+0x0/0x320 +[ 337.427571] show_stack+0x20/0x30 +[ 337.427575] dump_stack_lvl+0x68/0x84 +[ 337.427584] print_address_description.constprop.0+0x74/0x2b8 +[ 337.427590] kasan_report+0x1f4/0x210 +[ 337.427598] __asan_load8+0xa0/0xd0 +[ 337.427603] vchan_complete+0x124/0x3b0 +[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 +[ 337.427617] tasklet_action+0x30/0x40 +[ 337.427623] __do_softirq+0x1a0/0x5c4 +[ 337.427628] irq_exit+0x110/0x140 +[ 337.427633] handle_domain_irq+0xa4/0xe0 +[ 337.427640] gic_handle_irq+0x64/0x160 +[ 337.427644] call_on_irq_stack+0x20/0x4c +[ 337.427649] do_interrupt_handler+0x7c/0x90 +[ 337.427654] el1_interrupt+0x30/0x80 +[ 337.427659] el1h_64_irq_handler+0x18/0x30 +[ 337.427663] el1h_64_irq+0x7c/0x80 +[ 337.427667] cpuidle_enter_state+0xe4/0x540 +[ 337.427674] cpuidle_enter+0x54/0x80 +[ 337.427679] do_idle+0x2e0/0x380 +[ 337.427685] cpu_startup_entry+0x2c/0x70 +[ 337.427690] rest_init+0x114/0x130 +[ 337.427695] arch_call_rest_init+0x18/0x24 +[ 337.427702] start_kernel+0x380/0x3b4 +[ 337.427706] __primary_switched+0xc0/0xc8 + +Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA") +Signed-off-by: Sheetal +Acked-by: Thierry Reding +Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index fad896ff29a2d..812f64569e6d8 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -429,10 +429,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc) + return; + } + +- kfree(tdc->desc); ++ vchan_terminate_vdesc(&tdc->desc->vd); + 
tdc->desc = NULL; + } + ++static void tegra_adma_synchronize(struct dma_chan *dc) ++{ ++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc); ++ ++ vchan_synchronize(&tdc->vc); ++} ++ + static void tegra_adma_start(struct tegra_adma_chan *tdc) + { + struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc); +@@ -1155,6 +1162,7 @@ static int tegra_adma_probe(struct platform_device *pdev) + tdma->dma_dev.device_config = tegra_adma_slave_config; + tdma->dma_dev.device_tx_status = tegra_adma_tx_status; + tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all; ++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize; + tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); +-- +2.51.0 + diff --git a/queue-6.18/dmaengine-xilinx-xdma-fix-regmap-max_register.patch b/queue-6.18/dmaengine-xilinx-xdma-fix-regmap-max_register.patch new file mode 100644 index 0000000000..d4ba7fcc1d --- /dev/null +++ b/queue-6.18/dmaengine-xilinx-xdma-fix-regmap-max_register.patch 
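Review bot: `vchan_terminate_vdesc(&tdc->desc->vd)` in tegra_adma_stop() dereferences `tdc->desc`, whereas the `kfree(tdc->desc)` it replaces tolerated NULL. The callers are outside the hunk, so please confirm each one checks `tdc->desc` first, or guard the call with `if (tdc->desc) vchan_terminate_vdesc(&tdc->desc->vd);`. The helper is also documented to require the virtual channel lock to be held, which the hunk cannot show. The early `return` on the stop-timeout path just above still leaves `tdc->desc` set and not terminated; a comment saying that is deliberate would help. tegra_adma_stop() starts above the hunk.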
@@ -0,0 +1,85 @@
+From 664e7ac05f45daea74da0fb26b8ce378e2181bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 13 Oct 2025 17:48:49 +0200
+Subject: dmaengine: xilinx: xdma: Fix regmap max_register
+
+From: Anthony Brandon
+
+[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
+
+The max_register field is assigned the size of the register memory
+region instead of the offset of the last register.
+The result is that reading from the regmap via debugfs can cause
+a segmentation fault:
+
+tail /sys/kernel/debug/regmap/xdma.1.auto/registers
+Unable to handle kernel paging request at virtual address ffff800082f70000
+Mem abort info:
+ ESR = 0x0000000096000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+[...]
+Call trace:
+ regmap_mmio_read32le+0x10/0x30
+ _regmap_bus_reg_read+0x74/0xc0
+ _regmap_read+0x68/0x198
+ regmap_read+0x54/0x88
+ regmap_read_debugfs+0x140/0x380
+ regmap_map_read_file+0x30/0x48
+ full_proxy_read+0x68/0xc8
+ vfs_read+0xcc/0x310
+ ksys_read+0x7c/0x120
+ __arm64_sys_read+0x24/0x40
+ invoke_syscall.constprop.0+0x64/0x108
+ do_el0_svc+0xb0/0xd8
+ el0_svc+0x38/0x130
+ el0t_64_sync_handler+0x120/0x138
+ el0t_64_sync+0x194/0x198
+Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
+---[ end trace 0000000000000000 ]---
+note: tail[1217] exited with irqs disabled
+note: tail[1217] exited with preempt_count 1
+Segmentation fault
+
+Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
+Reviewed-by: Lizhi Hou
+Reviewed-by: Radhey Shyam Pandey
+Reviewed-by: Alexander Stein
+Signed-off-by: Anthony Brandon
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xdma-regs.h | 1 +
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
+index 6ad08878e9386..70bca92621aa4 100644
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -9,6 +9,7 @@
+
+ /* The length of register space exposed to host */
+ #define XDMA_REG_SPACE_LEN 65536
++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
+
+ /*
+ * maximum number of DMA channels for each direction:
+diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
+index 0d88b1a670e14..5ecf8223c112e 100644
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
+ .reg_bits = 32,
+ .val_bits = 32,
+ .reg_stride = 4,
+- .max_register = XDMA_REG_SPACE_LEN,
++ .max_register = XDMA_MAX_REG_OFFSET,
+ };
+
+ /**
+--
+2.51.0
+
diff --git a/queue-6.18/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-6.18/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
new file mode 100644
index 0000000000..449a2032f2
--- /dev/null
+++ b/queue-6.18/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
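Review bot: `XDMA_MAX_REG_OFFSET` in xdma-regs.h hard-codes `- 4`, the same value as `.reg_stride = 4` in `xdma_regmap_config` in xdma.c, and nothing ties the two together. `max_register` is the bound regmap uses to refuse out-of-range offsets, and the quoted trace shows a debugfs register dump faulting in `regmap_mmio_read32le` when that bound is too large, so the relationship is worth one line above the new define: `/* Offset of the last 32-bit register: space length minus the regmap reg_stride */`.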
@@ -0,0 +1,61 @@
+From a27d857a73fd224bbd87933bfa477daa6a1fb7f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Oct 2025 00:00:06 +0530
+Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when
+ "xlnx,addrwidth" property is missing
+
+From: Suraj Gupta
+
+[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
+
+When device tree lacks optional "xlnx,addrwidth" property, the addr_width
+variable remained uninitialized with garbage values, causing incorrect
+DMA mask configuration and subsequent probe failure. The fix ensures a
+fallback to the default 32-bit address width when this property is missing.
+
+Signed-off-by: Suraj Gupta
+Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
+Reviewed-by: Radhey Shyam Pandey
+Reviewed-by: Folker Schwesinger
+Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index fabff602065f6..89a8254d9cdc6 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -131,6 +131,7 @@
+ #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
+ #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
+ #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
+
+ #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
+ (XILINX_DMA_DMASR_FRM_CNT_IRQ | \
+@@ -3159,7 +3160,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ struct device_node *node = pdev->dev.of_node;
+ struct xilinx_dma_device *xdev;
+ struct device_node *child, *np = pdev->dev.of_node;
+- u32 num_frames, addr_width, len_width;
++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
+ int i, err;
+
+ /* Allocate and initialize the DMA engine structure */
+@@ -3235,7 +3236,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+
+ err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
+ if (err < 0)
+- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
++ dev_warn(xdev->dev,
++ "missing xlnx,addrwidth property, using default value %d\n",
++ XILINX_DMA_DFAULT_ADDRWIDTH);
+
+ if (addr_width > 32)
+ xdev->ext_addr = true;
+--
+2.51.0
+
diff --git a/queue-6.18/drivers-dax-add-some-missing-kerneldoc-comment-field.patch b/queue-6.18/drivers-dax-add-some-missing-kerneldoc-comment-field.patch
new file mode 100644
index 0000000000..812fe3aab7
--- /dev/null
+++ b/queue-6.18/drivers-dax-add-some-missing-kerneldoc-comment-field.patch
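Review bot: In xilinx_dma_probe() the new default covers a missing "xlnx,addrwidth", but a property that is present still reaches `if (addr_width > 32)` with no range check, so a device-tree value of 0 or above 64 is accepted unchanged. The commit message says this value feeds the DMA mask configuration (that code is outside the hunk), where an out-of-range width would presumably give a wrong mask; a guard such as `if (addr_width == 0 || addr_width > 64)` that fails through probe's existing error path would close that. The new macro is also spelled `XILINX_DMA_DFAULT_ADDRWIDTH`, and `XILINX_DMA_DEFAULT_ADDRWIDTH` would be easier to find. The function body continues outside both hunks.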
@@ -0,0 +1,57 @@
+From c1cbf7644efabf96b90826ae965c1155a653aaac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Jan 2026 13:18:04 -0600
+Subject: drivers/dax: add some missing kerneldoc comment fields for struct
+ dev_dax
+
+From: John Groves
+
+[ Upstream commit 3e8e590fd65d0572584ab7bba89a35e6d19931f1 ]
+
+Add the missing @align and @memmap_on_memory fields to kerneldoc comment
+header for struct dev_dax.
+
+Also, some other fields were followed by '-' and others by ':'. Fix all
+to be ':' for actual kerneldoc compliance.
+
+Link: https://lkml.kernel.org/r/20260110191804.5739-1-john@groves.net
+Fixes: 33cf94d71766 ("device-dax: make align a per-device property")
+Fixes: 4eca0ef49af9 ("dax/kmem: allow kmem to add memory with memmap_on_memory")
+Signed-off-by: John Groves
+Cc: Dan Williams
+Cc: Joao Martins
+Cc: Vishal Verma
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ drivers/dax/dax-private.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dax/dax-private.h b/drivers/dax/dax-private.h
+index 0867115aeef2e..c6ae27c982f43 100644
+--- a/drivers/dax/dax-private.h
++++ b/drivers/dax/dax-private.h
+@@ -67,14 +67,16 @@ struct dev_dax_range {
+ /**
+ * struct dev_dax - instance data for a subdivision of a dax region, and
+ * data while the device is activated in the driver.
+- * @region - parent region
+- * @dax_dev - core dax functionality
++ * @region: parent region
++ * @dax_dev: core dax functionality
++ * @align: alignment of this instance
+ * @target_node: effective numa node if dev_dax memory range is onlined
+ * @dyn_id: is this a dynamic or statically created instance
+ * @id: ida allocated id when the dax_region is not static
+ * @ida: mapping id allocator
+- * @dev - device core
+- * @pgmap - pgmap for memmap setup / lifetime (driver owned)
++ * @dev: device core
++ * @pgmap: pgmap for memmap setup / lifetime (driver owned)
++ * @memmap_on_memory: allow kmem to put the memmap in the memory
+ * @nr_range: size of @ranges
+ * @ranges: range tuples of memory used
+ */
+--
+2.51.0
+
diff --git a/queue-6.18/drm-amd-display-show-link-name-in-psr-status-message.patch b/queue-6.18/drm-amd-display-show-link-name-in-psr-status-message.patch
new file mode 100644
index 0000000000..7f75a14f08
--- /dev/null
+++ b/queue-6.18/drm-amd-display-show-link-name-in-psr-status-message.patch
@@ -0,0 +1,47 @@
+From 4f32188314279e42a63e2aaa58f965c095bf087b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 14 Dec 2025 08:59:16 -0600
+Subject: drm/amd/display: Show link name in PSR status message
+
+From: Mario Limonciello (AMD)
+
+[ Upstream commit 0a1253ba5096f531eaaef40caa4c069da6ad48ae ]
+
+[Why]
+The PSR message was moved in commit 4321742c394e ("drm/amd/display:
+Move PSR support message into amdgpu_dm"). This message however shows
+for every single link without showing which link is which. This can
+send a confusing message to the user.
+
+[How]
+Add link name into the message.
+
+Fixes: 4321742c394e ("drm/amd/display: Move PSR support message into amdgpu_dm")
+Reviewed-by: Alex Hung
+Signed-off-by: Mario Limonciello (AMD)
+Signed-off-by: Matthew Stewart
+Tested-by: Dan Wheeler
+Signed-off-by: Alex Deucher
+(cherry picked from commit 99f77f6229c0766b980ae05affcf9f742d97de6a)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 7fe40bbba2658..f4381d44864f1 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5545,7 +5545,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
+
+ if (psr_feature_enabled) {
+ amdgpu_dm_set_psr_caps(link);
+- drm_info(adev_to_drm(adev), "PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
++ drm_info(adev_to_drm(adev), "%s: PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
++ aconnector->base.name,
+ link->psr_settings.psr_feature_enabled,
+ link->psr_settings.psr_version,
+ link->dpcd_caps.psr_info.psr_version,
+--
+2.51.0
+
diff --git a/queue-6.18/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch b/queue-6.18/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
new file mode 100644
index 0000000000..b125c96a4f
--- /dev/null
+++ b/queue-6.18/drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
@@ -0,0 +1,39 @@
+From 244665f2104799a262cc8e6e2415a36819444eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 14:42:40 +0800
+Subject: drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
+
+From: Yang Wang
+
+[ Upstream commit 90dbc0bc2aa60021615969841fed06790c992bde ]
+
+resolving the issue of incorrect type definitions potentially causing calculation errors.
+
+Fixes: 54f7f3ca982a ("drm/amdgpu/swm14: Update power limit logic")
+Signed-off-by: Yang Wang
+Reviewed-by: Hawking Zhang
+Signed-off-by: Alex Deucher
+(cherry picked from commit e3a03d0ae16d6b56e893cce8e52b44140e1ed985)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+index 086501cc5213b..e735da7ab6126 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+@@ -1701,8 +1701,9 @@ static int smu_v14_0_2_get_power_limit(struct smu_context *smu,
+ table_context->power_play_table;
+ PPTable_t *pptable = table_context->driver_pptable;
+ CustomSkuTable_t *skutable = &pptable->CustomSkuTable;
+- uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
++ int16_t od_percent_upper = 0, od_percent_lower = 0;
+ uint32_t msg_limit = pptable->SkuTable.MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
++ uint32_t power_limit;
+
+ if (smu_v14_0_get_current_power_limit(smu, &power_limit))
+ power_limit = smu->adev->pm.ac_power ?
+--
+2.51.0
+
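Review bot: In smu_v14_0_2_get_power_limit() the two overdrive percentages become `int16_t` while `power_limit` and `msg_limit` stay `uint32_t`, and neither the hunk nor the commit message says which values are expected to be negative. The arithmetic that consumes them is outside the hunk; if it multiplies a `uint32_t` limit by `(100 + od_percent_lower)`, the signed term is converted to unsigned, so a sum below zero would wrap to a very large limit instead of failing. A comment at the declaration such as `/* signed to match the overdrive table fields, which may be negative */` would record the assumption once it is confirmed against the table definition.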
diff --git a/queue-6.18/drm-amdgpu-fix-drm-panic-null-pointer-when-driver-no.patch b/queue-6.18/drm-amdgpu-fix-drm-panic-null-pointer-when-driver-no.patch
new file mode 100644
index 0000000000..78249e9b91
--- /dev/null
+++ b/queue-6.18/drm-amdgpu-fix-drm-panic-null-pointer-when-driver-no.patch
@@ -0,0 +1,42 @@
+From e5303c6e7b3d543406ca69b080450f4cac830a88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 10:37:12 +0800
+Subject: drm/amdgpu: fix drm panic null pointer when driver not support atomic
+
+From: Lu Yao
+
+[ Upstream commit 9cb6278b44c38899961b36d303d7b18b38be2a6e ]
+
+When driver not support atomic, fb using plane->fb rather than
+plane->state->fb.
+
+Fixes: fe151ed7af54 ("drm/amdgpu: add generic display panic helper code")
+Signed-off-by: Lu Yao
+Signed-off-by: Alex Deucher
+(cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+index 51bab32fd8c6f..2f416d12e2e7e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -1824,7 +1824,12 @@ int amdgpu_display_get_scanout_buffer(struct drm_plane *plane,
+ struct drm_scanout_buffer *sb)
+ {
+ struct amdgpu_bo *abo;
+- struct drm_framebuffer *fb = plane->state->fb;
++ struct drm_framebuffer *fb;
++
++ if (drm_drv_uses_atomic_modeset(plane->dev))
++ fb = plane->state->fb;
++ else
++ fb = plane->fb;
+
+ if (!fb)
+ return -EINVAL;
+--
+2.51.0
+
diff --git a/queue-6.18/drm-amdgpu-userq-fix-fence-reference-leak-on-queue-t.patch b/queue-6.18/drm-amdgpu-userq-fix-fence-reference-leak-on-queue-t.patch
new file mode 100644
index 0000000000..cc79a617cc
--- /dev/null
+++ b/queue-6.18/drm-amdgpu-userq-fix-fence-reference-leak-on-queue-t.patch
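Review bot: In amdgpu_display_get_scanout_buffer() the atomic branch still dereferences `plane->state` unconditionally, so the NULL-pointer class this commit fixes for non-atomic drivers stays possible if the handler can run while a plane has no state. Whether that can happen is not visible in the hunk, but this code runs on the panic path, where a second fault loses the panic screen. `fb = plane->state ? plane->state->fb : NULL;` would let the existing `if (!fb) return -EINVAL;` cover it. The function body continues past the hunk.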
@@ -0,0 +1,69 @@
+From adef375ff138b3e719ee70f387c94503ad6ac20b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 14 Jan 2026 16:14:53 +0530
+Subject: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Srinivasan Shanmugam
+
+[ Upstream commit b2426a211dba6432e32a2e70e9183c6e134475c6 ]
+
+The user mode queue keeps a pointer to the most recent fence in
+userq->last_fence. This pointer holds an extra dma_fence reference.
+
+When the queue is destroyed, we free the fence driver and its xarray,
+but we forgot to drop the last_fence reference.
+
+Because of the missing dma_fence_put(), the last fence object can stay
+alive when the driver unloads. This leaves an allocated object in the
+amdgpu_userq_fence slab cache and triggers
+
+This is visible during driver unload as:
+
+ BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
+ kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
+ Call Trace:
+ kmem_cache_destroy
+ amdgpu_userq_fence_slab_fini
+ amdgpu_exit
+ __do_sys_delete_module
+
+Fix this by putting userq->last_fence and clearing the pointer during
+amdgpu_userq_fence_driver_free().
+
+This makes sure the fence reference is released and the slab cache is
+empty when the module exits.
+
+v2: Update to only release userq->last_fence with dma_fence_put()
+ (Christian)
+
+Fixes: edc762a51c71 ("drm/amdgpu/userq: move some code around")
+Cc: Alex Deucher
+Cc: Christian König
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+index 4d0096d0baa9d..53fe10931fab0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+@@ -141,6 +141,8 @@ static void amdgpu_userq_walk_and_drop_fence_drv(struct xarray *xa)
+ void
+ amdgpu_userq_fence_driver_free(struct amdgpu_usermode_queue *userq)
+ {
++ dma_fence_put(userq->last_fence);
++
+ amdgpu_userq_walk_and_drop_fence_drv(&userq->fence_drv_xa);
+ xa_destroy(&userq->fence_drv_xa);
+ /* Drop the fence_drv reference held by user queue */
+--
+2.51.0
+
diff --git a/queue-6.18/drm-amdkfd-no-need-to-suspend-whole-mes-to-evict-pro.patch b/queue-6.18/drm-amdkfd-no-need-to-suspend-whole-mes-to-evict-pro.patch
new file mode 100644
index 0000000000..319e09bcb6
--- /dev/null
+++ b/queue-6.18/drm-amdkfd-no-need-to-suspend-whole-mes-to-evict-pro.patch
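Review bot: amdgpu_userq_fence_driver_free() now drops the reference with `dma_fence_put(userq->last_fence);` but leaves `userq->last_fence` pointing at the released fence, although the description says the fix puts the fence "and clearing the pointer". If anything reads `last_fence` after this call, or this free path runs twice for one queue, the stale pointer becomes a use-after-free or a double put; neither case is visible in the hunk, and the v2 note suggests the clear was dropped on review. Either add `userq->last_fence = NULL;` after the put or reword the description so it matches the code. The rest of the function is outside the hunk.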
@@ -0,0 +1,58 @@
+From eb4543198341c39f004d99495ddd6d177f8f0031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jan 2026 16:53:18 -0500
+Subject: drm/amdkfd: No need to suspend whole MES to evict process
+
+From: Harish Kasiviswanathan
+
+[ Upstream commit 18dbcfb46f692e665c3fe3eee804e56c4eae53d6 ]
+
+Each queue of the process is individually removed and there is not need
+to suspend whole mes. Suspending mes stops kernel mode queues also
+causing unnecessary timeouts when running mixed work loads
+
+Fixes: 079ae5118e1f ("drm/amdkfd: fix suspend/resume all calls in mes based eviction path")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4765
+Signed-off-by: Harish Kasiviswanathan
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+(cherry picked from commit 3fd20580b96a6e9da65b94ac3b58ee288239b731)
+Signed-off-by: Sasha Levin
+---
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index 6e7bc983fc0b6..36fb3db16572a 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1209,14 +1209,8 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
+ pr_debug_ratelimited("Evicting process pid %d queues\n",
+ pdd->process->lead_thread->pid);
+
+- if (dqm->dev->kfd->shared_resources.enable_mes) {
++ if (dqm->dev->kfd->shared_resources.enable_mes)
+ pdd->last_evict_timestamp = get_jiffies_64();
+- retval = suspend_all_queues_mes(dqm);
+- if (retval) {
+- dev_err(dev, "Suspending all queues failed");
+- goto out;
+- }
+- }
+
+ /* Mark all queues as evicted. Deactivate all active queues on
+ * the qpd.
+@@ -1246,10 +1240,6 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
+ KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES :
+ KFD_UNMAP_QUEUES_FILTER_DYNAMIC_QUEUES, 0,
+ USE_DEFAULT_GRACE_PERIOD);
+- } else {
+- retval = resume_all_queues_mes(dqm);
+- if (retval)
+- dev_err(dev, "Resuming all queues failed");
+ }
+
+ out:
+--
+2.51.0
+
diff --git a/queue-6.18/drm-bridge-dw-hdmi-qp-fix-spurious-irq-on-resume.patch b/queue-6.18/drm-bridge-dw-hdmi-qp-fix-spurious-irq-on-resume.patch
new file mode 100644
index 0000000000..ea55dedf08
--- /dev/null
+++ b/queue-6.18/drm-bridge-dw-hdmi-qp-fix-spurious-irq-on-resume.patch
@@ -0,0 +1,120 @@
+From 36ffbe0a161928093369245b53a5b915033d4962 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Oct 2025 18:00:57 +0200
+Subject: drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
+
+From: Sebastian Reichel
+
+[ Upstream commit 14adddc65340f2034751c95616861c0e888e2bb1 ]
+
+After resume from suspend to RAM, the following splash is generated if
+the HDMI driver is probed (independent of a connected cable):
+
+[ 1194.484052] irq 80: nobody cared (try booting with the "irqpoll" option)
+[ 1194.484074] CPU: 0 UID: 0 PID: 627 Comm: rtcwake Not tainted 6.17.0-rc7-g96f1a11414b3 #1 PREEMPT
+[ 1194.484082] Hardware name: Rockchip RK3576 EVB V10 Board (DT)
+[ 1194.484085] Call trace:
+[ 1194.484087] ... (stripped)
+[ 1194.484283] handlers:
+[ 1194.484285] [<00000000bc363dcb>] dw_hdmi_qp_main_hardirq [dw_hdmi_qp]
+[ 1194.484302] Disabling IRQ #80
+
+Apparently the HDMI IP is losing part of its state while the system
+is suspended and generates spurious interrupts during resume. The
+bug has not yet been noticed, as system suspend does not yet work
+properly on upstream kernel with either the Rockchip RK3588 or RK3576
+platform.
+
+Fixes: 128a9bf8ace2 ("drm/rockchip: Add basic RK3588 HDMI output support")
+Signed-off-by: Sebastian Reichel
+Reviewed-by: Cristian Ciocaltea
+Signed-off-by: Heiko Stuebner
+Link: https://patch.msgid.link/20251014-rockchip-hdmi-suspend-fix-v1-1-983fcbf44839@collabora.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 9 +++++++++
+ drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 12 +++++++++++-
+ include/drm/bridge/dw_hdmi_qp.h | 1 +
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+index 39332c57f2c54..c85eb340e5a35 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+@@ -143,6 +143,7 @@ struct dw_hdmi_qp {
+ } phy;
+
+ struct regmap *regm;
++ int main_irq;
+
+ unsigned long tmds_char_rate;
+ };
+@@ -1068,6 +1069,7 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+
+ dw_hdmi_qp_init_hw(hdmi);
+
++ hdmi->main_irq = plat_data->main_irq;
+ ret = devm_request_threaded_irq(dev, plat_data->main_irq,
+ dw_hdmi_qp_main_hardirq, NULL,
+ IRQF_SHARED, dev_name(dev), hdmi);
+@@ -1106,9 +1108,16 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+ }
+ EXPORT_SYMBOL_GPL(dw_hdmi_qp_bind);
+
++void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi)
++{
++ disable_irq(hdmi->main_irq);
++}
++EXPORT_SYMBOL_GPL(dw_hdmi_qp_suspend);
++
+ void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi)
+ {
+ dw_hdmi_qp_init_hw(hdmi);
++ enable_irq(hdmi->main_irq);
+ }
+ EXPORT_SYMBOL_GPL(dw_hdmi_qp_resume);
+
+diff --git a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+index ed6e8f036f4b3..9ac45e7bc987a 100644
+--- a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
++++ b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+@@ -597,6 +597,15 @@ static void dw_hdmi_qp_rockchip_remove(struct platform_device *pdev)
+ component_del(&pdev->dev, &dw_hdmi_qp_rockchip_ops);
+ }
+
++static int __maybe_unused dw_hdmi_qp_rockchip_suspend(struct device *dev)
++{
++ struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
++
++ dw_hdmi_qp_suspend(dev, hdmi->hdmi);
++
++ return 0;
++}
++
+ static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
+ {
+ struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
+@@ -612,7 +621,8 @@ static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
+ }
+
+ static const struct dev_pm_ops dw_hdmi_qp_rockchip_pm = {
+- SET_SYSTEM_SLEEP_PM_OPS(NULL, dw_hdmi_qp_rockchip_resume)
++ SET_SYSTEM_SLEEP_PM_OPS(dw_hdmi_qp_rockchip_suspend,
++ dw_hdmi_qp_rockchip_resume)
+ };
+
+ struct platform_driver dw_hdmi_qp_rockchip_pltfm_driver = {
+diff --git a/include/drm/bridge/dw_hdmi_qp.h b/include/drm/bridge/dw_hdmi_qp.h
+index e9be6d507ad9c..8955450663e53 100644
+--- a/include/drm/bridge/dw_hdmi_qp.h
++++ b/include/drm/bridge/dw_hdmi_qp.h
+@@ -28,5 +28,6 @@ struct dw_hdmi_qp_plat_data {
+ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
+ struct drm_encoder *encoder,
+ const struct dw_hdmi_qp_plat_data *plat_data);
++void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi);
+ void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi);
+ #endif /* __DW_HDMI_QP__ */
+--
+2.51.0
+
diff --git a/queue-6.18/drm-rockchip-vop2-add-delay-between-poll-registers.patch b/queue-6.18/drm-rockchip-vop2-add-delay-between-poll-registers.patch
new file mode 100644
index 0000000000..f07a9398d1
--- /dev/null
+++ b/queue-6.18/drm-rockchip-vop2-add-delay-between-poll-registers.patch
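Review bot: dw_hdmi_qp_suspend() calls `disable_irq(hdmi->main_irq)` on a line that dw_hdmi_qp_bind() requests with `IRQF_SHARED`, and disable_irq() masks the line for every handler registered on it, not only this driver's. If the line is really shared, the other device loses its interrupts from this driver's suspend until its resume; if it is not, the flag is misleading. I would document the assumption at the new function, e.g. `/* main_irq is requested IRQF_SHARED: this masks the whole line until dw_hdmi_qp_resume() */`, and add a kerneldoc line saying suspend and resume must be called in pairs, because `enable_irq()` in resume without a prior suspend unbalances the disable depth.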
@@ -0,0 +1,50 @@
+From 740d14dc3be17f41142fd8a7b683a4293581d23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jul 2025 14:41:13 +0800
+Subject: drm/rockchip: vop2: Add delay between poll registers
+
+From: Andy Yan
+
+[ Upstream commit 9fae82450d8a5f9c8fa016cd15186e975609b2ac ]
+
+According to the implementation of read_poll_timeout_atomic, if the
+delay time is 0, it will only use a simple loop based on timeout_us to
+decrement the count. Therefore, the final timeout time will differ
+significantly from the set timeout time. So, here we set a specific
+delay time to ensure that the calculation of the timeout duration
+is accurate.
+
+Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
+Signed-off-by: Andy Yan
+Signed-off-by: Heiko Stuebner
+Link: https://patch.msgid.link/20250718064120.8811-1-andyshrk@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+index cd8380f0eddc8..855386a6a9f5c 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+@@ -2104,7 +2104,7 @@ static void rk3568_vop2_wait_for_port_mux_done(struct vop2 *vop2)
+ * Spin until the previous port_mux figuration is done.
+ */
+ ret = readx_poll_timeout_atomic(rk3568_vop2_read_port_mux, vop2, port_mux_sel,
+- port_mux_sel == vop2->old_port_sel, 0, 50 * 1000);
++ port_mux_sel == vop2->old_port_sel, 10, 50 * 1000);
+ if (ret)
+ DRM_DEV_ERROR(vop2->dev, "wait port_mux done timeout: 0x%x--0x%x\n",
+ port_mux_sel, vop2->old_port_sel);
+@@ -2124,7 +2124,7 @@ static void rk3568_vop2_wait_for_layer_cfg_done(struct vop2 *vop2, u32 cfg)
+ * Spin until the previous layer configuration is done.
+ */
+ ret = readx_poll_timeout_atomic(rk3568_vop2_read_layer_cfg, vop2, atv_layer_cfg,
+- atv_layer_cfg == cfg, 0, 50 * 1000);
++ atv_layer_cfg == cfg, 10, 50 * 1000);
+ if (ret)
+ DRM_DEV_ERROR(vop2->dev, "wait layer cfg done timeout: 0x%x--0x%x\n",
+ atv_layer_cfg, cfg);
+--
+2.51.0
+
diff --git a/queue-6.18/drm-rockchip-vop2-only-wait-for-changed-layer-cfg-do.patch b/queue-6.18/drm-rockchip-vop2-only-wait-for-changed-layer-cfg-do.patch
new file mode 100644
index 0000000000..f9823f1e38
--- /dev/null
+++ b/queue-6.18/drm-rockchip-vop2-only-wait-for-changed-layer-cfg-do.patch
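Review bot: Both rk3568_vop2_wait_for_port_mux_done() and rk3568_vop2_wait_for_layer_cfg_done() now pass the bare literals `10` and `50 * 1000` to `readx_poll_timeout_atomic()`, so the poll interval and the timeout have to be kept in step by hand in two places. Since this is an atomic busy-wait of up to 50 ms, naming the values makes the cost visible, for example `#define VOP2_POLL_DELAY_US 10` and `#define VOP2_POLL_TIMEOUT_US (50 * 1000)` (the names are only a suggestion). Both function bodies continue outside their hunks.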
@@ -0,0 +1,59 @@
+From 09560dbe2fdb16621fe3de84bb3f932ce6a7d078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 18 Jul 2025 14:41:14 +0800
+Subject: drm/rockchip: vop2: Only wait for changed layer cfg done when there
+ is pending cfgdone bits
+
+From: Andy Yan
+
+[ Upstream commit 7f6721b767e219343cfe9a894f5bd869ff5b9d3a ]
+
+The write of cfgdone bits always done at .atomic_flush.
+When userspace makes plane zpos changes of two crtc within one commit,
+at the .atomic_begin stage, crtcN will never receive the "layer change
+cfg done" event of crtcM because crtcM has not yet written "cfgdone".
+So only wait when there is pending cfgdone bits to avoid long timeout.
+
+Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
+Signed-off-by: Andy Yan
+Signed-off-by: Heiko Stuebner
+Link: https://patch.msgid.link/20250718064120.8811-2-andyshrk@163.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+index 855386a6a9f5c..f3950e8476a75 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+@@ -2144,6 +2144,7 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ u8 layer_sel_id;
+ unsigned int ofs;
+ u32 ovl_ctrl;
++ u32 cfg_done;
+ int i;
+ struct vop2_video_port *vp0 = &vop2->vps[0];
+ struct vop2_video_port *vp1 = &vop2->vps[1];
+@@ -2298,8 +2299,16 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
+ rk3568_vop2_wait_for_port_mux_done(vop2);
+ }
+
+- if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel)
+- rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
++ if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel) {
++ cfg_done = vop2_readl(vop2, RK3568_REG_CFG_DONE);
++ cfg_done &= (BIT(vop2->data->nr_vps) - 1);
++ cfg_done &= ~BIT(vp->id);
++ /*
++ * Changes of other VPs' overlays have not taken effect
++ */
++ if (cfg_done)
++ rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
++ }
+
+ vop2_writel(vop2, RK3568_OVL_LAYER_SEL, layer_sel);
+ mutex_unlock(&vop2->ovl_lock);
+--
+2.51.0
+
diff --git a/queue-6.18/drm-vmwgfx-fix-kms-with-3d-on-hw-version-10.patch b/queue-6.18/drm-vmwgfx-fix-kms-with-3d-on-hw-version-10.patch
new file mode 100644
index 0000000000..b0a189788c
--- /dev/null
+++ b/queue-6.18/drm-vmwgfx-fix-kms-with-3d-on-hw-version-10.patch
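Review bot: In rk3568_vop2_setup_layer_mixer() the new comment "Changes of other VPs' overlays have not taken effect" does not explain the two mask steps above it, which is what a reader has to verify. I would expand it to say that `BIT(vop2->data->nr_vps) - 1` keeps only the per-video-port bits and `~BIT(vp->id)` drops this port's own bit, so a non-zero result means another port still has a config-done pending. That reading of the register bits is inferred from the commit message and should be confirmed against the register description. Only part of the function is inside the hunk.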
@@ -0,0 +1,52 @@
+From e739984d2b5490587cf37e91c153d18dbfd2393a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Nov 2025 14:37:03 -0600
+Subject: drm/vmwgfx: Fix KMS with 3D on HW version 10
+
+From: Ian Forbes
+
+[ Upstream commit d9186faeae6efb7d0841a5e8eb213ff4c7966614 ]
+
+HW version 10 does not have GB Surfaces so there is no backing buffer for
+surface backed FBs. This would result in a nullptr dereference and crash
+the driver causing a black screen.
+
+Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
+Signed-off-by: Ian Forbes
+Reviewed-by: Zack Rusin
+Signed-off-by: Zack Rusin
+Link: https://patch.msgid.link/20251114203703.1946616-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+index 54ea1b513950a..535d844191e7a 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -763,13 +763,15 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
+ return ERR_PTR(ret);
+ }
+
+- ttm_bo_reserve(&bo->tbo, false, false, NULL);
+- ret = vmw_bo_dirty_add(bo);
+- if (!ret && surface && surface->res.func->dirty_alloc) {
+- surface->res.coherent = true;
+- ret = surface->res.func->dirty_alloc(&surface->res);
++ if (bo) {
++ ttm_bo_reserve(&bo->tbo, false, false, NULL);
++ ret = vmw_bo_dirty_add(bo);
++ if (!ret && surface && surface->res.func->dirty_alloc) {
++ surface->res.coherent = true;
++ ret = surface->res.func->dirty_alloc(&surface->res);
++ }
++ ttm_bo_unreserve(&bo->tbo);
+ }
+- ttm_bo_unreserve(&bo->tbo);
+
+ return &vfb->base;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch b/queue-6.18/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
new file mode 100644
index 0000000000..d924f0b9b3
--- /dev/null
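Review bot: In vmw_kms_fb_create() the `ret` set by `vmw_bo_dirty_add(bo)` and `dirty_alloc()` inside the new `if (bo)` block is never checked, because the next statement is `return &vfb->base;`, and the return value of `ttm_bo_reserve()` is discarded as well. A failed reservation or dirty-tracking setup therefore still hands back a framebuffer as if everything had succeeded. If that is deliberate best-effort behaviour, say so in a comment such as `/* dirty tracking is best effort; the framebuffer is returned even if it fails */`; otherwise the failure should go through the function's error handling, which lies outside the hunk.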
+++ b/queue-6.18/drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch 
@@ -0,0 +1,68 @@ +From 7af5e46694e58918445daf8535f96730de70dacb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 09:20:59 -0600 +Subject: drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions + +From: Ian Forbes + +[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ] + +Some of the warnings need to be reordered between these two functions +in order to be correct. This has happened multiple times. +Merging them solves this problem once and for all. + +Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +index f031a312c7835..b22887e8c8815 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +@@ -32,9 +32,15 @@ + + #include + +-static void vmw_bo_release(struct vmw_bo *vbo) ++/** ++ * vmw_bo_free - vmw_bo destructor ++ * ++ * @bo: Pointer to the embedded struct ttm_buffer_object ++ */ ++static void vmw_bo_free(struct ttm_buffer_object *bo) + { + struct vmw_resource *res; ++ struct vmw_bo *vbo = to_vmw_bo(&bo->base); + + WARN_ON(kref_read(&vbo->tbo.base.refcount) != 0); + vmw_bo_unmap(vbo); +@@ -62,20 +68,8 @@ static void vmw_bo_release(struct vmw_bo *vbo) + } + vmw_surface_unreference(&vbo->dumb_surface); + } +- drm_gem_object_release(&vbo->tbo.base); +-} +- +-/** +- * vmw_bo_free - vmw_bo destructor +- * +- * @bo: Pointer to the embedded struct ttm_buffer_object +- */ +-static void vmw_bo_free(struct ttm_buffer_object *bo) +-{ +- struct vmw_bo *vbo = to_vmw_bo(&bo->base); +- + WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree)); +- vmw_bo_release(vbo); ++ drm_gem_object_release(&vbo->tbo.base); + WARN_ON(vbo->dirty); + kfree(vbo); + 
} +-- +2.51.0 + diff --git a/queue-6.18/dst-fix-races-in-rt6_uncached_list_del-and-rt_del_un.patch b/queue-6.18/dst-fix-races-in-rt6_uncached_list_del-and-rt_del_un.patch new file mode 100644 index 0000000000..aa5a28ad42 --- /dev/null +++ b/queue-6.18/dst-fix-races-in-rt6_uncached_list_del-and-rt_del_un.patch 
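Review bot: The merged vmw_bo_free() does not say why its checks sit where they do, although the commit message notes that their order has been wrong more than once. `WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree));` now comes after the dumb-surface teardown and before drm_gem_object_release(), and `WARN_ON(vbo->dirty);` comes just before `kfree(vbo)`. A one-line comment above each, stating what must already be torn down at that point, would keep the next refactor from moving them again, for example `/* no resource may still be attached once the dumb surface has been dropped */`. That wording needs checking against the part of the body between the two inner hunks, which is not shown.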
@@ -0,0 +1,268 @@ +From d06d5ddc5ab1e6fdab76087e1ed55ae2c561d3e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 10:38:25 +0000 +Subject: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() + +From: Eric Dumazet + +[ Upstream commit 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 ] + +syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() +in an interesting way [1] + +Crash happens in list_del_init()/INIT_LIST_HEAD() while writing +list->prev, while the prior write on list->next went well. + +static inline void INIT_LIST_HEAD(struct list_head *list) +{ + WRITE_ONCE(list->next, list); // This went well + WRITE_ONCE(list->prev, list); // Crash, @list has been freed. +} + +Issue here is that rt6_uncached_list_del() did not attempt to lock +ul->lock, as list_empty(&rt->dst.rt_uncached) returned +true because the WRITE_ONCE(list->next, list) happened on the other CPU. + +We might use list_del_init_careful() and list_empty_careful(), +or make sure rt6_uncached_list_del() always grabs the spinlock +whenever rt->dst.rt_uncached_list has been set. + +A similar fix is neeed for IPv4. 
+ +[1] + + BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] + BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] + BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] + BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 +Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 + +CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} +Tainted: [L]=SOFTLOCKUP +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Workqueue: netns cleanup_net +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + INIT_LIST_HEAD include/linux/list.h:46 [inline] + list_del_init include/linux/list.h:296 [inline] + rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] + rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 + addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 + addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 + notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 + call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] + call_netdevice_notifiers net/core/dev.c:2282 [inline] + netif_close_many+0x29c/0x410 net/core/dev.c:1785 + unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 + ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] + ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 + cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 
arch/x86/entry/entry_64.S:246 + + +Allocated by task 803: + kasan_save_stack mm/kasan/common.c:57 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 + unpoison_slab_object mm/kasan/common.c:340 [inline] + __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 + kasan_slab_alloc include/linux/kasan.h:253 [inline] + slab_post_alloc_hook mm/slub.c:4953 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 + dst_alloc+0x105/0x170 net/core/dst.c:89 + ip6_dst_alloc net/ipv6/route.c:342 [inline] + icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 + mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Freed by task 20: + kasan_save_stack mm/kasan/common.c:57 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 + kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 + poison_slab_object mm/kasan/common.c:253 [inline] + __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 + kasan_slab_free include/linux/kasan.h:235 [inline] + slab_free_hook mm/slub.c:2540 [inline] + slab_free mm/slub.c:6670 [inline] + kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781 + dst_destroy+0x235/0x350 net/core/dst.c:121 + rcu_do_batch kernel/rcu/tree.c:2605 [inline] + rcu_core kernel/rcu/tree.c:2857 [inline] + rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945 + smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Last potentially related work creation: + kasan_save_stack+0x3e/0x60 
mm/kasan/common.c:57 + kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556 + __call_rcu_common kernel/rcu/tree.c:3119 [inline] + call_rcu+0xee/0x890 kernel/rcu/tree.c:3239 + refdst_drop include/net/dst.h:266 [inline] + skb_dst_drop include/net/dst.h:278 [inline] + skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156 + skb_release_all net/core/skbuff.c:1180 [inline] + __kfree_skb net/core/skbuff.c:1196 [inline] + sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234 + kfree_skb_reason include/linux/skbuff.h:1322 [inline] + tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline] + __dev_xmit_skb net/core/dev.c:4260 [inline] + __dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff8880294cfa00 + which belongs to the cache ip6_dst_cache of size 232 +The buggy address is located 120 bytes inside of + freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf +memcg:ffff88803536b781 +flags: 0x80000000000000(node=0|zone=1) +page_type: f5(slab) +raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006 +raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781 +page dumped because: kasan: bad access detected +page_owner tracks the page as allocated 
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818 + set_page_owner include/linux/page_owner.h:32 [inline] + post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857 + prep_new_page mm/page_alloc.c:1865 [inline] + get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915 + __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210 + alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486 + alloc_slab_page mm/slub.c:3075 [inline] + allocate_slab+0x86/0x3b0 mm/slub.c:3248 + new_slab mm/slub.c:3302 [inline] + ___slab_alloc+0xb10/0x13e0 mm/slub.c:4656 + __slab_alloc+0xc6/0x1f0 mm/slub.c:4779 + __slab_alloc_node mm/slub.c:4855 [inline] + slab_alloc_node mm/slub.c:5251 [inline] + kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270 + dst_alloc+0x105/0x170 net/core/dst.c:89 + ip6_dst_alloc net/ipv6/route.c:342 [inline] + icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 + mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 +page last free pid 5859 tgid 5859 stack trace: + reset_page_owner include/linux/page_owner.h:25 [inline] + free_pages_prepare mm/page_alloc.c:1406 [inline] + __free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943 + discard_slab mm/slub.c:3346 [inline] + __put_partials+0x149/0x170 mm/slub.c:3886 + __slab_free+0x2af/0x330 mm/slub.c:5952 + qlink_free mm/kasan/quarantine.c:163 [inline] + qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179 + kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 + __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 + kasan_slab_alloc 
include/linux/kasan.h:253 [inline] + slab_post_alloc_hook mm/slub.c:4953 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 + getname_flags+0xb8/0x540 fs/namei.c:146 + getname include/linux/fs.h:2498 [inline] + do_sys_openat2+0xbc/0x200 fs/open.c:1426 + do_sys_open fs/open.c:1436 [inline] + __do_sys_openat fs/open.c:1452 [inline] + __se_sys_openat fs/open.c:1447 [inline] + __x64_sys_openat+0x138/0x170 fs/open.c:1447 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister") +Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed") +Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Martin KaFai Lau +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dst.c | 1 + + net/ipv4/route.c | 4 ++-- + net/ipv6/route.c | 4 ++-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/core/dst.c b/net/core/dst.c +index e9d35f49c9e78..1dae26c51ebec 100644 +--- a/net/core/dst.c ++++ b/net/core/dst.c +@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops, + dst->lwtstate = NULL; + rcuref_init(&dst->__rcuref, 1); + INIT_LIST_HEAD(&dst->rt_uncached); ++ dst->rt_uncached_list = NULL; + dst->__use = 0; + dst->lastuse = jiffies; + dst->flags = flags; +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index b549d6a573073..11d990703d31a 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -1537,9 +1537,9 @@ void rt_add_uncached_list(struct rtable *rt) + + void rt_del_uncached_list(struct rtable *rt) + { +- if (!list_empty(&rt->dst.rt_uncached)) { +- struct uncached_list *ul 
= rt->dst.rt_uncached_list; ++ struct uncached_list *ul = rt->dst.rt_uncached_list; + ++ if (ul) { + spin_lock_bh(&ul->lock); + list_del_init(&rt->dst.rt_uncached); + spin_unlock_bh(&ul->lock); +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index a3e051dc66ee0..e3a260a5564ba 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_info *rt) + + void rt6_uncached_list_del(struct rt6_info *rt) + { +- if (!list_empty(&rt->dst.rt_uncached)) { +- struct uncached_list *ul = rt->dst.rt_uncached_list; ++ struct uncached_list *ul = rt->dst.rt_uncached_list; + ++ if (ul) { + spin_lock_bh(&ul->lock); + list_del_init(&rt->dst.rt_uncached); + spin_unlock_bh(&ul->lock); +-- +2.51.0 + diff --git a/queue-6.18/i2c-imx-lpi2c-change-to-pio-mode-in-system-wide-susp.patch b/queue-6.18/i2c-imx-lpi2c-change-to-pio-mode-in-system-wide-susp.patch new file mode 100644 index 0000000000..80f5faf444 --- /dev/null +++ b/queue-6.18/i2c-imx-lpi2c-change-to-pio-mode-in-system-wide-susp.patch 
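Review bot: The fix makes `dst->rt_uncached_list` the only indicator that a route is on an uncached list, but the new code states that invariant nowhere. In dst_init() I would add a comment next to the new assignment such as `/* NULL until the dst is put on an uncached list; the del helpers test this, not list_empty() */`. Above `if (ul)` in rt_del_uncached_list() and rt6_uncached_list_del(), a matching comment should explain that list_empty() can already read true while another CPU is still inside list_del_init(), so the lock is taken whenever `ul` is set. The hunks show only the first lines of both del helpers and none of the add helpers, so it cannot be checked from here that every dst reaching them was set up through dst_init(); that is worth confirming for each stable tree this is queued to.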
@@ -0,0 +1,51 @@
+From fb553ddd20056ed96dba427448adf58199d16764 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 21 Nov 2025 11:00:30 +0800
+Subject: i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume
+ progress
+
+From: Carlos Song
+
+[ Upstream commit f2a3f51365bf672dab4b58d1e8954926a9196b44 ]
+
+EDMA resumes early and suspends late in the system power transition
+sequence, while LPI2C enters the NOIRQ stage for both suspend and resume.
+This means LPI2C resources become available before EDMA is fully resumed.
+Once IRQs are enabled, a slave device may immediately trigger an LPI2C
+transfer. If the transfer length meets DMA requirements, the driver will
+attempt to use EDMA even though EDMA may still be unavailable.
+
+This timing gap can lead to transfer failures. To prevent this, force
+LPI2C to use PIO mode during system-wide suspend and resume transitions.
+This reduces dependency on EDMA and avoids using an unready DMA resource.
+
+Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C")
+Signed-off-by: Carlos Song
+Reviewed-by: Frank Li
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 2a0962a0b4417..d882126c1778c 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -592,6 +592,13 @@ static bool is_use_dma(struct lpi2c_imx_struct *lpi2c_imx, struct i2c_msg *msg)
+ if (!lpi2c_imx->can_use_dma)
+ return false;
+
++ /*
++ * A system-wide suspend or resume transition is in progress. LPI2C should use PIO to
++ * transfer data to avoid issue caused by no ready DMA HW resource.
++ */
++ if (pm_suspend_in_progress())
++ return false;
++
+ /*
+ * When the length of data is less than I2C_DMA_THRESHOLD,
+ * cpu mode is used directly to avoid low performance.
+--
+2.51.0
+
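Review bot: The comment added in is_use_dma() says what the branch does but is vague about the reason ("no ready DMA HW resource"). The commit message gives the actual reason, and it belongs in the code: `/* eDMA may not be resumed yet (or may already be suspended) while LPI2C is usable; fall back to PIO during a system-wide PM transition. */`. The function continues past the end of the hunk, so how this check interacts with the later length test is not visible here.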
diff --git a/queue-6.18/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch b/queue-6.18/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
new file mode 100644
index 0000000000..0cc75cb138
--- /dev/null
+++ b/queue-6.18/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
@@ -0,0 +1,71 @@ +From 65a9c428e0e22b1fbe6d8524dbc194d57d4e335b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 19:07:42 +0100 +Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA + +From: Neil Armstrong + +[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ] + +The I2C Hub controller is a simpler GENI I2C variant that doesn't +support DMA at all, add a no_dma flag to make sure it nevers selects +the SE DMA mode with mappable 32bytes long transfers. + +Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant") +Signed-off-by: Neil Armstrong +Reviewed-by: Konrad Dybcio +Reviewed-by: Mukesh Kumar Savaliya > +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c +index 43fdd89b8bebc..bfb352b04902c 100644 +--- a/drivers/i2c/busses/i2c-qcom-geni.c ++++ b/drivers/i2c/busses/i2c-qcom-geni.c +@@ -97,6 +97,7 @@ struct geni_i2c_dev { + dma_addr_t dma_addr; + struct dma_chan *tx_c; + struct dma_chan *rx_c; ++ bool no_dma; + bool gpi_mode; + bool abort_done; + }; +@@ -425,7 +426,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, + size_t len = msg->len; + struct i2c_msg *cur; + +- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); ++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32); + if (dma_buf) + geni_se_select_mode(se, GENI_SE_DMA); + else +@@ -464,7 +465,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, + size_t len = msg->len; + struct i2c_msg *cur; + +- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); ++ dma_buf = gi2c->no_dma ? 
NULL : i2c_get_dma_safe_msg_buf(msg, 32); + if (dma_buf) + geni_se_select_mode(se, GENI_SE_DMA); + else +@@ -880,10 +881,12 @@ static int geni_i2c_probe(struct platform_device *pdev) + goto err_resources; + } + +- if (desc && desc->no_dma_support) ++ if (desc && desc->no_dma_support) { + fifo_disable = false; +- else ++ gi2c->no_dma = true; ++ } else { + fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE; ++ } + + if (fifo_disable) { + /* FIFO is disabled, so we can only use GPI DMA */ +-- +2.51.0 + diff --git a/queue-6.18/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-6.18/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch new file mode 100644 index 0000000000..a72a9a43b5 --- /dev/null +++ b/queue-6.18/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch 
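Review bot: The expression `gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32)` is now duplicated in geni_i2c_rx_one_msg() and geni_i2c_tx_one_msg(), together with the bare threshold 32. A small static helper taking gi2c and msg and returning the buffer or NULL would keep the DMA-eligibility rule in one place, so a later restriction cannot be applied to one direction and missed in the other. The new `bool no_dma;` member of struct geni_i2c_dev would also benefit from a comment such as `/* variant without SE DMA support (I2C hub) */`. Both transfer functions and the probe function extend beyond the hunks shown.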
@@ -0,0 +1,105 @@ +From 5c5b923c2f0a8daf456a3de259ced97d32510c16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:31:09 +0000 +Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() + +From: Eric Dumazet + +[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ] + +Blamed commit did not take care of VLAN encapsulations +as spotted by syzbot [1]. + +Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). + +[1] + BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 + __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 + ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 + gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 + ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 + ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:318 [inline] + ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 + __netif_receive_skb_one_core net/core/dev.c:6139 [inline] + __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 + netif_receive_skb_internal net/core/dev.c:6338 [inline] + netif_receive_skb+0x57/0x630 net/core/dev.c:6397 + tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 + tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write 
fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4960 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 + kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 + __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 + sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 + tun_alloc_skb drivers/net/tun.c:1461 [inline] + tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 + +Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") +Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com +Closes: 
https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index 6405072050e0e..c1f39735a2367 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, + + skb_reset_network_header(skb); + +- if (!pskb_inet_may_pull(skb)) { ++ if (skb_vlan_inet_prepare(skb, true)) { + DEV_STATS_INC(tunnel->dev, rx_length_errors); + DEV_STATS_INC(tunnel->dev, rx_errors); + goto drop; +-- +2.51.0 + diff --git a/queue-6.18/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-6.18/ipv4-ip_gre-make-ipgre_header-robust.patch new file mode 100644 index 0000000000..c9c2c48a86 --- /dev/null +++ b/queue-6.18/ipv4-ip_gre-make-ipgre_header-robust.patch 
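Review bot: The result of `skb_vlan_inet_prepare(skb, true)` is used only as a boolean, so whatever the helper reports about why the packet was rejected is discarded before `goto drop;`. If the helper returns a drop reason in this tree (not visible from the hunk), keeping it in a local and handing it on at the drop label would make these drops attributable. A comment above the call such as `/* inner frame may carry a VLAN tag; make sure the inner IP header is in the linear area before it is read */` would also record why the plain pull was not enough. The call can change skb->head, so header pointers taken earlier in __ip6_tnl_rcv() have to be re-read afterwards; that code is outside the hunk and should be checked in each tree this is queued for.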
@@ -0,0 +1,87 @@
+From 1ef4263ff3ab282ccd61b6d14426f9af251f73c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 19:02:14 +0000
+Subject: ipv4: ip_gre: make ipgre_header() robust
+
+From: Eric Dumazet
+
+[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
+
+Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
+
+Over the years, syzbot found many ways to crash the kernel
+in ipgre_header() [1].
+
+This involves team or bonding drivers ability to dynamically
+change their dev->needed_headroom and/or dev->hard_header_len
+
+In this particular crash mld_newpack() allocated an skb
+with a too small reserve/headroom, and by the time mld_sendpack()
+was called, syzbot managed to attach an ipgre device.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
+ kernel BUG at net/core/skbuff.c:213 !
+Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Workqueue: mld mld_ifc_work
+ RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
+Call Trace:
+
+ skb_under_panic net/core/skbuff.c:223 [inline]
+ skb_push+0xc3/0xe0 net/core/skbuff.c:2641
+ ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
+ dev_hard_header include/linux/netdevice.h:3436 [inline]
+ neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
+ NF_HOOK_COND include/linux/netfilter.h:307 [inline]
+ ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
+ NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
+ mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
+ mld_send_cr net/ipv6/mcast.c:2154 [inline]
+ mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
+ process_one_work kernel/workqueue.c:3257 [inline]
+ process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
+Closes: https://www.spinics.net/lists/netdev/msg1147302.html
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/ip_gre.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 8178c44a3cdd4..e13244729ad8d 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -891,10 +891,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+ const void *daddr, const void *saddr, unsigned int len)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct iphdr *iph;
+ struct gre_base_hdr *greh;
++ struct iphdr *iph;
++ int needed;
++
++ needed = t->hlen + sizeof(*iph);
++ if (skb_headroom(skb) < needed &&
++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
++ 0, GFP_ATOMIC))
++ return -needed;
+
+- iph = skb_push(skb, t->hlen + sizeof(*iph));
++ iph = skb_push(skb, needed);
+ greh = (struct gre_base_hdr *)(iph+1);
+ greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
+ greh->protocol = htons(type);
+--
+2.51.0
+
diff --git a/queue-6.18/ipv4-ip_tunnel-spread-netdev_lockdep_set_classes.patch b/queue-6.18/ipv4-ip_tunnel-spread-netdev_lockdep_set_classes.patch
new file mode 100644
index 0000000000..879a3b05a6
--- /dev/null
+++ b/queue-6.18/ipv4-ip_tunnel-spread-netdev_lockdep_set_classes.patch
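Review bot: The new headroom check in ipgre_header() compares the unsigned result of `skb_headroom(skb)` with `int needed` and reports an allocation failure as `return -needed;`, with no comment on either choice. A comment above the check would make the intent clear, for example `/* needed_headroom of a stacked device can change after the skb was allocated; grow the head instead of letting skb_push() panic */`. It should also say that the negative length is the function's existing "header not built" return, if that is what callers rely on; the rest of the function is outside the hunk. pskb_expand_head() expects an skb that is not shared, so if callers guarantee that on this path it is worth stating in the same comment.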
@@ -0,0 +1,89 @@ +From 2fccc0ee7eeb8f7f6d40004d0b964e41f7e8a129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 17:24:26 +0000 +Subject: ipv4: ip_tunnel: spread netdev_lockdep_set_classes() + +From: Eric Dumazet + +[ Upstream commit 872ac785e7680dac9ec7f8c5ccd4f667f49d6997 ] + +Inspired by yet another syzbot report. + +IPv6 tunnels call netdev_lockdep_set_classes() for each tunnel type, +while IPv4 currently centralizes netdev_lockdep_set_classes() call from +ip_tunnel_init(). + +Make ip_tunnel_init() a macro, so that we have different lockdep +classes per tunnel type. + +Fixes: 0bef512012b1 ("net: add netdev_lockdep_set_classes() to virtual drivers") +Reported-by: syzbot+1240b33467289f5ab50b@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/695d439f.050a0220.1c677c.0347.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260106172426.1760721-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/ip_tunnels.h | 13 ++++++++++++- + net/ipv4/ip_tunnel.c | 5 ++--- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index ecae35512b9b4..4021e6a73e32b 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #if IS_ENABLED(CONFIG_IPV6) + #include +@@ -372,7 +373,17 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4, + fl4->flowi4_flags = flow_flags; + } + +-int ip_tunnel_init(struct net_device *dev); ++int __ip_tunnel_init(struct net_device *dev); ++#define ip_tunnel_init(DEV) \ ++({ \ ++ struct net_device *__dev = (DEV); \ ++ int __res = __ip_tunnel_init(__dev); \ ++ \ ++ if (!__res) \ ++ netdev_lockdep_set_classes(__dev);\ ++ __res; \ ++}) ++ + void ip_tunnel_uninit(struct net_device *dev); + void ip_tunnel_dellink(struct net_device *dev, struct list_head *head); + struct net 
*ip_tunnel_get_link_net(const struct net_device *dev); +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 158a30ae7c5f2..50d0f5fe4e4c6 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -1281,7 +1281,7 @@ int ip_tunnel_changelink(struct net_device *dev, struct nlattr *tb[], + } + EXPORT_SYMBOL_GPL(ip_tunnel_changelink); + +-int ip_tunnel_init(struct net_device *dev) ++int __ip_tunnel_init(struct net_device *dev) + { + struct ip_tunnel *tunnel = netdev_priv(dev); + struct iphdr *iph = &tunnel->parms.iph; +@@ -1308,10 +1308,9 @@ int ip_tunnel_init(struct net_device *dev) + + if (tunnel->collect_md) + netif_keep_dst(dev); +- netdev_lockdep_set_classes(dev); + return 0; + } +-EXPORT_SYMBOL_GPL(ip_tunnel_init); ++EXPORT_SYMBOL_GPL(__ip_tunnel_init); + + void ip_tunnel_uninit(struct net_device *dev) + { +-- +2.51.0 + diff --git a/queue-6.18/ipv6-fix-use-after-free-in-inet6_addr_del.patch b/queue-6.18/ipv6-fix-use-after-free-in-inet6_addr_del.patch new file mode 100644 index 0000000000..77881394cd --- /dev/null +++ b/queue-6.18/ipv6-fix-use-after-free-in-inet6_addr_del.patch 
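Review bot: The header does not explain why ip_tunnel_init() became a statement-expression macro, and a reader will wonder why it is not a static inline. I would add above the macro something like `/* macro, not a function: netdev_lockdep_set_classes() must expand once per tunnel type so each gets its own lockdep classes */`. Two consequences need checking in every tree this is queued for, since the callers are outside the hunks. Any code that takes the address of ip_tunnel_init (for instance as an init callback) no longer compiles, and modules built against the old exported symbol now need `__ip_tunnel_init`.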
@@ -0,0 +1,132 @@ +From 3cb2e995f30d07952308bf251ed0932e3d9f5e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 01:05:08 +0000 +Subject: ipv6: Fix use-after-free in inet6_addr_del(). + +From: Kuniyuki Iwashima + +[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ] + +syzbot reported use-after-free of inet6_ifaddr in +inet6_addr_del(). [0] + +The cited commit accidentally moved ipv6_del_addr() for +mngtmpaddr before reading its ifp->flags for temporary +addresses in inet6_addr_del(). + +Let's move ipv6_del_addr() down to fix the UAF. + +[0]: +BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 +Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 + +CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 + addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 + inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f164cf8f749 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 
002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 +RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 +RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 + + +Allocated by task 9593: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:397 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 + kmalloc_noprof include/linux/slab.h:957 [inline] + kzalloc_noprof include/linux/slab.h:1094 [inline] + ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 + inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 + addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 + inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 6099: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2540 [inline] + slab_free_freelist_hook mm/slub.c:2569 [inline] + slab_free_bulk mm/slub.c:6696 [inline] + kmem_cache_free_bulk mm/slub.c:7383 [inline] + kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 + kfree_bulk include/linux/slab.h:830 [inline] + 
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 + kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] + kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 + process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 + kthread+0x3c5/0x780 kernel/kthread.c:463 + ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged") +Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Hangbin Liu +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 40e9c336f6c55..cad5e4ab8c3db 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3112,12 +3112,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags, + in6_ifa_hold(ifp); + read_unlock_bh(&idev->lock); + +- ipv6_del_addr(ifp); +- + if (!(ifp->flags & IFA_F_TEMPORARY) && + (ifp->flags & IFA_F_MANAGETEMPADDR)) + delete_tempaddrs(idev, ifp); + ++ ipv6_del_addr(ifp); ++ + addrconf_verify_rtnl(net); + if (ipv6_addr_is_multicast(pfx)) { + ipv6_mc_config(net->ipv6.mc_autojoin_sk, +-- +2.51.0 + diff --git a/queue-6.18/landlock-fix-tcp-handling-of-short-af_unspec-address.patch b/queue-6.18/landlock-fix-tcp-handling-of-short-af_unspec-address.patch new file mode 100644 index 0000000000..42964f0b95 --- /dev/null +++ b/queue-6.18/landlock-fix-tcp-handling-of-short-af_unspec-address.patch 
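Review bot: The reordered block in inet6_addr_del() still has nothing telling a reader that `ifp` is off limits once `ipv6_del_addr(ifp)` has run, which is exactly the ordering mistake the cited commit made. The KASAN report in the message shows the object being freed through RCU after that call, so the reference taken by `in6_ifa_hold(ifp)` appears to be consumed there. A one-line comment above the moved call would pin it down: `/* ipv6_del_addr() drops our reference; do not touch ifp after this point. */`. The function starts and ends outside the hunk, so whether later code uses `ifp` again cannot be confirmed from here.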
@@ -0,0 +1,173 @@ +From b0b0f0a417cec3a60914bab05452163a9acb5424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Oct 2025 20:07:26 +0100 +Subject: landlock: Fix TCP handling of short AF_UNSPEC addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthieu Buffet + +[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ] + +current_check_access_socket() treats AF_UNSPEC addresses as +AF_INET ones, and only later adds special case handling to +allow connect(AF_UNSPEC), and on IPv4 sockets +bind(AF_UNSPEC+INADDR_ANY). +This would be fine except AF_UNSPEC addresses can be as +short as a bare AF_UNSPEC sa_family_t field, and nothing +more. The AF_INET code path incorrectly enforces a length of +sizeof(struct sockaddr_in) instead. + +Move AF_UNSPEC edge case handling up inside the switch-case, +before the address is (potentially incorrectly) treated as +AF_INET. + +Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect") +Signed-off-by: Matthieu Buffet +Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + security/landlock/net.c | 118 +++++++++++++++++++++++----------------- + 1 file changed, 67 insertions(+), 51 deletions(-) + +diff --git a/security/landlock/net.c b/security/landlock/net.c +index 1f3915a90a808..e6367e30e5b0e 100644 +--- a/security/landlock/net.c ++++ b/security/landlock/net.c +@@ -71,6 +71,61 @@ static int current_check_access_socket(struct socket *const sock, + + switch (address->sa_family) { + case AF_UNSPEC: ++ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) { ++ /* ++ * Connecting to an address with AF_UNSPEC dissolves ++ * the TCP association, which have the same effect as ++ * closing the connection while retaining the socket ++ * object (i.e., the file descriptor). As for dropping ++ * privileges, closing connections is always allowed. 
++ * ++ * For a TCP access control system, this request is ++ * legitimate. Let the network stack handle potential ++ * inconsistencies and return -EINVAL if needed. ++ */ ++ return 0; ++ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { ++ /* ++ * Binding to an AF_UNSPEC address is treated ++ * differently by IPv4 and IPv6 sockets. The socket's ++ * family may change under our feet due to ++ * setsockopt(IPV6_ADDRFORM), but that's ok: we either ++ * reject entirely or require ++ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so ++ * it cannot be used to bypass the policy. ++ * ++ * IPv4 sockets map AF_UNSPEC to AF_INET for ++ * retrocompatibility for bind accesses, only if the ++ * address is INADDR_ANY (cf. __inet_bind). IPv6 ++ * sockets always reject it. ++ * ++ * Checking the address is required to not wrongfully ++ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL. ++ * We could return 0 and let the network stack handle ++ * these checks, but it is safer to return a proper ++ * error and test consistency thanks to kselftest. ++ */ ++ if (sock->sk->__sk_common.skc_family == AF_INET) { ++ const struct sockaddr_in *const sockaddr = ++ (struct sockaddr_in *)address; ++ ++ if (addrlen < sizeof(struct sockaddr_in)) ++ return -EINVAL; ++ ++ if (sockaddr->sin_addr.s_addr != ++ htonl(INADDR_ANY)) ++ return -EAFNOSUPPORT; ++ } else { ++ if (addrlen < SIN6_LEN_RFC2133) ++ return -EINVAL; ++ else ++ return -EAFNOSUPPORT; ++ } ++ } else { ++ WARN_ON_ONCE(1); ++ } ++ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */ ++ fallthrough; + case AF_INET: { + const struct sockaddr_in *addr4; + +@@ -119,57 +174,18 @@ static int current_check_access_socket(struct socket *const sock, + return 0; + } + +- /* Specific AF_UNSPEC handling. 
*/ +- if (address->sa_family == AF_UNSPEC) { +- /* +- * Connecting to an address with AF_UNSPEC dissolves the TCP +- * association, which have the same effect as closing the +- * connection while retaining the socket object (i.e., the file +- * descriptor). As for dropping privileges, closing +- * connections is always allowed. +- * +- * For a TCP access control system, this request is legitimate. +- * Let the network stack handle potential inconsistencies and +- * return -EINVAL if needed. +- */ +- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) +- return 0; +- +- /* +- * For compatibility reason, accept AF_UNSPEC for bind +- * accesses (mapped to AF_INET) only if the address is +- * INADDR_ANY (cf. __inet_bind). Checking the address is +- * required to not wrongfully return -EACCES instead of +- * -EAFNOSUPPORT. +- * +- * We could return 0 and let the network stack handle these +- * checks, but it is safer to return a proper error and test +- * consistency thanks to kselftest. +- */ +- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) { +- /* addrlen has already been checked for AF_UNSPEC. */ +- const struct sockaddr_in *const sockaddr = +- (struct sockaddr_in *)address; +- +- if (sock->sk->__sk_common.skc_family != AF_INET) +- return -EINVAL; +- +- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY)) +- return -EAFNOSUPPORT; +- } +- } else { +- /* +- * Checks sa_family consistency to not wrongfully return +- * -EACCES instead of -EINVAL. Valid sa_family changes are +- * only (from AF_INET or AF_INET6) to AF_UNSPEC. +- * +- * We could return 0 and let the network stack handle this +- * check, but it is safer to return a proper error and test +- * consistency thanks to kselftest. +- */ +- if (address->sa_family != sock->sk->__sk_common.skc_family) +- return -EINVAL; +- } ++ /* ++ * Checks sa_family consistency to not wrongfully return ++ * -EACCES instead of -EINVAL. Valid sa_family changes are ++ * only (from AF_INET or AF_INET6) to AF_UNSPEC. 
++ * ++ * We could return 0 and let the network stack handle this ++ * check, but it is safer to return a proper error and test ++ * consistency thanks to kselftest. ++ */ ++ if (address->sa_family != sock->sk->__sk_common.skc_family && ++ address->sa_family != AF_UNSPEC) ++ return -EINVAL; + + id.key.data = (__force uintptr_t)port; + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data)); +-- +2.51.0 + diff --git a/queue-6.18/landlock-fix-wrong-type-usage.patch b/queue-6.18/landlock-fix-wrong-type-usage.patch new file mode 100644 index 0000000000..f601b02b2e --- /dev/null +++ b/queue-6.18/landlock-fix-wrong-type-usage.patch 
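Review bot: In the new `case AF_UNSPEC:` block of current_check_access_socket(), the final `else { WARN_ON_ONCE(1); }` branch also reaches the `fallthrough`, although the comment right above it says the fall-through is only for bind(AF_UNSPEC+INADDR_ANY) on an IPv4 socket. If `access_request` can only ever hold the two handled values this is unreachable, but for an access-control hook I would rather fail closed than continue into the AF_INET path on an unexpected request. That could be `WARN_ON_ONCE(1); return -EACCES;` (errno to be confirmed against the rest of the function), or at least a comment that covers this branch. The comment moved into this block also still reads "which have the same effect" where `which has the same effect` is meant. The switch continues outside the hunk.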
@@ -0,0 +1,41 @@ +From 841d2a8622ad548e7a2906eba0f15a05acaf1646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Dec 2025 17:11:06 +0000 +Subject: landlock: Fix wrong type usage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tingmao Wang + +[ Upstream commit 29fbfa46e4287c596bdc77e2c599e3a1bbf8bb67 ] + +I think, based on my best understanding, that this type is likely a typo +(even though in the end both are u16) + +Signed-off-by: Tingmao Wang +Fixes: 2fc80c69df82 ("landlock: Log file-related denials") +Reviewed-by: Günther Noack +Link: https://lore.kernel.org/r/7339ad7b47f998affd84ca629a334a71f913616d.1765040503.git.m@maowtm.org +Signed-off-by: Mickaël Salaün +Signed-off-by: Sasha Levin +--- + security/landlock/audit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/landlock/audit.c b/security/landlock/audit.c +index c52d079cdb77b..e899995f1fd59 100644 +--- a/security/landlock/audit.c ++++ b/security/landlock/audit.c +@@ -191,7 +191,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain, + long youngest_layer = -1; + + for_each_set_bit(access_bit, &access_req, layer_masks_size) { +- const access_mask_t mask = (*layer_masks)[access_bit]; ++ const layer_mask_t mask = (*layer_masks)[access_bit]; + long layer; + + if (!mask) +-- +2.51.0 + diff --git a/queue-6.18/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-6.18/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch new file mode 100644 index 0000000000..69c6c8bcf4 --- /dev/null +++ b/queue-6.18/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch 
@@ -0,0 +1,108 @@ +From 331b3586607bf149e33fb22e786488903bf93855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:36:51 +0000 +Subject: macvlan: fix possible UAF in macvlan_forward_source() + +From: Eric Dumazet + +[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ] + +Add RCU protection on (struct macvlan_source_entry)->vlan. + +Whenever macvlan_hash_del_source() is called, we must clear +entry->vlan pointer before RCU grace period starts. + +This allows macvlan_forward_source() to skip over +entries queued for freeing. + +Note that macvlan_dev are already RCU protected, as they +are embedded in a standard netdev (netdev_priv(ndev)). + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index 7966545512cfe..b4df7e184791d 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -59,7 +59,7 @@ struct macvlan_port { + + struct macvlan_source_entry { + struct hlist_node hlist; +- struct macvlan_dev *vlan; ++ struct macvlan_dev __rcu *vlan; + unsigned char addr[6+2] __aligned(sizeof(u16)); + struct rcu_head rcu; + }; +@@ -146,7 +146,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source( + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { + if (ether_addr_equal_64bits(entry->addr, addr) && +- entry->vlan == vlan) ++ rcu_access_pointer(entry->vlan) == vlan) + return entry; + } + return NULL; +@@ -168,7 +168,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan, + return -ENOMEM; + + ether_addr_copy(entry->addr, 
addr); +- entry->vlan = vlan; ++ RCU_INIT_POINTER(entry->vlan, vlan); + h = &port->vlan_source_hash[macvlan_eth_hash(addr)]; + hlist_add_head_rcu(&entry->hlist, h); + vlan->macaddr_count++; +@@ -187,6 +187,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan) + + static void macvlan_hash_del_source(struct macvlan_source_entry *entry) + { ++ RCU_INIT_POINTER(entry->vlan, NULL); + hlist_del_rcu(&entry->hlist); + kfree_rcu(entry, rcu); + } +@@ -390,7 +391,7 @@ static void macvlan_flush_sources(struct macvlan_port *port, + int i; + + hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) +- if (entry->vlan == vlan) ++ if (rcu_access_pointer(entry->vlan) == vlan) + macvlan_hash_del_source(entry); + + vlan->macaddr_count = 0; +@@ -433,9 +434,14 @@ static bool macvlan_forward_source(struct sk_buff *skb, + + hlist_for_each_entry_rcu(entry, h, hlist) { + if (ether_addr_equal_64bits(entry->addr, addr)) { +- if (entry->vlan->flags & MACVLAN_FLAG_NODST) ++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan); ++ ++ if (!vlan) ++ continue; ++ ++ if (vlan->flags & MACVLAN_FLAG_NODST) + consume = true; +- macvlan_forward_source_one(skb, entry->vlan); ++ macvlan_forward_source_one(skb, vlan); + } + } + +@@ -1680,7 +1686,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb, + struct macvlan_source_entry *entry; + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { +- if (entry->vlan != vlan) ++ if (rcu_access_pointer(entry->vlan) != vlan) + continue; + if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr)) + return 1; +-- +2.51.0 + diff --git a/queue-6.18/mips-fix-highmem-initialization.patch b/queue-6.18/mips-fix-highmem-initialization.patch new file mode 100644 index 0000000000..df6bb39609 --- /dev/null +++ b/queue-6.18/mips-fix-highmem-initialization.patch 
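Review bot: The new meaning of a NULL `entry->vlan` is not written down at the field: in `struct macvlan_source_entry` the pointer only gains `__rcu`. The rule that it is cleared in macvlan_hash_del_source() before `kfree_rcu()`, and that RCU readers must skip such entries, lives only in the commit message. I would add `/* NULL once the entry is queued for freeing; RCU readers must skip it */` next to `struct macvlan_dev __rcu *vlan;`. macvlan_forward_source() does the NULL check, but the other visible readers only compare the pointer through `rcu_access_pointer()`, so any future reader that dereferences it needs the same check.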
@@ -0,0 +1,75 @@ +From cebbcbbcfd756f29a3a5b246189cfc87a4d37fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 12:57:01 +0200 +Subject: mips: fix HIGHMEM initialization + +From: Mike Rapoport (Microsoft) + +[ Upstream commit f171b55f1441294344b86edfeaa575ea9673fd23 ] + +Commit 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing") overzealously +removed mem_init_free_highmem() function that beside freeing high memory +pages checked for CPU support for high memory as a prerequisite. + +Partially restore mem_init_free_highmem() with a new highmem_init() name +and make it discard high memory in case there is no CPU support for it. + +Link: https://lkml.kernel.org/r/20251231105701.519711-1-rppt@kernel.org +Fixes: 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing") +Signed-off-by: Mike Rapoport (Microsoft) +Reported-by: Markus Stockhausen +Cc: Chris Packham +Cc: Hauke Mehrtens +Cc: Jonas Jelonek +Cc: Thomas Bogendoerfer +Cc: Thomas Gleinxer +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + arch/mips/mm/init.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c +index a673d3d68254b..8986048f9b110 100644 +--- a/arch/mips/mm/init.c ++++ b/arch/mips/mm/init.c +@@ -425,6 +425,28 @@ void __init paging_init(void) + static struct kcore_list kcore_kseg0; + #endif + ++static inline void __init highmem_init(void) ++{ ++#ifdef CONFIG_HIGHMEM ++ unsigned long tmp; ++ ++ /* ++ * If CPU cannot support HIGHMEM discard the memory above highstart_pfn ++ */ ++ if (cpu_has_dc_aliases) { ++ memblock_remove(PFN_PHYS(highstart_pfn), -1); ++ return; ++ } ++ ++ for (tmp = highstart_pfn; tmp < highend_pfn; tmp++) { ++ struct page *page = pfn_to_page(tmp); ++ ++ if (!memblock_is_memory(PFN_PHYS(tmp))) ++ SetPageReserved(page); ++ } ++#endif ++} ++ + void __init arch_mm_preinit(void) + { + /* +@@ -435,6 +457,7 @@ void __init arch_mm_preinit(void) + + maar_init(); + setup_zero_pages(); /* 
Setup zeroed pages. */ ++ highmem_init(); + + #ifdef CONFIG_64BIT + if ((unsigned long) &_text > (unsigned long) CKSEG0) +-- +2.51.0 + diff --git a/queue-6.18/mm-describe-flags-parameter-in-memalloc_flags_save.patch b/queue-6.18/mm-describe-flags-parameter-in-memalloc_flags_save.patch new file mode 100644 index 0000000000..48d44a7940 --- /dev/null +++ b/queue-6.18/mm-describe-flags-parameter-in-memalloc_flags_save.patch 
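Review bot: The comment in the new highmem_init() says "If CPU cannot support HIGHMEM", but the test is `cpu_has_dc_aliases` and nothing explains the link between the two. Naming the condition would help, e.g. `/* HIGHMEM cannot be used when the CPU has data cache aliases: drop all memory from highstart_pfn upwards. */`. The size argument `-1` in `memblock_remove(PFN_PHYS(highstart_pfn), -1)` relies on implicit conversion to mean "to the end"; `PHYS_ADDR_MAX` would state that directly. The memory is also discarded without any log line, so a system that loses RAM this way gives no hint why; whether the removed mem_init_free_highmem() printed one is not visible here.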
@@ -0,0 +1,50 @@ +From 5777265df7bdf433c91f533ac92b05c8dfab1d4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 08:40:04 +0700 +Subject: mm: describe @flags parameter in memalloc_flags_save() + +From: Bagas Sanjaya + +[ Upstream commit e2fb7836b01747815f8bb94981c35f2688afb120 ] + +Patch series "mm kernel-doc fixes". + +Here are kernel-doc fixes for mm subsystem. I'm also including textsearch +fix since there's currently no maintainer for include/linux/textsearch.h +(get_maintainer.pl only shows LKML). + +This patch (of 4): + +Sphinx reports kernel-doc warning: + +WARNING: ./include/linux/sched/mm.h:332 function parameter 'flags' not described in 'memalloc_flags_save' + +Describe @flags to fix it. + +Link: https://lkml.kernel.org/r/20251219014006.16328-2-bagasdotme@gmail.com +Link: https://lkml.kernel.org/r/20251219014006.16328-3-bagasdotme@gmail.com +Signed-off-by: Bagas Sanjaya +Fixes: 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}") +Acked-by: David Hildenbrand (Red Hat) +Acked-by: Harry Yoo +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/sched/mm.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h +index 0232d983b7153..a3094379b5790 100644 +--- a/include/linux/sched/mm.h ++++ b/include/linux/sched/mm.h +@@ -323,6 +323,7 @@ static inline void might_alloc(gfp_t gfp_mask) + + /** + * memalloc_flags_save - Add a PF_* flag to current->flags, save old value ++ * @flags: Flags to add. + * + * This allows PF_* flags to be conveniently added, irrespective of current + * value, and then the old version restored with memalloc_flags_restore(). +-- +2.51.0 + diff --git a/queue-6.18/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch b/queue-6.18/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch new file mode 100644 index 0000000000..cdb58e9e00 --- /dev/null +++ b/queue-6.18/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch 
@@ -0,0 +1,42 @@ +From 60f4b124ba6d65ba052577049824c7d74d59cc4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 08:40:07 +0700 +Subject: mm, kfence: describe @slab parameter in __kfence_obj_info() + +From: Bagas Sanjaya + +[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ] + +Sphinx reports kernel-doc warning: + +WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info' + +Fix it by describing @slab parameter. + +Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com +Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects") +Signed-off-by: Bagas Sanjaya +Acked-by: Marco Elver +Acked-by: David Hildenbrand (Red Hat) +Acked-by: Harry Yoo +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/kfence.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/kfence.h b/include/linux/kfence.h +index 0ad1ddbb8b996..e5822f6e7f279 100644 +--- a/include/linux/kfence.h ++++ b/include/linux/kfence.h +@@ -211,6 +211,7 @@ struct kmem_obj_info; + * __kfence_obj_info() - fill kmem_obj_info struct + * @kpp: kmem_obj_info to be filled + * @object: the object ++ * @slab: the slab + * + * Return: + * * false - not a KFENCE object +-- +2.51.0 + diff --git a/queue-6.18/net-airoha-fix-typo-in-airoha_ppe_setup_tc_block_cb-.patch b/queue-6.18/net-airoha-fix-typo-in-airoha_ppe_setup_tc_block_cb-.patch new file mode 100644 index 0000000000..98677618a0 --- /dev/null +++ b/queue-6.18/net-airoha-fix-typo-in-airoha_ppe_setup_tc_block_cb-.patch 
@@ -0,0 +1,41 @@ +From ca71951876aad81e00e6fd5c37ea443fe49a9c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 10:29:06 +0100 +Subject: net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition + +From: Lorenzo Bianconi + +[ Upstream commit dfdf774656205515b2d6ad94fce63c7ccbe92d91 ] + +Fix Typo in airoha_ppe_dev_setup_tc_block_cb routine definition when +CONFIG_NET_AIROHA is not enabled. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601090517.Fj6v501r-lkp@intel.com/ +Fixes: f45fc18b6de04 ("net: airoha: Add airoha_ppe_dev struct definition") +Signed-off-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20260109-airoha_ppe_dev_setup_tc_block_cb-typo-v1-1-282e8834a9f9@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/soc/airoha/airoha_offload.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/soc/airoha/airoha_offload.h b/include/linux/soc/airoha/airoha_offload.h +index 1a33f846afafa..0e82f1f4d36c4 100644 +--- a/include/linux/soc/airoha/airoha_offload.h ++++ b/include/linux/soc/airoha/airoha_offload.h +@@ -51,8 +51,8 @@ static inline void airoha_ppe_put_dev(struct airoha_ppe_dev *dev) + { + } + +-static inline int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev *dev, +- void *type_data) ++static inline int airoha_ppe_dev_setup_tc_block_cb(struct airoha_ppe_dev *dev, ++ void *type_data) + { + return -EOPNOTSUPP; + } +-- +2.51.0 + diff --git a/queue-6.18/net-bridge-annotate-data-races-around-fdb-updated-us.patch b/queue-6.18/net-bridge-annotate-data-races-around-fdb-updated-us.patch new file mode 100644 index 0000000000..1ef4de6960 --- /dev/null +++ b/queue-6.18/net-bridge-annotate-data-races-around-fdb-updated-us.patch 
@@ -0,0 +1,143 @@ +From 3cc8222d7aaf76db55b4c8599446f0b22b29b893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 09:38:06 +0000 +Subject: net: bridge: annotate data-races around fdb->{updated,used} + +From: Eric Dumazet + +[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ] + +fdb->updated and fdb->used are read and written locklessly. + +Add READ_ONCE()/WRITE_ONCE() annotations. + +Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries") +Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/ +Signed-off-by: Eric Dumazet +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 28 ++++++++++++++++------------ + net/bridge/br_input.c | 4 ++-- + 2 files changed, 18 insertions(+), 14 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 58d22e2b85fc3..0501ffcb8a3dd 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -70,7 +70,7 @@ static inline int has_expired(const struct net_bridge *br, + { + return !test_bit(BR_FDB_STATIC, &fdb->flags) && + !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) && +- time_before_eq(fdb->updated + hold_time(br), jiffies); ++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies); + } + + static int fdb_to_nud(const struct net_bridge *br, +@@ -126,9 +126,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, + if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags)) + goto nla_put_failure; + +- ci.ndm_used = jiffies_to_clock_t(now - fdb->used); ++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used)); + ci.ndm_confirmed = 0; +- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated); ++ ci.ndm_updated = jiffies_to_clock_t(now - 
READ_ONCE(fdb->updated)); + ci.ndm_refcnt = 0; + if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci)) + goto nla_put_failure; +@@ -551,7 +551,7 @@ void br_fdb_cleanup(struct work_struct *work) + */ + rcu_read_lock(); + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { +- unsigned long this_timer = f->updated + delay; ++ unsigned long this_timer = READ_ONCE(f->updated) + delay; + + if (test_bit(BR_FDB_STATIC, &f->flags) || + test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) { +@@ -924,6 +924,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + { + struct net_bridge_fdb_entry *f; + struct __fdb_entry *fe = buf; ++ unsigned long delta; + int num = 0; + + memset(buf, 0, maxnum*sizeof(struct __fdb_entry)); +@@ -953,8 +954,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + fe->port_hi = f->dst->port_no >> 8; + + fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags); +- if (!test_bit(BR_FDB_STATIC, &f->flags)) +- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated); ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) { ++ delta = jiffies - READ_ONCE(f->updated); ++ fe->ageing_timer_value = ++ jiffies_delta_to_clock_t(delta); ++ } + ++fe; + ++num; + } +@@ -1002,8 +1006,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + unsigned long now = jiffies; + bool fdb_modified = false; + +- if (now != fdb->updated) { +- fdb->updated = now; ++ if (now != READ_ONCE(fdb->updated)) { ++ WRITE_ONCE(fdb->updated, now); + fdb_modified = __fdb_mark_active(fdb); + } + +@@ -1242,10 +1246,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + if (fdb_handle_notify(fdb, notify)) + modified = true; + +- fdb->used = jiffies; ++ WRITE_ONCE(fdb->used, jiffies); + if (modified) { + if (refresh) +- fdb->updated = jiffies; ++ WRITE_ONCE(fdb->updated, jiffies); + fdb_notify(br, fdb, RTM_NEWNEIGH, true); + } + +@@ -1556,7 +1560,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + goto 
err_unlock; + } + +- fdb->updated = jiffies; ++ WRITE_ONCE(fdb->updated, jiffies); + + if (READ_ONCE(fdb->dst) != p) { + WRITE_ONCE(fdb->dst, p); +@@ -1565,7 +1569,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + + if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { + /* Refresh entry */ +- fdb->used = jiffies; ++ WRITE_ONCE(fdb->used, jiffies); + } else { + modified = true; + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 777fa869c1a14..e355a15bf5ab1 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -221,8 +221,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + if (test_bit(BR_FDB_LOCAL, &dst->flags)) + return br_pass_frame_up(skb, false); + +- if (now != dst->used) +- dst->used = now; ++ if (now != READ_ONCE(dst->used)) ++ WRITE_ONCE(dst->used, now); + br_forward(dst->dst, skb, local_rcv, false); + } else { + if (!mcast_hit) +-- +2.51.0 + diff --git a/queue-6.18/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch b/queue-6.18/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch new file mode 100644 index 0000000000..9eb045a316 --- /dev/null +++ b/queue-6.18/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch 
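Review bot: Nothing in the patch records that `fdb->updated` and `fdb->used` are lockless fields, so the next plain `fdb->used = jiffies;` added anywhere will bring the data race back. The field declarations are outside this patch (only br_fdb.c and br_input.c are touched). A short comment there, such as `/* read and written locklessly: use READ_ONCE()/WRITE_ONCE() */`, would make the convention visible. As a small style point in br_fdb_fillbuf(), `delta` is only used inside the `if (!test_bit(BR_FDB_STATIC, &f->flags))` block and could be declared there instead of at function scope.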
@@ -0,0 +1,47 @@ +From 7576fbbfe0c6fee8876cd07f240f717ee0e108d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jan 2026 02:01:33 -0800 +Subject: net: hv_netvsc: reject RSS hash key programming without RX + indirection table + +From: Aditya Garg + +[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ] + +RSS configuration requires a valid RX indirection table. When the device +reports a single receive queue, rndis_filter_device_add() does not +allocate an indirection table, accepting RSS hash key updates in this +state leads to a hang. + +Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return +-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device +capabilities and prevents incorrect behavior. + +Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key") +Signed-off-by: Aditya Garg +Reviewed-by: Dipayaan Roy +Reviewed-by: Haiyang Zhang +Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 39c892e46cb01..25a358524a096 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1757,6 +1757,9 @@ static int netvsc_set_rxfh(struct net_device *dev, + rxfh->hfunc != ETH_RSS_HASH_TOP) + return -EOPNOTSUPP; + ++ if (!ndc->rx_table_sz) ++ return -EOPNOTSUPP; ++ + rndis_dev = ndev->extension; + if (rxfh->indir) { + for (i = 0; i < ndc->rx_table_sz; i++) +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch b/queue-6.18/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch new file mode 100644 index 0000000000..a6e78471fa --- /dev/null +++ b/queue-6.18/net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch 
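Review bot: The added `if (!ndc->rx_table_sz) return -EOPNOTSUPP;` in netvsc_set_rxfh() has no comment. The reason, that no indirection table is allocated for a single receive queue and accepting a hash key update in that state leads to a hang, is only in the commit message. I would add above the check `/* No RX indirection table (single queue): RSS key updates are not supported. */`. It is also worth checking that the matching get path copes with `rx_table_sz == 0`, which cannot be confirmed from this hunk; the function body continues outside it.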
@@ -0,0 +1,151 @@ +From 937dbba5960728d0c9a88771e9921003d0e9bd04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:55 -0800 +Subject: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv + +From: Saeed Mahameed + +[ Upstream commit 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 ] + +mlx5e_priv is an unstable structure that can be memset(0) if profile +attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to +reference the netdev and mdev associated with that struct. Instead, +store netdev directly into mlx5e_dev and get mdev from the containing +mlx5_adev aux device structure. + +This fixes a kernel oops in mlx5e_remove when switchdev mode fails due +to change profile failure. + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev +Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + +$ devlink dev reload pci/0000:00:03.0 ==> oops + +BUG: kernel NULL pointer dereference, address: 0000000000000520 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_remove+0x68/0x130 +RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 +RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 +RDX: 0000000000000000 RSI: 0000000000000001 
RDI: 0000000000000000 +RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 +R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 +R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 +FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 +Call Trace: + + device_release_driver_internal+0x19c/0x200 + bus_remove_device+0xc6/0x130 + device_del+0x160/0x3d0 + ? devl_param_driverinit_value_get+0x2d/0x90 + mlx5_detach_device+0x89/0xe0 + mlx5_unload_one_devl_locked+0x3a/0x70 + mlx5_devlink_reload_down+0xc8/0x220 + devlink_reload+0x7d/0x260 + devlink_nl_reload_doit+0x45b/0x5a0 + genl_family_rcv_msg_doit+0xe8/0x140 + +Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device") +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Link: https://patch.msgid.link/20260108212657.25090-3-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++--------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index cfdbeb21b61cf..bc1b343f89a25 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -963,7 +963,7 @@ struct mlx5e_priv { + }; + + struct mlx5e_dev { +- struct mlx5e_priv *priv; ++ struct net_device *netdev; + struct devlink_port dl_port; + }; + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 3850c267dfc02..dcf1cd3488709 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ 
-6635,8 +6635,8 @@ static int _mlx5e_resume(struct auxiliary_device *adev) + { + struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; +- struct net_device *netdev = priv->netdev; ++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev); ++ struct net_device *netdev = mlx5e_dev->netdev; + struct mlx5_core_dev *mdev = edev->mdev; + struct mlx5_core_dev *pos, *to; + int err, i; +@@ -6682,10 +6682,11 @@ static int mlx5e_resume(struct auxiliary_device *adev) + + static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg) + { ++ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; +- struct net_device *netdev = priv->netdev; +- struct mlx5_core_dev *mdev = priv->mdev; ++ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev); ++ struct net_device *netdev = mlx5e_dev->netdev; ++ struct mlx5_core_dev *mdev = edev->mdev; + struct mlx5_core_dev *pos; + int i; + +@@ -6746,11 +6747,11 @@ static int _mlx5e_probe(struct auxiliary_device *adev) + goto err_devlink_port_unregister; + } + SET_NETDEV_DEVLINK_PORT(netdev, &mlx5e_dev->dl_port); ++ mlx5e_dev->netdev = netdev; + + mlx5e_build_nic_netdev(netdev); + + priv = netdev_priv(netdev); +- mlx5e_dev->priv = priv; + + priv->profile = profile; + priv->ppriv = NULL; +@@ -6813,7 +6814,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + { + struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev); + struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev); +- struct mlx5e_priv *priv = mlx5e_dev->priv; ++ struct net_device *netdev = mlx5e_dev->netdev; ++ struct mlx5e_priv *priv = netdev_priv(netdev); + struct mlx5_core_dev *mdev = edev->mdev; + + mlx5_core_uplink_netdev_set(mdev, NULL); +@@ -6822,8 +6824,8 @@ static void _mlx5e_remove(struct 
auxiliary_device *adev) + * if it's from legacy mode. If from switchdev mode, it + * is already unregistered before changing to NIC profile. + */ +- if (priv->netdev->reg_state == NETREG_REGISTERED) { +- unregister_netdev(priv->netdev); ++ if (netdev->reg_state == NETREG_REGISTERED) { ++ unregister_netdev(netdev); + _mlx5e_suspend(adev, false); + } else { + struct mlx5_core_dev *pos; +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch b/queue-6.18/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch new file mode 100644 index 0000000000..c2f9dc1c50 --- /dev/null +++ b/queue-6.18/net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch 
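Review bot: Replacing `mlx5e_dev->priv` with `netdev_priv(mlx5e_dev->netdev)` in _mlx5e_resume(), _mlx5e_suspend() and _mlx5e_remove() removes the stale stored pointer, but the memory it points at can still be all zeroes after a failed rollback, and none of these hunks adds a check before priv is used. The function bodies continue outside the hunks, so this is inferred: any remaining `priv->...` dereference there relies on the `priv->profile` guards added by the "Pass netdev to mlx5e_destroy_netdev" patch later in this queue, and the two should be backported together. The new field deserves a comment recording the invariant, e.g. `struct net_device *netdev; /* stable; netdev_priv() may be zeroed after a failed profile change */`.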
@@ -0,0 +1,232 @@ +From 1d0e6b364087e8fa75f6f8c897eb324a20cdd128 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:54 -0800 +Subject: net/mlx5e: Fix crash on profile change rollback failure + +From: Saeed Mahameed + +[ Upstream commit 4dadc4077e3f77d6d31e199a925fc7a705e7adeb ] + +mlx5e_netdev_change_profile can fail to attach a new profile and can +fail to rollback to old profile, in such case, we could end up with a +dangling netdev with a fully reset netdev_priv. A retry to change +profile, e.g. another attempt to call mlx5e_netdev_change_profile via +switchdev mode change, will crash trying to access the now NULL +priv->mdev. + +This fix allows mlx5e_netdev_change_profile() to handle previous +failures and an empty priv, by not assuming priv is valid. + +Pass netdev and mdev to all flows requiring +mlx5e_netdev_change_profile() and avoid passing priv. +In mlx5e_netdev_change_profile() check if current priv is valid, and if +not, just attach the new profile without trying to access the old one. 
+ +This fixes the following oops, when enabling switchdev mode for the 2nd +time after first time failure: + + ## Enabling switchdev mode first time: + +mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + ^^^^^^^^ +mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) + + ## retry: Enabling switchdev mode 2nd time: + +mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload +BUG: kernel NULL pointer dereference, address: 0000000000000038 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 +Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 +RSP: 0018:ffffc90000673890 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 +RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 +R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 +R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 +FS: 
00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 +Call Trace: + + mlx5e_netdev_change_profile+0x45/0xb0 + mlx5e_vport_rep_load+0x27b/0x2d0 + mlx5_esw_offloads_rep_load+0x72/0xf0 + esw_offloads_enable+0x5d0/0x970 + mlx5_eswitch_enable_locked+0x349/0x430 + ? is_mp_supported+0x57/0xb0 + mlx5_devlink_eswitch_mode_set+0x26b/0x430 + devlink_nl_eswitch_set_doit+0x6f/0xf0 + genl_family_rcv_msg_doit+0xe8/0x140 + genl_rcv_msg+0x18b/0x290 + ? __pfx_devlink_nl_pre_doit+0x10/0x10 + ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 + ? __pfx_devlink_nl_post_doit+0x10/0x10 + ? __pfx_genl_rcv_msg+0x10/0x10 + netlink_rcv_skb+0x52/0x100 + genl_rcv+0x28/0x40 + netlink_unicast+0x282/0x3e0 + ? __alloc_skb+0xd6/0x190 + netlink_sendmsg+0x1f7/0x430 + __sys_sendto+0x213/0x220 + ? __sys_recvmsg+0x6a/0xd0 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x50/0x1f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7fdfb8495047 + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-2-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 9 ++-- + .../net/ethernet/mellanox/mlx5/core/en_main.c | 48 +++++++++++++------ + .../net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++--- + 3 files changed, 44 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index a6479e4d8d8c6..cfdbeb21b61cf 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -1239,9 +1239,12 @@ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *prof + int mlx5e_attach_netdev(struct mlx5e_priv *priv); + void mlx5e_detach_netdev(struct 
mlx5e_priv *priv); + void mlx5e_destroy_netdev(struct mlx5e_priv *priv); +-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, +- const struct mlx5e_profile *new_profile, void *new_ppriv); +-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv); ++int mlx5e_netdev_change_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, ++ void *new_ppriv); ++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev); + void mlx5e_set_netdev_mtu_boundaries(struct mlx5e_priv *priv); + void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 mtu); + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 1545f9c008f49..3850c267dfc02 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6564,19 +6564,28 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde + return err; + } + +-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, +- const struct mlx5e_profile *new_profile, void *new_ppriv) ++int mlx5e_netdev_change_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev, ++ const struct mlx5e_profile *new_profile, ++ void *new_ppriv) + { +- const struct mlx5e_profile *orig_profile = priv->profile; +- struct net_device *netdev = priv->netdev; +- struct mlx5_core_dev *mdev = priv->mdev; +- void *orig_ppriv = priv->ppriv; ++ struct mlx5e_priv *priv = netdev_priv(netdev); ++ const struct mlx5e_profile *orig_profile; + int err, rollback_err; ++ void *orig_ppriv; + +- /* cleanup old profile */ +- mlx5e_detach_netdev(priv); +- priv->profile->cleanup(priv); +- mlx5e_priv_cleanup(priv); ++ orig_profile = priv->profile; ++ orig_ppriv = priv->ppriv; ++ ++ /* NULL could happen if previous change_profile failed to rollback */ ++ if (priv->profile) { ++ WARN_ON_ONCE(priv->mdev != mdev); ++ 
/* cleanup old profile */ ++ mlx5e_detach_netdev(priv); ++ priv->profile->cleanup(priv); ++ mlx5e_priv_cleanup(priv); ++ } ++ /* priv members are not valid from this point ... */ + + if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) { + mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv); +@@ -6593,16 +6602,25 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv, + return 0; + + rollback: ++ if (!orig_profile) { ++ netdev_warn(netdev, "no original profile to rollback to\n"); ++ priv->profile = NULL; ++ return err; ++ } ++ + rollback_err = mlx5e_netdev_attach_profile(netdev, mdev, orig_profile, orig_ppriv); +- if (rollback_err) +- netdev_err(netdev, "%s: failed to rollback to orig profile, %d\n", +- __func__, rollback_err); ++ if (rollback_err) { ++ netdev_err(netdev, "failed to rollback to orig profile, %d\n", ++ rollback_err); ++ priv->profile = NULL; ++ } + return err; + } + +-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv) ++void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, ++ struct mlx5_core_dev *mdev) + { +- mlx5e_netdev_change_profile(priv, &mlx5e_nic_profile, NULL); ++ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL); + } + + void mlx5e_destroy_netdev(struct mlx5e_priv *priv) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 0335ca8277efa..2f6aa5e61747c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1508,17 +1508,16 @@ mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep * + { + struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep); + struct net_device *netdev; +- struct mlx5e_priv *priv; + int err; + + netdev = mlx5_uplink_netdev_get(dev); + if (!netdev) + return 0; + +- priv = netdev_priv(netdev); +- rpriv->netdev = priv->netdev; +- err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile, +- rpriv); ++ 
/* must not use netdev_priv(netdev), it might not be initialized yet */ ++ rpriv->netdev = netdev; ++ err = mlx5e_netdev_change_profile(netdev, dev, ++ &mlx5e_uplink_rep_profile, rpriv); + mlx5_uplink_netdev_put(dev, netdev); + return err; + } +@@ -1546,7 +1545,7 @@ mlx5e_vport_uplink_rep_unload(struct mlx5e_rep_priv *rpriv) + if (!(priv->mdev->priv.flags & MLX5_PRIV_FLAGS_SWITCH_LEGACY)) + unregister_netdev(netdev); + +- mlx5e_netdev_attach_nic_profile(priv); ++ mlx5e_netdev_attach_nic_profile(netdev, priv->mdev); + } + + static int +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch b/queue-6.18/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch new file mode 100644 index 0000000000..7ed9473742 --- /dev/null +++ b/queue-6.18/net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch 
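Review bot: mlx5e_vport_uplink_rep_unload() still reads `priv->mdev` twice, once in the `MLX5_PRIV_FLAGS_SWITCH_LEGACY` test and once as the new argument in `mlx5e_netdev_attach_nic_profile(netdev, priv->mdev)`, while the load side in the same file now carries a comment that netdev_priv() must not be trusted. If unload can run after a change_profile whose rollback failed (not determinable from this hunk), priv is zeroed and the first read is a NULL dereference. The mdev should come from a source that survives mlx5e_priv_cleanup(), or the function should test `priv->profile` before touching `priv->mdev`. Separately, the context line in mlx5e_netdev_change_profile() calls `mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);` under MLX5_DEVICE_STATE_INTERNAL_ERROR without checking its return value.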
@@ -0,0 +1,162 @@ +From 03196f0d214285a9959efb43faf3672e0a624e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:56 -0800 +Subject: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv + +From: Saeed Mahameed + +[ Upstream commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 ] + +mlx5e_priv is an unstable structure that can be memset(0) if profile +attaching fails. + +Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a +valid netdev. + +On mlx5e_remove: Check validity of priv->profile, before attempting +to cleanup any resources that might be not there. + +This fixes a kernel oops in mlx5e_remove when switchdev mode fails due +to change profile failure. + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev +Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 +workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR +mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 +mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 + +$ devlink dev reload pci/0000:00:03.0 ==> oops + +BUG: kernel NULL pointer dereference, address: 0000000000000370 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP NOPTI +CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 +RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 +RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 +RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 +R10: 
ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 +R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 +FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 +Call Trace: + + mlx5e_remove+0x57/0x110 + device_release_driver_internal+0x19c/0x200 + bus_remove_device+0xc6/0x130 + device_del+0x160/0x3d0 + ? devl_param_driverinit_value_get+0x2d/0x90 + mlx5_detach_device+0x89/0xe0 + mlx5_unload_one_devl_locked+0x3a/0x70 + mlx5_devlink_reload_down+0xc8/0x220 + devlink_reload+0x7d/0x260 + devlink_nl_reload_doit+0x45b/0x5a0 + genl_family_rcv_msg_doit+0xe8/0x140 + +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Shay Drori +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-4-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------ + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 ++-- + 3 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h +index bc1b343f89a25..b34b85539f3b1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h +@@ -1238,7 +1238,7 @@ struct net_device * + mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *profile); + int mlx5e_attach_netdev(struct mlx5e_priv *priv); + void mlx5e_detach_netdev(struct mlx5e_priv *priv); +-void mlx5e_destroy_netdev(struct mlx5e_priv *priv); ++void mlx5e_destroy_netdev(struct net_device *netdev); + int mlx5e_netdev_change_profile(struct net_device *netdev, + struct mlx5_core_dev *mdev, + const struct mlx5e_profile *new_profile, +diff --git 
a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index dcf1cd3488709..3863fb40ff929 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -6623,11 +6623,12 @@ void mlx5e_netdev_attach_nic_profile(struct net_device *netdev, + mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL); + } + +-void mlx5e_destroy_netdev(struct mlx5e_priv *priv) ++void mlx5e_destroy_netdev(struct net_device *netdev) + { +- struct net_device *netdev = priv->netdev; ++ struct mlx5e_priv *priv = netdev_priv(netdev); + +- mlx5e_priv_cleanup(priv); ++ if (priv->profile) ++ mlx5e_priv_cleanup(priv); + free_netdev(netdev); + } + +@@ -6784,7 +6785,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev) + err_profile_cleanup: + profile->cleanup(priv); + err_destroy_netdev: +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + err_devlink_port_unregister: + mlx5e_devlink_port_unregister(mlx5e_dev); + err_devlink_unregister: +@@ -6819,7 +6820,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + struct mlx5_core_dev *mdev = edev->mdev; + + mlx5_core_uplink_netdev_set(mdev, NULL); +- mlx5e_dcbnl_delete_app(priv); ++ ++ if (priv->profile) ++ mlx5e_dcbnl_delete_app(priv); + /* When unload driver, the netdev is in registered state + * if it's from legacy mode. If from switchdev mode, it + * is already unregistered before changing to NIC profile. +@@ -6840,7 +6843,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev) + /* Avoid cleanup if profile rollback failed. 
*/ + if (priv->profile) + priv->profile->cleanup(priv); +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + mlx5e_devlink_port_unregister(mlx5e_dev); + mlx5e_destroy_devlink(mlx5e_dev); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +index 2f6aa5e61747c..8b65441246244 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -1611,7 +1611,7 @@ mlx5e_vport_vf_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep) + priv->profile->cleanup(priv); + + err_destroy_netdev: +- mlx5e_destroy_netdev(netdev_priv(netdev)); ++ mlx5e_destroy_netdev(netdev); + return err; + } + +@@ -1666,7 +1666,7 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep) + mlx5e_rep_vnic_reporter_destroy(priv); + mlx5e_detach_netdev(priv); + priv->profile->cleanup(priv); +- mlx5e_destroy_netdev(priv); ++ mlx5e_destroy_netdev(netdev); + free_ppriv: + kvfree(ppriv); /* mlx5e_rep_priv */ + } +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-restore-destroying-state-bit-after-profile.patch b/queue-6.18/net-mlx5e-restore-destroying-state-bit-after-profile.patch new file mode 100644 index 0000000000..444d7a9d42 --- /dev/null +++ b/queue-6.18/net-mlx5e-restore-destroying-state-bit-after-profile.patch 
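Review bot: `priv->profile` is now the marker for "priv was wiped" in mlx5e_destroy_netdev() and in front of mlx5e_dcbnl_delete_app() in _mlx5e_remove(), alongside the existing check before `priv->profile->cleanup(priv)`, but mlx5e_vport_rep_unload() still calls `priv->profile->cleanup(priv)` unguarded right before the changed `mlx5e_destroy_netdev(netdev)` line. That path may never see a wiped priv (the rest of the function is outside the hunk), in which case a short comment saying so would stop the asymmetry from looking like an oversight. In mlx5e_destroy_netdev() itself the reason for the test is not obvious from the code; suggested comment: `/* priv is zeroed if a profile change and its rollback both failed */`.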
@@ -0,0 +1,69 @@
+From b754de54e6650b886bb60826d8fd7e00b4be7a95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 13:26:57 -0800
+Subject: net/mlx5e: Restore destroying state bit after profile cleanup
+
+From: Saeed Mahameed
+
+[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
+
+Profile rollback can fail in mlx5e_netdev_change_profile() and we will
+end up with invalid mlx5e_priv memset to 0, we must maintain the
+'destroying' bit in order to gracefully shutdown even if the
+profile/priv are not valid.
+
+This patch maintains the previous state of the 'destroying' state of
+mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
+common resources from mlx5_core to avoid FW fatal errors as seen below:
+
+$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
+ Error: mlx5_core: Failed setting eswitch to offloads.
+dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
+
+$ devlink dev reload pci/0000:00:03.0
+
+mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
+mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
+mlx5_core 0000:00:03.0: firmware version: 28.41.1000
+mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
+mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
+mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
+mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
+mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
+
+Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
+Signed-off-by: Saeed Mahameed
+Reviewed-by: Tariq Toukan
+Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 3863fb40ff929..f8d9968542d9c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -6305,6 +6305,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
+
+ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ {
++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ int i;
+
+ /* bail if change profile failed and also rollback failed */
+@@ -6332,6 +6333,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ }
+
+ memset(priv, 0, sizeof(*priv));
++ if (destroying) /* restore destroying bit, to allow unload */
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+ }
+
+ static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
+--
+2.51.0
+
diff --git a/queue-6.18/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch b/queue-6.18/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
new file mode 100644
index 0000000000..73e33a01fe
--- /dev/null
+++ b/queue-6.18/net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
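Review bot: After this change mlx5e_priv_cleanup() no longer leaves an all-zero struct: `memset(priv, 0, sizeof(*priv))` is followed by a conditional `set_bit(MLX5E_STATE_DESTROYING, &priv->state)`, and the inline comment does not say which later reader needs the bit. Other patches in this queue treat a NULL `priv->profile` as "priv is invalid", so it is worth stating next to the memset that `state` is the one field that stays meaningful, e.g. `/* priv stays zeroed except for MLX5E_STATE_DESTROYING, which the remove flow still reads */`. `destroying` is sampled before the early bail-out whose comment is visible in the first hunk; that looks harmless, but the rest of the function lies outside both hunks.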
@@ -0,0 +1,46 @@
+From 0ee50d47d305dddec32abcc6e03cd685c8763e67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Jan 2026 00:42:57 +0800
+Subject: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
+
+From: Kery Qi
+
+[ Upstream commit f93fc5d12d69012788f82151bee55fce937e1432 ]
+
+octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
+ioq_vector. If request_irq() fails part-way, the rollback loop calls
+free_irq() with dev_id set to 'oct', which does not match the original
+dev_id and may leave the irqaction registered.
+
+This can keep IRQ handlers alive while ioq_vector is later freed during
+unwind/teardown, leading to a use-after-free or crash when an interrupt
+fires.
+
+Fix the error path to free IRQs with the same ioq_vector dev_id used
+during request_irq().
+
+Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
+Signed-off-by: Kery Qi
+Link: https://patch.msgid.link/20260108164256.1749-2-qikeyu2017@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+index 420c3f4cf7417..1d9760b4b8f47 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+@@ -218,7 +218,7 @@ static int octep_vf_request_irqs(struct octep_vf_device *oct)
+ ioq_irq_err:
+ while (i) {
+ --i;
+- free_irq(oct->msix_entries[i].vector, oct);
++ free_irq(oct->msix_entries[i].vector, oct->ioq_vector[i]);
+ }
+ return -1;
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/net-phy-motorcomm-fix-duplex-setting-error-for-phy-l.patch b/queue-6.18/net-phy-motorcomm-fix-duplex-setting-error-for-phy-l.patch
new file mode 100644
index 0000000000..b4cdb648d2
--- /dev/null
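Review bot: The rollback under `ioq_irq_err:` now passes the right dev_id, but the error path still ends with `return -1;`, so the caller gets -1 instead of the errno that request_irq() reported. If the failing return value is kept in a local (the request loop is outside the hunk), returning it would keep the real cause visible to the caller and in logs. It is also worth confirming that `oct->msix_entries[i]` and `oct->ioq_vector[i]` are paired by the same index in the request loop, since a mismatch would leave a handler registered against memory that is freed later, which is the problem this patch sets out to fix.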
+++ b/queue-6.18/net-phy-motorcomm-fix-duplex-setting-error-for-phy-l.patch
@@ -0,0 +1,41 @@
+From d030a49fcb812e894eca8ed65b85381b5b1deef3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 15:14:09 +0800
+Subject: net: phy: motorcomm: fix duplex setting error for phy leds
+
+From: Jijie Shao
+
+[ Upstream commit e02f2a0f1f9b6d4f0c620de2ce037d4436b58f70 ]
+
+fix duplex setting error for phy leds
+
+Fixes: 355b82c54c12 ("net: phy: motorcomm: Add support for PHY LEDs on YT8521")
+Signed-off-by: Jijie Shao
+Reviewed-by: Andrew Lunn
+Link: https://patch.msgid.link/20260108071409.2750607-1-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/motorcomm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/motorcomm.c b/drivers/net/phy/motorcomm.c
+index a3593e6630594..b49897500a592 100644
+--- a/drivers/net/phy/motorcomm.c
++++ b/drivers/net/phy/motorcomm.c
+@@ -1741,10 +1741,10 @@ static int yt8521_led_hw_control_set(struct phy_device *phydev, u8 index,
+ val |= YT8521_LED_1000_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_FULL_DUPLEX, &rules))
+- val |= YT8521_LED_HDX_ON_EN;
++ val |= YT8521_LED_FDX_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_HALF_DUPLEX, &rules))
+- val |= YT8521_LED_FDX_ON_EN;
++ val |= YT8521_LED_HDX_ON_EN;
+
+ if (test_bit(TRIGGER_NETDEV_TX, &rules) ||
+ test_bit(TRIGGER_NETDEV_RX, &rules))
+--
+2.51.0
+
diff --git a/queue-6.18/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-6.18/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
new file mode 100644
index 0000000000..ca8ce077c1
--- /dev/null
+++ b/queue-6.18/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
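Review bot: The swap in yt8521_led_hw_control_set() makes `TRIGGER_NETDEV_FULL_DUPLEX` set `YT8521_LED_FDX_ON_EN` and `TRIGGER_NETDEV_HALF_DUPLEX` set `YT8521_LED_HDX_ON_EN`, but the commit message only repeats the subject and does not say whether the read-back path had the same inversion. That path is outside the hunk; if it decodes the two bits the other way round, a get after a set would now report the opposite duplex rule. A sentence in the message stating that the getter was checked would close the question.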
@@ -0,0 +1,46 @@
+From 36200ed54a77398deeb56c261709cc1eb13f4c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index a91a5bac8f737..9b16ad431028f 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -529,8 +529,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/net-update-netdev_lock_-type-name.patch b/queue-6.18/net-update-netdev_lock_-type-name.patch
new file mode 100644
index 0000000000..9b0adedc61
--- /dev/null
+++ b/queue-6.18/net-update-netdev_lock_-type-name.patch
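Review bot: With the new `if (!existing)` guard the `destroy_class:` label no longer always destroys anything, and the reason for that lives only in the commit message. A comment at the label would carry it into the code: `/* free cl and its qdisc only if this call allocated them */`. `existing` is declared and set outside the hunk, so it should be checked that every jump to `destroy_class` for a pre-existing class happens after the flag has been set; a jump taken earlier would still free a class that remains in use.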
@@ -0,0 +1,91 @@
+From 12e500d97fe9ff28f2aea3f2d2734fe1f3bb9fd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 09:32:44 +0000
+Subject: net: update netdev_lock_{type,name}
+
+From: Eric Dumazet
+
+[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
+
+Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
+
+CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
+IEEE802154_MONITOR.
+
+Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
+next time a protocol is added without updating these arrays.
+
+Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
+Signed-off-by: Eric Dumazet
+Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/core/dev.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 2acfa44927daa..5b536860138d1 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -478,15 +478,21 @@ static const unsigned short netdev_lock_type[] = {
+ ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
+ ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
+ ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
++ ARPHRD_CAN, ARPHRD_MCTP,
+ ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
+- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
++ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
+ ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
+ ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
+ ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
+ ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
+- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
++ ARPHRD_IEEE80211_RADIOTAP,
++ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
++ ARPHRD_VSOCKMON,
++ ARPHRD_VOID, ARPHRD_NONE};
+
+ static const char *const netdev_lock_name[] = {
+ "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
+@@ -495,15 +501,21 @@ static const char *const netdev_lock_name[] = {
+ "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
+ "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
+ "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
++ "_xmit_CAN", "_xmit_MCTP",
+ "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
+- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
++ "_xmit_RAWHDLC", "_xmit_RAWIP",
++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
+ "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
+ "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
+ "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
+ "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
+- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
+- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
++ "_xmit_IEEE80211_RADIOTAP",
++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
++ "_xmit_PHONET", "_xmit_PHONET_PIPE",
++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
++ "_xmit_VSOCKMON",
++ "_xmit_VOID", "_xmit_NONE"};
+
+ static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
+ static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
+@@ -516,6 +528,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
+ if (netdev_lock_type[i] == dev_type)
+ return i;
+ /* the last key is used by default */
++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
+ return ARRAY_SIZE(netdev_lock_type) - 1;
+ }
+
+--
+2.51.0
+
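Review bot: `netdev_lock_type[]` and `netdev_lock_name[]` in net/core/dev.c are still kept the same length by hand; only the two lock-key arrays are sized from `ARRAY_SIZE(netdev_lock_type)`, so a future entry added to one table and not the other would make the position returned by netdev_lock_pos() run past the name table (presumably indexed with it, outside this hunk). A compile-time guard after the name table would catch that: `static_assert(ARRAY_SIZE(netdev_lock_type) == ARRAY_SIZE(netdev_lock_name));`. Separately, the new `WARN_ONCE()` fires for any `dev_type` missing from the table, which becomes a panic on hosts running with panic_on_warn, so it is worth confirming that no caller can reach netdev_lock_pos() with a type value supplied from user space. netdev_lock_pos() starts outside the hunk.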
diff --git a/queue-6.18/nfs-fix-a-deadlock-involving-nfs_release_folio.patch b/queue-6.18/nfs-fix-a-deadlock-involving-nfs_release_folio.patch
new file mode 100644
index 0000000000..436b2caf06
--- /dev/null
+++ b/queue-6.18/nfs-fix-a-deadlock-involving-nfs_release_folio.patch
@@ -0,0 +1,116 @@
+From 98f2a285ea9ba853060046f839d866fa792b0499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 31 Dec 2025 11:42:31 -0500
+Subject: NFS: Fix a deadlock involving nfs_release_folio()
+
+From: Trond Myklebust
+
+[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ]
+
+Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
+waiting on kthreadd, which is attempting to reclaim memory by calling
+nfs_release_folio(). The latter cannot make progress due to state
+recovery being needed.
+
+It seems that the only safe thing to do here is to kick off a writeback
+of the folio, without waiting for completion, or else kicking off an
+asynchronous commit.
+
+Reported-by: Wang Zhaolong
+Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/file.c | 3 ++-
+ fs/nfs/nfstrace.h | 3 +++
+ fs/nfs/write.c | 33 +++++++++++++++++++++++++++++++++
+ include/linux/nfs_fs.h | 1 +
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/file.c b/fs/nfs/file.c
+index d020aab40c64e..d1c138a416cfb 100644
+--- a/fs/nfs/file.c
++++ b/fs/nfs/file.c
+@@ -511,7 +511,8 @@ static bool nfs_release_folio(struct folio *folio, gfp_t gfp)
+ if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
+ current_is_kswapd() || current_is_kcompactd())
+ return false;
+- if (nfs_wb_folio(folio->mapping->host, folio) < 0)
++ if (nfs_wb_folio_reclaim(folio->mapping->host, folio) < 0 ||
++ folio_test_private(folio))
+ return false;
+ }
+ return nfs_fscache_release_folio(folio, gfp);
+diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
+index 6ce55e8e6b67c..9f9ce4a565ea6 100644
+--- a/fs/nfs/nfstrace.h
++++ b/fs/nfs/nfstrace.h
+@@ -1062,6 +1062,9 @@ DECLARE_EVENT_CLASS(nfs_folio_event_done,
+ DEFINE_NFS_FOLIO_EVENT(nfs_aop_readpage);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_aop_readpage_done);
+
++DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio_reclaim);
++DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_reclaim_done);
++
+ DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio);
+ DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_done);
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 336c510f37502..bf412455e8edf 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -2024,6 +2024,39 @@ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio)
+ return ret;
+ }
+
++/**
++ * nfs_wb_folio_reclaim - Write back all requests on one page
++ * @inode: pointer to page
++ * @folio: pointer to folio
++ *
++ * Assumes that the folio has been locked by the caller
++ */
++int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio)
++{
++ loff_t range_start = folio_pos(folio);
++ size_t len = folio_size(folio);
++ struct writeback_control wbc = {
++ .sync_mode = WB_SYNC_ALL,
++ .nr_to_write = 0,
++ .range_start = range_start,
++ .range_end = range_start + len - 1,
++ .for_sync = 1,
++ };
++ int ret;
++
++ if (folio_test_writeback(folio))
++ return -EBUSY;
++ if (folio_clear_dirty_for_io(folio)) {
++ trace_nfs_writeback_folio_reclaim(inode, range_start, len);
++ ret = nfs_writepage_locked(folio, &wbc);
++ trace_nfs_writeback_folio_reclaim_done(inode, range_start, len,
++ ret);
++ return ret;
++ }
++ nfs_commit_inode(inode, 0);
++ return 0;
++}
++
+ /**
+ * nfs_wb_folio - Write back all requests on one page
+ * @inode: pointer to page
+diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
+index c585939b6cd60..2cf490a3a239b 100644
+--- a/include/linux/nfs_fs.h
++++ b/include/linux/nfs_fs.h
+@@ -636,6 +636,7 @@ extern int nfs_update_folio(struct file *file, struct folio *folio,
+ extern int nfs_sync_inode(struct inode *inode);
+ extern int nfs_wb_all(struct inode *inode);
+ extern int nfs_wb_folio(struct inode *inode, struct folio *folio);
++extern int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio);
+ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio);
+ extern int nfs_commit_inode(struct inode *, int);
+ extern struct nfs_commit_data *nfs_commitdata_alloc(void);
+--
+2.51.0
+
diff --git a/queue-6.18/nfs-fix-size-read-races-in-truncate-fallocate-and-co.patch b/queue-6.18/nfs-fix-size-read-races-in-truncate-fallocate-and-co.patch
new file mode 100644
index 0000000000..f57cf8b60e
--- /dev/null
+++ b/queue-6.18/nfs-fix-size-read-races-in-truncate-fallocate-and-co.patch
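Review bot: The kernel-doc on the new nfs_wb_folio_reclaim() in fs/nfs/write.c is copied from nfs_wb_folio() and does not describe this function: `@inode: pointer to page` should read `@inode: inode that owns the folio`, and the summary should say that writeback or a commit is only started, never waited for, since that is what avoids the reclaim deadlock. It should also list the returns the body shows: `-EBUSY` when the folio is already under writeback, the result of nfs_writepage_locked() when the folio was dirty, and 0 after calling nfs_commit_inode(). The result of `nfs_commit_inode(inode, 0);` is discarded; if that is deliberate best-effort, a one-line comment such as `/* best effort: the caller rechecks folio_test_private() */` would say so.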
@@ -0,0 +1,188 @@
+From 0c9317427a6e67b75dafd808019f7f9e7ca9b705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Jan 2026 18:53:34 -0500
+Subject: NFS: Fix size read races in truncate, fallocate and copy offload
+
+From: Trond Myklebust
+
+[ Upstream commit d5811e6297f3fd9020ac31f51fc317dfdb260cb0 ]
+
+If the pre-operation file size is read before locking the inode and
+quiescing O_DIRECT writes, then nfs_truncate_last_folio() might end up
+overwriting valid file data.
+
+Fixes: b1817b18ff20 ("NFS: Protect against 'eof page pollution'")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/inode.c | 10 ++++++----
+ fs/nfs/io.c | 2 ++
+ fs/nfs/nfs42proc.c | 29 +++++++++++++++++++----------
+ 3 files changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 13ad70fc00d84..8c2bfcc323e02 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -716,7 +716,7 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ {
+ struct inode *inode = d_inode(dentry);
+ struct nfs_fattr *fattr;
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int error = 0;
+ kuid_t task_uid = current_fsuid();
+ kuid_t owner_uid = inode->i_uid;
+@@ -727,6 +727,10 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
+ attr->ia_valid &= ~ATTR_MODE;
+
++ if (S_ISREG(inode->i_mode))
++ nfs_file_block_o_direct(NFS_I(inode));
++
++ oldsize = i_size_read(inode);
+ if (attr->ia_valid & ATTR_SIZE) {
+ BUG_ON(!S_ISREG(inode->i_mode));
+
+@@ -774,10 +778,8 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ trace_nfs_setattr_enter(inode);
+
+ /* Write all dirty data */
+- if (S_ISREG(inode->i_mode)) {
+- nfs_file_block_o_direct(NFS_I(inode));
++ if (S_ISREG(inode->i_mode))
+ nfs_sync_inode(inode);
+- }
+
+ fattr = nfs_alloc_fattr_with_label(NFS_SERVER(inode));
+ if (fattr == NULL) {
+diff --git a/fs/nfs/io.c b/fs/nfs/io.c
+index d275b0a250bf3..8337f0ae852d4 100644
+--- a/fs/nfs/io.c
++++ b/fs/nfs/io.c
+@@ -84,6 +84,7 @@ nfs_start_io_write(struct inode *inode)
+ nfs_file_block_o_direct(NFS_I(inode));
+ return err;
+ }
++EXPORT_SYMBOL_GPL(nfs_start_io_write);
+
+ /**
+ * nfs_end_io_write - declare that the buffered write operation is done
+@@ -97,6 +98,7 @@ nfs_end_io_write(struct inode *inode)
+ {
+ up_write(&inode->i_rwsem);
+ }
++EXPORT_SYMBOL_GPL(nfs_end_io_write);
+
+ /* Call with exclusively locked inode->i_rwsem */
+ static void nfs_block_buffered(struct nfs_inode *nfsi, struct inode *inode)
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index d537fb0c230e8..c08520828708b 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -114,7 +114,6 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ exception.inode = inode;
+ exception.state = lock->open_context->state;
+
+- nfs_file_block_o_direct(NFS_I(inode));
+ err = nfs_sync_inode(inode);
+ if (err)
+ goto out;
+@@ -138,13 +137,17 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
+ .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ALLOCATE],
+ };
+ struct inode *inode = file_inode(filep);
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int err;
+
+ if (!nfs_server_capable(inode, NFS_CAP_ALLOCATE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
++
++ oldsize = i_size_read(inode);
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+
+@@ -155,7 +158,7 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
+ NFS_SERVER(inode)->caps &= ~(NFS_CAP_ALLOCATE |
+ NFS_CAP_ZERO_RANGE);
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -170,7 +173,9 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ if (!nfs_server_capable(inode, NFS_CAP_DEALLOCATE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0)
+@@ -179,7 +184,7 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ NFS_SERVER(inode)->caps &= ~(NFS_CAP_DEALLOCATE |
+ NFS_CAP_ZERO_RANGE);
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -189,14 +194,17 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
+ .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ZERO_RANGE],
+ };
+ struct inode *inode = file_inode(filep);
+- loff_t oldsize = i_size_read(inode);
++ loff_t oldsize;
+ int err;
+
+ if (!nfs_server_capable(inode, NFS_CAP_ZERO_RANGE))
+ return -EOPNOTSUPP;
+
+- inode_lock(inode);
++ err = nfs_start_io_write(inode);
++ if (err)
++ return err;
+
++ oldsize = i_size_read(inode);
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0) {
+ nfs_truncate_last_folio(inode->i_mapping, oldsize,
+@@ -205,7 +213,7 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
+ } else if (err == -EOPNOTSUPP)
+ NFS_SERVER(inode)->caps &= ~NFS_CAP_ZERO_RANGE;
+
+- inode_unlock(inode);
++ nfs_end_io_write(inode);
+ return err;
+ }
+
+@@ -416,7 +424,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
+ struct nfs_server *src_server = NFS_SERVER(src_inode);
+ loff_t pos_src = args->src_pos;
+ loff_t pos_dst = args->dst_pos;
+- loff_t oldsize_dst = i_size_read(dst_inode);
++ loff_t oldsize_dst;
+ size_t count = args->count;
+ ssize_t status;
+
+@@ -461,6 +469,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
+ &src_lock->open_context->state->flags);
+ set_bit(NFS_CLNT_DST_SSC_COPY_STATE,
+ &dst_lock->open_context->state->flags);
++ oldsize_dst = i_size_read(dst_inode);
+
+ status = nfs4_call_sync(dst_server->client, dst_server, &msg,
+ &args->seq_args, &res->seq_res, 0);
+--
+2.51.0
+
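Review bot: The ordering this change depends on, reading `i_size` only after the inode is locked and O_DIRECT writers are blocked, is not written down anywhere in the new code, so a later cleanup could move the read back into the declaration and reopen the race. I would add a comment at each sampling point, for example above `oldsize = i_size_read(inode);` in nfs_setattr(): `/* Sample the size only after O_DIRECT writes have been quiesced */`; the same applies to nfs42_proc_allocate(), nfs42_proc_zero_range() and `oldsize_dst` in _nfs42_proc_copy(). In _nfs42_proc_copy() the assignment now sits far below the declaration and the code between the two hunks is not shown, so it is worth confirming that no path reaches a use of `oldsize_dst` without passing the new assignment. All of these functions start or end outside their hunks.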
diff --git a/queue-6.18/nfs-localio-deal-with-page-bases-that-are-page_size.patch b/queue-6.18/nfs-localio-deal-with-page-bases-that-are-page_size.patch
new file mode 100644
index 0000000000..570eebc596
--- /dev/null
+++ b/queue-6.18/nfs-localio-deal-with-page-bases-that-are-page_size.patch
@@ -0,0 +1,36 @@
+From 50fe87fb4a84054de6dada399029ec25b28f8fe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Jan 2026 18:55:08 -0500
+Subject: NFS/localio: Deal with page bases that are > PAGE_SIZE
+
+From: Trond Myklebust
+
+[ Upstream commit 60699ab7cbf0a4eb19929cce243002b39c67917d ]
+
+When resending requests, etc, the page base can quickly grow larger than
+the page size.
+
+Fixes: 091bdcfcece0 ("nfs/localio: refactor iocb and iov_iter_bvec initialization")
+Signed-off-by: Trond Myklebust
+Reviewed-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/localio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
+index ed2a7efaf8f20..f537bc3386bf2 100644
+--- a/fs/nfs/localio.c
++++ b/fs/nfs/localio.c
+@@ -461,6 +461,8 @@ nfs_local_iters_init(struct nfs_local_kiocb *iocb, int rw)
+ v = 0;
+ total = hdr->args.count;
+ base = hdr->args.pgbase;
++ pagevec += base >> PAGE_SHIFT;
++ base &= ~PAGE_MASK;
+ while (total && v < hdr->page_array.npages) {
+ len = min_t(size_t, total, PAGE_SIZE - base);
+ bvec_set_page(&iocb->bvec[v], *pagevec, len, base);
+--
+2.51.0
+
diff --git a/queue-6.18/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-6.18/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
new file mode 100644
index 0000000000..562d69ae62
--- /dev/null
+++ b/queue-6.18/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
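Review bot: After `pagevec += base >> PAGE_SHIFT;` in fs/nfs/localio.c the loop guard still compares `v` with `hdr->page_array.npages`, so the bound no longer matches the entry that `*pagevec` actually reads. If `hdr->args.count` ever covers more pages than remain after the skip, the loop would read past the end of the page array; whether the callers rule that out cannot be seen from this hunk. Keeping the skip in a local and counting it in the guard makes the bound explicit, e.g. `skip = base >> PAGE_SHIFT;` followed by `while (total && v + skip < hdr->page_array.npages) {`. nfs_local_iters_init() starts and ends outside the hunk, including the part of the loop that advances `pagevec`.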
@@ -0,0 +1,69 @@
+From 292e11aabbffddf984c4c8a5869de6591469683b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 13 Dec 2025 13:57:48 -0500
+Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shivam Kumar
+
+[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
+
+Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+added ttag bounds checking and data_offset
+validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
+whether the command's data structures (cmd->req.sg and cmd->iov) have
+been properly initialized before processing H2C_DATA PDUs.
+
+The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
+without NULL checks. This can be triggered by sending H2C_DATA PDU
+immediately after the ICREQ/ICRESP handshake, before
+sending a CONNECT command or NVMe write command.
+
+Attack vectors that trigger NULL pointer dereferences:
+1. H2C_DATA PDU sent before CONNECT → both pointers NULL
+2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
+3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
+
+The fix validates both cmd->req.sg and cmd->iov before calling
+nvmet_tcp_build_pdu_iovec(). Both checks are required because:
+- Uninitialized commands: both NULL
+- READ commands: cmd->req.sg allocated, cmd->iov NULL
+- WRITE commands: both allocated
+
+Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Shivam Kumar
+Signed-off-by: Keith Busch
+Signed-off-by: Sasha Levin
+---
+ drivers/nvme/target/tcp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 470bf37e5a637..41b6fd05519e4 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -982,6 +982,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
+ goto err_proto;
+ }
++ /*
++ * Ensure command data structures are initialized. We must check both
++ * cmd->req.sg and cmd->iov because they can have different NULL states:
++ * - Uninitialized commands: both NULL
++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
++ * - WRITE commands: both allocated
++ */
++ if (unlikely(!cmd->req.sg || !cmd->iov)) {
++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
++ queue->idx, data->ttag);
++ goto err_proto;
++ }
+ cmd->pdu_recv = 0;
+ nvmet_tcp_build_pdu_iovec(cmd);
+ queue->cmd = cmd;
+--
+2.51.0
+
diff --git a/queue-6.18/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-6.18/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
new file mode 100644
index 0000000000..2f693c211d
--- /dev/null
+++ b/queue-6.18/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
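Review bot: The new guard in nvmet_tcp_handle_h2c_data_pdu() treats non-NULL `cmd->req.sg` and `cmd->iov` as proof that the command is a live WRITE, which only holds if both pointers are reset to NULL whenever a command's buffers are released; that release path is outside this hunk. The added comment lists the three states but not this dependency, so I would extend it with a line such as `* Relies on the buffer release path resetting both pointers to NULL.` Because the message is printed in response to a PDU the remote host controls, `pr_err_ratelimited()` would be the safer call unless `err_proto` always tears the queue down, which cannot be confirmed from here. The function continues outside the hunk.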
@@ -0,0 +1,47 @@
+From 43e81cb50298a7dc9ffd8fba5eb85ad47a6b207a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Dec 2025 12:55:34 +0100
+Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning
+ (again)
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
+
+"family" is an enum, thus cast of pointer on 64-bit compile test with
+clang W=1 causes:
+
+ phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
+
+This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
+fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
+21bf6fc47a1e ("phy: Use device_get_match_data()").
+
+Note that after various discussions the preferred cast is via "unsigned
+long", not "uintptr_t".
+
+Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
+Signed-off-by: Krzysztof Kozlowski
+Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+index 9f995e156f755..6e56498d0644b 100644
+--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
+ usb3->dev = dev;
+ usb3->mdiodev = mdiodev;
+
+- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
++ usb3->family = (unsigned long)device_get_match_data(dev);
+
+ syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
+ err = of_address_to_resource(syscon_np, 0, &res);
+--
+2.51.0
+
diff --git a/queue-6.18/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch b/queue-6.18/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
new file mode 100644
index 0000000000..0576550eff
--- /dev/null
+++ b/queue-6.18/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
@@ -0,0 +1,45 @@
+From 3b211b03eee4ee9f87885b124667fcbcae291a3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal
+Acked-by: Pierluigi Passaro
+Signed-off-by: Stefano Radaelli
+Reviewed-by: Xu Yang
+Reviewed-by: Frank Li
+Reviewed-by: Fabio Estevam
+Reviewed-by: Ahmad Fatoum
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index b94f242420fc7..0c84f5f7a82cb 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -502,6 +502,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
diff --git a/queue-6.18/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch b/queue-6.18/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
new file mode 100644
index 0000000000..868120b7ca
--- /dev/null
+++ b/queue-6.18/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
@@ -0,0 +1,91 @@
+From 36bbf754cf61313145acaeee9117f914c3bff138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 09:56:40 +0100
+Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
+
+From: Loic Poulain
+
+[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
+
+Enabling runtime PM before attaching the QPHY instance as driver data
+can lead to a NULL pointer dereference in runtime PM callbacks that
+expect valid driver data. There is a small window where the suspend
+callback may run after PM runtime enabling and before runtime forbid.
+This causes a sporadic crash during boot:
+
+```
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
+[...]
+CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
+Workqueue: pm pm_runtime_work
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
+lr : pm_generic_runtime_suspend+0x2c/0x44
+[...]
+```
+
+Attach the QPHY instance as driver data before enabling runtime PM to
+prevent NULL pointer dereference in runtime PM callbacks.
+
+Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
+short window where an unnecessary runtime suspend can occur.
+
+Use the devres-managed version to ensure PM runtime is symmetrically
+disabled during driver removal for proper cleanup.
+
+Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
+Signed-off-by: Loic Poulain
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Abel Vesa
+Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index b5514a32ff8ff..eb93015be841f 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1093,29 +1093,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ or->hsdisc_trim.override = true;
+ }
+
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ dev_set_drvdata(dev, qphy);
++
+ /*
+- * Prevent runtime pm from being ON by default. Users can enable
+- * it using power/control in sysfs.
++ * Enable runtime PM support, but forbid it by default.
++ * Users can allow it again via the power/control attribute in sysfs.
+ */
++ pm_runtime_set_active(dev);
+ pm_runtime_forbid(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
+ if (IS_ERR(generic_phy)) {
+ ret = PTR_ERR(generic_phy);
+ dev_err(dev, "failed to create phy, %d\n", ret);
+- pm_runtime_disable(dev);
+ return ret;
+ }
+ qphy->phy = generic_phy;
+
+- dev_set_drvdata(dev, qphy);
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+--
+2.51.0
+
diff --git a/queue-6.18/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-6.18/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
new file mode 100644
index 0000000000..feea37dbde
--- /dev/null
+++ b/queue-6.18/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
@@ -0,0 +1,41 @@
+From d492b6df611c4e3b1e82b55697e5133a9a375a99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Amelie Delaunay
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index 27fe92f73f331..b44afbff8616b 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
diff --git a/queue-6.18/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch b/queue-6.18/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch
new file mode 100644
index 0000000000..7fe83146c8
--- /dev/null
+++ b/queue-6.18/phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch
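Review bot: When the corrected `index >= usbphyc->nphys` test in stm32_usbphyc_probe() rejects an out-of-range value, `ret` is still 0, so `dev_err(&phy->dev, "invalid reg property: %d\n", ret);` logs a success code and hides the value that was actually rejected. Printing the index as well makes a bad device tree diagnosable: `dev_err(&phy->dev, "invalid reg property: index %u, ret %d\n", index, ret);` (assuming `index` is the u32 passed to of_property_read_u32(), whose declaration is outside the hunk). The function starts and ends outside the hunk.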
@@ -0,0 +1,64 @@
+From 206734292793245bc9b6e1029efe45188734fe43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 24 Nov 2025 18:57:34 +0800
+Subject: phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
+
+From: Haotian Zhang
+
+[ Upstream commit 08aa19de72110df8ac10c9e67349dd884eeed41d ]
+
+devm_pm_runtime_enable() can fail due to memory allocation. The current
+code ignores its return value after calling pm_runtime_set_active(),
+leaving the device in an inconsistent state if runtime PM initialization
+fails.
+
+Check the return value of devm_pm_runtime_enable() and return on
+failure. Also move the declaration of 'ret' to the function scope
+to support this check.
+
+Fixes: ee8e41b5044f ("phy: ti: phy-da8xx-usb: Add runtime PM support")
+Suggested-by: Neil Armstrong
+Signed-off-by: Haotian Zhang
+Reviewed-by: Neil Armstrong
+Link: https://patch.msgid.link/20251124105734.1027-1-vulab@iscas.ac.cn
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/ti/phy-da8xx-usb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/ti/phy-da8xx-usb.c b/drivers/phy/ti/phy-da8xx-usb.c
+index 1d81a1e6ec6b6..62fa6f89c0e61 100644
+--- a/drivers/phy/ti/phy-da8xx-usb.c
++++ b/drivers/phy/ti/phy-da8xx-usb.c
+@@ -180,6 +180,7 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ struct da8xx_usb_phy_platform_data *pdata = dev->platform_data;
+ struct device_node *node = dev->of_node;
+ struct da8xx_usb_phy *d_phy;
++ int ret;
+
+ d_phy = devm_kzalloc(dev, sizeof(*d_phy), GFP_KERNEL);
+ if (!d_phy)
+@@ -233,8 +234,6 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ return PTR_ERR(d_phy->phy_provider);
+ }
+ } else {
+- int ret;
+-
+ ret = phy_create_lookup(d_phy->usb11_phy, "usb-phy",
+ "ohci-da8xx");
+ if (ret)
+@@ -249,7 +248,9 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
+ PHY_INIT_BITS, PHY_INIT_BITS);
+
+ pm_runtime_set_active(dev);
+- devm_pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+ /*
+ * Prevent runtime pm from being ON by default. Users can enable
+ * it using power/control in sysfs.
+--
+2.51.0
+
diff --git a/queue-6.18/pm-em-fix-incorrect-description-of-the-cost-field-in.patch b/queue-6.18/pm-em-fix-incorrect-description-of-the-cost-field-in.patch
new file mode 100644
index 0000000000..359859f543
--- /dev/null
+++ b/queue-6.18/pm-em-fix-incorrect-description-of-the-cost-field-in.patch
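Review bot: The new `return ret;` after `devm_pm_runtime_enable()` in da8xx_usb_phy_probe() leaves probe without undoing the `phy_create_lookup()` calls made in the non-DT `else` branch earlier in the function, and those lookups are not devres-managed. If the PHYs themselves are released by devres when probe fails, as the devm_ style of this function suggests, the lookup list would keep entries pointing at freed PHY objects. Either drop the lookups on this path with the matching `phy_remove_lookup()` calls when `node` is NULL, or move the runtime-PM enable ahead of the lookup creation so that nothing needs unwinding. The function starts and ends outside the hunks, so the remove callback and the second lookup are not visible here.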
@@ -0,0 +1,45 @@
+From 748840f9dc9a4b51b2793cae377b3c1f74ccd648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 30 Dec 2025 14:15:34 +0800
+Subject: PM: EM: Fix incorrect description of the cost field in struct
+ em_perf_state
+
+From: Yaxiong Tian
+
+[ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ]
+
+Due to commit 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove
+division"), the logic for energy consumption calculation has been modified.
+The actual calculation of cost is 10 * power * max_frequency / frequency
+instead of power * max_frequency / frequency.
+
+Therefore, the comment for cost has been updated to reflect the correct
+content.
+
+Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division")
+Signed-off-by: Yaxiong Tian
+Reviewed-by: Lukasz Luba
+[ rjw: Added Fixes: tag ]
+Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ include/linux/energy_model.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h
+index 61d50571ad88a..ce2db5447d221 100644
+--- a/include/linux/energy_model.h
++++ b/include/linux/energy_model.h
+@@ -18,7 +18,7 @@
+ * @power: The power consumed at this level (by 1 CPU or by a registered
+ * device). It can be a total power: static and dynamic.
+ * @cost: The cost coefficient associated with this level, used during
+- * energy calculation. Equal to: power * max_frequency / frequency
++ * energy calculation. Equal to: 10 * power * max_frequency / frequency
+ * @flags: see "em_perf_state flags" description below.
+ */
+ struct em_perf_state {
+--
+2.51.0
+
diff --git a/queue-6.18/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch b/queue-6.18/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch
new file mode 100644
index 0000000000..d2c345fb8d
--- /dev/null
+++ b/queue-6.18/pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch
@@ -0,0 +1,44 @@
+From a71db798d1bd1cd67468da8d1357cbfc0ced16a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 08:45:26 +0000
+Subject: pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
+
+From: Zilin Guan
+
+[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ]
+
+In bl_parse_scsi(), if the block device length is zero, the function
+returns immediately without releasing the file reference obtained via
+bl_open_path(), leading to a memory leak.
+
+Fix this by jumping to the out_blkdev_put label to ensure the file
+reference is properly released.
+
+Fixes: d76c769c8db4c ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev")
+Signed-off-by: Zilin Guan
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/blocklayout/dev.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index ab76120705e20..134d7f760a33a 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -417,8 +417,10 @@ bl_parse_scsi(struct nfs_server *server, struct pnfs_block_dev *d,
+ d->map = bl_map_simple;
+ d->pr_key = v->scsi.pr_key;
+
+- if (d->len == 0)
+- return -ENODEV;
++ if (d->len == 0) {
++ error = -ENODEV;
++ goto out_blkdev_put;
++ }
+
+ ops = bdev->bd_disk->fops->pr_ops;
+ if (!ops) {
+--
+2.51.0
+
diff --git a/queue-6.18/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch b/queue-6.18/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch
new file mode 100644
index 0000000000..184d068669
--- /dev/null
+++ b/queue-6.18/pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch
@@ -0,0 +1,218 @@
+From 67707456780d46c36437de633354edcf50491aca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 Dec 2025 14:45:00 -0500
+Subject: pNFS: Fix a deadlock when returning a delegation during open()
+
+From: Trond Myklebust
+
+[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ]
+
+Ben Coddington reports seeing a hang in the following stack trace:
+ 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415
+ 1 [ffffd0b50e177548] schedule at ffffffff9ca05717
+ 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1
+ 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb
+ 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5
+ 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]
+ 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]
+ 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]
+ 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]
+ 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]
+ 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]
+ 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]
+ 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]
+ 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]
+ 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]
+ 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]
+ 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]
+ 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea
+ 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e
+ 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
+
+The issue is that the delegreturn is being asked to wait for a layout
+return that cannot complete because a state recovery was initiated. The
+state recovery cannot complete until the open() finishes processing the
+delegations it was given.
+
+The solution is to propagate the existing flags that indicate a
+non-blocking call to the function pnfs_roc(), so that it knows not to
+wait in this situation.
+
+Reported-by: Benjamin Coddington
+Fixes: 29ade5db1293 ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()")
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/nfs4proc.c | 6 ++---
+ fs/nfs/pnfs.c | 58 +++++++++++++++++++++++++++++++++--------------
+ fs/nfs/pnfs.h | 17 ++++++--------
+ 3 files changed, 51 insertions(+), 30 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 3b436ba2ed3bf..3745c59f0af25 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3894,8 +3894,8 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
+ calldata->res.seqid = calldata->arg.seqid;
+ calldata->res.server = server;
+ calldata->res.lr_ret = -NFS4ERR_NOMATCHING_LAYOUT;
+- calldata->lr.roc = pnfs_roc(state->inode,
+- &calldata->lr.arg, &calldata->lr.res, msg.rpc_cred);
++ calldata->lr.roc = pnfs_roc(state->inode, &calldata->lr.arg,
++ &calldata->lr.res, msg.rpc_cred, wait);
+ if (calldata->lr.roc) {
+ calldata->arg.lr_args = &calldata->lr.arg;
+ calldata->res.lr_res = &calldata->lr.res;
+@@ -6946,7 +6946,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
+ data->inode = nfs_igrab_and_active(inode);
+ if (data->inode || issync) {
+ data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res,
+- cred);
++ cred, issync);
+ if (data->lr.roc) {
+ data->args.lr_args = &data->lr.arg;
+ data->res.lr_res = &data->lr.res;
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 7ce2e840217cf..33bc6db0dc92f 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1533,10 +1533,9 @@ static int pnfs_layout_return_on_reboot(struct pnfs_layout_hdr *lo)
+ PNFS_FL_LAYOUTRETURN_PRIVILEGED);
+ }
+
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync)
+ {
+ struct nfs_inode *nfsi = NFS_I(ino);
+ struct nfs_open_context *ctx;
+@@ -1547,7 +1546,7 @@ bool pnfs_roc(struct inode *ino,
+ nfs4_stateid stateid;
+ enum pnfs_iomode iomode = 0;
+ bool layoutreturn = false, roc = false;
+- bool skip_read = false;
++ bool skip_read;
+
+ if (!nfs_have_layout(ino))
+ return false;
+@@ -1560,20 +1559,14 @@ bool pnfs_roc(struct inode *ino,
+ lo = NULL;
+ goto out_noroc;
+ }
+- pnfs_get_layout_hdr(lo);
+- if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
+- spin_unlock(&ino->i_lock);
+- rcu_read_unlock();
+- wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
+- TASK_UNINTERRUPTIBLE);
+- pnfs_put_layout_hdr(lo);
+- goto retry;
+- }
+
+ /* no roc if we hold a delegation */
++ skip_read = false;
+ if (nfs4_check_delegation(ino, FMODE_READ)) {
+- if (nfs4_check_delegation(ino, FMODE_WRITE))
++ if (nfs4_check_delegation(ino, FMODE_WRITE)) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ skip_read = true;
+ }
+
+@@ -1582,12 +1575,43 @@ bool pnfs_roc(struct inode *ino,
+ if (state == NULL)
+ continue;
+ /* Don't return layout if there is open file state */
+- if (state->state & FMODE_WRITE)
++ if (state->state & FMODE_WRITE) {
++ lo = NULL;
+ goto out_noroc;
++ }
+ if (state->state & FMODE_READ)
+ skip_read = true;
+ }
+
++ if (skip_read) {
++ bool writes = false;
++
++ list_for_each_entry(lseg, &lo->plh_segs, pls_list) {
++ if (lseg->pls_range.iomode != IOMODE_READ) {
++ writes = true;
++ break;
++ }
++ }
++ if (!writes) {
++ lo = NULL;
++ goto out_noroc;
++ }
++ }
++
++ pnfs_get_layout_hdr(lo);
++ if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
++ if (!sync) {
++ pnfs_set_plh_return_info(
++ lo, skip_read ? IOMODE_RW : IOMODE_ANY, 0);
++ goto out_noroc;
++ }
++ spin_unlock(&ino->i_lock);
++ rcu_read_unlock();
++ wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
++ TASK_UNINTERRUPTIBLE);
++ pnfs_put_layout_hdr(lo);
++ goto retry;
++ }
+
+ list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) {
+ if (skip_read && lseg->pls_range.iomode == IOMODE_READ)
+@@ -1627,7 +1651,7 @@ bool pnfs_roc(struct inode *ino,
+ out_noroc:
+ spin_unlock(&ino->i_lock);
+ rcu_read_unlock();
+- pnfs_layoutcommit_inode(ino, true);
++ pnfs_layoutcommit_inode(ino, sync);
+ if (roc) {
+ struct pnfs_layoutdriver_type *ld = NFS_SERVER(ino)->pnfs_curr_ld;
+ if (ld->prepare_layoutreturn)
+diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
+index 91ff877185c8a..3db8f13d8fe4e 100644
+--- a/fs/nfs/pnfs.h
++++ b/fs/nfs/pnfs.h
+@@ -303,10 +303,9 @@ int pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo,
+ u32 seq);
+ int pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
+ struct list_head *lseg_list);
+-bool pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred);
++bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res, const struct cred *cred,
++ bool sync);
+ int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
+ struct nfs4_layoutreturn_res **respp, int *ret);
+ void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
+@@ -773,12 +772,10 @@ pnfs_layoutcommit_outstanding(struct inode *inode)
+ return false;
+ }
+
+-
+-static inline bool
+-pnfs_roc(struct inode *ino,
+- struct nfs4_layoutreturn_args *args,
+- struct nfs4_layoutreturn_res *res,
+- const struct cred *cred)
++static inline bool pnfs_roc(struct inode *ino,
++ struct nfs4_layoutreturn_args *args,
++ struct nfs4_layoutreturn_res *res,
++ const struct cred *cred, bool sync)
+ {
+ return false;
+ }
+--
+2.51.0
+
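Review bot: The contract of pnfs_roc()'s new `sync` argument is stated only in the commit message; neither the definition in fs/nfs/pnfs.c nor the prototype in fs/nfs/pnfs.h says that `false` means the call must not sleep on a pending layoutreturn. A short comment above the definition, for example `/* @sync: if false, never wait for a pending layoutreturn; record the return intent and bail out */`, would keep a later caller on the open() path from passing `true` and reintroducing the hang shown in the quoted stack trace. The fs/nfs/pnfs.c hunks also move `pnfs_get_layout_hdr(lo)` below the delegation and open-state checks and add `lo = NULL;` before each earlier `goto out_noroc`; that pairing presumably exists because the code after `out_noroc`, outside the hunks, drops a reference on `lo`, so a comment at the first `lo = NULL;` such as `/* no reference taken yet */` would make the invariant explicit.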
diff --git a/queue-6.18/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-6.18/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
new file mode 100644
index 0000000000..f504a6bd97
--- /dev/null
+++ b/queue-6.18/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
@@ -0,0 +1,40 @@
+From 3e8c1425b802f179319f43ef1ad06c7ca90a2199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index c55ea8fa3bfa5..c2d8a13a9dbdd 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
diff --git a/queue-6.18/sched-deadline-avoid-double-update_rq_clock.patch b/queue-6.18/sched-deadline-avoid-double-update_rq_clock.patch
new file mode 100644
index 0000000000..01db5bcaa6
--- /dev/null
+++ b/queue-6.18/sched-deadline-avoid-double-update_rq_clock.patch
@@ -0,0 +1,50 @@
+From 1e4ab9ca75adf7f68e82e2283e2a93f613322424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jan 2026 12:57:14 +0100
+Subject: sched/deadline: Avoid double update_rq_clock()
+
+From: Peter Zijlstra
+
+[ Upstream commit 4de9ff76067b40c3660df73efaea57389e62ea7a ]
+
+When setup_new_dl_entity() is called from enqueue_task_dl() ->
+enqueue_dl_entity(), the rq-clock should already be updated, and
+calling update_rq_clock() again is not right.
+
+Move the update_rq_clock() to the one other caller of
+setup_new_dl_entity(): sched_init_dl_server().
+
+Fixes: 9f239df55546 ("sched/deadline: Initialize dl_servers after SMP")
+Reported-by: Pierre Gondois
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Pierre Gondois
+Link: https://patch.msgid.link/20260113115622.GA831285@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/deadline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index d3be71d5a9ccc..465592fa530ef 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -761,8 +761,6 @@ static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
+ struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
+ struct rq *rq = rq_of_dl_rq(dl_rq);
+
+- update_rq_clock(rq);
+-
+ WARN_ON(is_dl_boosted(dl_se));
+ WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
+
+@@ -1623,6 +1621,7 @@ void sched_init_dl_servers(void)
+ rq = cpu_rq(cpu);
+
+ guard(rq_lock_irq)(rq);
++ update_rq_clock(rq);
+
+ dl_se = &rq->fair_server;
+
+--
+2.51.0
+
diff --git a/queue-6.18/sched-deadline-has-dynamic-priority.patch b/queue-6.18/sched-deadline-has-dynamic-priority.patch
new file mode 100644
index 0000000000..1a23f7017a
--- /dev/null
+++ b/queue-6.18/sched-deadline-has-dynamic-priority.patch
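Review bot: setup_new_dl_entity() now depends on an undocumented precondition: with `update_rq_clock(rq)` removed in the first hunk, the `rq_clock(rq)` read in the `WARN_ON(dl_time_before(...))` line is only meaningful if every caller has already updated the clock. A comment above the `WARN_ON()` lines, for example `/* Callers must have updated the rq clock before calling this. */`, would record what the commit message explains and make a future third caller less likely to miss it. The function body continues outside the hunk.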
@@ -0,0 +1,56 @@
+From 432a1129c9a1caa79fd8d3e8445319560720f1a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Jan 2026 09:25:37 +0100
+Subject: sched: Deadline has dynamic priority
+
+From: Peter Zijlstra
+
+[ Upstream commit e008ec6c7904ed99d3b2cb634b6545b008a99288 ]
+
+While FIFO/RR have static priority, DEADLINE is a dynamic priority
+scheme. Notably it has static priority -1. Do not assume the priority
+doesn't change for deadline tasks just because the static priority
+doesn't change.
+
+This ensures DL always sees {DE,EN}QUEUE_MOVE where appropriate.
+
+Fixes: ff77e4685359 ("sched/rt: Fix PI handling vs. sched_setscheduler()")
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Pierre Gondois
+Tested-by: Juri Lelli
+Link: https://patch.msgid.link/20260114130528.GB831285@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin
+---
+ kernel/sched/core.c | 2 +-
+ kernel/sched/syscalls.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index eb47d294e2c5a..e460c22de8ad4 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7383,7 +7383,7 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ trace_sched_pi_setprio(p, pi_task);
+ oldprio = p->prio;
+
+- if (oldprio == prio)
++ if (oldprio == prio && !dl_prio(prio))
+ queue_flag &= ~DEQUEUE_MOVE;
+
+ prev_class = p->sched_class;
+diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c
+index bf360a6fbb800..6805a63d47af7 100644
+--- a/kernel/sched/syscalls.c
++++ b/kernel/sched/syscalls.c
+@@ -688,7 +688,7 @@ int __sched_setscheduler(struct task_struct *p,
+ * itself.
+ */
+ newprio = rt_effective_prio(p, newprio);
+- if (newprio == oldprio)
++ if (newprio == oldprio && !dl_prio(newprio))
+ queue_flags &= ~DEQUEUE_MOVE;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.18/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch b/queue-6.18/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
new file mode 100644
index 0000000000..1062d38941
--- /dev/null
+++ b/queue-6.18/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
@@ -0,0 +1,44 @@
+From 158b10aed5bd96915310c15cfd154c25a1e7a664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren
+Signed-off-by: Gal Pressman
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
diff --git a/queue-6.18/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch b/queue-6.18/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch
new file mode 100644
index 0000000000..8bcb7d8bc6
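Review bot: The corrected mask check still trusts whatever `strtoul(arg, NULL, 0)` returns in the context line above it: with a NULL end pointer, non-numeric input parses to 0 and input with trailing garbage parses to its numeric prefix, and both pass the bounds test silently. Consider `bitmap = strtoul(arg, &end, 0);` followed by `if (end == arg || *end) error(1, 0, "invalid rps bitmap %s", arg);`. The new shift `1UL << RPS_MAX_CPUS` is only defined while RPS_MAX_CPUS is smaller than the width of unsigned long; its definition is outside the hunk, and a `_Static_assert` next to it would pin that. parse_rps_bitmap's body continues outside the hunk.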
--- /dev/null
+++ b/queue-6.18/selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch
@@ -0,0 +1,107 @@
+From 9eafd0369abd2b4f14806fc8146fb4c5f2c826f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Oct 2025 20:07:24 +0100
+Subject: selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet
+
+[ Upstream commit bd09d9a05cf04028f639e209b416bacaeffd4909 ]
+
+The nominal error code for bind(AF_UNSPEC) on an IPv6 socket
+is -EAFNOSUPPORT, not -EINVAL. -EINVAL is only returned when
+the supplied address struct is too short, which happens to be
+the case in current selftests because they treat AF_UNSPEC
+like IPv4 sockets do: as an alias for AF_INET (which is a
+16-byte struct instead of the 24 bytes required by IPv6
+sockets).
+
+Make the union large enough for any address (by adding struct
+sockaddr_storage to the union), and make AF_UNSPEC addresses
+large enough for any family.
+
+Test for -EAFNOSUPPORT instead, and add a dedicated test case
+for truncated inputs with -EINVAL.
+
+Fixes: a549d055a22e ("selftests/landlock: Add network tests")
+Signed-off-by: Matthieu Buffet
+Link: https://lore.kernel.org/r/20251027190726.626244-2-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/landlock/common.h | 1 +
+ tools/testing/selftests/landlock/net_test.c | 16 +++++++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
+index 9acecae36f51b..98c2362954e21 100644
+--- a/tools/testing/selftests/landlock/common.h
++++ b/tools/testing/selftests/landlock/common.h
+@@ -237,6 +237,7 @@ struct service_fixture {
+ struct sockaddr_un unix_addr;
+ socklen_t unix_addr_len;
+ };
++ struct sockaddr_storage _largest;
+ };
+ };
+
+diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
+index 2a45208551e61..3bbc0508420b1 100644
+--- a/tools/testing/selftests/landlock/net_test.c
++++ b/tools/testing/selftests/landlock/net_test.c
+@@ -121,6 +121,10 @@ static socklen_t get_addrlen(const struct service_fixture *const srv,
+ {
+ switch (srv->protocol.domain) {
+ case AF_UNSPEC:
++ if (minimal)
++ return sizeof(sa_family_t);
++ return sizeof(struct sockaddr_storage);
++
+ case AF_INET:
+ return sizeof(srv->ipv4_addr);
+
+@@ -758,6 +762,11 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+
++ /* Tries to bind with too small addrlen. */
++ EXPECT_EQ(-EINVAL, bind_variant_addrlen(
++ bind_fd, &self->unspec_any0,
++ get_addrlen(&self->unspec_any0, true) - 1));
++
+ /* Allowed bind on AF_UNSPEC/INADDR_ANY. */
+ ret = bind_variant(bind_fd, &self->unspec_any0);
+ if (variant->prot.domain == AF_INET) {
+@@ -766,6 +775,8 @@ TEST_F(protocol, bind_unspec)
+ TH_LOG("Failed to bind to unspec/any socket: %s",
+ strerror(errno));
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -792,6 +803,8 @@ TEST_F(protocol, bind_unspec)
+ } else {
+ EXPECT_EQ(0, ret);
+ }
++ } else if (variant->prot.domain == AF_INET6) {
++ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret);
+ }
+@@ -801,7 +814,8 @@ TEST_F(protocol, bind_unspec)
+ bind_fd = socket_variant(&self->srv0);
+ ASSERT_LE(0, bind_fd);
+ ret = bind_variant(bind_fd, &self->unspec_srv0);
+- if (variant->prot.domain == AF_INET) {
++ if (variant->prot.domain == AF_INET ||
++ variant->prot.domain == AF_INET6) {
+ EXPECT_EQ(-EAFNOSUPPORT, ret);
+ } else {
+ EXPECT_EQ(-EINVAL, ret)
+--
+2.51.0
+
diff --git a/queue-6.18/selftests-landlock-properly-close-a-file-descriptor.patch b/queue-6.18/selftests-landlock-properly-close-a-file-descriptor.patch
new file mode 100644
index 0000000000..b0d053d623
--- /dev/null
+++ b/queue-6.18/selftests-landlock-properly-close-a-file-descriptor.patch
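Review bot: The added `struct sockaddr_storage _largest;` in struct service_fixture is never referenced by name in these hunks and carries no comment saying why it exists; something like `/* Unused: sizes the union so that an address of any family fits. */` would keep it from being removed later as dead code. With it, get_addrlen() returns `sizeof(struct sockaddr_storage)` for non-minimal AF_UNSPEC addresses, so bind() is handed bytes of the union beyond the IPv4 fields; the result is only deterministic if the fixture is zero-initialised, which is not visible here and is worth confirming. Both get_addrlen() and the bind_unspec test continue outside the hunks.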
@@ -0,0 +1,42 @@
+From 92d8a0c1d53aefbabe709ec9745d3684cc4050de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jan 2026 14:40:58 +0100
+Subject: selftests/landlock: Properly close a file descriptor
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Günther Noack
+
+[ Upstream commit 15e8d739fda1084d81f7d3813e9600eba6e0f134 ]
+
+Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the
+result.
+
+Signed-off-by: Günther Noack
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com
+[mic: Use EXPECT_EQ() and update commit message]
+Signed-off-by: Mickaël Salaün
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index a6eb9681791a5..29cdbb8367358 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4385,7 +4385,8 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ /* FIONREAD and other IOCTLs should not be forbidden. */
+ EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
+
+- ASSERT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(cli_fd));
++ EXPECT_EQ(0, close(srv_fd));
+ }
+
+ /* clang-format off */
+--
+2.51.0
+
diff --git a/queue-6.18/selftests-landlock-remove-invalid-unix-socket-bind.patch b/queue-6.18/selftests-landlock-remove-invalid-unix-socket-bind.patch
new file mode 100644
index 0000000000..7aba6cfd66
--- /dev/null
+++ b/queue-6.18/selftests-landlock-remove-invalid-unix-socket-bind.patch
@@ -0,0 +1,46 @@
+From 8e7ebb3b76375ed00e68af71bf462349a7ee1e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 1 Dec 2025 01:36:31 +0100
+Subject: selftests/landlock: Remove invalid unix socket bind()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthieu Buffet
+
+[ Upstream commit e1a57c33590a50a6639798e60a597af4a23b0340 ]
+
+Remove bind() call on a client socket that doesn't make sense.
+Since strlen(cli_un.sun_path) returns a random value depending on stack
+garbage, that many uninitialized bytes are read from the stack as an
+unix socket address. This creates random test failures due to the bind
+address being invalid or already in use if the same stack value comes up
+twice.
+
+Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
+Signed-off-by: Matthieu Buffet
+Reviewed-by: Günther Noack
+Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re
+Signed-off-by: Mickaël Salaün
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/landlock/fs_test.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
+index fa0f18ec62c41..a6eb9681791a5 100644
+--- a/tools/testing/selftests/landlock/fs_test.c
++++ b/tools/testing/selftests/landlock/fs_test.c
+@@ -4375,9 +4375,6 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
+ cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ASSERT_LE(0, cli_fd);
+
+- size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
+- ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size));
+-
+ bzero(&cli_un, sizeof(cli_un));
+ cli_un.sun_family = AF_UNIX;
+ strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
+--
+2.51.0
+
diff --git a/queue-6.18/series b/queue-6.18/series
index 13db14d2f8..2f0c0dac40 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -9,3 +9,80 @@ asoc-codecs-wsa883x-fix-unnecessary-initialisation.patch
 drm-gud-fix-null-fb-and-crtc-dereferences-on-usb-disconnect.patch
 virtio_net-fix-misalignment-bug-in-struct-virtnet_info.patch
 io_uring-move-local-task_work-in-exit-cancel-loop.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch
+pnfs-fix-a-deadlock-when-returning-a-delegation-duri.patch
+nfs-fix-a-deadlock-involving-nfs_release_folio.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+pnfs-blocklayout-fix-memory-leak-in-bl_parse_scsi.patch
+drm-bridge-dw-hdmi-qp-fix-spurious-irq-on-resume.patch
+drm-vmwgfx-fix-kms-with-3d-on-hw-version-10.patch
+drm-vmwgfx-merge-vmw_bo_release-and-vmw_bo_free-func.patch
+nfs-localio-deal-with-page-bases-that-are-page_size.patch
+drm-rockchip-vop2-add-delay-between-poll-registers.patch
+drm-rockchip-vop2-only-wait-for-changed-layer-cfg-do.patch
+pm-em-fix-incorrect-description-of-the-cost-field-in.patch
+ipv4-ip_tunnel-spread-netdev_lockdep_set_classes.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+cxl-port-fix-target-list-setup-for-multiple-decoders.patch
+btrfs-release-path-before-iget_failed-in-btrfs_read_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+bluetooth-hci_sync-enable-pa-sync-lost-event.patch
+net-bridge-annotate-data-races-around-fdb-updated-us.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+block-zero-non-pi-portion-of-auto-integrity-buffer.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-fix-crash-on-profile-change-rollback-failu.patch
+net-mlx5e-don-t-store-mlx5e_priv-in-mlx5e_dev-devlin.patch
+net-mlx5e-pass-netdev-to-mlx5e_destroy_netdev-instea.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+cxl-hdm-fix-potential-infinite-loop-in-__cxl_dpa_res.patch
+net-octeon_ep_vf-fix-free_irq-dev_id-mismatch-in-irq.patch
+net-phy-motorcomm-fix-duplex-setting-error-for-phy-l.patch
+net-airoha-fix-typo-in-airoha_ppe_setup_tc_block_cb-.patch
+alsa-hda-cirrus_scodec_test-fix-incorrect-setup-of-g.patch
+alsa-hda-cirrus_scodec_test-fix-test-suite-name.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+dst-fix-races-in-rt6_uncached_list_del-and-rt_del_un.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-sdw_utils-cs42l43-enable-headphone-pin-for-line.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+drm-amdgpu-fix-drm-panic-null-pointer-when-driver-no.patch
+drm-amd-display-show-link-name-in-psr-status-message.patch
+drm-amd-pm-fix-smu-overdrive-data-type-wrong-issue-o.patch
+drm-amdkfd-no-need-to-suspend-whole-mes-to-evict-pro.patch
+drm-amdgpu-userq-fix-fence-reference-leak-on-queue-t.patch
+mm-describe-flags-parameter-in-memalloc_flags_save.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+mips-fix-highmem-initialization.patch
+drivers-dax-add-some-missing-kerneldoc-comment-field.patch
+nfs-fix-size-read-races-in-truncate-fallocate-and-co.patch
+dmaengine-mmp_pdma-fix-dma-mask-handling.patch
+dmaengine-xilinx-xdma-fix-regmap-max_register.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
+phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-ti-da8xx-usb-handle-devm_pm_runtime_enable-error.patch
+landlock-fix-tcp-handling-of-short-af_unspec-address.patch
+selftests-landlock-fix-tcp-bind-af_unspec-test-case.patch
+selftests-landlock-remove-invalid-unix-socket-bind.patch
+landlock-fix-wrong-type-usage.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+selftests-landlock-properly-close-a-file-descriptor.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+soundwire-bus-fix-off-by-one-when-allocating-slave-i.patch
+i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
+i2c-imx-lpi2c-change-to-pio-mode-in-system-wide-susp.patch
+sched-deadline-avoid-double-update_rq_clock.patch
+sched-deadline-has-dynamic-priority.patch
diff --git a/queue-6.18/soundwire-bus-fix-off-by-one-when-allocating-slave-i.patch b/queue-6.18/soundwire-bus-fix-off-by-one-when-allocating-slave-i.patch
new file mode 100644
index 0000000000..f39256bfea
--- /dev/null
+++ b/queue-6.18/soundwire-bus-fix-off-by-one-when-allocating-slave-i.patch
@@ -0,0 +1,47 @@
+From 262bd5295ccd84edf3e3b1d4c0820600f35eedeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 10 Jan 2026 12:19:58 -0800
+Subject: soundwire: bus: fix off-by-one when allocating slave IDs
+
+From: Harshit Mogalapalli
+
+[ Upstream commit 12d4fd9a657174496677cff2841315090f1c11fc ]
+
+ida_alloc_max() interprets its max argument as inclusive.
+
+Using SDW_FW_MAX_DEVICES(16) therefore allows an ID of 16 to be
+allocated, but the IRQ domain created for the bus is sized for IDs
+0-15. If 16 is returned, irq_create_mapping() fails and the driver
+ends up with an invalid IRQ mapping.
+
+Limit the allocation to 0-15 by passing SDW_FW_MAX_DEVICES - 1.
+
+Reported-by: kernel test robot
+Reported-by: Dan Carpenter
+Closes: https://lore.kernel.org/r/202512240450.hlDH3nCs-lkp@intel.com/
+Fixes: aab12022b076 ("soundwire: bus: Add internal slave ID and use for IRQs")
+Signed-off-by: Harshit Mogalapalli
+Reviewed-by: Charles Keepax
+Link: https://patch.msgid.link/20260110201959.2523024-1-harshit.m.mogalapalli@oracle.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/soundwire/bus_type.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/bus_type.c b/drivers/soundwire/bus_type.c
+index 91e70cb46fb57..5c67c13e57357 100644
+--- a/drivers/soundwire/bus_type.c
++++ b/drivers/soundwire/bus_type.c
+@@ -105,7 +105,7 @@ static int sdw_drv_probe(struct device *dev)
+ if (ret)
+ return ret;
+
+- ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES, GFP_KERNEL);
++ ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES - 1, GFP_KERNEL);
+ if (ret < 0) {
+ dev_err(dev, "Failed to allocated ID: %d\n", ret);
+ return ret;
+--
+2.51.0
+
diff --git a/queue-6.18/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-6.18/textsearch-describe-list-member-in-ts_ops-search.patch
new file mode 100644
index 0000000000..b6077ab036
--- /dev/null
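Review bot: The call `ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES - 1, GFP_KERNEL)` in sdw_drv_probe() has no comment tying its bound to the size of the bus IRQ domain, so the inclusive-max rule behind this off-by-one is easy to reintroduce. I would add above it `/* max is inclusive: IDs must stay within 0..SDW_FW_MAX_DEVICES - 1, the range the bus IRQ domain is sized for */`. The IRQ domain creation is outside the hunk, so it is worth confirming that it is sized from the same constant. sdw_drv_probe() starts and ends outside the hunk.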
+++ b/queue-6.18/textsearch-describe-list-member-in-ts_ops-search.patch
@@ -0,0 +1,41 @@
+From aef085216dcdb4dbc361f91426a0461cb2a23966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya
+Cc: Thomas Graf
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
diff --git a/queue-6.18/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-6.18/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
new file mode 100644
index 0000000000..84e0cdbd62
--- /dev/null
+++ b/queue-6.18/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
@@ -0,0 +1,52 @@
+From 60092051fe502bd091967455785a401c7b78c657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi
+Signed-off-by: Stefano Garzarella
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index d843643ced6b7..9430ef5b8bc3e 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -511,6 +511,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
diff --git a/queue-6.18/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch b/queue-6.18/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
new file mode 100644
index 0000000000..50b2b86cb9
--- /dev/null
+++ b/queue-6.18/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
@@ -0,0 +1,67 @@
+From 078a55769c8ccc066242dc92c7f3d9d108b6f833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 05828d4cb6cdb..abd77162f5e75 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 22410243ebe88..22895521a57d0 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
diff --git a/queue-6.18/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch b/queue-6.18/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch
new file mode 100644
index 0000000000..8d93773268
--- /dev/null
+++ b/queue-6.18/xfrm-set-ipv4-no_pmtu_disc-flag-only-on-output-sa-wh.patch
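Review bot: In xfrm4_tunnel_gso_segment() and xfrm6_tunnel_gso_segment() the new `xo = xfrm_offload(skb)` is dereferenced as `xo->proto` without a NULL check. xfrm_offload() can return NULL for an skb that carries no offload state; presumably the GSO entry points have already validated it before reaching these helpers, but that is not visible in either hunk. If that is the contract, state it next to the declaration, for example `/* xo is non-NULL here: validated by the caller before segmentation */`, so a later caller does not reach this path with an unchecked skb. Both function bodies continue outside their hunks.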
@@ -0,0 +1,41 @@
+From b98cec3f69e0eff81ebbab3e89441176cc145c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Dec 2025 11:30:27 +0100
+Subject: xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is
+ set
+
+From: Antony Antony
+
+[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ]
+
+The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
+it was being applied regardless of the SA direction when the sysctl
+ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
+
+Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
+is configured.
+
+Closes: https://github.com/strongswan/strongswan/issues/2946
+Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 9e14e453b55cc..98b362d518363 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
+ int err;
+
+ if (family == AF_INET &&
++ (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
+ READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
+ x->props.flags |= XFRM_STATE_NOPMTUDISC;
+
+--
+2.51.0
+
diff --git a/queue-6.6/asoc-tlv320adcx140-fix-null-pointer.patch b/queue-6.6/asoc-tlv320adcx140-fix-null-pointer.patch
new file mode 100644
index 0000000000..ea7edf44ed
--- /dev/null
+++ b/queue-6.6/asoc-tlv320adcx140-fix-null-pointer.patch
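Review bot: The added condition `(!x->dir || x->dir == XFRM_SA_DIR_OUT)` in __xfrm_init_state() treats an unset direction the same as an output SA, and nothing in the code says why. A short comment such as `/* dir == 0: direction not configured, keep the legacy behaviour */` would keep a later reader from dropping the `!x->dir` half. The consequence, consistent with the commit message, is that an input SA created without a direction still gets XFRM_STATE_NOPMTUDISC when the sysctl is set. The function continues outside the hunk.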
@@ -0,0 +1,55 @@ +From 390eab5c16478c7b54a5b8bd6360d0daf1cf747f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:45 +0100 +Subject: ASoC: tlv320adcx140: fix null pointer + +From: Emil Svendsen + +[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ] + +The "snd_soc_component" in "adcx140_priv" was only used once but never +set. It was only used for reaching "dev" which is already present in +"adcx140_priv". + +Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index 41342b3406803..d366c1c51f07a 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -24,7 +24,6 @@ + #include "tlv320adcx140.h" + + struct adcx140_priv { +- struct snd_soc_component *component; + struct regulator *supply_areg; + struct gpio_desc *gpio_reset; + struct regmap *regmap; +@@ -702,7 +701,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + { + int pwr_ctrl = 0; + int ret = 0; +- struct snd_soc_component *component = adcx140->component; + + if (power_state) + pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ; +@@ -714,7 +712,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state) + ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB, + adcx140->phase_calib_on ? 0x00 : 0x40); + if (ret) +- dev_err(component->dev, "%s: register write error %d\n", ++ dev_err(adcx140->dev, "%s: register write error %d\n", + __func__, ret); + } + +-- +2.51.0 + 
diff --git a/queue-6.6/asoc-tlv320adcx140-fix-word-length.patch b/queue-6.6/asoc-tlv320adcx140-fix-word-length.patch new file mode 100644 index 0000000000..2433180112 --- /dev/null +++ b/queue-6.6/asoc-tlv320adcx140-fix-word-length.patch 
@@ -0,0 +1,50 @@ +From 0c65367382999c0893914b8069dbb642d3eef139 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:58:47 +0100 +Subject: ASoC: tlv320adcx140: fix word length + +From: Emil Svendsen + +[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ] + +The word length is the physical width of the channel slots. So the +hw_params would misconfigure when format width and physical width +doesn't match. Like S24_LE which has data width of 24 bits but physical +width of 32 bits. So if using asymmetric formats you will get a lot of +noise. + +Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family") +Signed-off-by: Emil Svendsen +Signed-off-by: Sascha Hauer +Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tlv320adcx140.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c +index d366c1c51f07a..78d95b8be2f29 100644 +--- a/sound/soc/codecs/tlv320adcx140.c ++++ b/sound/soc/codecs/tlv320adcx140.c +@@ -728,7 +728,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component); + u8 data = 0; + +- switch (params_width(params)) { ++ switch (params_physical_width(params)) { + case 16: + data = ADCX140_16_BIT_WORD; + break; +@@ -743,7 +743,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream, + break; + default: + dev_err(component->dev, "%s: Unsupported width %d\n", +- __func__, params_width(params)); ++ __func__, params_physical_width(params)); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.6/btrfs-factor-out-check_removing_space_info-from-btrf.patch b/queue-6.6/btrfs-factor-out-check_removing_space_info-from-btrf.patch new file mode 100644 index 0000000000..fc1b21aac9 --- /dev/null 
+++ b/queue-6.6/btrfs-factor-out-check_removing_space_info-from-btrf.patch 
@@ -0,0 +1,93 @@ +From d5019daced35ba04c9a269722df6295dac756a52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 11:43:45 +0900 +Subject: btrfs: factor out check_removing_space_info() from + btrfs_free_block_groups() + +From: Naohiro Aota + +[ Upstream commit 1cfdbe0d53b27b4b4a4f4cf2a4e430bc65ba2ba5 ] + +Factor out check_removing_space_info() from btrfs_free_block_groups(). It +sanity checks a to-be-removed space_info. There is no functional change. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 49 +++++++++++++++++++++++------------------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index 5a3a41c6d509f..18409b6beaedc 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -4377,6 +4377,32 @@ void btrfs_put_block_group_cache(struct btrfs_fs_info *info) + } + } + ++static void check_removing_space_info(struct btrfs_space_info *space_info) ++{ ++ struct btrfs_fs_info *info = space_info->fs_info; ++ ++ /* ++ * Do not hide this behind enospc_debug, this is actually important and ++ * indicates a real bug if this happens. ++ */ ++ if (WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_may_use > 0)) ++ btrfs_dump_space_info(info, space_info, 0, 0); ++ ++ /* ++ * If there was a failure to cleanup a log tree, very likely due to an ++ * IO failure on a writeback attempt of one or more of its extent ++ * buffers, we could not do proper (and cheap) unaccounting of their ++ * reserved space, so don't warn on bytes_reserved > 0 in that case. 
++ */ ++ if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) || ++ !BTRFS_FS_LOG_CLEANUP_ERROR(info)) { ++ if (WARN_ON(space_info->bytes_reserved > 0)) ++ btrfs_dump_space_info(info, space_info, 0, 0); ++ } ++ ++ WARN_ON(space_info->reclaim_size > 0); ++} ++ + /* + * Must be called only after stopping all workers, since we could have block + * group caching kthreads running, and therefore they could race with us if we +@@ -4478,28 +4504,7 @@ int btrfs_free_block_groups(struct btrfs_fs_info *info) + struct btrfs_space_info, + list); + +- /* +- * Do not hide this behind enospc_debug, this is actually +- * important and indicates a real bug if this happens. +- */ +- if (WARN_ON(space_info->bytes_pinned > 0 || +- space_info->bytes_may_use > 0)) +- btrfs_dump_space_info(info, space_info, 0, 0); +- +- /* +- * If there was a failure to cleanup a log tree, very likely due +- * to an IO failure on a writeback attempt of one or more of its +- * extent buffers, we could not do proper (and cheap) unaccounting +- * of their reserved space, so don't warn on bytes_reserved > 0 in +- * that case. +- */ +- if (!(space_info->flags & BTRFS_BLOCK_GROUP_METADATA) || +- !BTRFS_FS_LOG_CLEANUP_ERROR(info)) { +- if (WARN_ON(space_info->bytes_reserved > 0)) +- btrfs_dump_space_info(info, space_info, 0, 0); +- } +- +- WARN_ON(space_info->reclaim_size > 0); ++ check_removing_space_info(space_info); + list_del(&space_info->list); + btrfs_sysfs_remove_space_info(space_info); + } +-- +2.51.0 + diff --git a/queue-6.6/btrfs-factor-out-init_space_info-from-create_space_i.patch b/queue-6.6/btrfs-factor-out-init_space_info-from-create_space_i.patch new file mode 100644 index 0000000000..fa9ed3b529 --- /dev/null +++ b/queue-6.6/btrfs-factor-out-init_space_info-from-create_space_i.patch 
@@ -0,0 +1,72 @@ +From 03e04c9c6b017a47098fa1913c027cd3d4369583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 11:43:43 +0900 +Subject: btrfs: factor out init_space_info() from create_space_info() + +From: Naohiro Aota + +[ Upstream commit ac5578fef380e68e539a2238ba63dd978a450ef2 ] + +Factor out initialization of the space_info struct, which is used in a +later patch. There is no functional change. + +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index bf5e509eb9fa8..38f730246e02f 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -222,19 +222,11 @@ void btrfs_update_space_info_chunk_size(struct btrfs_space_info *space_info, + WRITE_ONCE(space_info->chunk_size, chunk_size); + } + +-static int create_space_info(struct btrfs_fs_info *info, u64 flags) ++static void init_space_info(struct btrfs_fs_info *info, ++ struct btrfs_space_info *space_info, u64 flags) + { +- +- struct btrfs_space_info *space_info; +- int i; +- int ret; +- +- space_info = kzalloc(sizeof(*space_info), GFP_NOFS); +- if (!space_info) +- return -ENOMEM; +- + space_info->fs_info = info; +- for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) ++ for (int i = 0; i < BTRFS_NR_RAID_TYPES; i++) + INIT_LIST_HEAD(&space_info->block_groups[i]); + init_rwsem(&space_info->groups_sem); + spin_lock_init(&space_info->lock); +@@ -248,6 +240,19 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags) + + if (btrfs_is_zoned(info)) + space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH; ++} ++ ++static int create_space_info(struct btrfs_fs_info *info, u64 flags) ++{ ++ ++ struct btrfs_space_info 
*space_info; ++ int ret; ++ ++ space_info = kzalloc(sizeof(*space_info), GFP_NOFS); ++ if (!space_info) ++ return -ENOMEM; ++ ++ init_space_info(info, space_info, flags); + + ret = btrfs_sysfs_add_space_info_type(info, space_info); + if (ret) +-- +2.51.0 + diff --git a/queue-6.6/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch b/queue-6.6/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch new file mode 100644 index 0000000000..ad9eb83f1e --- /dev/null +++ b/queue-6.6/btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch 
@@ -0,0 +1,61 @@
+From 8f18cb1dc0a78e6a71ba36beee5f07911d59ba65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 11 Jan 2026 19:20:37 +0000
+Subject: btrfs: fix memory leaks in create_space_info() error paths
+
+From: Jiasheng Jiang
+
+[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
+
+In create_space_info(), the 'space_info' object is allocated at the
+beginning of the function. However, there are two error paths where the
+function returns an error code without freeing the allocated memory:
+
+1. When create_space_info_sub_group() fails in zoned mode.
+2. When btrfs_sysfs_add_space_info_type() fails.
+
+In both cases, 'space_info' has not yet been added to the
+fs_info->space_info list, resulting in a memory leak. Fix this by
+adding an error handling label to kfree(space_info) before returning.
+
+Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
+Reviewed-by: Qu Wenruo
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/space-info.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index 01d9a93346c28..00d596a8176ff 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -288,18 +288,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
+ BTRFS_SUB_GROUP_DATA_RELOC,
+ 0);
+ if (ret)
+- return ret;
++ goto out_free;
+ }
+
+ ret = btrfs_sysfs_add_space_info_type(info, space_info);
+ if (ret)
+- return ret;
++ goto out_free;
+
+ list_add(&space_info->list, &info->space_info);
+ if (flags & BTRFS_BLOCK_GROUP_DATA)
+ info->data_sinfo = space_info;
+
+ return ret;
++
++out_free:
++ kfree(space_info);
++ return ret;
+ }
+
+ int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
+--
+2.51.0
+
diff --git a/queue-6.6/btrfs-introduce-btrfs_space_info-sub-group.patch b/queue-6.6/btrfs-introduce-btrfs_space_info-sub-group.patch
new file mode 100644
index 0000000000..11d7840808
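Review bot: The new `out_free: kfree(space_info);` is also reached after btrfs_sysfs_add_space_info_type() fails, and that helper already calls `kobject_put(&space_info->kobj)` on its own failure path (visible as context in the sysfs.c part of the sub-group patch queued alongside). If the release callback of space_info_ktype frees the object, which is not visible here, the second `goto out_free` turns a leak into a double free; in that case it should stay `return ret;` and only the sub-group failure should jump to the label. The same lifetime question applies to create_space_info_sub_group() in the sub-group patch (`kfree(sub_group)` after the sysfs helper failed) and to check_removing_space_info(), which calls `kfree(space_info->sub_group[i])` on an object whose kobject was registered. The label also leaves a successfully created sub_group allocated when the parent's sysfs registration fails. create_space_info() starts outside the hunk.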
--- /dev/null +++ b/queue-6.6/btrfs-introduce-btrfs_space_info-sub-group.patch 
@@ -0,0 +1,214 @@ +From a6d52090da482da56e9f480be877a0007851901b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 11:43:48 +0900 +Subject: btrfs: introduce btrfs_space_info sub-group + +From: Naohiro Aota + +[ Upstream commit f92ee31e031c7819126d2febdda0c3e91f5d2eb9 ] + +Current code assumes we have only one space_info for each block group type +(DATA, METADATA, and SYSTEM). We sometime need multiple space infos to +manage special block groups. + +One example is handling the data relocation block group for the zoned mode. +That block group is dedicated for writing relocated data and we cannot +allocate any regular extent from that block group, which is implemented in +the zoned extent allocator. This block group still belongs to the normal +data space_info. So, when all the normal data block groups are full and +there is some free space in the dedicated block group, the space_info +looks to have some free space, while it cannot allocate normal extent +anymore. That results in a strange ENOSPC error. We need to have a +space_info for the relocation data block group to represent the situation +properly. + +Adds a basic infrastructure for having a "sub-group" of a space_info: +creation and removing. A sub-group space_info belongs to one of the +primary space_infos and has the same flags as its parent. + +This commit first introduces the relocation data sub-space_info, and the +next commit will introduce tree-log sub-space_info. In the future, it could +be useful to implement tiered storage for btrfs e.g. by implementing a +sub-group space_info for block groups resides on a fast storage. 
+ +Reviewed-by: Johannes Thumshirn +Signed-off-by: Naohiro Aota +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-group.c | 11 +++++++++++ + fs/btrfs/space-info.c | 44 +++++++++++++++++++++++++++++++++++++++--- + fs/btrfs/space-info.h | 9 +++++++++ + fs/btrfs/sysfs.c | 18 ++++++++++++++--- + 4 files changed, 76 insertions(+), 6 deletions(-) + +diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c +index 18409b6beaedc..2dda388c98538 100644 +--- a/fs/btrfs/block-group.c ++++ b/fs/btrfs/block-group.c +@@ -4381,6 +4381,17 @@ static void check_removing_space_info(struct btrfs_space_info *space_info) + { + struct btrfs_fs_info *info = space_info->fs_info; + ++ if (space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY) { ++ /* This is a top space_info, proceed with its children first. */ ++ for (int i = 0; i < BTRFS_SPACE_INFO_SUB_GROUP_MAX; i++) { ++ if (space_info->sub_group[i]) { ++ check_removing_space_info(space_info->sub_group[i]); ++ kfree(space_info->sub_group[i]); ++ space_info->sub_group[i] = NULL; ++ } ++ } ++ } ++ + /* + * Do not hide this behind enospc_debug, this is actually important and + * indicates a real bug if this happens. 
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index 38f730246e02f..01d9a93346c28 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -237,16 +237,44 @@ static void init_space_info(struct btrfs_fs_info *info, + INIT_LIST_HEAD(&space_info->priority_tickets); + space_info->clamp = 1; + btrfs_update_space_info_chunk_size(space_info, calc_chunk_size(info, flags)); ++ space_info->subgroup_id = BTRFS_SUB_GROUP_PRIMARY; + + if (btrfs_is_zoned(info)) + space_info->bg_reclaim_threshold = BTRFS_DEFAULT_ZONED_RECLAIM_THRESH; + } + ++static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flags, ++ enum btrfs_space_info_sub_group id, int index) ++{ ++ struct btrfs_fs_info *fs_info = parent->fs_info; ++ struct btrfs_space_info *sub_group; ++ int ret; ++ ++ ASSERT(parent->subgroup_id == BTRFS_SUB_GROUP_PRIMARY); ++ ASSERT(id != BTRFS_SUB_GROUP_PRIMARY); ++ ++ sub_group = kzalloc(sizeof(*sub_group), GFP_NOFS); ++ if (!sub_group) ++ return -ENOMEM; ++ ++ init_space_info(fs_info, sub_group, flags); ++ parent->sub_group[index] = sub_group; ++ sub_group->parent = parent; ++ sub_group->subgroup_id = id; ++ ++ ret = btrfs_sysfs_add_space_info_type(fs_info, sub_group); ++ if (ret) { ++ kfree(sub_group); ++ parent->sub_group[index] = NULL; ++ } ++ return ret; ++} ++ + static int create_space_info(struct btrfs_fs_info *info, u64 flags) + { + + struct btrfs_space_info *space_info; +- int ret; ++ int ret = 0; + + space_info = kzalloc(sizeof(*space_info), GFP_NOFS); + if (!space_info) +@@ -254,6 +282,15 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags) + + init_space_info(info, space_info, flags); + ++ if (btrfs_is_zoned(info)) { ++ if (flags & BTRFS_BLOCK_GROUP_DATA) ++ ret = create_space_info_sub_group(space_info, flags, ++ BTRFS_SUB_GROUP_DATA_RELOC, ++ 0); ++ if (ret) ++ return ret; ++ } ++ + ret = btrfs_sysfs_add_space_info_type(info, space_info); + if (ret) + return ret; +@@ -496,8 +533,9 @@ static void 
__btrfs_dump_space_info(const struct btrfs_fs_info *fs_info, + lockdep_assert_held(&info->lock); + + /* The free space could be negative in case of overcommit */ +- btrfs_info(fs_info, "space_info %s has %lld free, is %sfull", +- flag_str, ++ btrfs_info(fs_info, ++ "space_info %s (sub-group id %d) has %lld free, is %sfull", ++ flag_str, info->subgroup_id, + (s64)(info->total_bytes - btrfs_space_info_used(info, true)), + info->full ? "" : "not "); + btrfs_info(fs_info, +diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h +index 39452e36625ae..0670f074902d0 100644 +--- a/fs/btrfs/space-info.h ++++ b/fs/btrfs/space-info.h +@@ -83,8 +83,17 @@ enum btrfs_flush_state { + COMMIT_TRANS = 11, + }; + ++enum btrfs_space_info_sub_group { ++ BTRFS_SUB_GROUP_PRIMARY, ++ BTRFS_SUB_GROUP_DATA_RELOC, ++}; ++ ++#define BTRFS_SPACE_INFO_SUB_GROUP_MAX 1 + struct btrfs_space_info { + struct btrfs_fs_info *fs_info; ++ struct btrfs_space_info *parent; ++ struct btrfs_space_info *sub_group[BTRFS_SPACE_INFO_SUB_GROUP_MAX]; ++ int subgroup_id; + spinlock_t lock; + + u64 total_bytes; /* total bytes in the space, +diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c +index 512d4cbac1ca0..9609579d2289c 100644 +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -1641,16 +1641,28 @@ void btrfs_sysfs_remove_space_info(struct btrfs_space_info *space_info) + kobject_put(&space_info->kobj); + } + +-static const char *alloc_name(u64 flags) ++static const char *alloc_name(struct btrfs_space_info *space_info) + { ++ u64 flags = space_info->flags; ++ + switch (flags) { + case BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA: + return "mixed"; + case BTRFS_BLOCK_GROUP_METADATA: ++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY); + return "metadata"; + case BTRFS_BLOCK_GROUP_DATA: +- return "data"; ++ switch (space_info->subgroup_id) { ++ case BTRFS_SUB_GROUP_PRIMARY: ++ return "data"; ++ case BTRFS_SUB_GROUP_DATA_RELOC: ++ return "data-reloc"; ++ default: ++ WARN_ON_ONCE(1); ++ return 
"data (unknown sub-group)"; ++ } + case BTRFS_BLOCK_GROUP_SYSTEM: ++ ASSERT(space_info->subgroup_id == BTRFS_SUB_GROUP_PRIMARY); + return "system"; + default: + WARN_ON(1); +@@ -1669,7 +1681,7 @@ int btrfs_sysfs_add_space_info_type(struct btrfs_fs_info *fs_info, + + ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype, + fs_info->space_info_kobj, "%s", +- alloc_name(space_info->flags)); ++ alloc_name(space_info)); + if (ret) { + kobject_put(&space_info->kobj); + return ret; +-- +2.51.0 + diff --git a/queue-6.6/btrfs-send-check-for-inline-extents-in-range_is_hole.patch b/queue-6.6/btrfs-send-check-for-inline-extents-in-range_is_hole.patch new file mode 100644 index 0000000000..7cad2c684b --- /dev/null +++ b/queue-6.6/btrfs-send-check-for-inline-extents-in-range_is_hole.patch 
@@ -0,0 +1,44 @@
+From dcf6af0bdb85654ea275e401f1249312f2561a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Jan 2026 20:26:40 +1030
+Subject: btrfs: send: check for inline extents in range_is_hole_in_parent()
+
+From: Qu Wenruo
+
+[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
+
+Before accessing the disk_bytenr field of a file extent item we need
+to check if we are dealing with an inline extent.
+This is because for inline extents their data starts at the offset of
+the disk_bytenr field. So accessing the disk_bytenr
+means we are accessing inline data or in case the inline data is less
+than 8 bytes we can actually cause an invalid
+memory access if this inline extent item is the first item in the leaf
+or access metadata from other items.
+
+Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
+Reviewed-by: Filipe Manana
+Signed-off-by: Qu Wenruo
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Sasha Levin
+---
+ fs/btrfs/send.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index c25eb4416a671..6768e2231d610 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6545,6 +6545,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
+ extent_end = btrfs_file_extent_end(path);
+ if (extent_end <= start)
+ goto next;
++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
++ return 0;
+ if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
+ search_start = extent_end;
+ goto next;
+--
+2.51.0
+
diff --git a/queue-6.6/btrfs-store-fs_info-in-space_info.patch b/queue-6.6/btrfs-store-fs_info-in-space_info.patch
new file mode 100644
index 0000000000..c983e465ae
--- /dev/null
+++ b/queue-6.6/btrfs-store-fs_info-in-space_info.patch
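Review bot: The added inline-extent check in range_is_hole_in_parent() carries no comment, and the reason it must precede `btrfs_file_extent_disk_bytenr(leaf, fi)` is not obvious from the code alone. I would add above it `/* Inline extents have no disk_bytenr: their data starts at that offset, so reading it would return file data or run past the item */`. The `return 0;` appears to report the range as not being a hole; the return convention is defined outside the hunk, so confirm that this is the conservative answer for the send stream. The function starts and ends outside the hunk.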
@@ -0,0 +1,53 @@ +From a329db8bdd8fa408954f7c4419cadccc138c4a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Feb 2024 11:52:57 -0800 +Subject: btrfs: store fs_info in space_info + +From: Boris Burkov + +[ Upstream commit 42f620aec182f62ee72e3fce41cb3353951b3508 ] + +This is handy when computing space_info dynamic reclaim thresholds where +we do not have access to a block group. We could add it to the various +functions as a parameter, but it seems reasonable for space_info to have +an fs_info pointer. + +Reviewed-by: Josef Bacik +Reviewed-by: Johannes Thumshirn +Signed-off-by: Boris Burkov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths") +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 1 + + fs/btrfs/space-info.h | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index 27690c518f6d7..bf5e509eb9fa8 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -233,6 +233,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags) + if (!space_info) + return -ENOMEM; + ++ space_info->fs_info = info; + for (i = 0; i < BTRFS_NR_RAID_TYPES; i++) + INIT_LIST_HEAD(&space_info->block_groups[i]); + init_rwsem(&space_info->groups_sem); +diff --git a/fs/btrfs/space-info.h b/fs/btrfs/space-info.h +index b0187f25dbb5e..39452e36625ae 100644 +--- a/fs/btrfs/space-info.h ++++ b/fs/btrfs/space-info.h +@@ -84,6 +84,7 @@ enum btrfs_flush_state { + }; + + struct btrfs_space_info { ++ struct btrfs_fs_info *fs_info; + spinlock_t lock; + + u64 total_bytes; /* total bytes in the space, +-- +2.51.0 + diff --git a/queue-6.6/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch b/queue-6.6/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch new file mode 100644 index 0000000000..59821578b7 --- /dev/null +++ b/queue-6.6/can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch 
@@ -0,0 +1,50 @@ +From 83d90f84386c5469345e0e55bf46708df881320c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 02:17:32 +0100 +Subject: can: etas_es58x: allow partial RX URB allocation to succeed + +From: Szymon Wilczek + +[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ] + +When es58x_alloc_rx_urbs() fails to allocate the requested number of +URBs but succeeds in allocating some, it returns an error code. +This causes es58x_open() to return early, skipping the cleanup label +'free_urbs', which leads to the anchored URBs being leaked. + +As pointed out by maintainer Vincent Mailhol, the driver is designed +to handle partial URB allocation gracefully. Therefore, partial +allocation should not be treated as a fatal error. + +Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been +allocated, restoring the intended behavior and preventing the leak +in es58x_open(). + +Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") +Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8 +Signed-off-by: Szymon Wilczek +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c +index bb49a2c0a9a5c..77f193861bccc 100644 +--- a/drivers/net/can/usb/etas_es58x/es58x_core.c ++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c +@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev) + dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n", + __func__, i, rx_buf_len); + +- return ret; ++ return 0; + } + + /** +-- +2.51.0 + 
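Review bot: The final `return 0;` in es58x_alloc_rx_urbs() discards whatever `ret` holds, so correctness now rests on a no-URB check that is not visible in this hunk. The commit message promises 0 only when at least one URB was allocated; if that guard sits earlier in the function, say so at the return, e.g. `/* Partial allocation is tolerated; the no-URB case has already returned an error. */`. In the visible lines a partial allocation is reported only at dev_dbg level, so a degraded RX path would be easy to miss in the field. The function starts outside the hunk.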
diff --git a/queue-6.6/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch b/queue-6.6/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch new file mode 100644 index 0000000000..9fcea4d51c --- /dev/null +++ b/queue-6.6/dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch @@ -0,0 +1,50 @@ +From 4e498b08c3af5a754e730c07ae637256bf42d0b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Nov 2025 15:30:18 +0800 +Subject: dmaengine: omap-dma: fix dma_pool resource leak in error paths + +From: Haotian Zhang + +[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ] + +The dma_pool created by dma_pool_create() is not destroyed when +dma_async_device_register() or of_dma_controller_register() fails, +causing a resource leak in the probe error paths. + +Add dma_pool_destroy() in both error paths to properly release the +allocated dma_pool resource. + +Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver") +Signed-off-by: Haotian Zhang +Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/omap-dma.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c +index cf96cf915c0c7..efc9093707e5a 100644 +--- a/drivers/dma/ti/omap-dma.c ++++ b/drivers/dma/ti/omap-dma.c +@@ -1809,6 +1809,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n", + rc); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + return rc; + } +@@ -1824,6 +1826,8 @@ static int omap_dma_probe(struct platform_device *pdev) + if (rc) { + pr_warn("OMAP-DMA: failed to register DMA controller\n"); + dma_async_device_unregister(&od->ddev); ++ if (od->ll123_supported) ++ dma_pool_destroy(od->desc_pool); + omap_dma_free(od); + } + } +-- +2.51.0 + 
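Review bot: The second error path (after of_dma_controller_register() fails) destroys od->desc_pool but, unlike the first path, has no `return rc;` in the visible lines. If probe carries on past the closing braces, the pointer is left dangling. Adding `od->desc_pool = NULL;` after `dma_pool_destroy(od->desc_pool);`, or returning from that branch, would rule out a later use or a second destroy on removal. The same two-line `if (od->ll123_supported)` cleanup is now duplicated in both paths, and a shared unwind label would keep them from drifting apart. The rest of omap_dma_probe() is outside the hunk, so the fall-through is inferred from the visible braces only.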
diff --git a/queue-6.6/dmaengine-tegra-adma-fix-use-after-free.patch b/queue-6.6/dmaengine-tegra-adma-fix-use-after-free.patch
new file mode 100644
index 0000000000..ba35f98350
--- /dev/null
+++ b/queue-6.6/dmaengine-tegra-adma-fix-use-after-free.patch
@@ -0,0 +1,110 @@ +From 73fe152be2f09ee64027b632a4a709b7e46dc17c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 19:54:45 +0530 +Subject: dmaengine: tegra-adma: Fix use-after-free + +From: Sheetal + +[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ] + +A use-after-free bug exists in the Tegra ADMA driver when audio streams +are terminated, particularly during XRUN conditions. The issue occurs +when the DMA buffer is freed by tegra_adma_terminate_all() before the +vchan completion tasklet finishes accessing it. + +The race condition follows this sequence: + + 1. DMA transfer completes, triggering an interrupt that schedules the + completion tasklet (tasklet has not executed yet) + 2. Audio playback stops, calling tegra_adma_terminate_all() which + frees the DMA buffer memory via kfree() + 3. The scheduled tasklet finally executes, calling vchan_complete() + which attempts to access the already-freed memory + +Since tasklets can execute at any time after being scheduled, there is +no guarantee that the buffer will remain valid when vchan_complete() +runs. + +Fix this by properly synchronizing the virtual channel completion: + - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the + descriptors as terminated instead of freeing the descriptor. + - Add the callback tegra_adma_synchronize() that calls + vchan_synchronize() which kills any pending tasklets and frees any + terminated descriptors. 
+ +Crash logs: +[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 +[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 + +[ 337.427562] Call trace: +[ 337.427564] dump_backtrace+0x0/0x320 +[ 337.427571] show_stack+0x20/0x30 +[ 337.427575] dump_stack_lvl+0x68/0x84 +[ 337.427584] print_address_description.constprop.0+0x74/0x2b8 +[ 337.427590] kasan_report+0x1f4/0x210 +[ 337.427598] __asan_load8+0xa0/0xd0 +[ 337.427603] vchan_complete+0x124/0x3b0 +[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 +[ 337.427617] tasklet_action+0x30/0x40 +[ 337.427623] __do_softirq+0x1a0/0x5c4 +[ 337.427628] irq_exit+0x110/0x140 +[ 337.427633] handle_domain_irq+0xa4/0xe0 +[ 337.427640] gic_handle_irq+0x64/0x160 +[ 337.427644] call_on_irq_stack+0x20/0x4c +[ 337.427649] do_interrupt_handler+0x7c/0x90 +[ 337.427654] el1_interrupt+0x30/0x80 +[ 337.427659] el1h_64_irq_handler+0x18/0x30 +[ 337.427663] el1h_64_irq+0x7c/0x80 +[ 337.427667] cpuidle_enter_state+0xe4/0x540 +[ 337.427674] cpuidle_enter+0x54/0x80 +[ 337.427679] do_idle+0x2e0/0x380 +[ 337.427685] cpu_startup_entry+0x2c/0x70 +[ 337.427690] rest_init+0x114/0x130 +[ 337.427695] arch_call_rest_init+0x18/0x24 +[ 337.427702] start_kernel+0x380/0x3b4 +[ 337.427706] __primary_switched+0xc0/0xc8 + +Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA") +Signed-off-by: Sheetal +Acked-by: Thierry Reding +Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index e557bada15107..37848d558ae49 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -342,10 +342,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc) + return; + } + +- kfree(tdc->desc); ++ vchan_terminate_vdesc(&tdc->desc->vd); + 
tdc->desc = NULL; + } + ++static void tegra_adma_synchronize(struct dma_chan *dc) ++{ ++ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc); ++ ++ vchan_synchronize(&tdc->vc); ++} ++ + static void tegra_adma_start(struct tegra_adma_chan *tdc) + { + struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc); +@@ -909,6 +916,7 @@ static int tegra_adma_probe(struct platform_device *pdev) + tdma->dma_dev.device_config = tegra_adma_slave_config; + tdma->dma_dev.device_tx_status = tegra_adma_tx_status; + tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all; ++ tdma->dma_dev.device_synchronize = tegra_adma_synchronize; + tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES); + tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); +-- +2.51.0 + diff --git a/queue-6.6/dmaengine-xilinx-xdma-fix-regmap-max_register.patch b/queue-6.6/dmaengine-xilinx-xdma-fix-regmap-max_register.patch new file mode 100644 index 0000000000..edfc5a4845 --- /dev/null +++ b/queue-6.6/dmaengine-xilinx-xdma-fix-regmap-max_register.patch 
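Review bot: `vchan_terminate_vdesc(&tdc->desc->vd);` in tegra_adma_stop() is less forgiving than the `kfree(tdc->desc)` it replaces, because kfree() accepted a NULL tdc->desc while the new call dereferences the descriptor. The visible lines show neither a NULL check nor which lock is held. Either guard the call, `if (tdc->desc) vchan_terminate_vdesc(&tdc->desc->vd);`, or add a comment stating that callers guarantee a live descriptor and hold the channel lock. The new tegra_adma_synchronize() also deserves a one-line comment saying that terminated descriptors are freed only once the channel is synchronized, since the use-after-free fix depends on that. tegra_adma_stop() starts outside the hunk.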
@@ -0,0 +1,85 @@ +From 32d2652159623771452eeecb602850a4cb629698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Oct 2025 17:48:49 +0200 +Subject: dmaengine: xilinx: xdma: Fix regmap max_register + +From: Anthony Brandon + +[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ] + +The max_register field is assigned the size of the register memory +region instead of the offset of the last register. +The result is that reading from the regmap via debugfs can cause +a segmentation fault: + +tail /sys/kernel/debug/regmap/xdma.1.auto/registers +Unable to handle kernel paging request at virtual address ffff800082f70000 +Mem abort info: + ESR = 0x0000000096000007 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x07: level 3 translation fault +[...] +Call trace: + regmap_mmio_read32le+0x10/0x30 + _regmap_bus_reg_read+0x74/0xc0 + _regmap_read+0x68/0x198 + regmap_read+0x54/0x88 + regmap_read_debugfs+0x140/0x380 + regmap_map_read_file+0x30/0x48 + full_proxy_read+0x68/0xc8 + vfs_read+0xcc/0x310 + ksys_read+0x7c/0x120 + __arm64_sys_read+0x24/0x40 + invoke_syscall.constprop.0+0x64/0x108 + do_el0_svc+0xb0/0xd8 + el0_svc+0x38/0x130 + el0t_64_sync_handler+0x120/0x138 + el0t_64_sync+0x194/0x198 +Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) +---[ end trace 0000000000000000 ]--- +note: tail[1217] exited with irqs disabled +note: tail[1217] exited with preempt_count 1 +Segmentation fault + +Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver") +Reviewed-by: Lizhi Hou +Reviewed-by: Radhey Shyam Pandey +Reviewed-by: Alexander Stein +Signed-off-by: Anthony Brandon +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xdma-regs.h | 1 + + drivers/dma/xilinx/xdma.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h +index dd98b4526b90a..b19c173d8bfce 100644 +--- a/drivers/dma/xilinx/xdma-regs.h 
++++ b/drivers/dma/xilinx/xdma-regs.h +@@ -9,6 +9,7 @@ + + /* The length of register space exposed to host */ + #define XDMA_REG_SPACE_LEN 65536 ++#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4) + + /* + * maximum number of DMA channels for each direction: +diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c +index e0bfd129d563f..dbab4c4499143 100644 +--- a/drivers/dma/xilinx/xdma.c ++++ b/drivers/dma/xilinx/xdma.c +@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = { + .reg_bits = 32, + .val_bits = 32, + .reg_stride = 4, +- .max_register = XDMA_REG_SPACE_LEN, ++ .max_register = XDMA_MAX_REG_OFFSET, + }; + + /** +-- +2.51.0 + diff --git a/queue-6.6/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch b/queue-6.6/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch new file mode 100644 index 0000000000..c4d3887bc9 --- /dev/null +++ b/queue-6.6/dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch 
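Review bot: The literal `4` in `#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)` silently duplicates `.reg_stride = 4` from xdma_regmap_config, and the new macro has no comment saying it is an offset rather than a length. That length/offset mix-up is what let a debugfs register dump read past the mapped region, so the distinction should be spelled out next to the define, e.g. `/* Offset of the last 32-bit register; regmap's max_register is inclusive. */`. A named stride constant shared by the macro and `.reg_stride` would keep the two from diverging.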
@@ -0,0 +1,61 @@ +From 4f19389116e34214e4d34f1e6a440f22c4baa221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Oct 2025 00:00:06 +0530 +Subject: dmaengine: xilinx_dma: Fix uninitialized addr_width when + "xlnx,addrwidth" property is missing + +From: Suraj Gupta + +[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ] + +When device tree lacks optional "xlnx,addrwidth" property, the addr_width +variable remained uninitialized with garbage values, causing incorrect +DMA mask configuration and subsequent probe failure. The fix ensures a +fallback to the default 32-bit address width when this property is missing. + +Signed-off-by: Suraj Gupta +Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver") +Reviewed-by: Radhey Shyam Pandey +Reviewed-by: Folker Schwesinger +Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index 14c4c5031b556..176cac3f37a73 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -128,6 +128,7 @@ + #define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20 + #define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2 + #define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1 ++#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20 + + #define XILINX_DMA_DMAXR_ALL_IRQ_MASK \ + (XILINX_DMA_DMASR_FRM_CNT_IRQ | \ +@@ -3057,7 +3058,7 @@ static int xilinx_dma_probe(struct platform_device *pdev) + struct device_node *node = pdev->dev.of_node; + struct xilinx_dma_device *xdev; + struct device_node *child, *np = pdev->dev.of_node; +- u32 num_frames, addr_width, len_width; ++ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width; + int i, err; + + /* Allocate and initialize the DMA engine structure */ +@@ -3131,7 +3132,9 @@ static int 
xilinx_dma_probe(struct platform_device *pdev) + + err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width); + if (err < 0) +- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n"); ++ dev_warn(xdev->dev, ++ "missing xlnx,addrwidth property, using default value %d\n", ++ XILINX_DMA_DFAULT_ADDRWIDTH); + + if (addr_width > 32) + xdev->ext_addr = true; +-- +2.51.0 + diff --git a/queue-6.6/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch b/queue-6.6/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch new file mode 100644 index 0000000000..a661c6b99a --- /dev/null +++ b/queue-6.6/i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch 
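Review bot: The new macro is spelled `XILINX_DMA_DFAULT_ADDRWIDTH` (missing "E"). The spelling presumably comes from the upstream commit, so a stable backport should keep it, but it is worth a follow-up upstream before more code depends on it. In the visible lines the device-tree value is only tested with `if (addr_width > 32)`, and no upper bound is checked. If the value later feeds a DMA mask computation, which is outside this hunk, an out-of-range property would still be accepted, so a range check with a fallback to the default would make the probe path robust against a malformed device tree. The warning also prints the u32-typed default with `%d`; `%u` would match the variable's type.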
@@ -0,0 +1,71 @@ +From f7d6245385efaf77e08b53b345c2ecdcc9fdce0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Oct 2025 19:07:42 +0100 +Subject: i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA + +From: Neil Armstrong + +[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ] + +The I2C Hub controller is a simpler GENI I2C variant that doesn't +support DMA at all, add a no_dma flag to make sure it nevers selects +the SE DMA mode with mappable 32bytes long transfers. + +Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant") +Signed-off-by: Neil Armstrong +Reviewed-by: Konrad Dybcio +Reviewed-by: Mukesh Kumar Savaliya > +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c +index 350f7827fbaca..f6e46168571f5 100644 +--- a/drivers/i2c/busses/i2c-qcom-geni.c ++++ b/drivers/i2c/busses/i2c-qcom-geni.c +@@ -97,6 +97,7 @@ struct geni_i2c_dev { + dma_addr_t dma_addr; + struct dma_chan *tx_c; + struct dma_chan *rx_c; ++ bool no_dma; + bool gpi_mode; + bool abort_done; + }; +@@ -411,7 +412,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, + size_t len = msg->len; + struct i2c_msg *cur; + +- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); ++ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32); + if (dma_buf) + geni_se_select_mode(se, GENI_SE_DMA); + else +@@ -450,7 +451,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg, + size_t len = msg->len; + struct i2c_msg *cur; + +- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32); ++ dma_buf = gi2c->no_dma ? 
NULL : i2c_get_dma_safe_msg_buf(msg, 32); + if (dma_buf) + geni_se_select_mode(se, GENI_SE_DMA); + else +@@ -866,10 +867,12 @@ static int geni_i2c_probe(struct platform_device *pdev) + return -ENXIO; + } + +- if (desc && desc->no_dma_support) ++ if (desc && desc->no_dma_support) { + fifo_disable = false; +- else ++ gi2c->no_dma = true; ++ } else { + fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE; ++ } + + if (fifo_disable) { + /* FIFO is disabled, so we can only use GPI DMA */ +-- +2.51.0 + diff --git a/queue-6.6/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch b/queue-6.6/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch new file mode 100644 index 0000000000..56105e07a2 --- /dev/null +++ b/queue-6.6/ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch 
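Review bot: The expression `gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32)` is now repeated verbatim in geni_i2c_rx_one_msg() and geni_i2c_tx_one_msg(), along with the unexplained threshold `32`. A small static helper would keep the two paths from diverging if another mode restriction is added later. The new `bool no_dma;` member in struct geni_i2c_dev has no comment; something like `/* controller variant has no SE DMA; always use FIFO mode */` would document why it exists. Both transfer functions continue outside the hunk, so how a NULL dma_buf is handled on their completion paths cannot be checked from here.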
@@ -0,0 +1,105 @@ +From 12ef5c033cf0bd0fd0506036772a5117e7696b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:31:09 +0000 +Subject: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() + +From: Eric Dumazet + +[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ] + +Blamed commit did not take care of VLAN encapsulations +as spotted by syzbot [1]. + +Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). + +[1] + BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] + INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] + IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 + ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 + __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 + ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 + gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 + ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 + ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 + NF_HOOK include/linux/netfilter.h:318 [inline] + ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 + __netif_receive_skb_one_core net/core/dev.c:6139 [inline] + __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 + netif_receive_skb_internal net/core/dev.c:6338 [inline] + netif_receive_skb+0x57/0x630 net/core/dev.c:6397 + tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 + tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write 
fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4960 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 + kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 + __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 + alloc_skb include/linux/skbuff.h:1383 [inline] + alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 + sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 + tun_alloc_skb drivers/net/tun.c:1461 [inline] + tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 + tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0xbe2/0x15d0 fs/read_write.c:686 + ksys_write fs/read_write.c:738 [inline] + __do_sys_write fs/read_write.c:749 [inline] + __se_sys_write fs/read_write.c:746 [inline] + __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 + x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 + +Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") +Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com +Closes: 
https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c +index e635ddd41aba6..69cace90ece16 100644 +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb, + + skb_reset_network_header(skb); + +- if (!pskb_inet_may_pull(skb)) { ++ if (skb_vlan_inet_prepare(skb, true)) { + DEV_STATS_INC(tunnel->dev, rx_length_errors); + DEV_STATS_INC(tunnel->dev, rx_errors); + goto drop; +-- +2.51.0 + diff --git a/queue-6.6/ipv4-ip_gre-make-ipgre_header-robust.patch b/queue-6.6/ipv4-ip_gre-make-ipgre_header-robust.patch new file mode 100644 index 0000000000..436aaf9c26 --- /dev/null +++ b/queue-6.6/ipv4-ip_gre-make-ipgre_header-robust.patch 
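Review bot: The replacement drops the `!` that guarded pskb_inet_may_pull(), so `if (skb_vlan_inet_prepare(skb, true))` is correct only if the helper in this 6.6 base returns non-zero on failure. As far as I recall, the helper's return convention changed upstream from a bool that is true on success to a drop reason that is zero on success. If the queue-6.6 tree still carries the bool form, this condition would send every well-formed packet to `drop` and let truncated ones reach the ECN decapsulation shown in the KMSAN trace. Please confirm the helper's signature in the target tree before queuing, and use `if (!skb_vlan_inet_prepare(skb, true))` if it is the bool variant. __ip6_tnl_rcv() starts and ends outside the hunk.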
@@ -0,0 +1,87 @@ +From c511ec39b511c5888d6bfb15e55fa99c19a98d14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 19:02:14 +0000 +Subject: ipv4: ip_gre: make ipgre_header() robust + +From: Eric Dumazet + +[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ] + +Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") + +Over the years, syzbot found many ways to crash the kernel +in ipgre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ipgre device. + +[1] +skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 + kernel BUG at net/core/skbuff.c:213 ! +Oops: invalid opcode: 0000 [#1] SMP KASAN PTI +CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Workqueue: mld mld_ifc_work + RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 +Call Trace: + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + process_one_work kernel/workqueue.c:3257 [inline] + process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 
+ kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com +Closes: https://www.spinics.net/lists/netdev/msg1147302.html +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index f261e29adc7c2..75d388dd5ac62 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -860,10 +860,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev, + const void *daddr, const void *saddr, unsigned int len) + { + struct ip_tunnel *t = netdev_priv(dev); +- struct iphdr *iph; + struct gre_base_hdr *greh; ++ struct iphdr *iph; ++ int needed; ++ ++ needed = t->hlen + sizeof(*iph); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; + +- iph = skb_push(skb, t->hlen + sizeof(*iph)); ++ iph = skb_push(skb, needed); + greh = (struct gre_base_hdr *)(iph+1); + greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags); + greh->protocol = htons(type); +-- +2.51.0 + diff --git a/queue-6.6/ipv6-fix-use-after-free-in-inet6_addr_del.patch b/queue-6.6/ipv6-fix-use-after-free-in-inet6_addr_del.patch new file mode 100644 index 0000000000..fc9b3871d1 --- /dev/null +++ b/queue-6.6/ipv6-fix-use-after-free-in-inet6_addr_del.patch 
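Review bot: The new headroom guard in ipgre_header() compares the signed `int needed` with the unsigned result of skb_headroom(), and neither the guard nor its `return -needed;` failure value carries a comment. If t->hlen could ever be negative, the comparison would be done in unsigned arithmetic and the subtraction passed to HH_DATA_ALIGN() would wrap. The range of t->hlen is not visible here, so this is a robustness remark rather than a demonstrated bug. A short comment would record why the check exists, e.g. `/* team/bonding can change needed_headroom after the skb was allocated; grow the head or fail instead of hitting skb_under_panic */`. Note too that `-needed` is a negated length rather than an errno, so it is worth confirming that callers only test the sign. The function continues outside the hunk.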
@@ -0,0 +1,132 @@ +From c9ab220c7e3b71f2c78a552245ada93798f4e62e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 01:05:08 +0000 +Subject: ipv6: Fix use-after-free in inet6_addr_del(). + +From: Kuniyuki Iwashima + +[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ] + +syzbot reported use-after-free of inet6_ifaddr in +inet6_addr_del(). [0] + +The cited commit accidentally moved ipv6_del_addr() for +mngtmpaddr before reading its ifp->flags for temporary +addresses in inet6_addr_del(). + +Let's move ipv6_del_addr() down to fix the UAF. + +[0]: +BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 +Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 + +CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcd/0x630 mm/kasan/report.c:482 + kasan_report+0xe0/0x110 mm/kasan/report.c:595 + inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 + addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 + inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f164cf8f749 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 
002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 +RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 +RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 + + +Allocated by task 9593: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:397 [inline] + __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 + kmalloc_noprof include/linux/slab.h:957 [inline] + kzalloc_noprof include/linux/slab.h:1094 [inline] + ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 + inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 + addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 + inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 + sock_do_ioctl+0x118/0x280 net/socket.c:1254 + sock_ioctl+0x227/0x6b0 net/socket.c:1375 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 6099: + kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 + kasan_save_track+0x14/0x30 mm/kasan/common.c:77 + kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2540 [inline] + slab_free_freelist_hook mm/slub.c:2569 [inline] + slab_free_bulk mm/slub.c:6696 [inline] + kmem_cache_free_bulk mm/slub.c:7383 [inline] + kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 + kfree_bulk include/linux/slab.h:830 [inline] + 
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 + kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] + kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 + process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 + kthread+0x3c5/0x780 kernel/kthread.c:463 + ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged") +Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/ +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Hangbin Liu +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 2737bb4751e4c..4958452cd3320 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3111,12 +3111,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags, + in6_ifa_hold(ifp); + read_unlock_bh(&idev->lock); + +- ipv6_del_addr(ifp); +- + if (!(ifp->flags & IFA_F_TEMPORARY) && + (ifp->flags & IFA_F_MANAGETEMPADDR)) + delete_tempaddrs(idev, ifp); + ++ ipv6_del_addr(ifp); ++ + addrconf_verify_rtnl(net); + if (ipv6_addr_is_multicast(pfx)) { + ipv6_mc_config(net->ipv6.mc_autojoin_sk, +-- +2.51.0 + diff --git a/queue-6.6/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch b/queue-6.6/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch new file mode 100644 index 0000000000..f84d38a398 --- /dev/null +++ b/queue-6.6/macvlan-fix-possible-uaf-in-macvlan_forward_source.patch 
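Review bot: The reordered block in inet6_addr_del() has no comment tying the `ifp->flags` reads to the position of `ipv6_del_addr(ifp);`, and the commit message says the earlier regression came from that call being moved by accident. A comment above the flag test would make the ordering constraint explicit for the next refactor, e.g. `/* Read ifp->flags before ipv6_del_addr(): ifp may be freed once it returns. */`. The visible lines take a reference with in6_ifa_hold() just before, so it would also help to state which call consumes that reference. The function starts and ends outside the hunk.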
@@ -0,0 +1,108 @@ +From d31e3b3fd6a86ff73bbe27d1474190dc3e56274e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:36:51 +0000 +Subject: macvlan: fix possible UAF in macvlan_forward_source() + +From: Eric Dumazet + +[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ] + +Add RCU protection on (struct macvlan_source_entry)->vlan. + +Whenever macvlan_hash_del_source() is called, we must clear +entry->vlan pointer before RCU grace period starts. + +This allows macvlan_forward_source() to skip over +entries queued for freeing. + +Note that macvlan_dev are already RCU protected, as they +are embedded in a standard netdev (netdev_priv(ndev)). + +Fixes: 79cf79abce71 ("macvlan: add source mode") +Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com +https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/macvlan.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c +index c8da94af4161a..09db43ce31767 100644 +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -58,7 +58,7 @@ struct macvlan_port { + + struct macvlan_source_entry { + struct hlist_node hlist; +- struct macvlan_dev *vlan; ++ struct macvlan_dev __rcu *vlan; + unsigned char addr[6+2] __aligned(sizeof(u16)); + struct rcu_head rcu; + }; +@@ -145,7 +145,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source( + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { + if (ether_addr_equal_64bits(entry->addr, addr) && +- entry->vlan == vlan) ++ rcu_access_pointer(entry->vlan) == vlan) + return entry; + } + return NULL; +@@ -167,7 +167,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan, + return -ENOMEM; + + ether_addr_copy(entry->addr, 
addr); +- entry->vlan = vlan; ++ RCU_INIT_POINTER(entry->vlan, vlan); + h = &port->vlan_source_hash[macvlan_eth_hash(addr)]; + hlist_add_head_rcu(&entry->hlist, h); + vlan->macaddr_count++; +@@ -186,6 +186,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan) + + static void macvlan_hash_del_source(struct macvlan_source_entry *entry) + { ++ RCU_INIT_POINTER(entry->vlan, NULL); + hlist_del_rcu(&entry->hlist); + kfree_rcu(entry, rcu); + } +@@ -389,7 +390,7 @@ static void macvlan_flush_sources(struct macvlan_port *port, + int i; + + hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist) +- if (entry->vlan == vlan) ++ if (rcu_access_pointer(entry->vlan) == vlan) + macvlan_hash_del_source(entry); + + vlan->macaddr_count = 0; +@@ -432,9 +433,14 @@ static bool macvlan_forward_source(struct sk_buff *skb, + + hlist_for_each_entry_rcu(entry, h, hlist) { + if (ether_addr_equal_64bits(entry->addr, addr)) { +- if (entry->vlan->flags & MACVLAN_FLAG_NODST) ++ struct macvlan_dev *vlan = rcu_dereference(entry->vlan); ++ ++ if (!vlan) ++ continue; ++ ++ if (vlan->flags & MACVLAN_FLAG_NODST) + consume = true; +- macvlan_forward_source_one(skb, entry->vlan); ++ macvlan_forward_source_one(skb, vlan); + } + } + +@@ -1685,7 +1691,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb, + struct macvlan_source_entry *entry; + + hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) { +- if (entry->vlan != vlan) ++ if (rcu_access_pointer(entry->vlan) != vlan) + continue; + if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr)) + return 1; +-- +2.51.0 + diff --git a/queue-6.6/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch b/queue-6.6/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch new file mode 100644 index 0000000000..0e3c1fec28 --- /dev/null +++ b/queue-6.6/mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch 
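Review bot: The store `RCU_INIT_POINTER(entry->vlan, NULL);` added at the top of macvlan_hash_del_source() has no comment, and the reason it must come before `hlist_del_rcu()` and `kfree_rcu()` is only in the commit message. A reader in macvlan_forward_source() can still be walking the chain after the entry is unlinked, so I would add `/* Readers may still reach this entry until the grace period ends; clear ->vlan so they skip it. */` above the store. The `if (!vlan) continue;` path also relies on the macvlan_dev staying valid for a reader that loaded the pointer just before it was cleared. The commit message says the netdev-embedded macvlan_dev is RCU protected, and a one-line comment next to the `rcu_dereference()` would record that assumption in the code.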
@@ -0,0 +1,42 @@
+From e394c8ba82556fc39ddaacea44c723eae0b498c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:07 +0700
+Subject: mm, kfence: describe @slab parameter in __kfence_obj_info()
+
+From: Bagas Sanjaya
+
+[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
+
+Fix it by describing @slab parameter.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
+Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
+Signed-off-by: Bagas Sanjaya
+Acked-by: Marco Elver
+Acked-by: David Hildenbrand (Red Hat)
+Acked-by: Harry Yoo
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/kfence.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index 401af47575141..90edba2e59f95 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -211,6 +211,7 @@ struct kmem_obj_info;
+ * __kfence_obj_info() - fill kmem_obj_info struct
+ * @kpp: kmem_obj_info to be filled
+ * @object: the object
++ * @slab: the slab
+ *
+ * Return:
+ * * false - not a KFENCE object
+--
+2.51.0
+
diff --git a/queue-6.6/net-bridge-annotate-data-races-around-fdb-updated-us.patch b/queue-6.6/net-bridge-annotate-data-races-around-fdb-updated-us.patch
new file mode 100644
index 0000000000..9cce1136ed
--- /dev/null
+++ b/queue-6.6/net-bridge-annotate-data-races-around-fdb-updated-us.patch
@@ -0,0 +1,143 @@ +From d7e6dc7aa35791a894fd32fbbf27970dbc114dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 09:38:06 +0000 +Subject: net: bridge: annotate data-races around fdb->{updated,used} + +From: Eric Dumazet + +[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ] + +fdb->updated and fdb->used are read and written locklessly. + +Add READ_ONCE()/WRITE_ONCE() annotations. + +Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries") +Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/ +Signed-off-by: Eric Dumazet +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/bridge/br_fdb.c | 28 ++++++++++++++++------------ + net/bridge/br_input.c | 4 ++-- + 2 files changed, 18 insertions(+), 14 deletions(-) + +diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c +index 91903076d30bd..fa2970db21301 100644 +--- a/net/bridge/br_fdb.c ++++ b/net/bridge/br_fdb.c +@@ -73,7 +73,7 @@ static inline int has_expired(const struct net_bridge *br, + { + return !test_bit(BR_FDB_STATIC, &fdb->flags) && + !test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) && +- time_before_eq(fdb->updated + hold_time(br), jiffies); ++ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies); + } + + static void fdb_rcu_free(struct rcu_head *head) +@@ -136,9 +136,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br, + if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags)) + goto nla_put_failure; + +- ci.ndm_used = jiffies_to_clock_t(now - fdb->used); ++ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used)); + ci.ndm_confirmed = 0; +- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated); ++ ci.ndm_updated = jiffies_to_clock_t(now - 
READ_ONCE(fdb->updated)); + ci.ndm_refcnt = 0; + if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci)) + goto nla_put_failure; +@@ -534,7 +534,7 @@ void br_fdb_cleanup(struct work_struct *work) + */ + rcu_read_lock(); + hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) { +- unsigned long this_timer = f->updated + delay; ++ unsigned long this_timer = READ_ONCE(f->updated) + delay; + + if (test_bit(BR_FDB_STATIC, &f->flags) || + test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) { +@@ -792,6 +792,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + { + struct net_bridge_fdb_entry *f; + struct __fdb_entry *fe = buf; ++ unsigned long delta; + int num = 0; + + memset(buf, 0, maxnum*sizeof(struct __fdb_entry)); +@@ -821,8 +822,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf, + fe->port_hi = f->dst->port_no >> 8; + + fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags); +- if (!test_bit(BR_FDB_STATIC, &f->flags)) +- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated); ++ if (!test_bit(BR_FDB_STATIC, &f->flags)) { ++ delta = jiffies - READ_ONCE(f->updated); ++ fe->ageing_timer_value = ++ jiffies_delta_to_clock_t(delta); ++ } + ++fe; + ++num; + } +@@ -870,8 +874,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source, + unsigned long now = jiffies; + bool fdb_modified = false; + +- if (now != fdb->updated) { +- fdb->updated = now; ++ if (now != READ_ONCE(fdb->updated)) { ++ WRITE_ONCE(fdb->updated, now); + fdb_modified = __fdb_mark_active(fdb); + } + +@@ -1103,10 +1107,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source, + if (fdb_handle_notify(fdb, notify)) + modified = true; + +- fdb->used = jiffies; ++ WRITE_ONCE(fdb->used, jiffies); + if (modified) { + if (refresh) +- fdb->updated = jiffies; ++ WRITE_ONCE(fdb->updated, jiffies); + fdb_notify(br, fdb, RTM_NEWNEIGH, true); + } + +@@ -1419,7 +1423,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + goto 
err_unlock; + } + +- fdb->updated = jiffies; ++ WRITE_ONCE(fdb->updated, jiffies); + + if (READ_ONCE(fdb->dst) != p) { + WRITE_ONCE(fdb->dst, p); +@@ -1428,7 +1432,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p, + + if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) { + /* Refresh entry */ +- fdb->used = jiffies; ++ WRITE_ONCE(fdb->used, jiffies); + } else { + modified = true; + } +diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c +index 951330c1a813b..2d5b81ebbaa6d 100644 +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c +@@ -207,8 +207,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb + if (test_bit(BR_FDB_LOCAL, &dst->flags)) + return br_pass_frame_up(skb, false); + +- if (now != dst->used) +- dst->used = now; ++ if (now != READ_ONCE(dst->used)) ++ WRITE_ONCE(dst->used, now); + br_forward(dst->dst, skb, local_rcv, false); + } else { + if (!mcast_hit) +-- +2.51.0 + diff --git a/queue-6.6/net-bridge-set-br_fdb_added_by_user-early-in-fdb_add.patch b/queue-6.6/net-bridge-set-br_fdb_added_by_user-early-in-fdb_add.patch new file mode 100644 index 0000000000..4e69a4ed1d --- /dev/null +++ b/queue-6.6/net-bridge-set-br_fdb_added_by_user-early-in-fdb_add.patch 
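Review bot: In br_fdb_fillbuf() the new `unsigned long delta;` is declared at function scope but is written and read only inside the `if (!test_bit(BR_FDB_STATIC, &f->flags))` block. Declaring it there, as `unsigned long delta = jiffies - READ_ONCE(f->updated);`, keeps the snapshot next to its single use. Separately, the READ_ONCE()/WRITE_ONCE() pairs added across br_fdb.c and br_input.c only mark the accesses as intentionally lockless. fdb_fill_info() still samples `used` and `updated` independently, so the two reported ages are not a consistent pair; that looks acceptable for cache-info reporting, but a short comment at those reads would stop a later reader from assuming otherwise. All of the touched functions continue outside their hunks.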
@@ -0,0 +1,59 @@
+From c011418195c96479b1173422a215f5f3a071b188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 Oct 2023 15:27:20 +0200
+Subject: net: bridge: Set BR_FDB_ADDED_BY_USER early in fdb_add_entry
+
+From: Johannes Nixdorf
+
+[ Upstream commit cbf51acbc5d50341290c79c97bda8cf46f5c4f22 ]
+
+In preparation of the following fdb limit for dynamically learned entries,
+allow fdb_create to detect that the entry was added by the user. This
+way it can skip applying the limit in this case.
+
+Reviewed-by: Ido Schimmel
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: Johannes Nixdorf
+Link: https://lore.kernel.org/r/20231016-fdb_limit-v5-1-32cddff87758@avm.de
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: b25a0b4a2193 ("net: bridge: annotate data-races around fdb->{updated,used}")
+Signed-off-by: Sasha Levin
+---
+ net/bridge/br_fdb.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index a6d8cd9a58078..91903076d30bd 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1056,7 +1056,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (!(flags & NLM_F_CREATE))
+ return -ENOENT;
+
+- fdb = fdb_create(br, source, addr, vid, 0);
++ fdb = fdb_create(br, source, addr, vid,
++ BIT(BR_FDB_ADDED_BY_USER));
+ if (!fdb)
+ return -ENOMEM;
+
+@@ -1069,6 +1070,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ WRITE_ONCE(fdb->dst, source);
+ modified = true;
+ }
++
++ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+ }
+
+ if (fdb_to_nud(br, fdb) != state) {
+@@ -1100,8 +1103,6 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+ if (fdb_handle_notify(fdb, notify))
+ modified = true;
+
+- set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+-
+ fdb->used = jiffies;
+ if (modified) {
+ if (refresh)
+--
+2.51.0
+
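Review bot: The `BIT(BR_FDB_ADDED_BY_USER)` argument now passed to `fdb_create()` in fdb_add_entry() has no comment, and the reason for setting the flag at creation is only in the commit message (so fdb_create can tell a user-added entry from a learned one). I would add `/* Flag at creation so fdb_create() can identify user-added entries. */` above the call. In the existing-entry branch the moved `set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);` now runs before the `fdb_to_nud()` and `fdb_handle_notify()` steps. The code between the old and new position is only partly shown in these hunks, so it is worth confirming that no early return there now leaves the flag set on an entry that was otherwise not updated.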
diff --git a/queue-6.6/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch b/queue-6.6/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
new file mode 100644
index 0000000000..3e62375e8a
--- /dev/null
+++ b/queue-6.6/net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
@@ -0,0 +1,47 @@
+From 706520c89382306192852b6195a19fc8f360f318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 02:01:33 -0800
+Subject: net: hv_netvsc: reject RSS hash key programming without RX
+ indirection table
+
+From: Aditya Garg
+
+[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
+
+RSS configuration requires a valid RX indirection table. When the device
+reports a single receive queue, rndis_filter_device_add() does not
+allocate an indirection table, accepting RSS hash key updates in this
+state leads to a hang.
+
+Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
+-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
+capabilities and prevents incorrect behavior.
+
+Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
+Signed-off-by: Aditya Garg
+Reviewed-by: Dipayaan Roy
+Reviewed-by: Haiyang Zhang
+Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index aa114240e340d..af001e2e688b2 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1762,6 +1762,9 @@ static int netvsc_set_rxfh(struct net_device *dev, const u32 *indir,
+ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
+ return -EOPNOTSUPP;
+
++ if (!ndc->rx_table_sz)
++ return -EOPNOTSUPP;
++
+ rndis_dev = ndev->extension;
+ if (indir) {
+ for (i = 0; i < ndc->rx_table_sz; i++)
+--
+2.51.0
+
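Review bot: The new `if (!ndc->rx_table_sz) return -EOPNOTSUPP;` guard in netvsc_set_rxfh() is undocumented, and it rejects every set_rxfh request once the size is zero, not only hash-key updates. A comment such as `/* No RX indirection table was allocated (single receive queue): RSS cannot be reprogrammed. */` would record why a zero size is treated as unsupported instead of as an empty loop. The guard tests the size field and not the table pointer, so it depends on `rx_table_sz` being zero whenever the table is absent. The allocation site is outside this hunk and should be checked for that invariant; the function itself also continues past the end of the hunk.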
diff --git a/queue-6.6/net-mlx5e-restore-destroying-state-bit-after-profile.patch b/queue-6.6/net-mlx5e-restore-destroying-state-bit-after-profile.patch new file mode 100644 index 0000000000..e8acb0815a --- /dev/null +++ b/queue-6.6/net-mlx5e-restore-destroying-state-bit-after-profile.patch 
@@ -0,0 +1,69 @@ +From b2322a40c24603ee9337cb14b74c67c9ff9d0c10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 13:26:57 -0800 +Subject: net/mlx5e: Restore destroying state bit after profile cleanup + +From: Saeed Mahameed + +[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ] + +Profile rollback can fail in mlx5e_netdev_change_profile() and we will +end up with invalid mlx5e_priv memset to 0, we must maintain the +'destroying' bit in order to gracefully shutdown even if the +profile/priv are not valid. + +This patch maintains the previous state of the 'destroying' state of +mlx5e_priv after priv cleanup, to allow the remove flow to cleanup +common resources from mlx5_core to avoid FW fatal errors as seen below: + +$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev + Error: mlx5_core: Failed setting eswitch to offloads. +dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ... + +$ devlink dev reload pci/0000:00:03.0 + +mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) +mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected +mlx5_core 0000:00:03.0: firmware version: 28.41.1000 +mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link) +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed +mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here +mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver +mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start +mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms. 
+ +Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method") +Signed-off-by: Saeed Mahameed +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index 5c6f01abdcb91..03201bcda1a68 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -5687,6 +5687,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv, + + void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + { ++ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state); + int i; + + /* bail if change profile failed and also rollback failed */ +@@ -5712,6 +5713,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv) + } + + memset(priv, 0, sizeof(*priv)); ++ if (destroying) /* restore destroying bit, to allow unload */ ++ set_bit(MLX5E_STATE_DESTROYING, &priv->state); + } + + static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev, +-- +2.51.0 + diff --git a/queue-6.6/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch b/queue-6.6/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch new file mode 100644 index 0000000000..2aa8d1683a --- /dev/null +++ b/queue-6.6/net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch 
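Review bot: The restore at the end of mlx5e_priv_cleanup() leaves a priv that is all zeroes except for one state bit, and the trailing comment `/* restore destroying bit, to allow unload */` does not say which path depends on it. I would put the comment on its own line above the `if` and expand it to say that the remove flow tests MLX5E_STATE_DESTROYING on a priv whose profile rollback failed, as the commit message describes. Any code that detects an already-cleaned priv should test a specific field and not the whole `state` word, because that word is no longer guaranteed to be zero after cleanup. The check that follows the "bail if change profile failed" comment is outside this hunk, so that needs confirming there.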
@@ -0,0 +1,46 @@
+From 61498af5f1b44726f10e78d33687b9916af25839 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 17:56:56 +0000
+Subject: net/sched: sch_qfq: do not free existing class in qfq_change_class()
+
+From: Eric Dumazet
+
+[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
+
+Fixes qfq_change_class() error case.
+
+cl->qdisc and cl should only be freed if a new class and qdisc
+were allocated, or we risk various UAF.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/sch_qfq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 29847c28ffaca..7c6b5428b8ed4 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -532,8 +532,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ return 0;
+
+ destroy_class:
+- qdisc_put(cl->qdisc);
+- kfree(cl);
++ if (!existing) {
++ qdisc_put(cl->qdisc);
++ kfree(cl);
++ }
+ return err;
+ }
+
+--
+2.51.0
+
diff --git a/queue-6.6/net-update-netdev_lock_-type-name.patch b/queue-6.6/net-update-netdev_lock_-type-name.patch
new file mode 100644
index 0000000000..9ad1e66276
--- /dev/null
+++ b/queue-6.6/net-update-netdev_lock_-type-name.patch
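Review bot: The new `if (!existing)` guard under the destroy_class label in qfq_change_class() has no comment, and the label name still reads as if the class is always destroyed. I would add `/* When modifying an existing class, cl was looked up, not allocated here. */` above the guard so the ownership rule is visible at the free site. The jumps to destroy_class and the assignment of `existing` are outside this hunk. Any teardown done on `cl` before those jumps, which is not visible here, needs the same distinction between a new and an existing class.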
@@ -0,0 +1,91 @@ +From 82c1f551a90fc08fcf1482e86fc110a985551503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 09:32:44 +0000 +Subject: net: update netdev_lock_{type,name} + +From: Eric Dumazet + +[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ] + +Add missing entries in netdev_lock_type[] and netdev_lock_name[] : + +CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON, +IEEE802154_MONITOR. + +Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting +next time a protocol is added without updating these arrays. + +Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes") +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index cf5b5a4cbfd70..8a7a5e16da00a 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -481,15 +481,21 @@ static const unsigned short netdev_lock_type[] = { + ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP, + ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD, + ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25, ++ ARPHRD_CAN, ARPHRD_MCTP, + ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP, +- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, ++ ARPHRD_RAWHDLC, ARPHRD_RAWIP, ++ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD, + ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI, + ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE, + ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET, + ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL, + ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM, +- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE, +- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE}; ++ ARPHRD_IEEE80211_RADIOTAP, ++ ARPHRD_IEEE802154, 
ARPHRD_IEEE802154_MONITOR, ++ ARPHRD_PHONET, ARPHRD_PHONET_PIPE, ++ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN, ++ ARPHRD_VSOCKMON, ++ ARPHRD_VOID, ARPHRD_NONE}; + + static const char *const netdev_lock_name[] = { + "_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25", +@@ -498,15 +504,21 @@ static const char *const netdev_lock_name[] = { + "_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP", + "_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD", + "_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25", ++ "_xmit_CAN", "_xmit_MCTP", + "_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP", +- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", ++ "_xmit_RAWHDLC", "_xmit_RAWIP", ++ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD", + "_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI", + "_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE", + "_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET", + "_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL", + "_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM", +- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE", +- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"}; ++ "_xmit_IEEE80211_RADIOTAP", ++ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR", ++ "_xmit_PHONET", "_xmit_PHONET_PIPE", ++ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN", ++ "_xmit_VSOCKMON", ++ "_xmit_VOID", "_xmit_NONE"}; + + static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)]; + static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)]; +@@ -519,6 +531,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type) + if (netdev_lock_type[i] == dev_type) + return i; + /* the last key is used by default */ ++ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type); + return ARRAY_SIZE(netdev_lock_type) - 1; + } + +-- +2.51.0 + 
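Review bot: netdev_lock_type[] and netdev_lock_name[] are still kept in step by hand, and this change adds nine entries to each. A `static_assert(ARRAY_SIZE(netdev_lock_type) == ARRAY_SIZE(netdev_lock_name));` after the second table would turn a missed name into a build failure instead of an out-of-bounds read when the lock class name is looked up. The added `WARN_ONCE(1, ...)` in netdev_lock_pos() fires for any dev_type missing from the table, and that becomes a panic on systems running with panic_on_warn. If a device type can reach this function with a value not listed here, `pr_warn_once()` would give the same diagnostic without that effect.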
diff --git a/queue-6.6/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch b/queue-6.6/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch new file mode 100644 index 0000000000..88760e4bdd --- /dev/null +++ b/queue-6.6/nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch 
@@ -0,0 +1,69 @@ +From 630e4652128019abaf0e7f1550b89ac55df9bb94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Dec 2025 13:57:48 -0500 +Subject: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shivam Kumar + +[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ] + +Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +added ttag bounds checking and data_offset +validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate +whether the command's data structures (cmd->req.sg and cmd->iov) have +been properly initialized before processing H2C_DATA PDUs. + +The nvmet_tcp_build_pdu_iovec() function dereferences these pointers +without NULL checks. This can be triggered by sending H2C_DATA PDU +immediately after the ICREQ/ICRESP handshake, before +sending a CONNECT command or NVMe write command. + +Attack vectors that trigger NULL pointer dereferences: +1. H2C_DATA PDU sent before CONNECT → both pointers NULL +2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL +3. H2C_DATA PDU for uninitialized command slot → both pointers NULL + +The fix validates both cmd->req.sg and cmd->iov before calling +nvmet_tcp_build_pdu_iovec(). 
Both checks are required because: +- Uninitialized commands: both NULL +- READ commands: cmd->req.sg allocated, cmd->iov NULL +- WRITE commands: both allocated + +Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") +Reviewed-by: Sagi Grimberg +Signed-off-by: Shivam Kumar +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 6975b2a054e0d..3bdff81eb3af8 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -995,6 +995,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); + goto err_proto; + } ++ /* ++ * Ensure command data structures are initialized. We must check both ++ * cmd->req.sg and cmd->iov because they can have different NULL states: ++ * - Uninitialized commands: both NULL ++ * - READ commands: cmd->req.sg allocated, cmd->iov NULL ++ * - WRITE commands: both allocated ++ */ ++ if (unlikely(!cmd->req.sg || !cmd->iov)) { ++ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n", ++ queue->idx, data->ttag); ++ goto err_proto; ++ } + cmd->pdu_recv = 0; + nvmet_tcp_build_pdu_iovec(cmd); + queue->cmd = cmd; +-- +2.51.0 + diff --git a/queue-6.6/nvmet-tcp-remove-boilerplate-code.patch b/queue-6.6/nvmet-tcp-remove-boilerplate-code.patch new file mode 100644 index 0000000000..f45b687e58 --- /dev/null +++ b/queue-6.6/nvmet-tcp-remove-boilerplate-code.patch 
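Review bot: The added guard `if (unlikely(!cmd->req.sg || !cmd->iov))` in nvmet_tcp_handle_h2c_data_pdu() only catches NULL pointers, so it depends on both fields being reset to NULL whenever a command slot is released. That reset is not visible in this hunk; if a completed command could keep stale `req.sg` or `iov` values, an H2C_DATA PDU for that ttag would pass the check. Please confirm the release path clears both, and say so in the new comment block. The `pr_err()` is reachable from the remote host, but the neighbouring error paths log the same way and each ends the queue through err_proto, so a ratelimited print is optional. The function starts and ends outside the hunk.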
@@ -0,0 +1,72 @@ +From 43d4a73045201ed8d813b310fd9c1a0d01605b47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Dec 2023 16:17:50 +0100 +Subject: nvmet-tcp: remove boilerplate code + +From: Maurizio Lombardi + +[ Upstream commit 75011bd0f9c55db523242f9f9a0b0b826165f14b ] + +Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing +boilerplate code. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec") +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 6a539c3b8b530..6975b2a054e0d 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -969,8 +969,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + if (unlikely(data->ttag >= queue->nr_cmds)) { + pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", + queue->idx, data->ttag, queue->nr_cmds); +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd = &queue->cmds[data->ttag]; + } else { +@@ -981,9 +980,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + pr_err("ttag %u unexpected data offset %u (expected %u)\n", + data->ttag, le32_to_cpu(data->data_offset), + cmd->rbytes_done); +- /* FIXME: use path and transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + + exp_data_len = le32_to_cpu(data->hdr.plen) - +@@ -996,9 +993,7 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + cmd->pdu_len == 0 || + cmd->pdu_len > NVMET_TCP_MAXH2CDATA)) { + pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len); +- /* FIXME: use proper transport errors */ +- nvmet_tcp_fatal_error(queue); +- return -EPROTO; ++ goto err_proto; + } + cmd->pdu_recv = 0; + 
nvmet_tcp_build_pdu_iovec(cmd); +@@ -1006,6 +1001,11 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + queue->rcv_state = NVMET_TCP_RECV_DATA; + + return 0; ++ ++err_proto: ++ /* FIXME: use proper transport errors */ ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; + } + + static int nvmet_tcp_done_recv_pdu(struct nvmet_tcp_queue *queue) +-- +2.51.0 + diff --git a/queue-6.6/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch b/queue-6.6/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch new file mode 100644 index 0000000000..19bb794d7a --- /dev/null +++ b/queue-6.6/phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch 
@@ -0,0 +1,47 @@ +From 40830775959f7b346e35dbef7562b8703a75ed50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 12:55:34 +0100 +Subject: phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning + (again) + +From: Krzysztof Kozlowski + +[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ] + +"family" is an enum, thus cast of pointer on 64-bit compile test with +clang W=1 causes: + + phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast] + +This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3: +fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit +21bf6fc47a1e ("phy: Use device_get_match_data()"). + +Note that after various discussions the preferred cast is via "unsigned +long", not "uintptr_t". + +Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()") +Signed-off-by: Krzysztof Kozlowski +Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c +index 2c8b1b7dda5bd..5c2710597df2c 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c ++++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c +@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev) + usb3->dev = dev; + usb3->mdiodev = mdiodev; + +- usb3->family = (enum bcm_ns_family)device_get_match_data(dev); ++ usb3->family = (unsigned long)device_get_match_data(dev); + + syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0); + err = of_address_to_resource(syscon_np, 0, &res); +-- +2.51.0 + diff --git a/queue-6.6/phy-drop-probe-registration-printks.patch b/queue-6.6/phy-drop-probe-registration-printks.patch new file mode 100644 index 0000000000..3d422338a8 
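Review bot: The new `usb3->family = (unsigned long)device_get_match_data(dev);` in bcm_ns_usb3_mdio_probe() stores whatever the match table holds into the enum with no range check. device_get_match_data() returns NULL when there is no match data, and that silently becomes family 0. Whether 0 is a dedicated "unknown" value or a real variant is not visible in this hunk; if it names a real variant, probe should fail explicitly when no match data is found. A short comment such as `/* match data carries the enum value, not a pointer */` would also explain the cast, which the commit message says has already regressed once. The function continues outside the hunk.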
--- /dev/null +++ b/queue-6.6/phy-drop-probe-registration-printks.patch 
@@ -0,0 +1,205 @@
+From 8a3eed594fa24bcd5ecaff99b088b250491cfac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 May 2025 10:51:12 +0200
+Subject: phy: drop probe registration printks
+
+From: Johan Hovold
+
+[ Upstream commit 95463cbb4fe6489921fb8c72890113dca54ce83f ]
+
+Drivers should generally be quiet on successful probe, but this is not
+followed by some PHY drivers, for example:
+
+ snps-eusb2-hsphy 88e1000.phy: Registered Snps-eUSB2 phy
+ qcom-eusb2-repeater c432000.spmi:pmic@7:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@a:phy@fd00: Registered Qcom-eUSB2 repeater
+ qcom-eusb2-repeater c432000.spmi:pmic@b:phy@fd00: Registered Qcom-eUSB2 repeater
+ snps-eusb2-hsphy fd3000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fd9000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy fde000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e0000.phy: Registered Snps-eUSB2 phy
+ snps-eusb2-hsphy 88e2000.phy: Registered Snps-eUSB2 phy
+
+Drop (or demote to debug level) unnecessary registration info messages
+to make boot logs a little less noisy.
+ +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250523085112.11287-1-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend") +Signed-off-by: Sasha Levin +--- + drivers/phy/broadcom/phy-bcm-ns2-pcie.c | 2 -- + drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c | 1 - + drivers/phy/broadcom/phy-bcm-sr-pcie.c | 2 -- + drivers/phy/broadcom/phy-brcm-sata.c | 2 +- + drivers/phy/marvell/phy-pxa-usb.c | 1 - + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 2 -- + drivers/phy/qualcomm/phy-qcom-m31.c | 2 -- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 +--- + drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 2 -- + drivers/phy/st/phy-stih407-usb.c | 2 -- + drivers/phy/st/phy-stm32-usbphyc.c | 4 ++-- + drivers/phy/ti/phy-twl4030-usb.c | 1 - + 12 files changed, 4 insertions(+), 21 deletions(-) + +diff --git a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c +index 2eaa41f8fc70c..67a6ae5ecba02 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns2-pcie.c ++++ b/drivers/phy/broadcom/phy-bcm-ns2-pcie.c +@@ -61,8 +61,6 @@ static int ns2_pci_phy_probe(struct mdio_device *mdiodev) + return PTR_ERR(provider); + } + +- dev_info(dev, "%s PHY registered\n", dev_name(dev)); +- + return 0; + } + +diff --git a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c +index 36ad02c33ac55..8473fa5745296 100644 +--- a/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c ++++ b/drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c +@@ -395,7 +395,6 @@ static int ns2_drd_phy_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, driver); + +- dev_info(dev, "Registered NS2 DRD Phy device\n"); + queue_delayed_work(system_power_efficient_wq, &driver->wq_extcon, + driver->debounce_jiffies); + +diff --git a/drivers/phy/broadcom/phy-bcm-sr-pcie.c b/drivers/phy/broadcom/phy-bcm-sr-pcie.c +index 8a4aadf166cf9..c85af65086773 100644 +--- 
a/drivers/phy/broadcom/phy-bcm-sr-pcie.c ++++ b/drivers/phy/broadcom/phy-bcm-sr-pcie.c +@@ -277,8 +277,6 @@ static int sr_pcie_phy_probe(struct platform_device *pdev) + return PTR_ERR(provider); + } + +- dev_info(dev, "Stingray PCIe PHY driver initialized\n"); +- + return 0; + } + +diff --git a/drivers/phy/broadcom/phy-brcm-sata.c b/drivers/phy/broadcom/phy-brcm-sata.c +index ed9e18791ec94..6838cb76e8268 100644 +--- a/drivers/phy/broadcom/phy-brcm-sata.c ++++ b/drivers/phy/broadcom/phy-brcm-sata.c +@@ -836,7 +836,7 @@ static int brcm_sata_phy_probe(struct platform_device *pdev) + return PTR_ERR(provider); + } + +- dev_info(dev, "registered %d port(s)\n", count); ++ dev_dbg(dev, "registered %d port(s)\n", count); + + return 0; + put_child: +diff --git a/drivers/phy/marvell/phy-pxa-usb.c b/drivers/phy/marvell/phy-pxa-usb.c +index 6c98eb9608e9c..c0bb71f80c042 100644 +--- a/drivers/phy/marvell/phy-pxa-usb.c ++++ b/drivers/phy/marvell/phy-pxa-usb.c +@@ -325,7 +325,6 @@ static int pxa_usb_phy_probe(struct platform_device *pdev) + phy_create_lookup(pxa_usb_phy->phy, "usb", "mv-otg"); + } + +- dev_info(dev, "Marvell PXA USB PHY"); + return 0; + } + +diff --git a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +index a43e20abb10d5..ad7bf049d7263 100644 +--- a/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c ++++ b/drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c +@@ -251,8 +251,6 @@ static int eusb2_repeater_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Qcom-eUSB2 repeater\n"); +- + return 0; + } + +diff --git a/drivers/phy/qualcomm/phy-qcom-m31.c b/drivers/phy/qualcomm/phy-qcom-m31.c +index a5e60039a264a..116cfa6ddac6f 100644 +--- a/drivers/phy/qualcomm/phy-qcom-m31.c ++++ b/drivers/phy/qualcomm/phy-qcom-m31.c +@@ -267,8 +267,6 @@ static int m31usb_phy_probe(struct platform_device *pdev) + phy_set_drvdata(qphy->phy, qphy); + + phy_provider = 
devm_of_phy_provider_register(dev, of_phy_simple_xlate); +- if (!IS_ERR(phy_provider)) +- dev_info(dev, "Registered M31 USB phy\n"); + + return PTR_ERR_OR_ZERO(phy_provider); + } +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index c52655a383cef..531c3860c3160 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -1084,9 +1084,7 @@ static int qusb2_phy_probe(struct platform_device *pdev) + phy_set_drvdata(generic_phy, qphy); + + phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate); +- if (!IS_ERR(phy_provider)) +- dev_info(dev, "Registered Qcom-QUSB2 phy\n"); +- else ++ if (IS_ERR(phy_provider)) + pm_runtime_disable(dev); + + return PTR_ERR_OR_ZERO(phy_provider); +diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +index e1b175f481b4e..4a1dfef5ff8ff 100644 +--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +@@ -418,8 +418,6 @@ static int snps_eusb2_hsphy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Snps-eUSB2 phy\n"); +- + return 0; + } + +diff --git a/drivers/phy/st/phy-stih407-usb.c b/drivers/phy/st/phy-stih407-usb.c +index a4ae2cca7f637..02e6117709dca 100644 +--- a/drivers/phy/st/phy-stih407-usb.c ++++ b/drivers/phy/st/phy-stih407-usb.c +@@ -149,8 +149,6 @@ static int stih407_usb2_picophy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "STiH407 USB Generic picoPHY driver probed!"); +- + return 0; + } + +diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c +index d5e7e44000b56..f8374a7f3a655 100644 +--- a/drivers/phy/st/phy-stm32-usbphyc.c ++++ b/drivers/phy/st/phy-stm32-usbphyc.c +@@ -757,8 +757,8 @@ static int stm32_usbphyc_probe(struct platform_device *pdev) + } + + version = 
readl_relaxed(usbphyc->base + STM32_USBPHYC_VERSION); +- dev_info(dev, "registered rev:%lu.%lu\n", +- FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version)); ++ dev_dbg(dev, "registered rev: %lu.%lu\n", ++ FIELD_GET(MAJREV, version), FIELD_GET(MINREV, version)); + + return 0; + +diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c +index 6b265992d988f..e5918d3b486cc 100644 +--- a/drivers/phy/ti/phy-twl4030-usb.c ++++ b/drivers/phy/ti/phy-twl4030-usb.c +@@ -784,7 +784,6 @@ static int twl4030_usb_probe(struct platform_device *pdev) + pm_runtime_mark_last_busy(&pdev->dev); + pm_runtime_put_autosuspend(twl->dev); + +- dev_info(&pdev->dev, "Initialized TWL4030 USB module\n"); + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.6/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch b/queue-6.6/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch new file mode 100644 index 0000000000..9333a91b82 --- /dev/null +++ b/queue-6.6/phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch 
@@ -0,0 +1,45 @@
+From dac78f0c087c3937d09e8475ee6b37705be82ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 17:09:12 +0100
+Subject: phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using
+ it
+
+From: Stefano Radaelli
+
+[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
+
+Clear the PCS_TX_SWING_FULL field mask before setting the new value
+in PHY_CTRL5 register. Without clearing the mask first, the OR operation
+could leave previously set bits, resulting in incorrect register
+configuration.
+
+Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
+Suggested-by: Leonid Segal
+Acked-by: Pierluigi Passaro
+Signed-off-by: Stefano Radaelli
+Reviewed-by: Xu Yang
+Reviewed-by: Frank Li
+Reviewed-by: Fabio Estevam
+Reviewed-by: Ahmad Fatoum
+Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+index f914f016b3d2c..043063699e064 100644
+--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
++++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+@@ -206,6 +206,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
+
+ if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
+ value = readl(imx_phy->base + PHY_CTRL5);
++ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
+ value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
+ imx_phy->pcs_tx_swing_full);
+ writel(value, imx_phy->base + PHY_CTRL5);
+--
+2.51.0
+
diff --git a/queue-6.6/phy-phy-snps-eusb2-refactor-constructs-names.patch b/queue-6.6/phy-phy-snps-eusb2-refactor-constructs-names.patch
new file mode 100644
index 0000000000..ec35905bd2
--- /dev/null
+++ b/queue-6.6/phy-phy-snps-eusb2-refactor-constructs-names.patch
@@ -0,0 +1,509 @@ +From 5eab9af7e4e9c1257651e01217f04df582b7ab88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 May 2025 17:45:21 +0300 +Subject: phy: phy-snps-eusb2: refactor constructs names + +From: Ivaylo Ivanov + +[ Upstream commit 93dbe9b5b3a265c7e5466c7b6ada439b01577de5 ] + +As the driver now resides outside the phy subdirectory under a different +name, refactor all definitions, structures and functions to explicitly +specify what code is Qualcomm-specific and what is not. + +Signed-off-by: Ivaylo Ivanov +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250504144527.1723980-5-ivo.ivanov.ivanov1@gmail.com +Signed-off-by: Vinod Koul +Stable-dep-of: 1ca52c0983c3 ("phy: qcom-qusb2: Fix NULL pointer dereference on early suspend") +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 256 ++++++++++----------- + 1 file changed, 128 insertions(+), 128 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +index 1484691a41d59..e1b175f481b4e 100644 +--- a/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-snps-eusb2.c +@@ -13,15 +13,15 @@ + #include + #include + +-#define USB_PHY_UTMI_CTRL0 (0x3c) ++#define QCOM_USB_PHY_UTMI_CTRL0 (0x3c) + #define SLEEPM BIT(0) + #define OPMODE_MASK GENMASK(4, 3) + #define OPMODE_NONDRIVING BIT(3) + +-#define USB_PHY_UTMI_CTRL5 (0x50) ++#define QCOM_USB_PHY_UTMI_CTRL5 (0x50) + #define POR BIT(1) + +-#define USB_PHY_HS_PHY_CTRL_COMMON0 (0x54) ++#define QCOM_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54) + #define PHY_ENABLE BIT(0) + #define SIDDQ_SEL BIT(1) + #define SIDDQ BIT(2) +@@ -30,15 +30,15 @@ + #define FSEL_19_2_MHZ_VAL (0x0) + #define FSEL_38_4_MHZ_VAL (0x4) + +-#define USB_PHY_CFG_CTRL_1 (0x58) ++#define QCOM_USB_PHY_CFG_CTRL_1 (0x58) + #define PHY_CFG_PLL_CPBIAS_CNTRL_MASK GENMASK(7, 1) + +-#define USB_PHY_CFG_CTRL_2 (0x5c) ++#define QCOM_USB_PHY_CFG_CTRL_2 (0x5c) + #define 
PHY_CFG_PLL_FB_DIV_7_0_MASK GENMASK(7, 0) + #define DIV_7_0_19_2_MHZ_VAL (0x90) + #define DIV_7_0_38_4_MHZ_VAL (0xc8) + +-#define USB_PHY_CFG_CTRL_3 (0x60) ++#define QCOM_USB_PHY_CFG_CTRL_3 (0x60) + #define PHY_CFG_PLL_FB_DIV_11_8_MASK GENMASK(3, 0) + #define DIV_11_8_19_2_MHZ_VAL (0x1) + #define DIV_11_8_38_4_MHZ_VAL (0x0) +@@ -46,73 +46,73 @@ + #define PHY_CFG_PLL_REF_DIV GENMASK(7, 4) + #define PLL_REF_DIV_VAL (0x0) + +-#define USB_PHY_HS_PHY_CTRL2 (0x64) ++#define QCOM_USB_PHY_HS_PHY_CTRL2 (0x64) + #define VBUSVLDEXT0 BIT(0) + #define USB2_SUSPEND_N BIT(2) + #define USB2_SUSPEND_N_SEL BIT(3) + #define VBUS_DET_EXT_SEL BIT(4) + +-#define USB_PHY_CFG_CTRL_4 (0x68) ++#define QCOM_USB_PHY_CFG_CTRL_4 (0x68) + #define PHY_CFG_PLL_GMP_CNTRL_MASK GENMASK(1, 0) + #define PHY_CFG_PLL_INT_CNTRL_MASK GENMASK(7, 2) + +-#define USB_PHY_CFG_CTRL_5 (0x6c) ++#define QCOM_USB_PHY_CFG_CTRL_5 (0x6c) + #define PHY_CFG_PLL_PROP_CNTRL_MASK GENMASK(4, 0) + #define PHY_CFG_PLL_VREF_TUNE_MASK GENMASK(7, 6) + +-#define USB_PHY_CFG_CTRL_6 (0x70) ++#define QCOM_USB_PHY_CFG_CTRL_6 (0x70) + #define PHY_CFG_PLL_VCO_CNTRL_MASK GENMASK(2, 0) + +-#define USB_PHY_CFG_CTRL_7 (0x74) ++#define QCOM_USB_PHY_CFG_CTRL_7 (0x74) + +-#define USB_PHY_CFG_CTRL_8 (0x78) ++#define QCOM_USB_PHY_CFG_CTRL_8 (0x78) + #define PHY_CFG_TX_FSLS_VREF_TUNE_MASK GENMASK(1, 0) + #define PHY_CFG_TX_FSLS_VREG_BYPASS BIT(2) + #define PHY_CFG_TX_HS_VREF_TUNE_MASK GENMASK(5, 3) + #define PHY_CFG_TX_HS_XV_TUNE_MASK GENMASK(7, 6) + +-#define USB_PHY_CFG_CTRL_9 (0x7c) ++#define QCOM_USB_PHY_CFG_CTRL_9 (0x7c) + #define PHY_CFG_TX_PREEMP_TUNE_MASK GENMASK(2, 0) + #define PHY_CFG_TX_RES_TUNE_MASK GENMASK(4, 3) + #define PHY_CFG_TX_RISE_TUNE_MASK GENMASK(6, 5) + #define PHY_CFG_RCAL_BYPASS BIT(7) + +-#define USB_PHY_CFG_CTRL_10 (0x80) ++#define QCOM_USB_PHY_CFG_CTRL_10 (0x80) + +-#define USB_PHY_CFG0 (0x94) ++#define QCOM_USB_PHY_CFG0 (0x94) + #define DATAPATH_CTRL_OVERRIDE_EN BIT(0) + #define CMN_CTRL_OVERRIDE_EN BIT(1) + +-#define 
UTMI_PHY_CMN_CTRL0 (0x98) ++#define QCOM_UTMI_PHY_CMN_CTRL0 (0x98) + #define TESTBURNIN BIT(6) + +-#define USB_PHY_FSEL_SEL (0xb8) ++#define QCOM_USB_PHY_FSEL_SEL (0xb8) + #define FSEL_SEL BIT(0) + +-#define USB_PHY_APB_ACCESS_CMD (0x130) ++#define QCOM_USB_PHY_APB_ACCESS_CMD (0x130) + #define RW_ACCESS BIT(0) + #define APB_START_CMD BIT(1) + #define APB_LOGIC_RESET BIT(2) + +-#define USB_PHY_APB_ACCESS_STATUS (0x134) ++#define QCOM_USB_PHY_APB_ACCESS_STATUS (0x134) + #define ACCESS_DONE BIT(0) + #define TIMED_OUT BIT(1) + #define ACCESS_ERROR BIT(2) + #define ACCESS_IN_PROGRESS BIT(3) + +-#define USB_PHY_APB_ADDRESS (0x138) ++#define QCOM_USB_PHY_APB_ADDRESS (0x138) + #define APB_REG_ADDR_MASK GENMASK(7, 0) + +-#define USB_PHY_APB_WRDATA_LSB (0x13c) ++#define QCOM_USB_PHY_APB_WRDATA_LSB (0x13c) + #define APB_REG_WRDATA_7_0_MASK GENMASK(3, 0) + +-#define USB_PHY_APB_WRDATA_MSB (0x140) ++#define QCOM_USB_PHY_APB_WRDATA_MSB (0x140) + #define APB_REG_WRDATA_15_8_MASK GENMASK(7, 4) + +-#define USB_PHY_APB_RDDATA_LSB (0x144) ++#define QCOM_USB_PHY_APB_RDDATA_LSB (0x144) + #define APB_REG_RDDATA_7_0_MASK GENMASK(3, 0) + +-#define USB_PHY_APB_RDDATA_MSB (0x148) ++#define QCOM_USB_PHY_APB_RDDATA_MSB (0x148) + #define APB_REG_RDDATA_15_8_MASK GENMASK(7, 4) + + static const char * const eusb2_hsphy_vreg_names[] = { +@@ -121,7 +121,7 @@ static const char * const eusb2_hsphy_vreg_names[] = { + + #define EUSB2_NUM_VREGS ARRAY_SIZE(eusb2_hsphy_vreg_names) + +-struct qcom_snps_eusb2_hsphy { ++struct snps_eusb2_hsphy { + struct phy *phy; + void __iomem *base; + +@@ -135,17 +135,17 @@ struct qcom_snps_eusb2_hsphy { + struct phy *repeater; + }; + +-static int qcom_snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode) ++static int snps_eusb2_hsphy_set_mode(struct phy *p, enum phy_mode mode, int submode) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + + phy->mode = mode; + + return 
phy_set_mode_ext(phy->repeater, mode, submode); + } + +-static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, +- u32 mask, u32 val) ++static void snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, ++ u32 mask, u32 val) + { + u32 reg; + +@@ -158,65 +158,65 @@ static void qcom_snps_eusb2_hsphy_write_mask(void __iomem *base, u32 offset, + readl_relaxed(base + offset); + } + +-static void qcom_eusb2_default_parameters(struct qcom_snps_eusb2_hsphy *phy) ++static void qcom_eusb2_default_parameters(struct snps_eusb2_hsphy *phy) + { + /* default parameters: tx pre-emphasis */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_PREEMP_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_PREEMP_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_PREEMP_TUNE_MASK, 0)); + + /* tx rise/fall time */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_RISE_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_RISE_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_RISE_TUNE_MASK, 0x2)); + + /* source impedance adjustment */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_9, +- PHY_CFG_TX_RES_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_9, ++ PHY_CFG_TX_RES_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_RES_TUNE_MASK, 0x1)); + + /* dc voltage level adjustement */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8, +- PHY_CFG_TX_HS_VREF_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8, ++ PHY_CFG_TX_HS_VREF_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_HS_VREF_TUNE_MASK, 0x3)); + + /* transmitter HS crossover adjustement */ +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_8, 
+- PHY_CFG_TX_HS_XV_TUNE_MASK, +- FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_8, ++ PHY_CFG_TX_HS_XV_TUNE_MASK, ++ FIELD_PREP(PHY_CFG_TX_HS_XV_TUNE_MASK, 0x0)); + } + +-static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy) ++static int qcom_eusb2_ref_clk_init(struct snps_eusb2_hsphy *phy) + { + unsigned long ref_clk_freq = clk_get_rate(phy->ref_clk); + + switch (ref_clk_freq) { + case 19200000: +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- FSEL_MASK, +- FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ FSEL_MASK, ++ FIELD_PREP(FSEL_MASK, FSEL_19_2_MHZ_VAL)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2, +- PHY_CFG_PLL_FB_DIV_7_0_MASK, +- DIV_7_0_19_2_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2, ++ PHY_CFG_PLL_FB_DIV_7_0_MASK, ++ DIV_7_0_19_2_MHZ_VAL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_FB_DIV_11_8_MASK, +- DIV_11_8_19_2_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_FB_DIV_11_8_MASK, ++ DIV_11_8_19_2_MHZ_VAL); + break; + + case 38400000: +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- FSEL_MASK, +- FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ FSEL_MASK, ++ FIELD_PREP(FSEL_MASK, FSEL_38_4_MHZ_VAL)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_2, +- PHY_CFG_PLL_FB_DIV_7_0_MASK, +- DIV_7_0_38_4_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_2, ++ PHY_CFG_PLL_FB_DIV_7_0_MASK, ++ DIV_7_0_38_4_MHZ_VAL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_FB_DIV_11_8_MASK, +- DIV_11_8_38_4_MHZ_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, 
QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_FB_DIV_11_8_MASK, ++ DIV_11_8_38_4_MHZ_VAL); + break; + + default: +@@ -224,15 +224,15 @@ static int qcom_eusb2_ref_clk_init(struct qcom_snps_eusb2_hsphy *phy) + return -EINVAL; + } + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_3, +- PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_3, ++ PHY_CFG_PLL_REF_DIV, PLL_REF_DIV_VAL); + + return 0; + } + +-static int qcom_snps_eusb2_hsphy_init(struct phy *p) ++static int snps_eusb2_hsphy_init(struct phy *p) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + int ret; + + ret = regulator_bulk_enable(ARRAY_SIZE(phy->vregs), phy->vregs); +@@ -265,73 +265,73 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p) + goto disable_ref_clk; + } + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG0, +- CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG0, ++ CMN_CTRL_OVERRIDE_EN, CMN_CTRL_OVERRIDE_EN); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, POR); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, POR); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ PHY_ENABLE | RETENABLEN, PHY_ENABLE | RETENABLEN); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_APB_ACCESS_CMD, +- APB_LOGIC_RESET, APB_LOGIC_RESET); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_APB_ACCESS_CMD, ++ APB_LOGIC_RESET, APB_LOGIC_RESET); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_UTMI_PHY_CMN_CTRL0, TESTBURNIN, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_FSEL_SEL, +- FSEL_SEL, FSEL_SEL); ++ 
snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_FSEL_SEL, ++ FSEL_SEL, FSEL_SEL); + + /* update ref_clk related registers */ + ret = qcom_eusb2_ref_clk_init(phy); + if (ret) +- goto disable_ref_clk; ++ return ret; + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_1, +- PHY_CFG_PLL_CPBIAS_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_1, ++ PHY_CFG_PLL_CPBIAS_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_CPBIAS_CNTRL_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4, +- PHY_CFG_PLL_INT_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4, ++ PHY_CFG_PLL_INT_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_INT_CNTRL_MASK, 0x8)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_4, +- PHY_CFG_PLL_GMP_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_4, ++ PHY_CFG_PLL_GMP_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_GMP_CNTRL_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5, +- PHY_CFG_PLL_PROP_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5, ++ PHY_CFG_PLL_PROP_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_PROP_CNTRL_MASK, 0x10)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_6, +- PHY_CFG_PLL_VCO_CNTRL_MASK, +- FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_6, ++ PHY_CFG_PLL_VCO_CNTRL_MASK, ++ FIELD_PREP(PHY_CFG_PLL_VCO_CNTRL_MASK, 0x0)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_CFG_CTRL_5, +- PHY_CFG_PLL_VREF_TUNE_MASK, +- FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1)); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_CFG_CTRL_5, ++ PHY_CFG_PLL_VREF_TUNE_MASK, ++ 
FIELD_PREP(PHY_CFG_PLL_VREF_TUNE_MASK, 0x1)); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ VBUS_DET_EXT_SEL, VBUS_DET_EXT_SEL); + + /* set default parameters */ + qcom_eusb2_default_parameters(phy); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N, +- USB2_SUSPEND_N_SEL | USB2_SUSPEND_N); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N, ++ USB2_SUSPEND_N_SEL | USB2_SUSPEND_N); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL0, SLEEPM, SLEEPM); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- SIDDQ_SEL, SIDDQ_SEL); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ SIDDQ_SEL, SIDDQ_SEL); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL_COMMON0, +- SIDDQ, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL_COMMON0, ++ SIDDQ, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_UTMI_CTRL5, POR, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_UTMI_CTRL5, POR, 0); + +- qcom_snps_eusb2_hsphy_write_mask(phy->base, USB_PHY_HS_PHY_CTRL2, +- USB2_SUSPEND_N_SEL, 0); ++ snps_eusb2_hsphy_write_mask(phy->base, QCOM_USB_PHY_HS_PHY_CTRL2, ++ USB2_SUSPEND_N_SEL, 0); + + return 0; + +@@ -344,9 +344,9 @@ static int qcom_snps_eusb2_hsphy_init(struct phy *p) + return ret; + } + +-static int qcom_snps_eusb2_hsphy_exit(struct phy *p) ++static int snps_eusb2_hsphy_exit(struct phy *p) + { +- struct qcom_snps_eusb2_hsphy *phy = phy_get_drvdata(p); ++ struct snps_eusb2_hsphy *phy = phy_get_drvdata(p); + + clk_disable_unprepare(phy->ref_clk); + +@@ -357,18 +357,18 @@ static int qcom_snps_eusb2_hsphy_exit(struct phy *p) + 
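Review bot: In the snps_eusb2_hsphy_init() hunk the failure path after `qcom_eusb2_ref_clk_init(phy)` changes from `goto disable_ref_clk;` to `return ret;`, which is a behaviour change inside a commit described as a pure rename. By that point the function has already called `regulator_bulk_enable()` (visible in the preceding hunk), and an earlier failure in this same hunk still jumps to `disable_ref_clk`, so an unsupported reference clock rate would now return -EINVAL with the clock and regulators presumably left enabled. Unless a dependent patch in the queue reworks the unwinding, the line should stay `goto disable_ref_clk;`. The cleanup labels sit outside this hunk, so the exact unwind order cannot be confirmed from here.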
return 0; + } + +-static const struct phy_ops qcom_snps_eusb2_hsphy_ops = { +- .init = qcom_snps_eusb2_hsphy_init, +- .exit = qcom_snps_eusb2_hsphy_exit, +- .set_mode = qcom_snps_eusb2_hsphy_set_mode, ++static const struct phy_ops snps_eusb2_hsphy_ops = { ++ .init = snps_eusb2_hsphy_init, ++ .exit = snps_eusb2_hsphy_exit, ++ .set_mode = snps_eusb2_hsphy_set_mode, + .owner = THIS_MODULE, + }; + +-static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) ++static int snps_eusb2_hsphy_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; +- struct qcom_snps_eusb2_hsphy *phy; ++ struct snps_eusb2_hsphy *phy; + struct phy_provider *phy_provider; + struct phy *generic_phy; + int ret, i; +@@ -405,7 +405,7 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(phy->repeater), + "failed to get repeater\n"); + +- generic_phy = devm_phy_create(dev, NULL, &qcom_snps_eusb2_hsphy_ops); ++ generic_phy = devm_phy_create(dev, NULL, &snps_eusb2_hsphy_ops); + if (IS_ERR(generic_phy)) { + dev_err(dev, "failed to create phy %d\n", ret); + return PTR_ERR(generic_phy); +@@ -418,25 +418,25 @@ static int qcom_snps_eusb2_hsphy_probe(struct platform_device *pdev) + if (IS_ERR(phy_provider)) + return PTR_ERR(phy_provider); + +- dev_info(dev, "Registered Qcom-eUSB2 phy\n"); ++ dev_info(dev, "Registered Snps-eUSB2 phy\n"); + + return 0; + } + +-static const struct of_device_id qcom_snps_eusb2_hsphy_of_match_table[] = { ++static const struct of_device_id snps_eusb2_hsphy_of_match_table[] = { + { .compatible = "qcom,sm8550-snps-eusb2-phy", }, + { }, + }; +-MODULE_DEVICE_TABLE(of, qcom_snps_eusb2_hsphy_of_match_table); ++MODULE_DEVICE_TABLE(of, snps_eusb2_hsphy_of_match_table); + +-static struct platform_driver qcom_snps_eusb2_hsphy_driver = { +- .probe = qcom_snps_eusb2_hsphy_probe, ++static struct platform_driver snps_eusb2_hsphy_driver = { ++ .probe = 
snps_eusb2_hsphy_probe, + .driver = { +- .name = "qcom-snps-eusb2-hsphy", +- .of_match_table = qcom_snps_eusb2_hsphy_of_match_table, ++ .name = "snps-eusb2-hsphy", ++ .of_match_table = snps_eusb2_hsphy_of_match_table, + }, + }; + +-module_platform_driver(qcom_snps_eusb2_hsphy_driver); +-MODULE_DESCRIPTION("Qualcomm SNPS eUSB2 HS PHY driver"); ++module_platform_driver(snps_eusb2_hsphy_driver); ++MODULE_DESCRIPTION("Synopsys eUSB2 HS PHY driver"); + MODULE_LICENSE("GPL"); +-- +2.51.0 + diff --git a/queue-6.6/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch b/queue-6.6/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch new file mode 100644 index 0000000000..c8f9f9b6ed --- /dev/null +++ b/queue-6.6/phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch 
@@ -0,0 +1,91 @@
+From 85f90803cb6ae0200f70662480649398b451c943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 09:56:40 +0100
+Subject: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
+
+From: Loic Poulain
+
+[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
+
+Enabling runtime PM before attaching the QPHY instance as driver data
+can lead to a NULL pointer dereference in runtime PM callbacks that
+expect valid driver data. There is a small window where the suspend
+callback may run after PM runtime enabling and before runtime forbid.
+This causes a sporadic crash during boot:
+
+```
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
+[...]
+CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
+Workqueue: pm pm_runtime_work
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
+lr : pm_generic_runtime_suspend+0x2c/0x44
+[...]
+```
+
+Attach the QPHY instance as driver data before enabling runtime PM to
+prevent NULL pointer dereference in runtime PM callbacks.
+
+Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
+short window where an unnecessary runtime suspend can occur.
+
+Use the devres-managed version to ensure PM runtime is symmetrically
+disabled during driver removal for proper cleanup.
+
+Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
+Signed-off-by: Loic Poulain
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Abel Vesa
+Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+index 531c3860c3160..d3c26a39873f7 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
+@@ -1063,29 +1063,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
+ or->hsdisc_trim.override = true;
+ }
+
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ dev_set_drvdata(dev, qphy);
++
+ /*
+- * Prevent runtime pm from being ON by default. Users can enable
+- * it using power/control in sysfs.
++ * Enable runtime PM support, but forbid it by default.
++ * Users can allow it again via the power/control attribute in sysfs.
+ */
++ pm_runtime_set_active(dev);
+ pm_runtime_forbid(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+
+ generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
+ if (IS_ERR(generic_phy)) {
+ ret = PTR_ERR(generic_phy);
+ dev_err(dev, "failed to create phy, %d\n", ret);
+- pm_runtime_disable(dev);
+ return ret;
+ }
+ qphy->phy = generic_phy;
+
+- dev_set_drvdata(dev, qphy);
+ phy_set_drvdata(generic_phy, qphy);
+
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/phy-stm32-usphyc-fix-off-by-one-in-probe.patch b/queue-6.6/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
new file mode 100644
index 0000000000..46e14a966b
--- /dev/null
+++ b/queue-6.6/phy-stm32-usphyc-fix-off-by-one-in-probe.patch
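Review bot: The moved `dev_set_drvdata(dev, qphy);` in qusb2_phy_probe() has no comment, although its position ahead of the runtime PM calls is the whole fix, so a later cleanup could move it back beside `phy_set_drvdata()` without noticing. I would add `/* Must be set before runtime PM is enabled: the runtime PM callbacks read drvdata. */` above it. Separately, `qphy->phy` is still assigned only after `devm_pm_runtime_enable()`; if the runtime suspend or resume callbacks (not visible here) use that field, it needs the same ordering guarantee for the case where the forbid is lifted through power/control. The function starts before the hunk.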
@@ -0,0 +1,41 @@
+From c23e30f6c0fd835e3f36f77b1f9358c7dbbf90ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Dec 2025 09:53:36 +0300
+Subject: phy: stm32-usphyc: Fix off by one in probe()
+
+From: Dan Carpenter
+
+[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
+
+The "index" variable is used as an index into the usbphyc->phys[] array
+which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
+then it is one element out of bounds. The "index" comes from the
+device tree so it's data that we trust and it's unlikely to be wrong,
+however it's obviously still worth fixing the bug. Change the > to >=.
+
+Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Amelie Delaunay
+Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
+index f8374a7f3a655..4a8f2ab65571a 100644
+--- a/drivers/phy/st/phy-stm32-usbphyc.c
++++ b/drivers/phy/st/phy-stm32-usbphyc.c
+@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
+ }
+
+ ret = of_property_read_u32(child, "reg", &index);
+- if (ret || index > usbphyc->nphys) {
++ if (ret || index >= usbphyc->nphys) {
+ dev_err(&phy->dev, "invalid reg property: %d\n", ret);
+ if (!ret)
+ ret = -EINVAL;
+--
+2.51.0
+
diff --git a/queue-6.6/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch b/queue-6.6/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
new file mode 100644
index 0000000000..d4e5f1d8a7
--- /dev/null
+++ b/queue-6.6/pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
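Review bot: When `reg` parses successfully but the index is out of range, the `dev_err()` directly below the corrected condition still prints `ret`, which is 0 on that path, so the log reads "invalid reg property: 0" and gives no hint that the bounds check fired. Moving the existing `if (!ret) ret = -EINVAL;` above the `dev_err()` call would make the message carry the real error code. Since this check is what keeps the index inside `usbphyc->phys[]`, a clear diagnostic matters when a malformed device tree trips it. The enclosing block in stm32_usbphyc_probe() continues past the end of the hunk.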
@@ -0,0 +1,40 @@
+From 46854c7919efbfb288ee9e4a0f88270ca45c6df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Dec 2025 07:41:03 +0000
+Subject: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
+
+From: Zilin Guan
+
+[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
+
+In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
+the function jumps to the out_scratch label without freeing the already
+allocated dsaddrs list, leading to a memory leak.
+
+Fix this by jumping to the out_err_drain_dsaddrs label, which properly
+frees the dsaddrs list before cleaning up other resources.
+
+Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Zilin Guan
+Signed-off-by: Trond Myklebust
+Signed-off-by: Sasha Levin
+---
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+index 95d5dca671456..ed18e9e87c25f 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
+ sizeof(struct nfs4_ff_ds_version),
+ gfp_flags);
+ if (!ds_versions)
+- goto out_scratch;
++ goto out_err_drain_dsaddrs;
+
+ for (i = 0; i < version_count; i++) {
+ /* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
+--
+2.51.0
+
diff --git a/queue-6.6/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch b/queue-6.6/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
new file mode 100644
index 0000000000..3a1a2bde8f
--- /dev/null
+++ b/queue-6.6/selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
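Review bot: Nothing near the `ds_versions` allocation check says that `dsaddrs` is already populated at this point, which is exactly the fact the corrected `goto out_err_drain_dsaddrs;` depends on. A one-line comment above the check, e.g. `/* dsaddrs is populated from here on: fail via out_err_drain_dsaddrs */`, would help keep later error paths in nfs4_ff_alloc_deviceid_node() from reintroducing the leak. It is also worth confirming that `ret` holds an allocation-failure code on this path, since it is not assigned in the visible lines. The function starts and ends outside the hunk, so the label order could not be checked here.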
@@ -0,0 +1,44 @@
+From db87b8f19b241380cdcd940bca10fcf0533f6e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Jan 2026 19:37:15 +0200
+Subject: selftests: drv-net: fix RPS mask handling for high CPU numbers
+
+From: Gal Pressman
+
+[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
+
+The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
+0xfff0, only allowing CPUs 0-3.
+
+Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
+0-15.
+
+Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
+Reviewed-by: Nimrod Oren
+Signed-off-by: Gal Pressman
+Reviewed-by: Willem de Bruijn
+Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/selftests/net/toeplitz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
+index 9ba03164d73a6..5099157f01b9a 100644
+--- a/tools/testing/selftests/net/toeplitz.c
++++ b/tools/testing/selftests/net/toeplitz.c
+@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
+
+ bitmap = strtoul(arg, NULL, 0);
+
+- if (bitmap & ~(RPS_MAX_CPUS - 1))
+- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
++ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
++ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
+ bitmap, RPS_MAX_CPUS - 1);
+
+ for (i = 0; i < RPS_MAX_CPUS; i++)
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index ef480c19aa..daed5f935a 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
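Review bot: `bitmap = strtoul(arg, NULL, 0);` just above the corrected bounds check discards the end pointer, so a non-numeric or partly numeric argument is silently accepted (as 0 or as its numeric prefix) and then passes the new mask test. Since this change is about validating the argument, I would declare `char *end;`, parse with `bitmap = strtoul(arg, &end, 0);` and reject leftovers with `if (end == arg || *end) error(1, 0, "invalid rps bitmap %s", arg);`. Note also that `1UL << RPS_MAX_CPUS` is only defined while RPS_MAX_CPUS stays below the width of unsigned long; the commit message implies 16, so this holds today. parse_rps_bitmap() continues outside the hunk.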
@@ -2,3 +2,41 @@ firmware-imx-scu-irq-set-mu_resource_id-before-get-handle.patch
 efi-cper-fix-cper_bits_to_str-buffer-handling-and-return-value.patch
 revert-gfs2-fix-use-of-bio_chain.patch
 asoc-codecs-wsa884x-fix-codec-initialisation.patch
+xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
+pnfs-flexfiles-fix-memory-leak-in-nfs4_ff_alloc_devi.patch
+can-etas_es58x-allow-partial-rx-urb-allocation-to-su.patch
+nvmet-tcp-remove-boilerplate-code.patch
+nvme-tcp-fix-null-pointer-dereferences-in-nvmet_tcp_.patch
+btrfs-send-check-for-inline-extents-in-range_is_hole.patch
+net-bridge-set-br_fdb_added_by_user-early-in-fdb_add.patch
+net-bridge-annotate-data-races-around-fdb-updated-us.patch
+ip6_tunnel-use-skb_vlan_inet_prepare-in-__ip6_tnl_rc.patch
+net-update-netdev_lock_-type-name.patch
+macvlan-fix-possible-uaf-in-macvlan_forward_source.patch
+ipv4-ip_gre-make-ipgre_header-robust.patch
+vsock-test-add-a-final-full-barrier-after-run-all-te.patch
+net-mlx5e-restore-destroying-state-bit-after-profile.patch
+btrfs-store-fs_info-in-space_info.patch
+btrfs-factor-out-init_space_info-from-create_space_i.patch
+btrfs-factor-out-check_removing_space_info-from-btrf.patch
+btrfs-introduce-btrfs_space_info-sub-group.patch
+btrfs-fix-memory-leaks-in-create_space_info-error-pa.patch
+net-hv_netvsc-reject-rss-hash-key-programming-withou.patch
+ipv6-fix-use-after-free-in-inet6_addr_del.patch
+selftests-drv-net-fix-rps-mask-handling-for-high-cpu.patch
+net-sched-sch_qfq-do-not-free-existing-class-in-qfq_.patch
+asoc-tlv320adcx140-fix-null-pointer.patch
+asoc-tlv320adcx140-fix-word-length.patch
+textsearch-describe-list-member-in-ts_ops-search.patch
+mm-kfence-describe-slab-parameter-in-__kfence_obj_in.patch
+dmaengine-xilinx-xdma-fix-regmap-max_register.patch
+dmaengine-tegra-adma-fix-use-after-free.patch
+dmaengine-xilinx_dma-fix-uninitialized-addr_width-wh.patch
+phy-fsl-imx8mq-usb-clear-the-pcs_tx_swing_full-field.patch
+phy-phy-snps-eusb2-refactor-constructs-names.patch
+phy-drop-probe-registration-printks.patch
+phy-qcom-qusb2-fix-null-pointer-dereference-on-early.patch
+phy-stm32-usphyc-fix-off-by-one-in-probe.patch
+phy-broadcom-ns-usb3-fix-wvoid-pointer-to-enum-cast-.patch
+dmaengine-omap-dma-fix-dma_pool-resource-leak-in-err.patch
+i2c-qcom-geni-make-sure-i2c-hub-controllers-can-t-us.patch
diff --git a/queue-6.6/textsearch-describe-list-member-in-ts_ops-search.patch b/queue-6.6/textsearch-describe-list-member-in-ts_ops-search.patch
new file mode 100644
index 0000000000..86c8413d13
--- /dev/null
+++ b/queue-6.6/textsearch-describe-list-member-in-ts_ops-search.patch
@@ -0,0 +1,41 @@
+From 917994bd8ad30a24ca75d358250124ea6de06230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Dec 2025 08:40:05 +0700
+Subject: textsearch: describe @list member in ts_ops search
+
+From: Bagas Sanjaya
+
+[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
+
+Sphinx reports kernel-doc warning:
+
+WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
+
+Describe @list member to fix it.
+
+Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
+Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
+Signed-off-by: Bagas Sanjaya
+Cc: Thomas Graf
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+---
+ include/linux/textsearch.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
+index 6673e4d4ac2e1..4933777404d61 100644
+--- a/include/linux/textsearch.h
++++ b/include/linux/textsearch.h
+@@ -35,6 +35,7 @@ struct ts_state
+ * @get_pattern: return head of pattern
+ * @get_pattern_len: return length of pattern
+ * @owner: module reference to algorithm
++ * @list: list to search
+ */
+ struct ts_ops
+ {
+--
+2.51.0
+
diff --git a/queue-6.6/vsock-test-add-a-final-full-barrier-after-run-all-te.patch b/queue-6.6/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
new file mode 100644
index 0000000000..deecbe9a9f
--- /dev/null
+++ b/queue-6.6/vsock-test-add-a-final-full-barrier-after-run-all-te.patch
@@ -0,0 +1,52 @@
+From e47355611caafa073aa30253d91e0a54aff6d469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jan 2026 12:44:19 +0100
+Subject: vsock/test: add a final full barrier after run all tests
+
+From: Stefano Garzarella
+
+[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
+
+If the last test fails, the other side still completes correctly,
+which could lead to false positives.
+
+Let's add a final barrier that ensures that the last test has finished
+correctly on both sides, but also that the two sides agree on the
+number of tests to be performed.
+
+Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
+Reviewed-by: Luigi Leonardi
+Signed-off-by: Stefano Garzarella
+Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ tools/testing/vsock/util.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
+index 01b636d3039a0..751fe7c6632ea 100644
+--- a/tools/testing/vsock/util.c
++++ b/tools/testing/vsock/util.c
+@@ -360,6 +360,18 @@ void run_tests(const struct test_case *test_cases,
+
+ printf("ok\n");
+ }
++
++ printf("All tests have been executed. Waiting other peer...");
++ fflush(stdout);
++
++ /*
++ * Final full barrier, to ensure that all tests have been run and
++ * that even the last one has been successful on both sides.
++ */
++ control_writeln("COMPLETED");
++ control_expectln("COMPLETED");
++
++ printf("ok\n");
+ }
+
+ void list_tests(const struct test_case *test_cases)
+--
+2.51.0
+
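Review bot: The new progress message `"All tests have been executed. Waiting other peer..."` is missing a preposition; `"Waiting for the other peer..."` reads correctly. The block comment above `control_writeln("COMPLETED")` explains the success check but not the second purpose named in the commit message, that both sides must agree on the number of tests. One more sentence there would help, since a count mismatch is presumably what makes `control_expectln("COMPLETED")` fail. run_tests() begins outside the hunk.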
diff --git a/queue-6.6/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch b/queue-6.6/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
new file mode 100644
index 0000000000..8a05443169
--- /dev/null
+++ b/queue-6.6/xfrm-fix-inner-mode-lookup-in-tunnel-mode-gso-segmen.patch
@@ -0,0 +1,67 @@
+From da2467282d3f35f4bcfc9be4f3cbe0b61b983466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Nov 2025 05:56:09 +0200
+Subject: xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
+
+From: Jianbo Liu
+
+[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
+
+Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
+protocol") attempted to fix GSO segmentation by reading the inner
+protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
+because the field holds the inner L4 protocol (TCP/UDP) instead of the
+required tunnel protocol. Also, the memory location (shared by
+XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
+is prone to corruption. This combination caused the kernel to select
+the wrong inner mode and get the wrong address family.
+
+The correct value is in xfrm_offload(skb)->proto, which is set from
+the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
+is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
+or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
+inner packet's address family.
+
+Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
+Signed-off-by: Jianbo Liu
+Reviewed-by: Sabrina Dubroca
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/esp4_offload.c | 4 ++--
+ net/ipv6/esp6_offload.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 11e33a4312674..028d2d3477d13 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -111,8 +111,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
+ : htons(ETH_P_IP);
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 438f9cbdca299..333d87557bf32 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,8 +145,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
+- XFRM_MODE_SKB_CB(skb)->protocol);
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
+ __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
+ : htons(ETH_P_IPV6);
+
+--
+2.51.0
+
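Review bot: `xo->proto` is read in xfrm4_tunnel_gso_segment(), and identically in xfrm6_tunnel_gso_segment() in the second hunk, without a NULL check on the result of `xfrm_offload(skb)`. That helper can return NULL when the skb carries no offload state; the callers presumably rule this out before reaching the tunnel segment helpers, but that is not visible here. Either a guard before the lookup, e.g. `if (!xo) return ERR_PTR(-EINVAL);`, or a short comment naming the caller that guarantees a non-NULL `xo` would make the invariant explicit. Both function bodies continue outside the hunks.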