From: Sasha Levin Date: Sun, 15 Mar 2026 14:33:35 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.18.19~87 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e227fe3fb7e605757c0577c0c5d9c2d3d5eeb1f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-5.10/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..5d61c00107 --- /dev/null +++ b/queue-5.10/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From f9b298577f68785ffebee2171a608f807dfc433e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 0418febc5cf20..6ed849172167a 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1755,7 +1755,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug(PREFIX "%s: map reset_reg %s\n", __func__, +-- +2.51.0 + diff --git a/queue-5.10/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-5.10/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..22ef8715cc --- /dev/null +++ b/queue-5.10/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From 2dbc2ea9a96acdac7b3c70577423531eb87b64d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 1a4e8ca0f99c2..7e2f8d628cbbc 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -83,8 +83,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new(card, "Headset Jack", + SND_JACK_HEADSET | SND_JACK_LINEOUT | +-- +2.51.0 + diff --git a/queue-5.10/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch b/queue-5.10/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch new file mode 100644 index 0000000000..fdfe1494cf --- /dev/null +++ b/queue-5.10/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch @@ -0,0 +1,115 @@ +From 72a3016acfd12a8018a3f89c17ebb06e26e106f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 12:32:43 +0200 +Subject: ASoC: core: Do not call link_exit() on uninitialized rtd objects +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit dd9f9cc1e6b9391140afa5cf27bb47c9e2a08d02 ] + +On init we have sequence: + + for_each_card_prelinks(card, i, dai_link) { + ret = snd_soc_add_pcm_runtime(card, dai_link); + + ret = init_some_other_things(...); + if (ret) + goto probe_end: + + for_each_card_rtds(card, rtd) { + ret = soc_init_pcm_runtime(card, rtd); + +probe_end: + +while on exit: + for_each_card_rtds(card, rtd) + snd_soc_link_exit(rtd); + +If init_some_other_things() step fails due to error we end up with +not fully setup rtds and try to call snd_soc_link_exit on them, which +depending on contents on .link_exit handler, can end up dereferencing +NULL pointer. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230929103243.705433-2-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + include/sound/soc.h | 2 ++ + sound/soc/soc-core.c | 20 +++++++++++++++----- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/include/sound/soc.h b/include/sound/soc.h +index e973044143bc9..ea343235098d6 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -1177,6 +1177,8 @@ struct snd_soc_pcm_runtime { + unsigned int pop_wait:1; + unsigned int fe_compr:1; /* for Dynamic PCM */ + ++ bool initialized; ++ + int num_components; + struct snd_soc_component *components[]; /* CPU/Codec/Platform */ + }; +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 562fbc0fb3475..39d511c21796e 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1299,7 +1299,7 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + snd_soc_runtime_get_dai_fmt(rtd); + ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); + if (ret) +- return ret; ++ goto err; + + /* add DPCM sysfs entries */ + soc_dpcm_debugfs_add(rtd); +@@ -1324,17 +1324,26 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + /* create compress_device if possible */ + ret = snd_soc_dai_compress_new(cpu_dai, rtd, num); + if (ret != -ENOTSUPP) +- return ret; ++ goto err; + + /* create the pcm */ + ret = soc_new_pcm(rtd, num); + if (ret < 0) { + dev_err(card->dev, "ASoC: can't create pcm %s :%d\n", + dai_link->stream_name, ret); +- return ret; ++ goto err; + } + +- return snd_soc_pcm_dai_new(rtd); ++ ret = snd_soc_pcm_dai_new(rtd); ++ if (ret < 0) ++ goto err; ++ ++ rtd->initialized = true; ++ ++ return 0; ++err: ++ snd_soc_link_exit(rtd); ++ return ret; + } + + static void soc_set_name_prefix(struct snd_soc_card *card, +@@ -1927,7 +1936,8 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + /* release machine specific resources */ + for_each_card_rtds(card, rtd) +- snd_soc_link_exit(rtd); ++ if (rtd->initialized) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.10/asoc-core-exit-all-links-before-removing-their-compo.patch b/queue-5.10/asoc-core-exit-all-links-before-removing-their-compo.patch new file mode 100644 index 0000000000..6ac70fdb05 --- /dev/null +++ b/queue-5.10/asoc-core-exit-all-links-before-removing-their-compo.patch @@ -0,0 +1,90 @@ +From 6201f2b973da1d55e971b92265a68f4b7731ecad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 10:58:40 +0200 +Subject: ASoC: core: Exit all links before removing their components +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit c7eb967d70446971413061effca3226578cb4dab ] + +Flows leading to link->init() and link->exit() are not symmetric. +Currently the relevant part of card probe sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->probe() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->probe() + for_each_card_rtds(card, rtd) + rtd->init() + +On the other side, equivalent remove sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + for_each_card_rtds(card, rtd) + rtd->exit() + +what can lead to errors as link->exit() may still operate on resources +owned by its components despite the probability of them being freed +during the component->remove(). + +This change modifies the remove sequence to: + + for_each_card_rtds(card, rtd) + rtd->exit() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + +so code found in link->exit() is safe to touch any component stuff as +component->remove() has not been called yet. + +Signed-off-by: Cezary Rojewski +Reviewed-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20221027085840.1562698-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 4294206dff362..562fbc0fb3475 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -962,9 +962,6 @@ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card, + + lockdep_assert_held(&client_mutex); + +- /* release machine specific resources */ +- snd_soc_link_exit(rtd); +- + /* + * Notify the machine driver for extra destruction + */ +@@ -1928,6 +1925,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + snd_soc_dapm_shutdown(card); + ++ /* release machine specific resources */ ++ for_each_card_rtds(card, rtd) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.10/asoc-detect-empty-dmi-strings.patch b/queue-5.10/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..ae550d4d20 --- /dev/null +++ b/queue-5.10/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From 816f2f5cb680adef63adf6503442aa74cd51b421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 7ecbea296e917..8ceffa6851bd0 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1675,12 +1675,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-5.10/asoc-don-t-indicate-error-message-for-snd_soc_-pcm_-.patch b/queue-5.10/asoc-don-t-indicate-error-message-for-snd_soc_-pcm_-.patch new file mode 100644 index 0000000000..1366918e51 --- /dev/null +++ b/queue-5.10/asoc-don-t-indicate-error-message-for-snd_soc_-pcm_-.patch @@ -0,0 +1,167 @@ +From ac9d89b4bb8c7078f592419f3d7263a2d78c839a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 09:58:37 +0900 +Subject: ASoC: don't indicate error message for snd_soc_[pcm_]dai_xxx() + +From: Kuninori Morimoto + +[ Upstream commit 62462e018220895267450155b188f5804f54c202 ] + +All snd_soc_dai_xxx() and snd_soc_pcm_dai_xxx() itself +indicate error message if failed. +Its caller doesn't need to indicate duplicated error message. +This patch removes it. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87a6r5utaa.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 16 +++------------- + sound/soc/soc-dapm.c | 24 ++++++------------------ + sound/soc/soc-pcm.c | 10 ++-------- + 3 files changed, 11 insertions(+), 39 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 77f8d458406b0..8620e415f6fce 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1099,12 +1099,8 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + + /* create compress_device if possible */ + ret = snd_soc_dai_compress_new(cpu_dai, rtd, num); +- if (ret != -ENOTSUPP) { +- if (ret < 0) +- dev_err(card->dev, "ASoC: can't create compress %s\n", +- dai_link->stream_name); ++ if (ret != -ENOTSUPP) + return ret; +- } + + /* create the pcm */ + ret = soc_new_pcm(rtd, num); +@@ -1432,11 +1428,8 @@ int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, + + for_each_rtd_codec_dais(rtd, i, codec_dai) { + ret = snd_soc_dai_set_fmt(codec_dai, dai_fmt); +- if (ret != 0 && ret != -ENOTSUPP) { +- dev_warn(codec_dai->dev, +- "ASoC: Failed to set DAI format: %d\n", ret); ++ if (ret != 0 && ret != -ENOTSUPP) + return ret; +- } + } + + /* +@@ -1465,11 +1458,8 @@ int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, + fmt = inv_dai_fmt; + + ret = snd_soc_dai_set_fmt(cpu_dai, fmt); +- if (ret != 0 && ret != -ENOTSUPP) { +- dev_warn(cpu_dai->dev, +- "ASoC: Failed to set DAI format: %d\n", ret); ++ if (ret != 0 && ret != -ENOTSUPP) + return ret; +- } + } + + return 0; +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 175c8c264b62b..a3bebea5879b1 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -3856,11 +3856,9 @@ snd_soc_dai_link_event_pre_pmu(struct snd_soc_dapm_widget *w, + source = path->source->priv; + + ret = snd_soc_dai_startup(source, substream); +- if (ret < 0) { +- dev_err(source->dev, +- "ASoC: startup() failed: %d\n", ret); ++ if (ret < 0) + goto out; +- } ++ + snd_soc_dai_activate(source, substream->stream); + } + +@@ -3869,11 +3867,9 @@ snd_soc_dai_link_event_pre_pmu(struct snd_soc_dapm_widget *w, + sink = path->sink->priv; + + ret = snd_soc_dai_startup(sink, substream); +- if (ret < 0) { +- dev_err(sink->dev, +- "ASoC: startup() failed: %d\n", ret); ++ if (ret < 0) + goto out; +- } ++ + snd_soc_dai_activate(sink, substream->stream); + } + +@@ -3968,11 +3964,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w, + snd_soc_dapm_widget_for_each_sink_path(w, path) { + sink = path->sink->priv; + +- ret = snd_soc_dai_digital_mute(sink, 0, +- SNDRV_PCM_STREAM_PLAYBACK); +- if (ret != 0 && ret != -ENOTSUPP) +- dev_warn(sink->dev, +- "ASoC: Failed to unmute: %d\n", ret); ++ snd_soc_dai_digital_mute(sink, 0, SNDRV_PCM_STREAM_PLAYBACK); + ret = 0; + } + break; +@@ -3981,11 +3973,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w, + snd_soc_dapm_widget_for_each_sink_path(w, path) { + sink = path->sink->priv; + +- ret = snd_soc_dai_digital_mute(sink, 1, +- SNDRV_PCM_STREAM_PLAYBACK); +- if (ret != 0 && ret != -ENOTSUPP) +- dev_warn(sink->dev, +- "ASoC: Failed to mute: %d\n", ret); ++ snd_soc_dai_digital_mute(sink, 1, SNDRV_PCM_STREAM_PLAYBACK); + ret = 0; + } + +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index e52c030bd17a2..c82d653e6c378 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -821,10 +821,8 @@ static int soc_pcm_prepare(struct snd_pcm_substream *substream) + goto out; + + ret = snd_soc_pcm_dai_prepare(substream); +- if (ret < 0) { +- dev_err(rtd->dev, "ASoC: DAI prepare error: %d\n", ret); ++ if (ret < 0) + goto out; +- } + + /* cancel any delayed stream shutdown that is pending */ + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && +@@ -2414,8 +2412,6 @@ static int dpcm_run_update_shutdown(struct snd_soc_pcm_runtime *fe, int stream) + fe->dai_link->name); + + err = snd_soc_pcm_dai_bespoke_trigger(substream, SNDRV_PCM_TRIGGER_STOP); +- if (err < 0) +- dev_err(fe->dev,"ASoC: trigger FE failed %d\n", err); + } else { + dev_dbg(fe->dev, "ASoC: trigger FE %s cmd stop\n", + fe->dai_link->name); +@@ -2492,10 +2488,8 @@ static int dpcm_run_update_startup(struct snd_soc_pcm_runtime *fe, int stream) + fe->dai_link->name); + + ret = snd_soc_pcm_dai_bespoke_trigger(substream, SNDRV_PCM_TRIGGER_START); +- if (ret < 0) { +- dev_err(fe->dev,"ASoC: bespoke trigger FE failed %d\n", ret); ++ if (ret < 0) + goto hw_free; +- } + } else { + dev_dbg(fe->dev, "ASoC: trigger FE %s cmd start\n", + fe->dai_link->name); +-- +2.51.0 + diff --git a/queue-5.10/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch b/queue-5.10/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch new file mode 100644 index 0000000000..9940f10521 --- /dev/null +++ b/queue-5.10/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch @@ -0,0 +1,68 @@ +From bfcb0d73ba727e8e3acefae776f44e97b9fb41f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 11:05:44 +0900 +Subject: ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt() + +From: Kuninori Morimoto + +[ Upstream commit 7db07e37e13cfd46039d82aed91092185eac6565 ] + +Do nothing if format was zero at snd_soc_runtime_set_dai_fmt(). +soc-core.c can be more simple code by this patch. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ee8jt7d3.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/meson/meson-codec-glue.c | 3 --- + sound/soc/soc-core.c | 11 ++++++----- + 2 files changed, 6 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/meson/meson-codec-glue.c b/sound/soc/meson/meson-codec-glue.c +index d07270d17cee7..2870cfad813ac 100644 +--- a/sound/soc/meson/meson-codec-glue.c ++++ b/sound/soc/meson/meson-codec-glue.c +@@ -113,9 +113,6 @@ int meson_codec_glue_output_startup(struct snd_pcm_substream *substream, + /* Replace link params with the input params */ + rtd->dai_link->params = &in_data->params; + +- if (!in_data->fmt) +- return 0; +- + return snd_soc_runtime_set_dai_fmt(rtd, in_data->fmt); + } + EXPORT_SYMBOL_GPL(meson_codec_glue_output_startup); +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 2fca5d03fd4f7..4294206dff362 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1240,6 +1240,9 @@ int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, + unsigned int i; + int ret; + ++ if (!dai_fmt) ++ return 0; ++ + for_each_rtd_codec_dais(rtd, i, codec_dai) { + ret = snd_soc_dai_set_fmt(codec_dai, dai_fmt); + if (ret != 0 && ret != -ENOTSUPP) +@@ -1297,11 +1300,9 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + return ret; + + snd_soc_runtime_get_dai_fmt(rtd); +- if (dai_link->dai_fmt) { +- ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); +- if (ret) +- return ret; +- } ++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (ret) ++ return ret; + + /* add DPCM sysfs entries */ + soc_dpcm_debugfs_add(rtd); +-- +2.51.0 + diff --git a/queue-5.10/asoc-soc-core-add-snd_soc_runtime_get_dai_fmt.patch b/queue-5.10/asoc-soc-core-add-snd_soc_runtime_get_dai_fmt.patch new file mode 100644 index 0000000000..591af9dde6 --- /dev/null +++ b/queue-5.10/asoc-soc-core-add-snd_soc_runtime_get_dai_fmt.patch @@ -0,0 +1,461 @@ +From c82a6cd054034e36a154aa48cffc6d4933b50e0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 11:26:12 +0900 +Subject: ASoC: soc-core: add snd_soc_runtime_get_dai_fmt() + +From: Kuninori Morimoto + +[ Upstream commit ba9e82a1c8919340bee0dd7f7cafb8749810aabe ] + +ASoC is using dai_link which specify DAI format (= dai_link->dai_fmt), +and it is selected by "Sound Card" driver in corrent implementation. +In other words, Sound Card *needs* to setup it. +But, it should be possible to automatically selected from CPU and +Codec driver settings. + +This patch adds new .auto_selectable_formats support +at snd_soc_dai_ops. + +By this patch, dai_fmt can be automatically selected from each +driver if both CPU / Codec driver had it. +Automatically selectable *field* is depends on each drivers. + +For example, some driver want to select format "automatically", +but want to select other fields "manually", because of complex limitation. +Or other example, in case of both CPU and Codec are possible to be +clock provider, but the quality was different. +In these case, user need/want to *manually* select each fields +from Sound Card driver. + +This .auto_selectable_formats can set priority. +For example, no limitaion format can be HI priority, +supported but has picky limitation format can be next priority, etc. + +It uses Sound Card specified fields preferentially, and try to select +non-specific fields from CPU and Codec driver automatically +if all drivers have .auto_selectable_formats. + +In other words, we can select all dai_fmt via Sound Card driver +same as before. + +Link: https://lore.kernel.org/r/871rb3hypy.wl-kuninori.morimoto.gx@renesas.com +Link: https://lore.kernel.org/r/871racbx0w.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87h7ionc8s.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + include/sound/soc-dai.h | 55 ++++++++++++++ + sound/soc/soc-core.c | 164 ++++++++++++++++++++++++++++++++++++++++ + sound/soc/soc-dai.c | 63 +++++++++++++++ + sound/soc/soc-utils.c | 29 +++++++ + 4 files changed, 311 insertions(+) + +diff --git a/include/sound/soc-dai.h b/include/sound/soc-dai.h +index 580d1e6b935e6..2b8ae0c89e3fe 100644 +--- a/include/sound/soc-dai.h ++++ b/include/sound/soc-dai.h +@@ -36,6 +36,22 @@ struct snd_compr_stream; + #define SND_SOC_DAIFMT_MSB SND_SOC_DAIFMT_LEFT_J + #define SND_SOC_DAIFMT_LSB SND_SOC_DAIFMT_RIGHT_J + ++/* Describes the possible PCM format */ ++/* ++ * use SND_SOC_DAI_FORMAT_xx as eash shift. ++ * see ++ * snd_soc_runtime_get_dai_fmt() ++ */ ++#define SND_SOC_POSSIBLE_DAIFMT_FORMAT_SHIFT 0 ++#define SND_SOC_POSSIBLE_DAIFMT_FORMAT_MASK (0xFFFF << SND_SOC_POSSIBLE_DAIFMT_FORMAT_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_I2S (1 << SND_SOC_DAI_FORMAT_I2S) ++#define SND_SOC_POSSIBLE_DAIFMT_RIGHT_J (1 << SND_SOC_DAI_FORMAT_RIGHT_J) ++#define SND_SOC_POSSIBLE_DAIFMT_LEFT_J (1 << SND_SOC_DAI_FORMAT_LEFT_J) ++#define SND_SOC_POSSIBLE_DAIFMT_DSP_A (1 << SND_SOC_DAI_FORMAT_DSP_A) ++#define SND_SOC_POSSIBLE_DAIFMT_DSP_B (1 << SND_SOC_DAI_FORMAT_DSP_B) ++#define SND_SOC_POSSIBLE_DAIFMT_AC97 (1 << SND_SOC_DAI_FORMAT_AC97) ++#define SND_SOC_POSSIBLE_DAIFMT_PDM (1 << SND_SOC_DAI_FORMAT_PDM) ++ + /* + * DAI Clock gating. + * +@@ -45,6 +61,17 @@ struct snd_compr_stream; + #define SND_SOC_DAIFMT_CONT (1 << 4) /* continuous clock */ + #define SND_SOC_DAIFMT_GATED (0 << 4) /* clock is gated */ + ++/* Describes the possible PCM format */ ++/* ++ * define GATED -> CONT. GATED will be selected if both are selected. ++ * see ++ * snd_soc_runtime_get_dai_fmt() ++ */ ++#define SND_SOC_POSSIBLE_DAIFMT_CLOCK_SHIFT 16 ++#define SND_SOC_POSSIBLE_DAIFMT_CLOCK_MASK (0xFFFF << SND_SOC_POSSIBLE_DAIFMT_CLOCK_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_GATED (0x1ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_CONT (0x2ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_SHIFT) ++ + /* + * DAI hardware signal polarity. + * +@@ -71,6 +98,14 @@ struct snd_compr_stream; + #define SND_SOC_DAIFMT_IB_NF (3 << 8) /* invert BCLK + nor FRM */ + #define SND_SOC_DAIFMT_IB_IF (4 << 8) /* invert BCLK + FRM */ + ++/* Describes the possible PCM format */ ++#define SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT 32 ++#define SND_SOC_POSSIBLE_DAIFMT_INV_MASK (0xFFFFULL << SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_NB_NF (0x1ULL << SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_NB_IF (0x2ULL << SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_IB_NF (0x4ULL << SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_IB_IF (0x8ULL << SND_SOC_POSSIBLE_DAIFMT_INV_SHIFT) ++ + /* + * DAI hardware clock providers/consumers + * +@@ -89,6 +124,14 @@ struct snd_compr_stream; + #define SND_SOC_DAIFMT_CBM_CFS SND_SOC_DAIFMT_CBP_CFC + #define SND_SOC_DAIFMT_CBS_CFS SND_SOC_DAIFMT_CBC_CFC + ++/* Describes the possible PCM format */ ++#define SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT 48 ++#define SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_MASK (0xFFFFULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_CBP_CFP (0x1ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_CBC_CFP (0x2ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_CBP_CFC (0x4ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT) ++#define SND_SOC_POSSIBLE_DAIFMT_CBC_CFC (0x8ULL << SND_SOC_POSSIBLE_DAIFMT_CLOCK_PROVIDER_SHIFT) ++ + #define SND_SOC_DAIFMT_FORMAT_MASK 0x000f + #define SND_SOC_DAIFMT_CLOCK_MASK 0x00f0 + #define SND_SOC_DAIFMT_INV_MASK 0x0f00 +@@ -131,6 +174,8 @@ int snd_soc_dai_set_pll(struct snd_soc_dai *dai, + int snd_soc_dai_set_bclk_ratio(struct snd_soc_dai *dai, unsigned int ratio); + + /* Digital Audio interface formatting */ ++int snd_soc_dai_get_fmt_max_priority(struct snd_soc_pcm_runtime *rtd); ++u64 snd_soc_dai_get_fmt(struct snd_soc_dai *dai, int priority); + int snd_soc_dai_set_fmt(struct snd_soc_dai *dai, unsigned int fmt); + + int snd_soc_dai_set_tdm_slot(struct snd_soc_dai *dai, +@@ -289,6 +334,16 @@ struct snd_soc_dai_ops { + snd_pcm_sframes_t (*delay)(struct snd_pcm_substream *, + struct snd_soc_dai *); + ++ /* ++ * Format list for auto selection. ++ * Format will be increased if priority format was ++ * not selected. ++ * see ++ * snd_soc_dai_get_fmt() ++ */ ++ u64 *auto_selectable_formats; ++ int num_auto_selectable_formats; ++ + /* bit field */ + unsigned int no_capture_mute:1; + }; +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 71219ceea3934..2fca5d03fd4f7 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1055,6 +1055,169 @@ int snd_soc_add_pcm_runtime(struct snd_soc_card *card, + } + EXPORT_SYMBOL_GPL(snd_soc_add_pcm_runtime); + ++static void snd_soc_runtime_get_dai_fmt(struct snd_soc_pcm_runtime *rtd) ++{ ++ struct snd_soc_dai_link *dai_link = rtd->dai_link; ++ struct snd_soc_dai *dai, *not_used; ++ struct device *dev = rtd->dev; ++ u64 pos, possible_fmt; ++ unsigned int mask = 0, dai_fmt = 0; ++ int i, j, priority, pri, until; ++ ++ /* ++ * Get selectable format from each DAIs. ++ * ++ **************************** ++ * NOTE ++ * Using .auto_selectable_formats is not mandatory, ++ * we can select format manually from Sound Card. ++ * When use it, driver should list well tested format only. ++ **************************** ++ * ++ * ex) ++ * auto_selectable_formats (= SND_SOC_POSSIBLE_xxx) ++ * (A) (B) (C) ++ * DAI0_: { 0x000F, 0x00F0, 0x0F00 }; ++ * DAI1 : { 0xF000, 0x0F00 }; ++ * (X) (Y) ++ * ++ * "until" will be 3 in this case (MAX array size from DAI0 and DAI1) ++ * Here is dev_dbg() message and comments ++ * ++ * priority = 1 ++ * DAI0: (pri, fmt) = (1, 000000000000000F) // 1st check (A) DAI1 is not selected ++ * DAI1: (pri, fmt) = (0, 0000000000000000) // Necessary Waste ++ * DAI0: (pri, fmt) = (1, 000000000000000F) // 2nd check (A) ++ * DAI1: (pri, fmt) = (1, 000000000000F000) // (X) ++ * priority = 2 ++ * DAI0: (pri, fmt) = (2, 00000000000000FF) // 3rd check (A) + (B) ++ * DAI1: (pri, fmt) = (1, 000000000000F000) // (X) ++ * DAI0: (pri, fmt) = (2, 00000000000000FF) // 4th check (A) + (B) ++ * DAI1: (pri, fmt) = (2, 000000000000FF00) // (X) + (Y) ++ * priority = 3 ++ * DAI0: (pri, fmt) = (3, 0000000000000FFF) // 5th check (A) + (B) + (C) ++ * DAI1: (pri, fmt) = (2, 000000000000FF00) // (X) + (Y) ++ * found auto selected format: 0000000000000F00 ++ */ ++ until = snd_soc_dai_get_fmt_max_priority(rtd); ++ for (priority = 1; priority <= until; priority++) { ++ ++ dev_dbg(dev, "priority = %d\n", priority); ++ for_each_rtd_dais(rtd, j, not_used) { ++ ++ possible_fmt = ULLONG_MAX; ++ for_each_rtd_dais(rtd, i, dai) { ++ u64 fmt = 0; ++ ++ pri = (j >= i) ? priority : priority - 1; ++ fmt = snd_soc_dai_get_fmt(dai, pri); ++ dev_dbg(dev, "%s: (pri, fmt) = (%d, %016llX)\n", dai->name, pri, fmt); ++ possible_fmt &= fmt; ++ } ++ if (possible_fmt) ++ goto found; ++ } ++ } ++ /* Not Found */ ++ return; ++found: ++ dev_dbg(dev, "found auto selected format: %016llX\n", possible_fmt); ++ ++ /* ++ * convert POSSIBLE_DAIFMT to DAIFMT ++ * ++ * Some basic/default settings on each is defined as 0. ++ * see ++ * SND_SOC_DAIFMT_NB_NF ++ * SND_SOC_DAIFMT_GATED ++ * ++ * SND_SOC_DAIFMT_xxx_MASK can't notice it if Sound Card specify ++ * these value, and will be overwrite to auto selected value. ++ * ++ * To avoid such issue, loop from 63 to 0 here. ++ * Small number of SND_SOC_POSSIBLE_xxx will be Hi priority. ++ * Basic/Default settings of each part and aboves are defined ++ * as Hi priority (= small number) of SND_SOC_POSSIBLE_xxx. ++ */ ++ for (i = 63; i >= 0; i--) { ++ pos = 1ULL << i; ++ switch (possible_fmt & pos) { ++ /* ++ * for format ++ */ ++ case SND_SOC_POSSIBLE_DAIFMT_I2S: ++ case SND_SOC_POSSIBLE_DAIFMT_RIGHT_J: ++ case SND_SOC_POSSIBLE_DAIFMT_LEFT_J: ++ case SND_SOC_POSSIBLE_DAIFMT_DSP_A: ++ case SND_SOC_POSSIBLE_DAIFMT_DSP_B: ++ case SND_SOC_POSSIBLE_DAIFMT_AC97: ++ case SND_SOC_POSSIBLE_DAIFMT_PDM: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_FORMAT_MASK) | i; ++ break; ++ /* ++ * for clock ++ */ ++ case SND_SOC_POSSIBLE_DAIFMT_CONT: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_MASK) | SND_SOC_DAIFMT_CONT; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_GATED: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_MASK) | SND_SOC_DAIFMT_GATED; ++ break; ++ /* ++ * for clock invert ++ */ ++ case SND_SOC_POSSIBLE_DAIFMT_NB_NF: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_INV_MASK) | SND_SOC_DAIFMT_NB_NF; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_NB_IF: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_INV_MASK) | SND_SOC_DAIFMT_NB_IF; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_IB_NF: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_INV_MASK) | SND_SOC_DAIFMT_IB_NF; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_IB_IF: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_INV_MASK) | SND_SOC_DAIFMT_IB_IF; ++ break; ++ /* ++ * for clock provider / consumer ++ */ ++ case SND_SOC_POSSIBLE_DAIFMT_CBP_CFP: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK) | SND_SOC_DAIFMT_CBP_CFP; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_CBC_CFP: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK) | SND_SOC_DAIFMT_CBC_CFP; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_CBP_CFC: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK) | SND_SOC_DAIFMT_CBP_CFC; ++ break; ++ case SND_SOC_POSSIBLE_DAIFMT_CBC_CFC: ++ dai_fmt = (dai_fmt & ~SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK) | SND_SOC_DAIFMT_CBC_CFC; ++ break; ++ } ++ } ++ ++ /* ++ * Some driver might have very complex limitation. ++ * In such case, user want to auto-select non-limitation part, ++ * and want to manually specify complex part. ++ * ++ * Or for example, if both CPU and Codec can be clock provider, ++ * but because of its quality, user want to specify it manually. ++ * ++ * Use manually specified settings if sound card did. ++ */ ++ if (!(dai_link->dai_fmt & SND_SOC_DAIFMT_FORMAT_MASK)) ++ mask |= SND_SOC_DAIFMT_FORMAT_MASK; ++ if (!(dai_link->dai_fmt & SND_SOC_DAIFMT_CLOCK_MASK)) ++ mask |= SND_SOC_DAIFMT_CLOCK_MASK; ++ if (!(dai_link->dai_fmt & SND_SOC_DAIFMT_INV_MASK)) ++ mask |= SND_SOC_DAIFMT_INV_MASK; ++ if (!(dai_link->dai_fmt & SND_SOC_DAIFMT_MASTER_MASK)) ++ mask |= SND_SOC_DAIFMT_MASTER_MASK; ++ ++ dai_link->dai_fmt |= (dai_fmt & mask); ++} ++ + /** + * snd_soc_runtime_set_dai_fmt() - Change DAI link format for a ASoC runtime + * @rtd: The runtime for which the DAI link format should be changed +@@ -1133,6 +1296,7 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + if (ret < 0) + return ret; + ++ snd_soc_runtime_get_dai_fmt(rtd); + if (dai_link->dai_fmt) { + ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); + if (ret) +diff --git a/sound/soc/soc-dai.c b/sound/soc/soc-dai.c +index 583b18d0f4465..a76d876f6729b 100644 +--- a/sound/soc/soc-dai.c ++++ b/sound/soc/soc-dai.c +@@ -134,6 +134,69 @@ int snd_soc_dai_set_bclk_ratio(struct snd_soc_dai *dai, unsigned int ratio) + } + EXPORT_SYMBOL_GPL(snd_soc_dai_set_bclk_ratio); + ++int snd_soc_dai_get_fmt_max_priority(struct snd_soc_pcm_runtime *rtd) ++{ ++ struct snd_soc_dai *dai; ++ int i, max = 0; ++ ++ /* ++ * return max num if *ALL* DAIs have .auto_selectable_formats ++ */ ++ for_each_rtd_dais(rtd, i, dai) { ++ if (dai->driver->ops && ++ dai->driver->ops->num_auto_selectable_formats) ++ max = max(max, dai->driver->ops->num_auto_selectable_formats); ++ else ++ return 0; ++ } ++ ++ return max; ++} ++ ++/** ++ * snd_soc_dai_get_fmt - get supported audio format. ++ * @dai: DAI ++ * @priority: priority level of supported audio format. ++ * ++ * This should return only formats implemented with high ++ * quality by the DAI so that the core can configure a ++ * format which will work well with other devices. ++ * For example devices which don't support both edges of the ++ * LRCLK signal in I2S style formats should only list DSP ++ * modes. This will mean that sometimes fewer formats ++ * are reported here than are supported by set_fmt(). ++ */ ++u64 snd_soc_dai_get_fmt(struct snd_soc_dai *dai, int priority) ++{ ++ const struct snd_soc_dai_ops *ops = dai->driver->ops; ++ u64 fmt = 0; ++ int i, max = 0, until = priority; ++ ++ /* ++ * Collect auto_selectable_formats until priority ++ * ++ * ex) ++ * auto_selectable_formats[] = { A, B, C }; ++ * (A, B, C = SND_SOC_POSSIBLE_DAIFMT_xxx) ++ * ++ * priority = 1 : A ++ * priority = 2 : A | B ++ * priority = 3 : A | B | C ++ * priority = 4 : A | B | C ++ * ... ++ */ ++ if (ops) ++ max = ops->num_auto_selectable_formats; ++ ++ if (max < until) ++ until = max; ++ ++ for (i = 0; i < until; i++) ++ fmt |= ops->auto_selectable_formats[i]; ++ ++ return fmt; ++} ++ + /** + * snd_soc_dai_set_fmt - configure DAI hardware audio format. + * @dai: DAI +diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c +index 6b398ffabb02e..104d5ec135503 100644 +--- a/sound/soc/soc-utils.c ++++ b/sound/soc/soc-utils.c +@@ -97,6 +97,34 @@ static const struct snd_soc_component_driver dummy_codec = { + SNDRV_PCM_FMTBIT_S32_LE | \ + SNDRV_PCM_FMTBIT_U32_LE | \ + SNDRV_PCM_FMTBIT_IEC958_SUBFRAME_LE) ++ ++/* ++ * Select these from Sound Card Manually ++ * SND_SOC_POSSIBLE_DAIFMT_CBP_CFP ++ * SND_SOC_POSSIBLE_DAIFMT_CBP_CFC ++ * SND_SOC_POSSIBLE_DAIFMT_CBC_CFP ++ * SND_SOC_POSSIBLE_DAIFMT_CBC_CFC ++ */ ++static u64 dummy_dai_formats = ++ SND_SOC_POSSIBLE_DAIFMT_I2S | ++ SND_SOC_POSSIBLE_DAIFMT_RIGHT_J | ++ SND_SOC_POSSIBLE_DAIFMT_LEFT_J | ++ SND_SOC_POSSIBLE_DAIFMT_DSP_A | ++ SND_SOC_POSSIBLE_DAIFMT_DSP_B | ++ SND_SOC_POSSIBLE_DAIFMT_AC97 | ++ SND_SOC_POSSIBLE_DAIFMT_PDM | ++ SND_SOC_POSSIBLE_DAIFMT_GATED | ++ SND_SOC_POSSIBLE_DAIFMT_CONT | ++ SND_SOC_POSSIBLE_DAIFMT_NB_NF | ++ SND_SOC_POSSIBLE_DAIFMT_NB_IF | ++ SND_SOC_POSSIBLE_DAIFMT_IB_NF | ++ SND_SOC_POSSIBLE_DAIFMT_IB_IF; ++ ++static const struct snd_soc_dai_ops dummy_dai_ops = { ++ .auto_selectable_formats = &dummy_dai_formats, ++ .num_auto_selectable_formats = 1, ++}; ++ + /* + * The dummy CODEC is only meant to be used in situations where there is no + * actual hardware. +@@ -122,6 +150,7 @@ static struct snd_soc_dai_driver dummy_dai = { + .rates = STUB_RATES, + .formats = STUB_FORMATS, + }, ++ .ops = &dummy_dai_ops, + }; + + int snd_soc_dai_is_dummy(struct snd_soc_dai *dai) +-- +2.51.0 + diff --git a/queue-5.10/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-5.10/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..1b83b38dd1 --- /dev/null +++ b/queue-5.10/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 2cc6ab68230131e85865d59679621a4d49238ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 1120d669fe2e3..77f8d458406b0 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -401,8 +401,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-5.10/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-5.10/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..ad6912e020 --- /dev/null +++ b/queue-5.10/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From b7c9c1edf18b932e00c02791d47391b464301300 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 39d511c21796e..7ecbea296e917 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1938,6 +1938,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.10/asoc-soc-core-move-snd_soc_runtime_set_dai_fmt-to-up.patch b/queue-5.10/asoc-soc-core-move-snd_soc_runtime_set_dai_fmt-to-up.patch new file mode 100644 index 0000000000..185e28b9d2 --- /dev/null +++ b/queue-5.10/asoc-soc-core-move-snd_soc_runtime_set_dai_fmt-to-up.patch @@ -0,0 +1,166 @@ +From b82038bdea29080993cbd028394136e1c623451a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 11:25:36 +0900 +Subject: ASoC: soc-core: move snd_soc_runtime_set_dai_fmt() to upside + +From: Kuninori Morimoto + +[ Upstream commit 4d1a98b5f1abaad0ba7177fdb389a9f78584bc3a ] + +This patch moves snd_soc_runtime_set_dai_fmt() to upside. +This is prepare to support snd_soc_runtime_get_dai_fmt(). + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87im34nc9r.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 124 +++++++++++++++++++++---------------------- + 1 file changed, 62 insertions(+), 62 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 8620e415f6fce..71219ceea3934 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1055,6 +1055,68 @@ int snd_soc_add_pcm_runtime(struct snd_soc_card *card, + } + EXPORT_SYMBOL_GPL(snd_soc_add_pcm_runtime); + ++/** ++ * snd_soc_runtime_set_dai_fmt() - Change DAI link format for a ASoC runtime ++ * @rtd: The runtime for which the DAI link format should be changed ++ * @dai_fmt: The new DAI link format ++ * ++ * This function updates the DAI link format for all DAIs connected to the DAI ++ * link for the specified runtime. ++ * ++ * Note: For setups with a static format set the dai_fmt field in the ++ * corresponding snd_dai_link struct instead of using this function. ++ * ++ * Returns 0 on success, otherwise a negative error code. ++ */ ++int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, ++ unsigned int dai_fmt) ++{ ++ struct snd_soc_dai *cpu_dai; ++ struct snd_soc_dai *codec_dai; ++ unsigned int inv_dai_fmt; ++ unsigned int i; ++ int ret; ++ ++ for_each_rtd_codec_dais(rtd, i, codec_dai) { ++ ret = snd_soc_dai_set_fmt(codec_dai, dai_fmt); ++ if (ret != 0 && ret != -ENOTSUPP) ++ return ret; ++ } ++ ++ /* ++ * Flip the polarity for the "CPU" end of a CODEC<->CODEC link ++ * the component which has non_legacy_dai_naming is Codec ++ */ ++ inv_dai_fmt = dai_fmt & ~SND_SOC_DAIFMT_MASTER_MASK; ++ switch (dai_fmt & SND_SOC_DAIFMT_MASTER_MASK) { ++ case SND_SOC_DAIFMT_CBM_CFM: ++ inv_dai_fmt |= SND_SOC_DAIFMT_CBS_CFS; ++ break; ++ case SND_SOC_DAIFMT_CBM_CFS: ++ inv_dai_fmt |= SND_SOC_DAIFMT_CBS_CFM; ++ break; ++ case SND_SOC_DAIFMT_CBS_CFM: ++ inv_dai_fmt |= SND_SOC_DAIFMT_CBM_CFS; ++ break; ++ case SND_SOC_DAIFMT_CBS_CFS: ++ inv_dai_fmt |= SND_SOC_DAIFMT_CBM_CFM; ++ break; ++ } ++ for_each_rtd_cpu_dais(rtd, i, cpu_dai) { ++ unsigned int fmt = dai_fmt; ++ ++ if (cpu_dai->component->driver->non_legacy_dai_naming) ++ fmt = inv_dai_fmt; ++ ++ ret = snd_soc_dai_set_fmt(cpu_dai, fmt); ++ if (ret != 0 && ret != -ENOTSUPP) ++ return ret; ++ } ++ ++ return 0; ++} ++EXPORT_SYMBOL_GPL(snd_soc_runtime_set_dai_fmt); ++ + static int soc_init_pcm_runtime(struct snd_soc_card *card, + struct snd_soc_pcm_runtime *rtd) + { +@@ -1404,68 +1466,6 @@ static void soc_remove_aux_devices(struct snd_soc_card *card) + } + } + +-/** +- * snd_soc_runtime_set_dai_fmt() - Change DAI link format for a ASoC runtime +- * @rtd: The runtime for which the DAI link format should be changed +- * @dai_fmt: The new DAI link format +- * +- * This function updates the DAI link format for all DAIs connected to the DAI +- * link for the specified runtime. +- * +- * Note: For setups with a static format set the dai_fmt field in the +- * corresponding snd_dai_link struct instead of using this function. +- * +- * Returns 0 on success, otherwise a negative error code. +- */ +-int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, +- unsigned int dai_fmt) +-{ +- struct snd_soc_dai *cpu_dai; +- struct snd_soc_dai *codec_dai; +- unsigned int inv_dai_fmt; +- unsigned int i; +- int ret; +- +- for_each_rtd_codec_dais(rtd, i, codec_dai) { +- ret = snd_soc_dai_set_fmt(codec_dai, dai_fmt); +- if (ret != 0 && ret != -ENOTSUPP) +- return ret; +- } +- +- /* +- * Flip the polarity for the "CPU" end of a CODEC<->CODEC link +- * the component which has non_legacy_dai_naming is Codec +- */ +- inv_dai_fmt = dai_fmt & ~SND_SOC_DAIFMT_MASTER_MASK; +- switch (dai_fmt & SND_SOC_DAIFMT_MASTER_MASK) { +- case SND_SOC_DAIFMT_CBM_CFM: +- inv_dai_fmt |= SND_SOC_DAIFMT_CBS_CFS; +- break; +- case SND_SOC_DAIFMT_CBM_CFS: +- inv_dai_fmt |= SND_SOC_DAIFMT_CBS_CFM; +- break; +- case SND_SOC_DAIFMT_CBS_CFM: +- inv_dai_fmt |= SND_SOC_DAIFMT_CBM_CFS; +- break; +- case SND_SOC_DAIFMT_CBS_CFS: +- inv_dai_fmt |= SND_SOC_DAIFMT_CBM_CFM; +- break; +- } +- for_each_rtd_cpu_dais(rtd, i, cpu_dai) { +- unsigned int fmt = dai_fmt; +- +- if (cpu_dai->component->driver->non_legacy_dai_naming) +- fmt = inv_dai_fmt; +- +- ret = snd_soc_dai_set_fmt(cpu_dai, fmt); +- if (ret != 0 && ret != -ENOTSUPP) +- return ret; +- } +- +- return 0; +-} +-EXPORT_SYMBOL_GPL(snd_soc_runtime_set_dai_fmt); +- + #ifdef CONFIG_DMI + /* + * If a DMI filed contain strings in this blacklist (e.g. +-- +2.51.0 + diff --git a/queue-5.10/asoc-topology-use-inclusive-language-for-bclk-and-fs.patch b/queue-5.10/asoc-topology-use-inclusive-language-for-bclk-and-fs.patch new file mode 100644 index 0000000000..3dc6b5ec4b --- /dev/null +++ b/queue-5.10/asoc-topology-use-inclusive-language-for-bclk-and-fs.patch @@ -0,0 +1,182 @@ +From d3d8ade5e96fb6256ff9138eb38b3dd86e47878c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Nov 2020 10:30:57 -0600 +Subject: ASoC: topology: use inclusive language for bclk and fsync + +From: Pierre-Louis Bossart + +[ Upstream commit f026c123001bcc15b78311495cec79a8b73c3cf2 ] + +Mirror suggested changes in alsa-lib. + +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20201112163100.5081-2-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + include/sound/soc-dai.h | 32 ++++++++++++++++++++------------ + include/uapi/sound/asoc.h | 22 ++++++++++++++-------- + sound/soc/soc-topology.c | 24 ++++++++++++------------ + sound/soc/sof/topology.c | 6 +++--- + 4 files changed, 49 insertions(+), 35 deletions(-) + +diff --git a/include/sound/soc-dai.h b/include/sound/soc-dai.h +index fe86172e86020..580d1e6b935e6 100644 +--- a/include/sound/soc-dai.h ++++ b/include/sound/soc-dai.h +@@ -72,21 +72,29 @@ struct snd_compr_stream; + #define SND_SOC_DAIFMT_IB_IF (4 << 8) /* invert BCLK + FRM */ + + /* +- * DAI hardware clock masters. ++ * DAI hardware clock providers/consumers + * + * This is wrt the codec, the inverse is true for the interface +- * i.e. if the codec is clk and FRM master then the interface is +- * clk and frame secondary. ++ * i.e. if the codec is clk and FRM provider then the interface is ++ * clk and frame consumer. + */ +-#define SND_SOC_DAIFMT_CBM_CFM (1 << 12) /* codec clk & FRM master */ +-#define SND_SOC_DAIFMT_CBS_CFM (2 << 12) /* codec clk secondary & FRM master */ +-#define SND_SOC_DAIFMT_CBM_CFS (3 << 12) /* codec clk master & frame secondary */ +-#define SND_SOC_DAIFMT_CBS_CFS (4 << 12) /* codec clk & FRM secondary */ +- +-#define SND_SOC_DAIFMT_FORMAT_MASK 0x000f +-#define SND_SOC_DAIFMT_CLOCK_MASK 0x00f0 +-#define SND_SOC_DAIFMT_INV_MASK 0x0f00 +-#define SND_SOC_DAIFMT_MASTER_MASK 0xf000 ++#define SND_SOC_DAIFMT_CBP_CFP (1 << 12) /* codec clk provider & frame provider */ ++#define SND_SOC_DAIFMT_CBC_CFP (2 << 12) /* codec clk consumer & frame provider */ ++#define SND_SOC_DAIFMT_CBP_CFC (3 << 12) /* codec clk provider & frame consumer */ ++#define SND_SOC_DAIFMT_CBC_CFC (4 << 12) /* codec clk consumer & frame follower */ ++ ++/* previous definitions kept for backwards-compatibility, do not use in new contributions */ ++#define SND_SOC_DAIFMT_CBM_CFM SND_SOC_DAIFMT_CBP_CFP ++#define SND_SOC_DAIFMT_CBS_CFM SND_SOC_DAIFMT_CBC_CFP ++#define SND_SOC_DAIFMT_CBM_CFS SND_SOC_DAIFMT_CBP_CFC ++#define SND_SOC_DAIFMT_CBS_CFS SND_SOC_DAIFMT_CBC_CFC ++ ++#define SND_SOC_DAIFMT_FORMAT_MASK 0x000f ++#define SND_SOC_DAIFMT_CLOCK_MASK 0x00f0 ++#define SND_SOC_DAIFMT_INV_MASK 0x0f00 ++#define SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK 0xf000 ++ ++#define SND_SOC_DAIFMT_MASTER_MASK SND_SOC_DAIFMT_CLOCK_PROVIDER_MASK + + /* + * Master Clock Directions +diff --git a/include/uapi/sound/asoc.h b/include/uapi/sound/asoc.h +index a74ca232f1fc1..da61398b1f8f3 100644 +--- a/include/uapi/sound/asoc.h ++++ b/include/uapi/sound/asoc.h +@@ -170,16 +170,22 @@ + #define SND_SOC_TPLG_LNK_FLGBIT_VOICE_WAKEUP (1 << 3) + + /* DAI topology BCLK parameter +- * For the backwards capability, by default codec is bclk master ++ * For the backwards capability, by default codec is bclk provider + */ +-#define SND_SOC_TPLG_BCLK_CM 0 /* codec is bclk master */ +-#define SND_SOC_TPLG_BCLK_CS 1 /* codec is bclk slave */ ++#define SND_SOC_TPLG_BCLK_CP 0 /* codec is bclk provider */ ++#define SND_SOC_TPLG_BCLK_CC 1 /* codec is bclk consumer */ ++/* keep previous definitions for compatibility */ ++#define SND_SOC_TPLG_BCLK_CM SND_SOC_TPLG_BCLK_CP ++#define SND_SOC_TPLG_BCLK_CS SND_SOC_TPLG_BCLK_CC + + /* DAI topology FSYNC parameter +- * For the backwards capability, by default codec is fsync master ++ * For the backwards capability, by default codec is fsync provider + */ +-#define SND_SOC_TPLG_FSYNC_CM 0 /* codec is fsync master */ +-#define SND_SOC_TPLG_FSYNC_CS 1 /* codec is fsync slave */ ++#define SND_SOC_TPLG_FSYNC_CP 0 /* codec is fsync provider */ ++#define SND_SOC_TPLG_FSYNC_CC 1 /* codec is fsync consumer */ ++/* keep previous definitions for compatibility */ ++#define SND_SOC_TPLG_FSYNC_CM SND_SOC_TPLG_FSYNC_CP ++#define SND_SOC_TPLG_FSYNC_CS SND_SOC_TPLG_FSYNC_CC + + /* + * Block Header. +@@ -336,8 +342,8 @@ struct snd_soc_tplg_hw_config { + __u8 clock_gated; /* SND_SOC_TPLG_DAI_CLK_GATE_ value */ + __u8 invert_bclk; /* 1 for inverted BCLK, 0 for normal */ + __u8 invert_fsync; /* 1 for inverted frame clock, 0 for normal */ +- __u8 bclk_master; /* SND_SOC_TPLG_BCLK_ value */ +- __u8 fsync_master; /* SND_SOC_TPLG_FSYNC_ value */ ++ __u8 bclk_provider; /* SND_SOC_TPLG_BCLK_ value */ ++ __u8 fsync_provider; /* SND_SOC_TPLG_FSYNC_ value */ + __u8 mclk_direction; /* SND_SOC_TPLG_MCLK_ value */ + __le16 reserved; /* for 32bit alignment */ + __le32 mclk_rate; /* MCLK or SYSCLK freqency in Hz */ +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index aa57f796e9dd3..b9ef95c99c6ee 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -2173,7 +2173,7 @@ static void set_link_hw_format(struct snd_soc_dai_link *link, + struct snd_soc_tplg_link_config *cfg) + { + struct snd_soc_tplg_hw_config *hw_config; +- unsigned char bclk_master, fsync_master; ++ unsigned char bclk_provider, fsync_provider; + unsigned char invert_bclk, invert_fsync; + int i; + +@@ -2213,18 +2213,18 @@ static void set_link_hw_format(struct snd_soc_dai_link *link, + link->dai_fmt |= SND_SOC_DAIFMT_IB_IF; + + /* clock masters */ +- bclk_master = (hw_config->bclk_master == +- SND_SOC_TPLG_BCLK_CM); +- fsync_master = (hw_config->fsync_master == +- SND_SOC_TPLG_FSYNC_CM); +- if (bclk_master && fsync_master) +- link->dai_fmt |= SND_SOC_DAIFMT_CBM_CFM; +- else if (!bclk_master && fsync_master) +- link->dai_fmt |= SND_SOC_DAIFMT_CBS_CFM; +- else if (bclk_master && !fsync_master) +- link->dai_fmt |= SND_SOC_DAIFMT_CBM_CFS; ++ bclk_provider = (hw_config->bclk_provider == ++ SND_SOC_TPLG_BCLK_CP); ++ fsync_provider = (hw_config->fsync_provider == ++ SND_SOC_TPLG_FSYNC_CP); ++ if (bclk_provider && fsync_provider) ++ link->dai_fmt |= SND_SOC_DAIFMT_CBP_CFP; ++ else if (!bclk_provider && fsync_provider) ++ link->dai_fmt |= SND_SOC_DAIFMT_CBC_CFP; ++ else if (bclk_provider && !fsync_provider) ++ link->dai_fmt |= SND_SOC_DAIFMT_CBP_CFC; + else +- link->dai_fmt |= SND_SOC_DAIFMT_CBS_CFS; ++ link->dai_fmt |= SND_SOC_DAIFMT_CBC_CFC; + } + } + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index b6327c30c2b5a..e3aa9fa0f112f 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -2786,15 +2786,15 @@ static void sof_dai_set_format(struct snd_soc_tplg_hw_config *hw_config, + struct sof_ipc_dai_config *config) + { + /* clock directions wrt codec */ +- if (hw_config->bclk_master == SND_SOC_TPLG_BCLK_CM) { ++ if (hw_config->bclk_provider == SND_SOC_TPLG_BCLK_CM) { + /* codec is bclk master */ +- if (hw_config->fsync_master == SND_SOC_TPLG_FSYNC_CM) ++ if (hw_config->fsync_provider == SND_SOC_TPLG_FSYNC_CM) + config->format |= SOF_DAI_FMT_CBM_CFM; + else + config->format |= SOF_DAI_FMT_CBM_CFS; + } else { + /* codec is bclk slave */ +- if (hw_config->fsync_master == SND_SOC_TPLG_FSYNC_CM) ++ if (hw_config->fsync_provider == SND_SOC_TPLG_FSYNC_CM) + config->format |= SOF_DAI_FMT_CBS_CFM; + else + config->format |= SOF_DAI_FMT_CBS_CFS; +-- +2.51.0 + diff --git a/queue-5.10/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-5.10/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..620e91ef52 --- /dev/null +++ b/queue-5.10/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From 858628035af26a4bf384d0b9f67424cf9516e740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 87e23796680b3..812e1792c232e 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2592,8 +2592,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-5.10/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-5.10/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..1611d0057f --- /dev/null +++ b/queue-5.10/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From 17309de8bdcf55b380259b5f881db5d1027ca757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index a7d594a5ad36f..f651a8ba7d53e 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -751,7 +751,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -798,6 +800,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-5.10/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-5.10/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..410bd5be57 --- /dev/null +++ b/queue-5.10/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From 62ae0520a89438eea8d2bc30de5eed475cc51271 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 0b75029029132..d7e7c619a98e2 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index b700663a634d2..902ada6a3b06c 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-5.10/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-5.10/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..c6b9c3c6f6 --- /dev/null +++ b/queue-5.10/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From a3a869dfaf65520f04a05d8c2843ae820eb68a20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 3ddb712b732d5..014734ea71ff3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3655,10 +3655,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3713,7 +3713,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3799,10 +3799,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-5.10/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-5.10/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..98d1bebc37 --- /dev/null +++ b/queue-5.10/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From a311e9876face95abc40404127e1253bcc63ff7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 13dd34c571b9f..ce533e7d679a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -28,7 +28,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-5.10/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-5.10/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..006502e0a3 --- /dev/null +++ b/queue-5.10/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From 2feed6922f6d018c16c6e5df519fbf883269d295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index e9dfa140799c3..4c65b4ed5ccd3 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-5.10/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..812662eb5c --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From 3b265af2f6277ba81e6f0a8a0a5fc50677e67c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 52d5f24118342..8edad41e4db66 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -601,10 +601,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-5.10/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..1a308dc5a2 --- /dev/null +++ b/queue-5.10/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From 2a109e8c074e44e3c4c09296f38c5056f2384074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index dc6af1919deaf..bfe909267c9d9 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1209,8 +1209,10 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-5.10/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-5.10/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..8e7df74898 --- /dev/null +++ b/queue-5.10/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From f8683d429a177c8e8b9a1dd295b29e0a3f0f6847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index a4fdd1587bb3b..07a8369a9f02f 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1539,6 +1539,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1558,7 +1559,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-5.10/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-5.10/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..eb41c138ca --- /dev/null +++ b/queue-5.10/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From a09e3da953da4c8ddc00625dc152dbaa69ef2a90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index 11ec2abf0c727..73f50dc01b19f 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -56,8 +56,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-5.10/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-5.10/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..a11d27ebf8 --- /dev/null +++ b/queue-5.10/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From 137ca4aae05290db3c767e3dfc6a07e98f8f8f86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index 2f7cf5ecebf4f..d35ff0a2cad83 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); +-- +2.51.0 + diff --git a/queue-5.10/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-5.10/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..c89b3496d7 --- /dev/null +++ b/queue-5.10/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 79fa56aa9ad136c4b0c29be58cbf53a15f06ef09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7a6827306e740..fbf8961f69efa 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -324,7 +324,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-5.10/regulator-pca9450-correct-interrupt-type.patch b/queue-5.10/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..1b20bc09ca --- /dev/null +++ b/queue-5.10/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From 436edf6899203c1364be4d75a77e9310c50971d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 6ec2ad5b9efcc..6f2f097b677d2 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -773,7 +773,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) { + dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-5.10/regulator-pca9450-make-irq-optional.patch b/queue-5.10/regulator-pca9450-make-irq-optional.patch new file mode 100644 index 0000000000..d417950f72 --- /dev/null +++ b/queue-5.10/regulator-pca9450-make-irq-optional.patch @@ -0,0 +1,83 @@ +From ced16ff3ac3ed26193ddd7aeab7a1fd722eb14cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 10:40:34 +0200 +Subject: regulator: pca9450: Make IRQ optional + +From: Frieder Schrempf + +[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ] + +The IRQ line might not be connected on some boards. Allow the driver +to be probed without it. + +Signed-off-by: Frieder Schrempf +Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de +Signed-off-by: Mark Brown +Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type") +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 41 +++++++++++++-------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index b3d206ebb2894..6ec2ad5b9efcc 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -704,11 +704,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + unsigned int device_id, i; + int ret; + +- if (!i2c->irq) { +- dev_err(&i2c->dev, "No IRQ configured?\n"); +- return -EINVAL; +- } +- + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); + if (!pca9450) + return -ENOMEM; +@@ -775,23 +770,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + } + } + +- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, +- pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), +- "pca9450-irq", pca9450); +- if (ret != 0) { +- dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +- pca9450->irq); +- return ret; +- } +- /* Unmask all interrupt except PWRON/WDOG/RSVD */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, +- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | +- IRQ_THERM_105 | IRQ_THERM_125, +- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); +- if (ret) { +- dev_err(&i2c->dev, "Unmask irq error\n"); +- return ret; ++ if (pca9450->irq) { ++ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, ++ pca9450_irq_handler, ++ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ "pca9450-irq", pca9450); ++ if (ret != 0) { ++ dev_err(pca9450->dev, "Failed to request IRQ: %d\n", ++ pca9450->irq); ++ return ret; ++ } ++ /* Unmask all interrupt except PWRON/WDOG/RSVD */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, ++ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | ++ IRQ_THERM_105 | IRQ_THERM_125, ++ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); ++ if (ret) { ++ dev_err(&i2c->dev, "Unmask irq error\n"); ++ return ret; ++ } + } + + /* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */ +-- +2.51.0 + diff --git a/queue-5.10/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-5.10/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..e8054c8f58 --- /dev/null +++ b/queue-5.10/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From da5ce44b054892a7bafc6c3e70c6e9912c89816f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 87a57cee40fcb..1c1fa6ac9244a 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -319,16 +319,6 @@ int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index cdc3e690de714..8c38b4fe9ee72 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -223,7 +223,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -241,6 +241,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-5.10/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-5.10/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..d637059eb2 --- /dev/null +++ b/queue-5.10/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From e794ede649f3a34e77715ebc88d1423cddb088fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 1b6a696182f72..02aea5a4b8ca8 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -312,6 +312,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -346,6 +347,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = N_TTY_BUF_SIZE; +@@ -354,6 +356,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 51a213f204..d16c6078a1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -58,3 +58,31 @@ scsi-ses-fix-devices-attaching-to-different-hosts.patch powerpc-uaccess-fix-inline-assembly-for-clang-build-.patch remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-topology-use-inclusive-language-for-bclk-and-fs.patch +asoc-don-t-indicate-error-message-for-snd_soc_-pcm_-.patch +asoc-soc-core-move-snd_soc_runtime_set_dai_fmt-to-up.patch +asoc-soc-core-add-snd_soc_runtime_get_dai_fmt.patch +asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch +asoc-core-exit-all-links-before-removing-their-compo.patch +asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +regulator-pca9450-make-irq-optional.patch +regulator-pca9450-correct-interrupt-type.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch diff --git a/queue-5.15/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-5.15/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..11adc8be95 --- /dev/null +++ b/queue-5.15/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From 8455020438d88a45443249643f413e7f27104043 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 45c5c0e45e332..ee9123d553c83 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1739,7 +1739,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-5.15/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-5.15/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..2e6cb1d0e5 --- /dev/null +++ b/queue-5.15/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From c469f9e01ab1315fb43e5eded27c0cd8d5b76ce1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index e561464f7d603..f8f268090d8a8 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -83,8 +83,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new(card, "Headset Jack", + SND_JACK_HEADSET | SND_JACK_LINEOUT | +-- +2.51.0 + diff --git a/queue-5.15/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch b/queue-5.15/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch new file mode 100644 index 0000000000..a80e4dd7d7 --- /dev/null +++ b/queue-5.15/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch @@ -0,0 +1,115 @@ +From bc3927c0f9ea2c64582e72f3c2da5aac8168cd02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 12:32:43 +0200 +Subject: ASoC: core: Do not call link_exit() on uninitialized rtd objects +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit dd9f9cc1e6b9391140afa5cf27bb47c9e2a08d02 ] + +On init we have sequence: + + for_each_card_prelinks(card, i, dai_link) { + ret = snd_soc_add_pcm_runtime(card, dai_link); + + ret = init_some_other_things(...); + if (ret) + goto probe_end: + + for_each_card_rtds(card, rtd) { + ret = soc_init_pcm_runtime(card, rtd); + +probe_end: + +while on exit: + for_each_card_rtds(card, rtd) + snd_soc_link_exit(rtd); + +If init_some_other_things() step fails due to error we end up with +not fully setup rtds and try to call snd_soc_link_exit on them, which +depending on contents on .link_exit handler, can end up dereferencing +NULL pointer. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230929103243.705433-2-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + include/sound/soc.h | 2 ++ + sound/soc/soc-core.c | 20 +++++++++++++++----- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/include/sound/soc.h b/include/sound/soc.h +index 42358dbc19b8c..3986b8ea6ccfc 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -1082,6 +1082,8 @@ struct snd_soc_pcm_runtime { + unsigned int pop_wait:1; + unsigned int fe_compr:1; /* for Dynamic PCM */ + ++ bool initialized; ++ + int num_components; + struct snd_soc_component *components[]; /* CPU/Codec/Platform */ + }; +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 286bdc33274ba..a555fe0a837d5 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1290,7 +1290,7 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + snd_soc_runtime_get_dai_fmt(rtd); + ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); + if (ret) +- return ret; ++ goto err; + + /* add DPCM sysfs entries */ + soc_dpcm_debugfs_add(rtd); +@@ -1315,17 +1315,26 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + /* create compress_device if possible */ + ret = snd_soc_dai_compress_new(cpu_dai, rtd, num); + if (ret != -ENOTSUPP) +- return ret; ++ goto err; + + /* create the pcm */ + ret = soc_new_pcm(rtd, num); + if (ret < 0) { + dev_err(card->dev, "ASoC: can't create pcm %s :%d\n", + dai_link->stream_name, ret); +- return ret; ++ goto err; + } + +- return snd_soc_pcm_dai_new(rtd); ++ ret = snd_soc_pcm_dai_new(rtd); ++ if (ret < 0) ++ goto err; ++ ++ rtd->initialized = true; ++ ++ return 0; ++err: ++ snd_soc_link_exit(rtd); ++ return ret; + } + + static void soc_set_name_prefix(struct snd_soc_card *card, +@@ -1922,7 +1931,8 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + /* release machine specific resources */ + for_each_card_rtds(card, rtd) +- snd_soc_link_exit(rtd); ++ if (rtd->initialized) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.15/asoc-core-exit-all-links-before-removing-their-compo.patch b/queue-5.15/asoc-core-exit-all-links-before-removing-their-compo.patch new file mode 100644 index 0000000000..6b4e3ba72c --- /dev/null +++ b/queue-5.15/asoc-core-exit-all-links-before-removing-their-compo.patch @@ -0,0 +1,90 @@ +From a0a557068cfe2d492e8c6eba7c6fc8fbcc278fbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 10:58:40 +0200 +Subject: ASoC: core: Exit all links before removing their components +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit c7eb967d70446971413061effca3226578cb4dab ] + +Flows leading to link->init() and link->exit() are not symmetric. +Currently the relevant part of card probe sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->probe() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->probe() + for_each_card_rtds(card, rtd) + rtd->init() + +On the other side, equivalent remove sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + for_each_card_rtds(card, rtd) + rtd->exit() + +what can lead to errors as link->exit() may still operate on resources +owned by its components despite the probability of them being freed +during the component->remove(). + +This change modifies the remove sequence to: + + for_each_card_rtds(card, rtd) + rtd->exit() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + +so code found in link->exit() is safe to touch any component stuff as +component->remove() has not been called yet. + +Signed-off-by: Cezary Rojewski +Reviewed-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20221027085840.1562698-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index a00b944be9977..286bdc33274ba 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -963,9 +963,6 @@ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card, + + lockdep_assert_held(&client_mutex); + +- /* release machine specific resources */ +- snd_soc_link_exit(rtd); +- + /* + * Notify the machine driver for extra destruction + */ +@@ -1923,6 +1920,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + snd_soc_dapm_shutdown(card); + ++ /* release machine specific resources */ ++ for_each_card_rtds(card, rtd) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.15/asoc-detect-empty-dmi-strings.patch b/queue-5.15/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..83d8ca8f0b --- /dev/null +++ b/queue-5.15/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From c0e0718adb5be444995e09b669b5df11da732c1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e406c896a511a..af8554e96035f 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1665,12 +1665,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-5.15/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch b/queue-5.15/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch new file mode 100644 index 0000000000..7a95bca661 --- /dev/null +++ b/queue-5.15/asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch @@ -0,0 +1,68 @@ +From f8f87e5bbb50588d19b043f683da35fb519af5d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 11:05:44 +0900 +Subject: ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt() + +From: Kuninori Morimoto + +[ Upstream commit 7db07e37e13cfd46039d82aed91092185eac6565 ] + +Do nothing if format was zero at snd_soc_runtime_set_dai_fmt(). +soc-core.c can be more simple code by this patch. + +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87ee8jt7d3.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/meson/meson-codec-glue.c | 3 --- + sound/soc/soc-core.c | 11 ++++++----- + 2 files changed, 6 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/meson/meson-codec-glue.c b/sound/soc/meson/meson-codec-glue.c +index d07270d17cee7..2870cfad813ac 100644 +--- a/sound/soc/meson/meson-codec-glue.c ++++ b/sound/soc/meson/meson-codec-glue.c +@@ -113,9 +113,6 @@ int meson_codec_glue_output_startup(struct snd_pcm_substream *substream, + /* Replace link params with the input params */ + rtd->dai_link->params = &in_data->params; + +- if (!in_data->fmt) +- return 0; +- + return snd_soc_runtime_set_dai_fmt(rtd, in_data->fmt); + } + EXPORT_SYMBOL_GPL(meson_codec_glue_output_startup); +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 243c623598483..a00b944be9977 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1244,6 +1244,9 @@ int snd_soc_runtime_set_dai_fmt(struct snd_soc_pcm_runtime *rtd, + unsigned int i; + int ret; + ++ if (!dai_fmt) ++ return 0; ++ + for_each_rtd_codec_dais(rtd, i, codec_dai) { + ret = snd_soc_dai_set_fmt(codec_dai, dai_fmt); + if (ret != 0 && ret != -ENOTSUPP) +@@ -1288,11 +1291,9 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + return ret; + + snd_soc_runtime_get_dai_fmt(rtd); +- if (dai_link->dai_fmt) { +- ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); +- if (ret) +- return ret; +- } ++ ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); ++ if (ret) ++ return ret; + + /* add DPCM sysfs entries */ + soc_dpcm_debugfs_add(rtd); +-- +2.51.0 + diff --git a/queue-5.15/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-5.15/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..f3d8b95178 --- /dev/null +++ b/queue-5.15/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 214fd54bcb00b642e7580628b330a183ff4baddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 854d8f62008ee..243c623598483 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -400,8 +400,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-5.15/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-5.15/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..2842972258 --- /dev/null +++ b/queue-5.15/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From feafbc9209f198ed21c05d08b7841411bf4a4a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index a555fe0a837d5..e406c896a511a 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1933,6 +1933,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-5.15/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-5.15/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..85ccee7ed2 --- /dev/null +++ b/queue-5.15/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From 7e8985c729bdc1700f574c0a57392a9ecb152184 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 1323a619db4d2..5321d9dca698a 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2715,8 +2715,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-5.15/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-5.15/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..456c4d463b --- /dev/null +++ b/queue-5.15/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From bf713d7264ecee4f6241f9740f13a99dfa3fd795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 6df2e6fae2687..cc7e20a0e8691 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -751,7 +751,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -798,6 +800,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-5.15/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-5.15/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..e89ce6b01f --- /dev/null +++ b/queue-5.15/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From e8a3aae65688c4e534bf06e85b95e290db9c5063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index b252373ec9fa6..e7e7b6255ddfe 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2950,8 +2950,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index c153f44a6ab85..3216089642648 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5637,8 +5637,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-5.15/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-5.15/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..2857ff0a49 --- /dev/null +++ b/queue-5.15/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From a115a9bd2ff9333886866e140fb47efe53579e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 907727604c702..2d5d30702067e 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3715,10 +3715,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3773,7 +3773,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3859,10 +3859,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-5.15/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-5.15/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..6da4ef7186 --- /dev/null +++ b/queue-5.15/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From a8e4ddb3c8dcfbba62d6e696b1e091c1c9df9653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 8024599994642..e36913af7a43c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -30,7 +30,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-5.15/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-5.15/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..9849f16fea --- /dev/null +++ b/queue-5.15/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From bc43e39e4d98aa5844ffe889b4ae784046a5cf81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index e9dfa140799c3..4c65b4ed5ccd3 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-5.15/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..ceff2a6def --- /dev/null +++ b/queue-5.15/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From 8c13ddd0e944a2a8abc1f7a2f05a92d471ff4654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 5c622f55c9d68..e19e4f1bab05f 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -599,10 +599,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-5.15/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..17e2c4f774 --- /dev/null +++ b/queue-5.15/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From 765bd39351612f47037367f96ca182fa2a1aaa52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index d5f5b93a99a08..3925fcb7a222c 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1250,8 +1250,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-5.15/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-5.15/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..1ec9b9b058 --- /dev/null +++ b/queue-5.15/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From 0acb9269af9b52ccb3e8e9999f3fbb0b9bb8fc98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 863162c823306..c8a5618742381 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1541,6 +1541,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1560,7 +1561,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-5.15/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-5.15/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..3f7e8d3c1c --- /dev/null +++ b/queue-5.15/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From 53ab62f880ebda1ad378c86d1f48871c80848ad8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index 11ec2abf0c727..73f50dc01b19f 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -56,8 +56,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-5.15/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-5.15/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..67eeb238d1 --- /dev/null +++ b/queue-5.15/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From 4982116cf466d99f8dab05333d592db03a76f45c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index a097686adbbd7..ba831c0e6d11e 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); +-- +2.51.0 + diff --git a/queue-5.15/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-5.15/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..73408fb3e1 --- /dev/null +++ b/queue-5.15/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 8930213462cf434845c25845a55f271b2f736848 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 0a2207a1be6a6..04cccbb05372a 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -321,7 +321,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..045163bda1 --- /dev/null +++ b/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From 893c03c814fb5cfea6f6f825b256617ec14439d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index c5e3ef6b41a87..c3da400e87eba 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -578,7 +578,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..b95e772619 --- /dev/null +++ b/queue-5.15/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From 87256b879d4c37ae6204013327e9e77672ed7899 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 8a63277aab1af..4991fafd04bad 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -326,10 +326,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-5.15/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch b/queue-5.15/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch new file mode 100644 index 0000000000..8da3bbc93e --- /dev/null +++ b/queue-5.15/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch @@ -0,0 +1,550 @@ +From b4f7a750e8fc4dd71b7cec0d80d902c46eb10cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 22:26:42 +0200 +Subject: octeontx2-af: devlink health: use retained error fmsg API + +From: Przemek Kitszel + +[ Upstream commit d8cf03fca3411de8a493dae5e9fcf815a4f0977e ] + +Drop unneeded error checking. + +devlink_fmsg_*() family of functions is now retaining errors, +so there is no need to check for them after each call. + +Reviewed-by: Jesse Brandeburg +Reviewed-by: Jiri Pirko +Signed-off-by: Przemek Kitszel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87f7dff3ec75 ("octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status") +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/af/rvu_devlink.c | 464 +++++------------- + 1 file changed, 133 insertions(+), 331 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index c3da400e87eba..8a63277aab1af 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -13,26 +13,16 @@ + + #define DRV_NAME "octeontx2-af" + +-static int rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) ++static void rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) + { +- int err; +- +- err = devlink_fmsg_pair_nest_start(fmsg, name); +- if (err) +- return err; +- +- return devlink_fmsg_obj_nest_start(fmsg); ++ devlink_fmsg_pair_nest_start(fmsg, name); ++ devlink_fmsg_obj_nest_start(fmsg); + } + +-static int rvu_report_pair_end(struct devlink_fmsg *fmsg) ++static void rvu_report_pair_end(struct devlink_fmsg *fmsg) + { +- int err; +- +- err = devlink_fmsg_obj_nest_end(fmsg); +- if (err) +- return err; +- +- return devlink_fmsg_pair_nest_end(fmsg); ++ devlink_fmsg_obj_nest_end(fmsg); ++ devlink_fmsg_pair_nest_end(fmsg); + } + + static bool rvu_common_request_irq(struct rvu *rvu, int offset, +@@ -283,175 +273,81 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + { + struct rvu_nix_event_ctx *nix_event_context; + u64 intr_val; +- int err; + + nix_event_context = ctx; + switch (health_reporter) { + case NIX_AF_RVU_INTR: + intr_val = nix_event_context->nix_af_rvu_int; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", +- nix_event_context->nix_af_rvu_int); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", ++ nix_event_context->nix_af_rvu_int); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_GEN: + intr_val = nix_event_context->nix_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", +- nix_event_context->nix_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", ++ nix_event_context->nix_af_rvu_gen); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_ERR: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- if (intr_val & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(6)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(5)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ if (intr_val & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); ++ if (intr_val & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); ++ if (intr_val & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ if (intr_val & BIT_ULL(6)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); ++ if (intr_val & BIT_ULL(5)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); +- if (err) +- return err; +- if (intr_val & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); +- +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); ++ if (intr_val & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); ++ if (intr_val & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); ++ rvu_report_pair_end(fmsg); + break; + default: + return -EINVAL; +@@ -918,181 +814,87 @@ static int rvu_npa_report_show(struct devlink_fmsg *fmsg, void *ctx, + struct rvu_npa_event_ctx *npa_event_context; + unsigned int alloc_dis, free_dis; + u64 intr_val; +- int err; + + npa_event_context = ctx; + switch (health_reporter) { + case NPA_AF_RVU_GEN: + intr_val = npa_event_context->npa_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", +- npa_event_context->npa_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); +- if (err) +- return err; +- } ++ rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", ++ npa_event_context->npa_af_rvu_gen); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); + + free_dis = FIELD_GET(GENMASK(15, 0), intr_val); +- if (free_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); +- if (err) +- return err; +- } ++ if (free_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); ++ if (free_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); ++ if (free_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); ++ if (free_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); + + alloc_dis = FIELD_GET(GENMASK(31, 16), intr_val); +- if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); ++ if (alloc_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); ++ if (alloc_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); ++ if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); ++ ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_ERR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", +- npa_event_context->npa_af_rvu_err); +- if (err) +- return err; +- +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", ++ npa_event_context->npa_af_rvu_err); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_RAS: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", +- npa_event_context->npa_af_rvu_ras); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", ++ npa_event_context->npa_af_rvu_ras); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_INTR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", +- npa_event_context->npa_af_rvu_int); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- return rvu_report_pair_end(fmsg); ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", ++ npa_event_context->npa_af_rvu_int); ++ if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); ++ break; + default: + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-5.15/regulator-pca9450-correct-interrupt-type.patch b/queue-5.15/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..a6346f6e80 --- /dev/null +++ b/queue-5.15/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From a8b686ce66fe7aa25c4ad5d771aa28b84f6bcdb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 756e4807d27a7..ba629181b0869 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -773,7 +773,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) { + dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-5.15/regulator-pca9450-make-irq-optional.patch b/queue-5.15/regulator-pca9450-make-irq-optional.patch new file mode 100644 index 0000000000..270cd83af3 --- /dev/null +++ b/queue-5.15/regulator-pca9450-make-irq-optional.patch @@ -0,0 +1,83 @@ +From d8a06bb441fb1d55d8953fb8ba95c597e90936df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 10:40:34 +0200 +Subject: regulator: pca9450: Make IRQ optional + +From: Frieder Schrempf + +[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ] + +The IRQ line might not be connected on some boards. Allow the driver +to be probed without it. + +Signed-off-by: Frieder Schrempf +Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de +Signed-off-by: Mark Brown +Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type") +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 41 +++++++++++++-------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 556074d7fe242..756e4807d27a7 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -704,11 +704,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + unsigned int device_id, i; + int ret; + +- if (!i2c->irq) { +- dev_err(&i2c->dev, "No IRQ configured?\n"); +- return -EINVAL; +- } +- + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); + if (!pca9450) + return -ENOMEM; +@@ -775,23 +770,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + } + } + +- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, +- pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), +- "pca9450-irq", pca9450); +- if (ret != 0) { +- dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +- pca9450->irq); +- return ret; +- } +- /* Unmask all interrupt except PWRON/WDOG/RSVD */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, +- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | +- IRQ_THERM_105 | IRQ_THERM_125, +- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); +- if (ret) { +- dev_err(&i2c->dev, "Unmask irq error\n"); +- return ret; ++ if (pca9450->irq) { ++ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, ++ pca9450_irq_handler, ++ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ "pca9450-irq", pca9450); ++ if (ret != 0) { ++ dev_err(pca9450->dev, "Failed to request IRQ: %d\n", ++ pca9450->irq); ++ return ret; ++ } ++ /* Unmask all interrupt except PWRON/WDOG/RSVD */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, ++ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | ++ IRQ_THERM_105 | IRQ_THERM_125, ++ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); ++ if (ret) { ++ dev_err(&i2c->dev, "Unmask irq error\n"); ++ return ret; ++ } + } + + /* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */ +-- +2.51.0 + diff --git a/queue-5.15/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch b/queue-5.15/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch new file mode 100644 index 0000000000..3d1d8165ed --- /dev/null +++ b/queue-5.15/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch @@ -0,0 +1,32 @@ +From 0751994a05b9cbe2b7e4e4400a05c93436e33ef8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 03:17:07 -0400 +Subject: Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as + boot-on" + +This reverts commit 018e8512fed90cb3f67851dcd3e4fb0891544871. + +The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead +of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines. + +Reported-by: Marco Mattiolo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +index 948ec59418017..66b86dd292c8a 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +@@ -226,7 +226,6 @@ vreg_l12a_1p8: ldo12 { + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-boot-on; + }; + + vreg_l14a_1p88: ldo14 { +-- +2.51.0 + diff --git a/queue-5.15/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-5.15/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..a5a9ad69e9 --- /dev/null +++ b/queue-5.15/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From bf19658414327c586e117e1cede3c8cddddf1475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 20b9f77a8fb02..e371d6972f8d9 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -319,16 +319,6 @@ int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 499a3e286cd05..407835d23eacf 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -223,7 +223,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -241,6 +241,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-5.15/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-5.15/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..94b7e3605e --- /dev/null +++ b/queue-5.15/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From 9c5b3cf69b6be54be867184029264033e1a855e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 90b4820486990..32f396a8ff34f 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = N_TTY_BUF_SIZE; +@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 8695c3476b..2ab582095b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -99,3 +99,32 @@ powerpc-uaccess-fix-inline-assembly-for-clang-build-.patch remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch remoteproc-mediatek-unprepare-scp-clock-during-syste.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-soc-core-accept-zero-format-at-snd_soc_runtime_.patch +asoc-core-exit-all-links-before-removing-their-compo.patch +asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +regulator-pca9450-make-irq-optional.patch +regulator-pca9450-correct-interrupt-type.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-health-use-retained-error-fmsg-.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch diff --git a/queue-5.15/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-5.15/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..02b92c3966 --- /dev/null +++ b/queue-5.15/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From 5191eef0d9fe8b8c6944e01f3b7eaffd6b524dd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index b61ade10254d4..f1a6b98b8aa98 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1390,7 +1390,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1417,7 +1417,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1432,9 +1432,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 + diff --git a/queue-6.1/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-6.1/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..88888238f1 --- /dev/null +++ b/queue-6.1/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From 5d8c6f7a4ffaf12b462d9116be52e3e710e6d853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 3269a888fb7a9..d147c27bc6455 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1656,7 +1656,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-6.1/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-6.1/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..499ca3aaca --- /dev/null +++ b/queue-6.1/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From ee63991b169fe95bf51baa7149d84ac8c73202ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 0543dda75b99a..a557de7e39410 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -83,8 +83,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new(card, "Headset Jack", + SND_JACK_HEADSET | SND_JACK_LINEOUT | +-- +2.51.0 + diff --git a/queue-6.1/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch b/queue-6.1/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch new file mode 100644 index 0000000000..8f72952431 --- /dev/null +++ b/queue-6.1/asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch @@ -0,0 +1,115 @@ +From e208d6186e79608df510c0da461d003feecae9d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2023 12:32:43 +0200 +Subject: ASoC: core: Do not call link_exit() on uninitialized rtd objects +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amadeusz Sławiński + +[ Upstream commit dd9f9cc1e6b9391140afa5cf27bb47c9e2a08d02 ] + +On init we have sequence: + + for_each_card_prelinks(card, i, dai_link) { + ret = snd_soc_add_pcm_runtime(card, dai_link); + + ret = init_some_other_things(...); + if (ret) + goto probe_end: + + for_each_card_rtds(card, rtd) { + ret = soc_init_pcm_runtime(card, rtd); + +probe_end: + +while on exit: + for_each_card_rtds(card, rtd) + snd_soc_link_exit(rtd); + +If init_some_other_things() step fails due to error we end up with +not fully setup rtds and try to call snd_soc_link_exit on them, which +depending on contents on .link_exit handler, can end up dereferencing +NULL pointer. + +Reviewed-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20230929103243.705433-2-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + include/sound/soc.h | 2 ++ + sound/soc/soc-core.c | 20 +++++++++++++++----- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/include/sound/soc.h b/include/sound/soc.h +index d63ac6d9fbdc4..015d5fff397fa 100644 +--- a/include/sound/soc.h ++++ b/include/sound/soc.h +@@ -1110,6 +1110,8 @@ struct snd_soc_pcm_runtime { + unsigned int pop_wait:1; + unsigned int fe_compr:1; /* for Dynamic PCM */ + ++ bool initialized; ++ + int num_components; + struct snd_soc_component *components[]; /* CPU/Codec/Platform */ + }; +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index d42cba7de0a3b..835a9251c074b 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1256,7 +1256,7 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + snd_soc_runtime_get_dai_fmt(rtd); + ret = snd_soc_runtime_set_dai_fmt(rtd, dai_link->dai_fmt); + if (ret) +- return ret; ++ goto err; + + /* add DPCM sysfs entries */ + soc_dpcm_debugfs_add(rtd); +@@ -1281,17 +1281,26 @@ static int soc_init_pcm_runtime(struct snd_soc_card *card, + /* create compress_device if possible */ + ret = snd_soc_dai_compress_new(cpu_dai, rtd, num); + if (ret != -ENOTSUPP) +- return ret; ++ goto err; + + /* create the pcm */ + ret = soc_new_pcm(rtd, num); + if (ret < 0) { + dev_err(card->dev, "ASoC: can't create pcm %s :%d\n", + dai_link->stream_name, ret); +- return ret; ++ goto err; + } + +- return snd_soc_pcm_dai_new(rtd); ++ ret = snd_soc_pcm_dai_new(rtd); ++ if (ret < 0) ++ goto err; ++ ++ rtd->initialized = true; ++ ++ return 0; ++err: ++ snd_soc_link_exit(rtd); ++ return ret; + } + + static void soc_set_name_prefix(struct snd_soc_card *card, +@@ -1894,7 +1903,8 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + /* release machine specific resources */ + for_each_card_rtds(card, rtd) +- snd_soc_link_exit(rtd); ++ if (rtd->initialized) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.1/asoc-core-exit-all-links-before-removing-their-compo.patch b/queue-6.1/asoc-core-exit-all-links-before-removing-their-compo.patch new file mode 100644 index 0000000000..e3fdb84421 --- /dev/null +++ b/queue-6.1/asoc-core-exit-all-links-before-removing-their-compo.patch @@ -0,0 +1,90 @@ +From 5a5f55d9073e05d218f91dd7ec1c1e969e5aef6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 10:58:40 +0200 +Subject: ASoC: core: Exit all links before removing their components +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit c7eb967d70446971413061effca3226578cb4dab ] + +Flows leading to link->init() and link->exit() are not symmetric. +Currently the relevant part of card probe sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->probe() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->probe() + for_each_card_rtds(card, rtd) + rtd->init() + +On the other side, equivalent remove sequence goes as: + + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + for_each_card_rtds(card, rtd) + rtd->exit() + +what can lead to errors as link->exit() may still operate on resources +owned by its components despite the probability of them being freed +during the component->remove(). + +This change modifies the remove sequence to: + + for_each_card_rtds(card, rtd) + rtd->exit() + for_each_card_rtds(card, rtd) + for_each_rtd_dais(rtd, i, dai) + dai->remove() + for_each_card_rtds(card, rtd) + for_each_rtd_components(rtd, i, component) + component->remove() + +so code found in link->exit() is safe to touch any component stuff as +component->remove() has not been called yet. + +Signed-off-by: Cezary Rojewski +Reviewed-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20221027085840.1562698-1-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Stable-dep-of: 95bc5c225513 ("ASoC: soc-core: flush delayed work before removing DAIs and widgets") +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index cb95a9293343f..d42cba7de0a3b 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -941,9 +941,6 @@ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card, + + lockdep_assert_held(&client_mutex); + +- /* release machine specific resources */ +- snd_soc_link_exit(rtd); +- + /* + * Notify the machine driver for extra destruction + */ +@@ -1895,6 +1892,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + + snd_soc_dapm_shutdown(card); + ++ /* release machine specific resources */ ++ for_each_card_rtds(card, rtd) ++ snd_soc_link_exit(rtd); + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.1/asoc-detect-empty-dmi-strings.patch b/queue-6.1/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..0447b9879a --- /dev/null +++ b/queue-6.1/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From e5b6b847ef3443a7692f7f60ded76b791212d66e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index c673453e8a747..dfd58d9db7c1f 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1628,12 +1628,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-6.1/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-6.1/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..f2e23c3b64 --- /dev/null +++ b/queue-6.1/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 06dee395f76ecfd8b28902c7503ba59618ba8793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 80192b089f250..cb95a9293343f 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -381,8 +381,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-6.1/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-6.1/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..5ddd5a0ff9 --- /dev/null +++ b/queue-6.1/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From dc1813e1158866d8eead1aeb84251e4d90dbfbbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 835a9251c074b..c673453e8a747 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1905,6 +1905,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.1/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-6.1/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..67eacfb205 --- /dev/null +++ b/queue-6.1/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From de8c1059253a131375cd6ac8be5d7955128480f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8ff1c34b4db63..2296ca9003016 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2801,8 +2801,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-6.1/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-6.1/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..9704d8f255 --- /dev/null +++ b/queue-6.1/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From 6ee2c39cdd3247111d4717285d8cf59ef3828f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 1acd4fc7adc8b..2038b864832c9 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-6.1/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-6.1/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..125fe5bdc6 --- /dev/null +++ b/queue-6.1/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From 530ffeab00cb2c80f5b387f2041d54060a4bd319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 50436fee40463..372481e945513 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index cbd8357c61edc..fd056c17bd62e 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5632,8 +5632,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-6.1/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-6.1/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..b8324dec06 --- /dev/null +++ b/queue-6.1/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From 382165bb3ad19a581123168bec1745aff2aeec8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 1bba77347efbb..73ef73c69bd0a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3755,10 +3755,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3813,7 +3813,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3901,10 +3901,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-6.1/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch b/queue-6.1/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch new file mode 100644 index 0000000000..52d3c0a6c6 --- /dev/null +++ b/queue-6.1/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch @@ -0,0 +1,36 @@ +From 8aa12f20c5e182d265b15f7c05f51d081954077d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:32:34 +0800 +Subject: mctp: i2c: fix skb memory leak in receive path + +From: Haiyue Wang + +[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ] + +When 'midev->allow_rx' is false, the newly allocated skb isn't consumed +by netif_rx(), it needs to free the skb directly. + +Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") +Signed-off-by: Haiyue Wang +Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c +index f77389c7006f8..2eeccc3b70eff 100644 +--- a/drivers/net/mctp/mctp-i2c.c ++++ b/drivers/net/mctp/mctp-i2c.c +@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) + } else { + status = NET_RX_DROP; + spin_unlock_irqrestore(&midev->lock, flags); ++ kfree_skb(skb); + } + + if (status == NET_RX_SUCCESS) { +-- +2.51.0 + diff --git a/queue-6.1/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch b/queue-6.1/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch new file mode 100644 index 0000000000..a8a3e63039 --- /dev/null +++ b/queue-6.1/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch @@ -0,0 +1,85 @@ +From f91b0f1b66553a1e79a5cc38bfca85bc858ce2b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 03:14:02 +0000 +Subject: mctp: route: hold key->lock in mctp_flow_prepare_output() + +From: Chengfeng Ye + +[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ] + +mctp_flow_prepare_output() checks key->dev and may call +mctp_dev_set_key(), but it does not hold key->lock while doing so. + +mctp_dev_set_key() and mctp_dev_release_key() are annotated with +__must_hold(&key->lock), so key->dev access is intended to be +serialized by key->lock. The mctp_sendmsg() transmit path reaches +mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() +without holding key->lock, so the check-and-set sequence is racy. + +Example interleaving: + + CPU0 CPU1 + ---- ---- + mctp_flow_prepare_output(key, devA) + if (!key->dev) // sees NULL + mctp_flow_prepare_output( + key, devB) + if (!key->dev) // still NULL + mctp_dev_set_key(devB, key) + mctp_dev_hold(devB) + key->dev = devB + mctp_dev_set_key(devA, key) + mctp_dev_hold(devA) + key->dev = devA // overwrites devB + +Now both devA and devB references were acquired, but only the final +key->dev value is tracked for release. One reference can be lost, +causing a resource leak as mctp_dev_release_key() would only decrease +the reference on one dev. + +Fix by taking key->lock around the key->dev check and +mctp_dev_set_key() call. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Signed-off-by: Chengfeng Ye +Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 62952ad5cb636..fdeaf80691e55 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -267,6 +267,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + { + struct mctp_sk_key *key; + struct mctp_flow *flow; ++ unsigned long flags; + + flow = skb_ext_find(skb, SKB_EXT_MCTP); + if (!flow) +@@ -274,12 +275,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (key->dev) { ++ spin_lock_irqsave(&key->lock, flags); ++ ++ if (!key->dev) ++ mctp_dev_set_key(dev, key); ++ else + WARN_ON(key->dev != dev); +- return; +- } + +- mctp_dev_set_key(dev, key); ++ spin_unlock_irqrestore(&key->lock, flags); + } + #else + static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} +-- +2.51.0 + diff --git a/queue-6.1/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch b/queue-6.1/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch new file mode 100644 index 0000000000..a7b2b29894 --- /dev/null +++ b/queue-6.1/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch @@ -0,0 +1,92 @@ +From f12596348d7e7395672de9173b8caae6da0107ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:50:54 -0300 +Subject: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ] + +When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never +initialized because inet6_init() exits before ndisc_init() is called +which initializes it. If bonding ARP/NS validation is enabled, an IPv6 +NS/NA packet received on a slave can reach bond_validate_na(), which +calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can +crash in __ipv6_chk_addr_and_flags(). + + BUG: kernel NULL pointer dereference, address: 00000000000005d8 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 + Call Trace: + + ipv6_chk_addr+0x1f/0x30 + bond_validate_na+0x12e/0x1d0 [bonding] + ? __pfx_bond_handle_frame+0x10/0x10 [bonding] + bond_rcv_validate+0x1a0/0x450 [bonding] + bond_handle_frame+0x5e/0x290 [bonding] + ? srso_alias_return_thunk+0x5/0xfbef5 + __netif_receive_skb_core.constprop.0+0x3e8/0xe50 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? update_cfs_rq_load_avg+0x1a/0x240 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __enqueue_entity+0x5e/0x240 + __netif_receive_skb_one_core+0x39/0xa0 + process_backlog+0x9c/0x150 + __napi_poll+0x30/0x200 + ? srso_alias_return_thunk+0x5/0xfbef5 + net_rx_action+0x338/0x3b0 + handle_softirqs+0xc9/0x2a0 + do_softirq+0x42/0x60 + + + __local_bh_enable_ip+0x62/0x70 + __dev_queue_xmit+0x2d3/0x1000 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? packet_parse_headers+0x10a/0x1a0 + packet_sendmsg+0x10da/0x1700 + ? kick_pool+0x5f/0x140 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __queue_work+0x12d/0x4f0 + __sys_sendto+0x1f3/0x220 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x101/0xf80 + ? exc_page_fault+0x6e/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to +bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() +and avoid the path to ipv6_chk_addr(). + +Suggested-by: Fernando Fernandez Mancera +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 2296ca9003016..7fe7485fbb160 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3387,7 +3387,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); + #if IS_ENABLED(CONFIG_IPV6) +- } else if (is_ipv6) { ++ } else if (is_ipv6 && likely(ipv6_mod_enabled())) { + return bond_na_rcv(skb, bond, slave); + #endif + } else { +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch b/queue-6.1/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch new file mode 100644 index 0000000000..3ff96b1e23 --- /dev/null +++ b/queue-6.1/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch @@ -0,0 +1,48 @@ +From 0f696cbc13c0aeece460adc5a9a45d8669c3800c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:25:12 -0300 +Subject: net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets + +From: Mieczyslaw Nalewaj + +[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ] + +rx_packets should report the number of frames successfully received: +unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX +counter) is incorrect and can undercount RX packets. RX drops are +already reported via rx_dropped (e.g. etherStatsDropEvents), so +there is no need to adjust rx_packets. + +This patch removes the subtraction of ifOutDiscards from rx_packets +in rtl8365mb_stats_update(). + +Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/ +Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC") +Signed-off-by: Mieczyslaw Nalewaj +Signed-off-by: Luiz Angelo Daros de Luca +Reviewed-by: Simon Horman +Acked-by: Linus Walleij +Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8365mb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c +index abdff73aa9c32..c22e69ab0deb1 100644 +--- a/drivers/net/dsa/realtek/rtl8365mb.c ++++ b/drivers/net/dsa/realtek/rtl8365mb.c +@@ -1451,8 +1451,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port) + + stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] + + cnt[RTL8365MB_MIB_ifInMulticastPkts] + +- cnt[RTL8365MB_MIB_ifInBroadcastPkts] - +- cnt[RTL8365MB_MIB_ifOutDiscards]; ++ cnt[RTL8365MB_MIB_ifInBroadcastPkts]; + + stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] + + cnt[RTL8365MB_MIB_ifOutMulticastPkts] + +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch b/queue-6.1/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch new file mode 100644 index 0000000000..02fa4edba4 --- /dev/null +++ b/queue-6.1/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch @@ -0,0 +1,152 @@ +From 9f33f9514606b10bbe2bd27326f0b06a6e74a002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:10:19 +0200 +Subject: net/mlx5: Fix deadlock between devlink lock and esw->wq + +From: Cosmin Ratiu + +[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ] + +esw->work_queue executes esw_functions_changed_event_handler -> +esw_vfs_changed_event_handler and acquires the devlink lock. + +.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> +mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> +mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks +when esw_vfs_changed_event_handler executes. + +Fix that by no longer flushing the work to avoid the deadlock, and using +a generation counter to keep track of work relevance. This avoids an old +handler manipulating an esw that has undergone one or more mode changes: +- the counter is incremented in mlx5_eswitch_event_handler_unregister. +- the counter is read and passed to the ephemeral mlx5_host_work struct. +- the work handler takes the devlink lock and bails out if the current + generation is different than the one it was scheduled to operate on. +- mlx5_eswitch_cleanup does the final draining before destroying the wq. + +No longer flushing the workqueue has the side effect of maybe no longer +cancelling pending vport_change_handler work items, but that's ok since +those are disabled elsewhere: +- mlx5_eswitch_disable_locked disables the vport eq notifier. +- mlx5_esw_vport_disable disarms the HW EQ notification and marks + vport->enabled under state_lock to false to prevent pending vport + handler from doing anything. +- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events + are disabled/finished. + +Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Moshe Shemesh +Reviewed-by: Dragos Tatulea +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++----- + 3 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 3255af4313a29..8b2b78f05cbe7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -999,10 +999,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + + static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { +- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS && ++ mlx5_eswitch_is_funcs_handler(esw->dev)) { + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); +- +- flush_workqueue(esw->work_queue); ++ atomic_inc(&esw->esw_funcs.generation); ++ } + } + + static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index ff20b43a551de..00d169a11a0a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -275,10 +275,12 @@ struct esw_mc_addr { /* SRIOV only */ + struct mlx5_host_work { + struct work_struct work; + struct mlx5_eswitch *esw; ++ int work_gen; + }; + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ atomic_t generation; + bool host_funcs_disabled; + u16 num_vfs; + }; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index f7f1eae998b5e..2a64d0fd2fe52 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3207,22 +3207,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw) + } + + static void +-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) ++esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen, ++ const u32 *out) + { + struct devlink *devlink; + bool host_pf_disabled; + u16 new_num_vfs; + ++ devlink = priv_to_devlink(esw->dev); ++ devl_lock(devlink); ++ ++ /* Stale work from one or more mode changes ago. Bail out. */ ++ if (work_gen != atomic_read(&esw->esw_funcs.generation)) ++ goto unlock; ++ + new_num_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_num_of_vfs); + host_pf_disabled = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_pf_disabled); + + if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled) +- return; ++ goto unlock; + +- devlink = priv_to_devlink(esw->dev); +- devl_lock(devlink); + /* Number of VFs can only change from "0 to x" or "x to 0". */ + if (esw->esw_funcs.num_vfs > 0) { + mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs); +@@ -3237,6 +3243,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) + } + } + esw->esw_funcs.num_vfs = new_num_vfs; ++unlock: + devl_unlock(devlink); + } + +@@ -3253,7 +3260,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work) + if (IS_ERR(out)) + goto out; + +- esw_vfs_changed_event_handler(esw, out); ++ esw_vfs_changed_event_handler(esw, host_work->work_gen, out); + kvfree(out); + out: + kfree(host_work); +@@ -3273,6 +3280,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type + esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs); + + host_work->esw = esw; ++ host_work->work_gen = atomic_read(&esw_funcs->generation); + + INIT_WORK(&host_work->work, esw_functions_changed_event_handler); + queue_work(esw->work_queue, &host_work->work); +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5-ifc-updates-for-disabled-host-pf.patch b/queue-6.1/net-mlx5-ifc-updates-for-disabled-host-pf.patch new file mode 100644 index 0000000000..1ef63e950f --- /dev/null +++ b/queue-6.1/net-mlx5-ifc-updates-for-disabled-host-pf.patch @@ -0,0 +1,40 @@ +From d89ebf74330f934d8e0c5e0816d654bb91363e02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 15:41:07 +0300 +Subject: net/mlx5: IFC updates for disabled host PF + +From: Daniel Jurgens + +[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ] + +The port 2 host PF can be disabled, this bit reflects that setting. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 4df7b3d358607..9610b325f2b61 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -11496,7 +11496,9 @@ struct mlx5_ifc_mtrc_ctrl_bits { + + struct mlx5_ifc_host_params_context_bits { + u8 host_number[0x8]; +- u8 reserved_at_8[0x7]; ++ u8 reserved_at_8[0x5]; ++ u8 host_pf_not_exist[0x1]; ++ u8 reserved_at_14[0x1]; + u8 host_pf_disabled[0x1]; + u8 host_num_of_vfs[0x10]; + +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5-query-to-see-if-host-pf-is-disabled.patch b/queue-6.1/net-mlx5-query-to-see-if-host-pf-is-disabled.patch new file mode 100644 index 0000000000..153ffb5a28 --- /dev/null +++ b/queue-6.1/net-mlx5-query-to-see-if-host-pf-is-disabled.patch @@ -0,0 +1,80 @@ +From 17668776f31800bbfab5218db9334fecff8019ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 22:19:55 +0300 +Subject: net/mlx5: Query to see if host PF is disabled + +From: Daniel Jurgens + +[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ] + +The host PF can be disabled, query firmware to check if the host PF of +this function exists. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++ + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 + + 2 files changed, 24 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 9ba825df9be0e..3255af4313a29 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -969,6 +969,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev) + return ERR_PTR(err); + } + ++static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw) ++{ ++ const u32 *query_host_out; ++ ++ if (!mlx5_core_is_ecpf_esw_manager(esw->dev)) ++ return 0; ++ ++ query_host_out = mlx5_esw_query_functions(esw->dev); ++ if (IS_ERR(query_host_out)) ++ return PTR_ERR(query_host_out); ++ ++ esw->esw_funcs.host_funcs_disabled = ++ MLX5_GET(query_esw_functions_out, query_host_out, ++ host_params_context.host_pf_not_exist); ++ ++ kvfree(query_host_out); ++ return 0; ++} ++ + static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + { + if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) { +@@ -1596,6 +1615,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev) + goto abort; + } + ++ err = mlx5_esw_host_functions_enabled_query(esw); ++ if (err) ++ goto abort; ++ + err = mlx5_esw_vports_init(esw); + if (err) + goto abort; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index a3daca44f74b1..ff20b43a551de 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -279,6 +279,7 @@ struct mlx5_host_work { + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ bool host_funcs_disabled; + u16 num_vfs; + }; + +-- +2.51.0 + diff --git a/queue-6.1/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-6.1/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..81487cc43f --- /dev/null +++ b/queue-6.1/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From 309da7e44da04efff6f9ea892c297d4f909e046e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 02d9fb0c5ec24..7c39f14e57cd8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -33,7 +33,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-6.1/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-6.1/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..6cc9b94ec0 --- /dev/null +++ b/queue-6.1/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From 03bb7a1de3b4cde9dd4c9eebc13cff771fc101db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 0a7856e14a975..c89cb6eba27da 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-6.1/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..afa7002b09 --- /dev/null +++ b/queue-6.1/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From 1634c4cb0b7fe764e61747a761cd6915b45c68b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 97248963a7d3b..71a248cca746a 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-6.1/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..5498b6ce70 --- /dev/null +++ b/queue-6.1/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From b80a30eee17b419b269149652f51bc6cf49bac6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index f13eed826cbb8..4e0d1362875bd 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1262,8 +1262,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-6.1/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-6.1/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..f1930d80c9 --- /dev/null +++ b/queue-6.1/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From 9a34b0d30f18662cf39f4c54429a515d883e497e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 863162c823306..c8a5618742381 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1541,6 +1541,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1560,7 +1561,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-6.1/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-6.1/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..2d777d720f --- /dev/null +++ b/queue-6.1/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From 3b562aa0c0094fa7495b956a3c2a4f4e4df5dc8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index 11ec2abf0c727..73f50dc01b19f 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -56,8 +56,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-6.1/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-6.1/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..222901cd99 --- /dev/null +++ b/queue-6.1/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From 7232aa28ff41b6efba69a11a564e36df55379757 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index 3f6a9770f74ba..9733f49847a6d 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); +-- +2.51.0 + diff --git a/queue-6.1/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch b/queue-6.1/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch new file mode 100644 index 0000000000..7d977a7b96 --- /dev/null +++ b/queue-6.1/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch @@ -0,0 +1,122 @@ +From a3d9ada69cded1c9d8665c801ddb728d59e5571d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 14:46:36 -0500 +Subject: nvme-pci: Fix race bug in nvme_poll_irqdisable() + +From: Sungwoo Kim + +[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ] + +In the following scenario, pdev can be disabled between (1) and (3) by +(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will +return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). +This causes IRQ warning because it tries to enable INTx IRQ that has +never been disabled before. + +To fix this, save IRQ number into a local variable and ensure +disable_irq() and enable_irq() operate on the same IRQ number. Even if +pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and +enable_irq() on a stale IRQ number is still valid and safe, and the +depth accounting reamins balanced. + +task 1: +nvme_poll_irqdisable() + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) + +task 2: +nvme_reset_work() + nvme_dev_disable() + pdev->msix_enable = 0; ...(2) + +crash log: + +------------[ cut here ]------------ +Unbalanced enable for IRQ 10 +WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 +Modules linked in: +CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_timeout_work +RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 +Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 +RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 +RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 +RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 +RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 +R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 +R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 +FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 +Call Trace: + + enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 + nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 + nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 + blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] + blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 + bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 + __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] + sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] + bt_for_each block/blk-mq-tag.c:324 [inline] + blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 + blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +irq event stamp: 74478 +hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] +hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 +hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] +hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 +softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +---[ end trace 0000000000000000 ]--- + +Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Reviewed-by: Christoph Hellwig +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 9f3d5959755fd..518f8c5012bdf 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1150,14 +1150,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data) + static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + { + struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev); ++ int irq; + + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + +- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ irq = pci_irq_vector(pdev, nvmeq->cq_vector); ++ disable_irq(irq); + spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); + spin_unlock(&nvmeq->cq_poll_lock); +- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ enable_irq(irq); + } + + static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) +-- +2.51.0 + diff --git a/queue-6.1/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-6.1/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..c2920efd5b --- /dev/null +++ b/queue-6.1/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 8b205a57c8e8071c4cca49e2d1400a05c5fd97a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 7ee4362f0ccae..9f3d5959755fd 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -329,7 +329,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..9fac861851 --- /dev/null +++ b/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From 0d67d5f868f86941758365939e86897cc44fd4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 32fa8f2c5f4ee..48ce98ae56611 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -579,7 +579,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..93acde53d2 --- /dev/null +++ b/queue-6.1/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From a5c28672205f54c9dc168e50c702de323d1e5258 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index ae06742670dc8..d3aed339c69c3 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch b/queue-6.1/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch new file mode 100644 index 0000000000..4493ba9731 --- /dev/null +++ b/queue-6.1/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch @@ -0,0 +1,550 @@ +From b126ac798880226eabecae0aca5e9c5edd9afac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 22:26:42 +0200 +Subject: octeontx2-af: devlink health: use retained error fmsg API + +From: Przemek Kitszel + +[ Upstream commit d8cf03fca3411de8a493dae5e9fcf815a4f0977e ] + +Drop unneeded error checking. + +devlink_fmsg_*() family of functions is now retaining errors, +so there is no need to check for them after each call. + +Reviewed-by: Jesse Brandeburg +Reviewed-by: Jiri Pirko +Signed-off-by: Przemek Kitszel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87f7dff3ec75 ("octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status") +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/af/rvu_devlink.c | 464 +++++------------- + 1 file changed, 133 insertions(+), 331 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 48ce98ae56611..ae06742670dc8 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -14,26 +14,16 @@ + + #define DRV_NAME "octeontx2-af" + +-static int rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) ++static void rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) + { +- int err; +- +- err = devlink_fmsg_pair_nest_start(fmsg, name); +- if (err) +- return err; +- +- return devlink_fmsg_obj_nest_start(fmsg); ++ devlink_fmsg_pair_nest_start(fmsg, name); ++ devlink_fmsg_obj_nest_start(fmsg); + } + +-static int rvu_report_pair_end(struct devlink_fmsg *fmsg) ++static void rvu_report_pair_end(struct devlink_fmsg *fmsg) + { +- int err; +- +- err = devlink_fmsg_obj_nest_end(fmsg); +- if (err) +- return err; +- +- return devlink_fmsg_pair_nest_end(fmsg); ++ devlink_fmsg_obj_nest_end(fmsg); ++ devlink_fmsg_pair_nest_end(fmsg); + } + + static bool rvu_common_request_irq(struct rvu *rvu, int offset, +@@ -284,175 +274,81 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + { + struct rvu_nix_event_ctx *nix_event_context; + u64 intr_val; +- int err; + + nix_event_context = ctx; + switch (health_reporter) { + case NIX_AF_RVU_INTR: + intr_val = nix_event_context->nix_af_rvu_int; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", +- nix_event_context->nix_af_rvu_int); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", ++ nix_event_context->nix_af_rvu_int); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_GEN: + intr_val = nix_event_context->nix_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", +- nix_event_context->nix_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", ++ nix_event_context->nix_af_rvu_gen); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_ERR: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- if (intr_val & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(6)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(5)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ if (intr_val & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); ++ if (intr_val & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); ++ if (intr_val & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ if (intr_val & BIT_ULL(6)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); ++ if (intr_val & BIT_ULL(5)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); +- if (err) +- return err; +- if (intr_val & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); +- +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); ++ if (intr_val & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); ++ if (intr_val & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); ++ rvu_report_pair_end(fmsg); + break; + default: + return -EINVAL; +@@ -919,181 +815,87 @@ static int rvu_npa_report_show(struct devlink_fmsg *fmsg, void *ctx, + struct rvu_npa_event_ctx *npa_event_context; + unsigned int alloc_dis, free_dis; + u64 intr_val; +- int err; + + npa_event_context = ctx; + switch (health_reporter) { + case NPA_AF_RVU_GEN: + intr_val = npa_event_context->npa_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", +- npa_event_context->npa_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); +- if (err) +- return err; +- } ++ rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", ++ npa_event_context->npa_af_rvu_gen); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); + + free_dis = FIELD_GET(GENMASK(15, 0), intr_val); +- if (free_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); +- if (err) +- return err; +- } ++ if (free_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); ++ if (free_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); ++ if (free_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); ++ if (free_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); + + alloc_dis = FIELD_GET(GENMASK(31, 16), intr_val); +- if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); ++ if (alloc_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); ++ if (alloc_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); ++ if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); ++ ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_ERR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", +- npa_event_context->npa_af_rvu_err); +- if (err) +- return err; +- +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", ++ npa_event_context->npa_af_rvu_err); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_RAS: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", +- npa_event_context->npa_af_rvu_ras); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", ++ npa_event_context->npa_af_rvu_ras); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_INTR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", +- npa_event_context->npa_af_rvu_int); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- return rvu_report_pair_end(fmsg); ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", ++ npa_event_context->npa_af_rvu_int); ++ if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); ++ break; + default: + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.1/regulator-pca9450-correct-interrupt-type.patch b/queue-6.1/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..ed2e755a77 --- /dev/null +++ b/queue-6.1/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From 213bb71c59854546d94795ac15b408def80fd7b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 8848afa48598f..7922af4f7895b 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -782,7 +782,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) { + dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-6.1/regulator-pca9450-make-irq-optional.patch b/queue-6.1/regulator-pca9450-make-irq-optional.patch new file mode 100644 index 0000000000..2f561579b1 --- /dev/null +++ b/queue-6.1/regulator-pca9450-make-irq-optional.patch @@ -0,0 +1,83 @@ +From 4d75e2b79f7dbd02ce12532180c7b9bcf611a828 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 10:40:34 +0200 +Subject: regulator: pca9450: Make IRQ optional + +From: Frieder Schrempf + +[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ] + +The IRQ line might not be connected on some boards. Allow the driver +to be probed without it. + +Signed-off-by: Frieder Schrempf +Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de +Signed-off-by: Mark Brown +Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type") +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 41 +++++++++++++-------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 0fcda40cefa6d..8848afa48598f 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -713,11 +713,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + unsigned int reset_ctrl; + int ret; + +- if (!i2c->irq) { +- dev_err(&i2c->dev, "No IRQ configured?\n"); +- return -EINVAL; +- } +- + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); + if (!pca9450) + return -ENOMEM; +@@ -784,23 +779,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c, + } + } + +- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, +- pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), +- "pca9450-irq", pca9450); +- if (ret != 0) { +- dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +- pca9450->irq); +- return ret; +- } +- /* Unmask all interrupt except PWRON/WDOG/RSVD */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, +- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | +- IRQ_THERM_105 | IRQ_THERM_125, +- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); +- if (ret) { +- dev_err(&i2c->dev, "Unmask irq error\n"); +- return ret; ++ if (pca9450->irq) { ++ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, ++ pca9450_irq_handler, ++ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ "pca9450-irq", pca9450); ++ if (ret != 0) { ++ dev_err(pca9450->dev, "Failed to request IRQ: %d\n", ++ pca9450->irq); ++ return ret; ++ } ++ /* Unmask all interrupt except PWRON/WDOG/RSVD */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, ++ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | ++ IRQ_THERM_105 | IRQ_THERM_125, ++ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); ++ if (ret) { ++ dev_err(&i2c->dev, "Unmask irq error\n"); ++ return ret; ++ } + } + + /* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */ +-- +2.51.0 + diff --git a/queue-6.1/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch b/queue-6.1/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch new file mode 100644 index 0000000000..37292c2db7 --- /dev/null +++ b/queue-6.1/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch @@ -0,0 +1,32 @@ +From dd138d45bd183e8f0fbe483f72d4f7afceaebdad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 03:16:59 -0400 +Subject: Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as + boot-on" + +This reverts commit d2a3230c1f655e5d1560ec005805f800b9873292. + +The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead +of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines. + +Reported-by: Marco Mattiolo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +index ab2a9d1ff8865..281e1178a2f46 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +@@ -224,7 +224,6 @@ vreg_l12a_1p8: ldo12 { + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-boot-on; + }; + + vreg_l14a_1p88: ldo14 { +-- +2.51.0 + diff --git a/queue-6.1/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-6.1/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..c1ada17a04 --- /dev/null +++ b/queue-6.1/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From ff5779a49754ad0b5caf1897fe39c26477ebfd66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 482bf87354a38..fdd25271106a3 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -324,16 +324,6 @@ int cpuidle_enter_state(struct cpuidle_device *dev, struct cpuidle_driver *drv, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 200a0fac03b8e..6ff593a8eeb17 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -220,7 +220,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -238,6 +238,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-6.1/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-6.1/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..261ea01b6c --- /dev/null +++ b/queue-6.1/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From ff94d97e96298e6164127a206b6b84cb2ca85694 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 737faeaf847fe..03288b6436467 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = N_TTY_BUF_SIZE; +@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index c546b5c0b1..345807cbc3 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -157,3 +157,40 @@ powerpc-uaccess-fix-inline-assembly-for-clang-build-.patch remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch remoteproc-mediatek-unprepare-scp-clock-during-syste.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5-ifc-updates-for-disabled-host-pf.patch +net-mlx5-query-to-see-if-host-pf-is-disabled.patch +net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-core-exit-all-links-before-removing-their-compo.patch +asoc-core-do-not-call-link_exit-on-uninitialized-rtd.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +mctp-i2c-fix-skb-memory-leak-in-receive-path.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +regulator-pca9450-make-irq-optional.patch +regulator-pca9450-correct-interrupt-type.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch +net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-health-use-retained-error-fmsg-.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +usb-gadget-f_mass_storage-fix-potential-integer-over.patch +revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch diff --git a/queue-6.1/usb-gadget-f_mass_storage-fix-potential-integer-over.patch b/queue-6.1/usb-gadget-f_mass_storage-fix-potential-integer-over.patch new file mode 100644 index 0000000000..a0f6bfe402 --- /dev/null +++ b/queue-6.1/usb-gadget-f_mass_storage-fix-potential-integer-over.patch @@ -0,0 +1,72 @@ +From 77764fa7b3f42e69398edb1482a0c58513d11f4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 05:43:25 -0500 +Subject: usb: gadget: f_mass_storage: Fix potential integer overflow in + check_command_size_in_blocks() + +From: Seungjin Bae + +[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] + +The `check_command_size_in_blocks()` function calculates the data size +in bytes by left shifting `common->data_size_from_cmnd` by the block +size (`common->curlun->blkbits`). However, it does not validate whether +this shift operation will cause an integer overflow. + +Initially, the block size is set up in `fsg_lun_open()` , and the +`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During +initialization, there is no integer overflow check for the interaction +between two variables. + +So if a malicious USB host sends a SCSI READ or WRITE command +requesting a large amount of data (`common->data_size_from_cmnd`), the +left shift operation can wrap around. This results in a truncated data +size, which can bypass boundary checks and potentially lead to memory +corruption or out-of-bounds accesses. + +Fix this by using the check_shl_overflow() macro to safely perform the +shift and catch any overflows. + +Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") +Signed-off-by: Seungjin Bae +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index d35f30a9cae2c..e364b7b4d82b9 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -179,6 +179,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1852,8 +1853,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, + int cmnd_size, enum data_direction data_dir, + unsigned int mask, int needs_medium, const char *name) + { +- if (common->curlun) +- common->data_size_from_cmnd <<= common->curlun->blkbits; ++ if (common->curlun) { ++ if (check_shl_overflow(common->data_size_from_cmnd, ++ common->curlun->blkbits, ++ &common->data_size_from_cmnd)) { ++ common->phase_error = 1; ++ return -EINVAL; ++ } ++ } ++ + return check_command(common, cmnd_size, data_dir, + mask, needs_medium, name); + } +-- +2.51.0 + diff --git a/queue-6.1/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-6.1/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..33efb3b408 --- /dev/null +++ b/queue-6.1/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From 3c0c3cc2d4f5c4e43cf214d65b03f49c9e00bc19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index cb909329a5039..4132a505d742a 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1389,7 +1389,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1404,9 +1404,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 + diff --git a/queue-6.12/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-6.12/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..8b410efd30 --- /dev/null +++ b/queue-6.12/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From a28de119d8d1132497d034ffcf0faa623ea994b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 70af3fbbebe54..6537644faf381 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1649,7 +1649,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-6.12/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch b/queue-6.12/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch new file mode 100644 index 0000000000..067ce51113 --- /dev/null +++ b/queue-6.12/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch @@ -0,0 +1,63 @@ +From cb9197978a421f69da83c83408f4cd2d756a2c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:27 +0530 +Subject: amd-xgbe: fix link status handling in xgbe_rx_adaptation + +From: Raju Rangoju + +[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ] + +The link status bit is latched low to allow detection of momentary +link drops. If the status indicates that the link is already down, +read it again to obtain the current state. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 6d2c401bb246e..469b28c159e7d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2050,7 +2050,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +- unsigned int reg; ++ int reg; + + /* step 2: force PCS to send RX_ADAPT Req to PHY */ + XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4, +@@ -2072,11 +2072,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + + /* Step 4: Check for Block lock */ + +- /* Link status is latched low, so read once to clear +- * and then read again to get current state +- */ +- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); + reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ ++ /* Link status is latched low so that momentary link drops ++ * can be detected. If link was already down read again ++ * to get the latest state. ++ */ ++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) { ++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ } ++ + if (reg & MDIO_STAT1_LSTATUS) { + /* If the block lock is found, update the helpers + * and declare the link up +-- +2.51.0 + diff --git a/queue-6.12/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch b/queue-6.12/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch new file mode 100644 index 0000000000..d694c06a76 --- /dev/null +++ b/queue-6.12/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch @@ -0,0 +1,168 @@ +From 49892f8d64bb351db02f7bf108f292b9aac1b872 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:28 +0530 +Subject: amd-xgbe: prevent CRC errors during RX adaptation with AN disabled + +From: Raju Rangoju + +[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ] + +When operating in 10GBASE-KR mode with auto-negotiation disabled and RX +adaptation enabled, CRC errors can occur during the RX adaptation +process. This happens because the driver continues transmitting and +receiving packets while adaptation is in progress. + +Fix this by stopping TX/RX immediately when the link goes down and RX +adaptation needs to be re-triggered, and only re-enabling TX/RX after +adaptation completes and the link is confirmed up. Introduce a flag to +track whether TX/RX was disabled for adaptation so it can be restored +correctly. + +This prevents packets from being transmitted or received during the RX +adaptation window and avoids CRC errors from corrupted frames. + +The flag tracking the data path state is synchronized with hardware +state in xgbe_start() to prevent stale state after device restarts. +This ensures that after a restart cycle (where xgbe_stop disables +TX/RX and xgbe_start re-enables them), the flag correctly reflects +that the data path is active. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++ + 3 files changed, 69 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index c6fcddbff3f56..418f4513a0b95 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1338,6 +1338,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + hw_if->enable_tx(pdata); + hw_if->enable_rx(pdata); ++ /* Synchronize flag with hardware state after enabling TX/RX. ++ * This prevents stale state after device restart cycles. ++ */ ++ pdata->data_path_stopped = false; + + udp_tunnel_nic_reset_ntf(netdev); + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 469b28c159e7d..0a99a21af5815 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2125,6 +2125,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata) + xgbe_rx_adaptation(pdata); + } + ++/* ++ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption ++ * @pdata: driver private data ++ * ++ * This function stops the data path (TX and RX) to prevent packet ++ * corruption during critical PHY operations like RX adaptation. ++ * Must be called before initiating RX adaptation when link goes down. ++ */ ++static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (pdata->data_path_stopped) ++ return; ++ ++ /* Stop TX/RX to prevent packet corruption during RX adaptation */ ++ pdata->hw_if.disable_tx(pdata); ++ pdata->hw_if.disable_rx(pdata); ++ pdata->data_path_stopped = true; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "stopping data path for RX adaptation\n"); ++} ++ ++/* ++ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation ++ * @pdata: driver private data ++ * ++ * This function re-enables the data path (TX and RX) after RX adaptation ++ * has completed successfully. Only called when link is confirmed up. ++ */ ++static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (!pdata->data_path_stopped) ++ return; ++ ++ pdata->hw_if.enable_rx(pdata); ++ pdata->hw_if.enable_tx(pdata); ++ pdata->data_path_stopped = false; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "restarting data path after RX adaptation\n"); ++} ++ + static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + { + int reg; +@@ -2918,13 +2960,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (pdata->en_rx_adap) { + /* if the link is available and adaptation is done, + * declare link up ++ * ++ * Note: When link is up and adaptation is done, we can ++ * safely re-enable the data path if it was stopped ++ * for adaptation. + */ +- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) ++ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) { ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + /* If either link is not available or adaptation is not done, + * retrigger the adaptation logic. (if the mode is not set, + * then issue mailbox command first) + */ ++ ++ /* CRITICAL: Stop data path BEFORE triggering RX adaptation ++ * to prevent CRC errors from packets corrupted during ++ * the adaptation process. This is especially important ++ * when AN is OFF in 10G KR mode. ++ */ ++ xgbe_phy_stop_data_path(pdata); ++ + if (pdata->mode_set) { + xgbe_phy_rx_adaptation(pdata); + } else { +@@ -2932,8 +2988,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + xgbe_phy_set_mode(pdata, phy_data->cur_mode); + } + +- if (pdata->rx_adapt_done) ++ if (pdata->rx_adapt_done) { ++ /* Adaptation complete, safe to re-enable data path */ ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + } else if (reg & MDIO_STAT1_LSTATUS) + return 1; + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index c98461252053f..ebe504cb9a117 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -1321,6 +1321,10 @@ struct xgbe_prv_data { + bool en_rx_adap; + int rx_adapt_retries; + bool rx_adapt_done; ++ /* Flag to track if data path (TX/RX) was stopped for RX adaptation. ++ * This prevents packet corruption during the adaptation window. ++ */ ++ bool data_path_stopped; + bool mode_set; + }; + +-- +2.51.0 + diff --git a/queue-6.12/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-6.12/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..ed18b89b35 --- /dev/null +++ b/queue-6.12/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From 8485cb5984bf102a9ff366d00e716b62a3233017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 357dfd016bafd..6c4716565ded0 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new_pins(card, "Headset Jack", + SND_JACK_HEADSET | +-- +2.51.0 + diff --git a/queue-6.12/asoc-detect-empty-dmi-strings.patch b/queue-6.12/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..6d2e75e549 --- /dev/null +++ b/queue-6.12/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From 026f6351db48741b2893841a3867e0f3d98d6685 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index ea6b39003461f..a1e3829914268 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1837,12 +1837,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-6.12/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch b/queue-6.12/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch new file mode 100644 index 0000000000..82452b2537 --- /dev/null +++ b/queue-6.12/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch @@ -0,0 +1,60 @@ +From b504fcc5b52c8e7b9125c9f6b58892839c43fce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 23:21:09 -0500 +Subject: ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays + +From: Sen Wang + +[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ] + +graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end +(ports@1) by calling of_get_child_by_name() to find the first "ports" +child and comparing pointers. This relies on child iteration order +matching DTS source order. + +When the DPCM topology comes from a DT overlay, __of_attach_node() +inserts new children at the head of the sibling list, reversing the +order. of_get_child_by_name() then returns ports@1 instead of ports@0, +causing all front-end links to be classified as back-ends. The card +registers with no PCM devices. + +Fix this by matching the unit address directly from the node name +instead of relying on sibling order. + +Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()") +Signed-off-by: Sen Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 4857ceecbdc4a..c9f92d445f4c9 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -1008,11 +1008,15 @@ int graph_util_is_ports0(struct device_node *np) + else + port = np; + +- struct device_node *ports __free(device_node) = of_get_parent(port); +- struct device_node *top __free(device_node) = of_get_parent(ports); +- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ const char *at = strchr(kbasename(ports->full_name), '@'); + +- return ports0 == ports; ++ /* ++ * Since child iteration order may differ ++ * between a base DT and DT overlays, ++ * string match "ports" or "ports@0" in the node name instead. ++ */ ++ return !at || !strcmp(at, "@0"); + } + EXPORT_SYMBOL_GPL(graph_util_is_ports0); + +-- +2.51.0 + diff --git a/queue-6.12/asoc-simple-card-utils-use-__free-device_node-for-de.patch b/queue-6.12/asoc-simple-card-utils-use-__free-device_node-for-de.patch new file mode 100644 index 0000000000..8956adea1e --- /dev/null +++ b/queue-6.12/asoc-simple-card-utils-use-__free-device_node-for-de.patch @@ -0,0 +1,129 @@ +From b83f12f60eb34827fd7c50cbd8015fbd8ba3bce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 02:10:23 +0000 +Subject: ASoC: simple-card-utils: use __free(device_node) for device node + +From: Kuninori Morimoto + +[ Upstream commit 419d1918105e5d9926ab02f1f834bb416dc76f65 ] + +simple-card-utils handles many type of device_node, thus need to +use of_node_put() in many place. Let's use __free(device_node) +and avoid it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87r06pfre8.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 4185b95f8a42 ("ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays") +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 44 +++++++++------------------ + 1 file changed, 14 insertions(+), 30 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 47933afdb7261..4857ceecbdc4a 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -999,35 +999,27 @@ EXPORT_SYMBOL_GPL(graph_util_card_probe); + + int graph_util_is_ports0(struct device_node *np) + { +- struct device_node *port, *ports, *ports0, *top; +- int ret; ++ struct device_node *parent __free(device_node) = of_get_parent(np); ++ struct device_node *port; + + /* np is "endpoint" or "port" */ +- if (of_node_name_eq(np, "endpoint")) { +- port = of_get_parent(np); +- } else { ++ if (of_node_name_eq(np, "endpoint")) ++ port = parent; ++ else + port = np; +- of_node_get(port); +- } +- +- ports = of_get_parent(port); +- top = of_get_parent(ports); +- ports0 = of_get_child_by_name(top, "ports"); +- +- ret = ports0 == ports; + +- of_node_put(port); +- of_node_put(ports); +- of_node_put(ports0); +- of_node_put(top); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ struct device_node *top __free(device_node) = of_get_parent(ports); ++ struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); + +- return ret; ++ return ports0 == ports; + } + EXPORT_SYMBOL_GPL(graph_util_is_ports0); + + static int graph_get_dai_id(struct device_node *ep) + { +- struct device_node *node; ++ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep); ++ struct device_node *port __free(device_node) = of_get_parent(ep); + struct device_node *endpoint; + struct of_endpoint info; + int i, id; +@@ -1050,13 +1042,10 @@ static int graph_get_dai_id(struct device_node *ep) + if (of_property_present(ep, "reg")) + return info.id; + +- node = of_get_parent(ep); +- ret = of_property_present(node, "reg"); +- of_node_put(node); ++ ret = of_property_present(port, "reg"); + if (ret) + return info.port; + } +- node = of_graph_get_port_parent(ep); + + /* + * Non HDMI sound case, counting port/endpoint on its DT +@@ -1070,8 +1059,6 @@ static int graph_get_dai_id(struct device_node *ep) + i++; + } + +- of_node_put(node); +- + if (id < 0) + return -ENODEV; + +@@ -1081,7 +1068,6 @@ static int graph_get_dai_id(struct device_node *ep) + int graph_util_parse_dai(struct device *dev, struct device_node *ep, + struct snd_soc_dai_link_component *dlc, int *is_single_link) + { +- struct device_node *node; + struct of_phandle_args args = {}; + struct snd_soc_dai *dai; + int ret; +@@ -1089,7 +1075,7 @@ int graph_util_parse_dai(struct device *dev, struct device_node *ep, + if (!ep) + return 0; + +- node = of_graph_get_port_parent(ep); ++ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep); + + /* + * Try to find from DAI node +@@ -1131,10 +1117,8 @@ int graph_util_parse_dai(struct device *dev, struct device_node *ep, + * if he unbinded CPU or Codec. + */ + ret = snd_soc_get_dlc(&args, dlc); +- if (ret < 0) { +- of_node_put(node); ++ if (ret < 0) + return ret; +- } + + parse_dai_end: + if (is_single_link) +-- +2.51.0 + diff --git a/queue-6.12/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-6.12/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..db6c70b8d6 --- /dev/null +++ b/queue-6.12/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 6d101c1c354b424350fd0122b86c5e8ed1505ee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 4ac870c2dafa2..791197c1e05b9 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -456,8 +456,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-6.12/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-6.12/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..e3fe4e63da --- /dev/null +++ b/queue-6.12/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From dae48cf357b2fd2e36df2ad99a05ed6fd0d5f352 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 791197c1e05b9..ea6b39003461f 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2114,6 +2114,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.12/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch b/queue-6.12/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch new file mode 100644 index 0000000000..e0953b7364 --- /dev/null +++ b/queue-6.12/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch @@ -0,0 +1,52 @@ +From f6ab59a7c232e1d2a0562b1c9cbdb05a2e6fe3e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 14:58:54 -0800 +Subject: bnxt_en: Fix RSS table size check when changing ethtool channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavan Chebbi + +[ Upstream commit 0d9a60a0618d255530ca56072c5f39eb58e1ed4a ] + +When changing channels, the current check in bnxt_set_channels() +is not checking for non-default RSS contexts when the RSS table size +changes. The current check for IFF_RXFH_CONFIGURED is only sufficient +for the default RSS context. Expand the check to include the presence +of any non-default RSS contexts. + +Allowing such change will result in incorrect configuration of the +context's RSS table when the table size changes. + +Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()") +Reported-by: Björn Töpel +Link: https://lore.kernel.org/netdev/20260303181535.2671734-1-bjorn@kernel.org/ +Reviewed-by: Andy Gospodarek +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20260306225854.3575672-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index 0a8f3dc3c2f01..0be9c64ae2fad 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -958,8 +958,8 @@ static int bnxt_set_channels(struct net_device *dev, + + if (bnxt_get_nr_rss_ctxs(bp, req_rx_rings) != + bnxt_get_nr_rss_ctxs(bp, bp->rx_nr_rings) && +- netif_is_rxfh_configured(dev)) { +- netdev_warn(dev, "RSS table size change required, RSS table entries must be default to proceed\n"); ++ (netif_is_rxfh_configured(dev) || bp->num_rss_ctx)) { ++ netdev_warn(dev, "RSS table size change required, RSS table entries must be default (with no additional RSS contexts present) to proceed\n"); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.12/bonding-add-esp-offload-features-when-slaves-support.patch b/queue-6.12/bonding-add-esp-offload-features-when-slaves-support.patch new file mode 100644 index 0000000000..7219f84401 --- /dev/null +++ b/queue-6.12/bonding-add-esp-offload-features-when-slaves-support.patch @@ -0,0 +1,60 @@ +From 56d9177122080326aca2e689a730b41c2f9535d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 21:27:21 +0200 +Subject: bonding: add ESP offload features when slaves support + +From: Jianbo Liu + +[ Upstream commit 4861333b42178fa3d8fd1bb4e2cfb2fedc968dba ] + +Add NETIF_F_GSO_ESP bit to bond's gso_partial_features if all slaves +support it, such that ESP segmentation is handled by hardware if possible. + +Signed-off-by: Jianbo Liu +Reviewed-by: Boris Pismenny +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20241105192721.584822-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index c71b52e2966fc..aac385607ac42 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1558,6 +1558,7 @@ static void bond_compute_features(struct bonding *bond) + { + unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | + IFF_XMIT_DST_RELEASE_PERM; ++ netdev_features_t gso_partial_features = NETIF_F_GSO_ESP; + netdev_features_t vlan_features = BOND_VLAN_FEATURES; + netdev_features_t enc_features = BOND_ENC_FEATURES; + #ifdef CONFIG_XFRM_OFFLOAD +@@ -1591,6 +1592,9 @@ static void bond_compute_features(struct bonding *bond) + BOND_XFRM_FEATURES); + #endif /* CONFIG_XFRM_OFFLOAD */ + ++ if (slave->dev->hw_enc_features & NETIF_F_GSO_PARTIAL) ++ gso_partial_features &= slave->dev->gso_partial_features; ++ + mpls_features = netdev_increment_features(mpls_features, + slave->dev->mpls_features, + BOND_MPLS_FEATURES); +@@ -1604,6 +1608,11 @@ static void bond_compute_features(struct bonding *bond) + } + bond_dev->hard_header_len = max_hard_header_len; + ++ if (gso_partial_features & NETIF_F_GSO_ESP) ++ bond_dev->gso_partial_features |= NETIF_F_GSO_ESP; ++ else ++ bond_dev->gso_partial_features &= ~NETIF_F_GSO_ESP; ++ + done: + bond_dev->vlan_features = vlan_features; + bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | +-- +2.51.0 + diff --git a/queue-6.12/bonding-correctly-support-gso-esp-offload.patch b/queue-6.12/bonding-correctly-support-gso-esp-offload.patch new file mode 100644 index 0000000000..19bb39c461 --- /dev/null +++ b/queue-6.12/bonding-correctly-support-gso-esp-offload.patch @@ -0,0 +1,108 @@ +From ec0749aa77a7eff0ea136d57801dce9703eb2373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 12:41:47 +0200 +Subject: bonding: Correctly support GSO ESP offload + +From: Cosmin Ratiu + +[ Upstream commit 9e6c4e6b605c1fa3e24f74ee0b641e95f090188a ] + +The referenced fix is incomplete. It correctly computes +bond_dev->gso_partial_features across slaves, but unfortunately +netdev_fix_features discards gso_partial_features from the feature set +if NETIF_F_GSO_PARTIAL isn't set in bond_dev->features. + +This is visible with ethtool -k bond0 | grep esp: +tx-esp-segmentation: off [requested on] +esp-hw-offload: on +esp-tx-csum-hw-offload: on + +This patch reworks the bonding GSO offload support by: +- making aggregating gso_partial_features across slaves similar to the + other feature sets (this part is a no-op). +- advertising the default partial gso features on empty bond devs, same + as with other feature sets (also a no-op). +- adding NETIF_F_GSO_PARTIAL to hw_enc_features filtered across slaves. +- adding NETIF_F_GSO_PARTIAL to features in bond_setup() + +With all of these, 'ethtool -k bond0 | grep esp' now reports: +tx-esp-segmentation: on +esp-hw-offload: on +esp-tx-csum-hw-offload: on + +Fixes: 4861333b4217 ("bonding: add ESP offload features when slaves support") +Signed-off-by: Hangbin Liu +Signed-off-by: Cosmin Ratiu +Acked-by: Jay Vosburgh +Link: https://patch.msgid.link/20250127104147.759658-1-cratiu@nvidia.com +Signed-off-by: Paolo Abeni +Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index aac385607ac42..fe29a0911308d 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1548,17 +1548,20 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + NETIF_F_HIGHDMA | NETIF_F_LRO) + + #define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE) ++ NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \ ++ NETIF_F_GSO_PARTIAL) + + #define BOND_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ + NETIF_F_GSO_SOFTWARE) + ++#define BOND_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP) ++ + + static void bond_compute_features(struct bonding *bond) + { ++ netdev_features_t gso_partial_features = BOND_GSO_PARTIAL_FEATURES; + unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | + IFF_XMIT_DST_RELEASE_PERM; +- netdev_features_t gso_partial_features = NETIF_F_GSO_ESP; + netdev_features_t vlan_features = BOND_VLAN_FEATURES; + netdev_features_t enc_features = BOND_ENC_FEATURES; + #ifdef CONFIG_XFRM_OFFLOAD +@@ -1592,8 +1595,9 @@ static void bond_compute_features(struct bonding *bond) + BOND_XFRM_FEATURES); + #endif /* CONFIG_XFRM_OFFLOAD */ + +- if (slave->dev->hw_enc_features & NETIF_F_GSO_PARTIAL) +- gso_partial_features &= slave->dev->gso_partial_features; ++ gso_partial_features = netdev_increment_features(gso_partial_features, ++ slave->dev->gso_partial_features, ++ BOND_GSO_PARTIAL_FEATURES); + + mpls_features = netdev_increment_features(mpls_features, + slave->dev->mpls_features, +@@ -1608,12 +1612,8 @@ static void bond_compute_features(struct bonding *bond) + } + bond_dev->hard_header_len = max_hard_header_len; + +- if (gso_partial_features & NETIF_F_GSO_ESP) +- bond_dev->gso_partial_features |= NETIF_F_GSO_ESP; +- else +- bond_dev->gso_partial_features &= ~NETIF_F_GSO_ESP; +- + done: ++ bond_dev->gso_partial_features = gso_partial_features; + bond_dev->vlan_features = vlan_features; + bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | + NETIF_F_HW_VLAN_CTAG_TX | +@@ -6082,6 +6082,7 @@ void bond_setup(struct net_device *bond_dev) + bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL; + bond_dev->features |= bond_dev->hw_features; + bond_dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX; ++ bond_dev->features |= NETIF_F_GSO_PARTIAL; + #ifdef CONFIG_XFRM_OFFLOAD + bond_dev->hw_features |= BOND_XFRM_FEATURES; + /* Only enable XFRM features if this is an active-backup config */ +-- +2.51.0 + diff --git a/queue-6.12/bonding-fix-type-confusion-in-bond_setup_by_slave.patch b/queue-6.12/bonding-fix-type-confusion-in-bond_setup_by_slave.patch new file mode 100644 index 0000000000..a56c7eeafa --- /dev/null +++ b/queue-6.12/bonding-fix-type-confusion-in-bond_setup_by_slave.patch @@ -0,0 +1,151 @@ +From 6e0bcdb62b00333fb21975add0ba467e9ff57040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 10:15:07 +0800 +Subject: bonding: fix type confusion in bond_setup_by_slave() + +From: Jiayuan Chen + +[ Upstream commit 950803f7254721c1c15858fbbfae3deaaeeecb11 ] + +kernel BUG at net/core/skbuff.c:2306! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 +RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e +RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 +RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 +R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 +Call Trace: + + ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 + dev_hard_header include/linux/netdevice.h:3439 [inline] + packet_snd net/packet/af_packet.c:3028 [inline] + packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 + ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 + __sys_sendmsg+0x170/0x220 net/socket.c:2678 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe1a0e6c1a9 + +When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, +bond_setup_by_slave() directly copies the slave's header_ops to the +bond device: + + bond_dev->header_ops = slave_dev->header_ops; + +This causes a type confusion when dev_hard_header() is later called +on the bond device. Functions like ipgre_header(), ip6gre_header(),all use +netdev_priv(dev) to access their device-specific private data. When +called with the bond device, netdev_priv() returns the bond's private +data (struct bonding) instead of the expected type (e.g. struct +ip_tunnel), leading to garbage values being read and kernel crashes. + +Fix this by introducing bond_header_ops with wrapper functions that +delegate to the active slave's header_ops using the slave's own +device. This ensures netdev_priv() in the slave's header functions +always receives the correct device. + +The fix is placed in the bonding driver rather than individual device +drivers, as the root cause is bond blindly inheriting header_ops from +the slave without considering that these callbacks expect a specific +netdev_priv() layout. + +The type confusion can be observed by adding a printk in +ipgre_header() and running the following commands: + + ip link add dummy0 type dummy + ip addr add 10.0.0.1/24 dev dummy0 + ip link set dummy0 up + ip link add gre1 type gre local 10.0.0.1 + ip link add bond1 type bond mode active-backup + ip link set gre1 master bond1 + ip link set gre1 up + ip link set bond1 up + ip addr add fe80::1/64 dev bond1 + +Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support") +Suggested-by: Jay Vosburgh +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306021508.222062-1-jiayuan.chen@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 6f2b4734c9c06..546c9004c9e30 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1542,6 +1542,50 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + return features; + } + ++static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev, ++ unsigned short type, const void *daddr, ++ const void *saddr, unsigned int len) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->create) ++ ret = slave_ops->create(skb, slave->dev, ++ type, daddr, saddr, len); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++{ ++ struct bonding *bond = netdev_priv(skb->dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->parse) ++ ret = slave_ops->parse(skb, haddr); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static const struct header_ops bond_header_ops = { ++ .create = bond_header_create, ++ .parse = bond_header_parse, ++}; ++ + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { +@@ -1549,7 +1593,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + dev_close(bond_dev); + +- bond_dev->header_ops = slave_dev->header_ops; ++ bond_dev->header_ops = slave_dev->header_ops ? ++ &bond_header_ops : NULL; + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; +-- +2.51.0 + diff --git a/queue-6.12/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-6.12/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..f32e122d8a --- /dev/null +++ b/queue-6.12/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From 31eaf547469ef76761051307f650abba5864112f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 2ac455a9d1bb1..c71b52e2966fc 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2936,8 +2936,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-6.12/bonding-use-common-function-to-compute-the-features.patch b/queue-6.12/bonding-use-common-function-to-compute-the-features.patch new file mode 100644 index 0000000000..d427b6b465 --- /dev/null +++ b/queue-6.12/bonding-use-common-function-to-compute-the-features.patch @@ -0,0 +1,172 @@ +From b2e89fa53e3e44c1896aae90e7e9a6a3babe5662 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Oct 2025 03:41:53 +0000 +Subject: bonding: use common function to compute the features + +From: Hangbin Liu + +[ Upstream commit d4fde269a970666a30dd3abd0413273a06dd972d ] + +Use the new functon netdev_compute_master_upper_features() to compute the bonding +features. + +Note that bond_compute_features() currently uses bond_for_each_slave() +to traverse the lower devices list, and that is just a macro wrapper of +netdev_for_each_lower_private(). We use similar helper +netdev_for_each_lower_dev() in netdev_compute_master_upper_features() to +iterate the slave device, as there is not need to get the private data. + +No functional change intended. + +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20251017034155.61990-3-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 99 ++------------------------------- + 1 file changed, 4 insertions(+), 95 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index fe29a0911308d..6f2b4734c9c06 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1542,97 +1542,6 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + return features; + } + +-#define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_GSO_ENCAP_ALL | \ +- NETIF_F_HIGHDMA | NETIF_F_LRO) +- +-#define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_GSO_PARTIAL) +- +-#define BOND_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_GSO_SOFTWARE) +- +-#define BOND_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP) +- +- +-static void bond_compute_features(struct bonding *bond) +-{ +- netdev_features_t gso_partial_features = BOND_GSO_PARTIAL_FEATURES; +- unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | +- IFF_XMIT_DST_RELEASE_PERM; +- netdev_features_t vlan_features = BOND_VLAN_FEATURES; +- netdev_features_t enc_features = BOND_ENC_FEATURES; +-#ifdef CONFIG_XFRM_OFFLOAD +- netdev_features_t xfrm_features = BOND_XFRM_FEATURES; +-#endif /* CONFIG_XFRM_OFFLOAD */ +- netdev_features_t mpls_features = BOND_MPLS_FEATURES; +- struct net_device *bond_dev = bond->dev; +- struct list_head *iter; +- struct slave *slave; +- unsigned short max_hard_header_len = ETH_HLEN; +- unsigned int tso_max_size = TSO_MAX_SIZE; +- u16 tso_max_segs = TSO_MAX_SEGS; +- +- if (!bond_has_slaves(bond)) +- goto done; +- +- vlan_features = netdev_base_features(vlan_features); +- mpls_features = netdev_base_features(mpls_features); +- +- bond_for_each_slave(bond, slave, iter) { +- vlan_features = netdev_increment_features(vlan_features, +- slave->dev->vlan_features, BOND_VLAN_FEATURES); +- +- enc_features = netdev_increment_features(enc_features, +- slave->dev->hw_enc_features, +- BOND_ENC_FEATURES); +- +-#ifdef CONFIG_XFRM_OFFLOAD +- xfrm_features = netdev_increment_features(xfrm_features, +- slave->dev->hw_enc_features, +- BOND_XFRM_FEATURES); +-#endif /* CONFIG_XFRM_OFFLOAD */ +- +- gso_partial_features = netdev_increment_features(gso_partial_features, +- slave->dev->gso_partial_features, +- BOND_GSO_PARTIAL_FEATURES); +- +- mpls_features = netdev_increment_features(mpls_features, +- slave->dev->mpls_features, +- BOND_MPLS_FEATURES); +- +- dst_release_flag &= slave->dev->priv_flags; +- if (slave->dev->hard_header_len > max_hard_header_len) +- max_hard_header_len = slave->dev->hard_header_len; +- +- tso_max_size = min(tso_max_size, slave->dev->tso_max_size); +- tso_max_segs = min(tso_max_segs, slave->dev->tso_max_segs); +- } +- bond_dev->hard_header_len = max_hard_header_len; +- +-done: +- bond_dev->gso_partial_features = gso_partial_features; +- bond_dev->vlan_features = vlan_features; +- bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | +- NETIF_F_HW_VLAN_CTAG_TX | +- NETIF_F_HW_VLAN_STAG_TX; +-#ifdef CONFIG_XFRM_OFFLOAD +- bond_dev->hw_enc_features |= xfrm_features; +-#endif /* CONFIG_XFRM_OFFLOAD */ +- bond_dev->mpls_features = mpls_features; +- netif_set_tso_max_segs(bond_dev, tso_max_segs); +- netif_set_tso_max_size(bond_dev, tso_max_size); +- +- bond_dev->priv_flags &= ~IFF_XMIT_DST_RELEASE; +- if ((bond_dev->priv_flags & IFF_XMIT_DST_RELEASE_PERM) && +- dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM)) +- bond_dev->priv_flags |= IFF_XMIT_DST_RELEASE; +- +- netdev_change_features(bond_dev); +-} +- + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { +@@ -2379,7 +2288,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + } + + bond->slave_cnt++; +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + bond_set_carrier(bond); + + /* Needs to be called before bond_select_active_slave(), which will +@@ -2631,7 +2540,7 @@ static int __bond_release_one(struct net_device *bond_dev, + call_netdevice_notifiers(NETDEV_RELEASE, bond->dev); + } + +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) && + (old_features & NETIF_F_VLAN_CHALLENGED)) + slave_info(bond_dev, slave_dev, "last VLAN challenged slave left bond - VLAN blocking is removed\n"); +@@ -4135,7 +4044,7 @@ static int bond_slave_netdev_event(unsigned long event, + case NETDEV_FEAT_CHANGE: + if (!bond->notifier_ctx) { + bond->notifier_ctx = true; +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + bond->notifier_ctx = false; + } + break; +@@ -6073,7 +5982,7 @@ void bond_setup(struct net_device *bond_dev) + * capable + */ + +- bond_dev->hw_features = BOND_VLAN_FEATURES | ++ bond_dev->hw_features = MASTER_UPPER_DEV_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_CTAG_FILTER | + NETIF_F_HW_VLAN_STAG_RX | +-- +2.51.0 + diff --git a/queue-6.12/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch b/queue-6.12/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch new file mode 100644 index 0000000000..4d9ccfe00a --- /dev/null +++ b/queue-6.12/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch @@ -0,0 +1,49 @@ +From a5dcd28343e99b1da1ebe70c01f6ba0adb27773a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 20:53:39 +0800 +Subject: btrfs: hold space_info->lock when clearing periodic reclaim ready + +From: Sun YangKai + +[ Upstream commit b8883b61f2fc50dcf22938cbed40fec05020552f ] + +btrfs_set_periodic_reclaim_ready() requires space_info->lock to be held, +as enforced by lockdep_assert_held(). However, btrfs_reclaim_sweep() was +calling it after do_reclaim_sweep() returns, at which point +space_info->lock is no longer held. + +Fix this by explicitly acquiring space_info->lock before clearing the +periodic reclaim ready flag in btrfs_reclaim_sweep(). + +Reported-by: Chris Mason +Link: https://lore.kernel.org/linux-btrfs/20260208182556.891815-1-clm@meta.com/ +Fixes: 19eff93dc738 ("btrfs: fix periodic reclaim condition") +Reviewed-by: Boris Burkov +Signed-off-by: Sun YangKai +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index af19f7a3e74a4..ada19b3288611 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -2128,8 +2128,11 @@ void btrfs_reclaim_sweep(const struct btrfs_fs_info *fs_info) + if (!btrfs_should_periodic_reclaim(space_info)) + continue; + for (raid = 0; raid < BTRFS_NR_RAID_TYPES; raid++) { +- if (do_reclaim_sweep(space_info, raid)) ++ if (do_reclaim_sweep(space_info, raid)) { ++ spin_lock(&space_info->lock); + btrfs_set_periodic_reclaim_ready(space_info, false); ++ spin_unlock(&space_info->lock); ++ } + } + } + } +-- +2.51.0 + diff --git a/queue-6.12/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-6.12/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..abb93e156b --- /dev/null +++ b/queue-6.12/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From 605e68fb3a1c5cf991462e03fb7b1bffa8259fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index c9eba1d37b0eb..10470e7436158 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch b/queue-6.12/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch new file mode 100644 index 0000000000..fe0297a980 --- /dev/null +++ b/queue-6.12/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch @@ -0,0 +1,40 @@ +From cb8835c66d61dece23099203c429adf94082d765 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 21:14:10 -0500 +Subject: drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu + v14 + +From: Yang Wang + +[ Upstream commit 9d4837a26149355ffe3a1f80de80531eafdd3353 ] + +add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14.0.2/14.0.3 + +Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018 +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 1b5cf07d80bb16d1593579ccdb23f08ea4262c14) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +index 3bab8269a46aa..d061467eba2ea 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2394,7 +2394,8 @@ static int smu_v14_0_2_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v14_0_2_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +-- +2.51.0 + diff --git a/queue-6.12/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch b/queue-6.12/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch new file mode 100644 index 0000000000..dffcd77e37 --- /dev/null +++ b/queue-6.12/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch @@ -0,0 +1,36 @@ +From 4b41c51a63e06f8ddf30205f0af7b43841b2b927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 15:13:23 -0500 +Subject: drm/amdkfd: Unreserve bo if queue update failed + +From: Philip Yang + +[ Upstream commit 2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf ] + +Error handling path should unreserve bo then return failed. + +Fixes: 305cd109b761 ("drm/amdkfd: Validate user queue update") +Signed-off-by: Philip Yang +Reviewed-by: Alex Sierra +Signed-off-by: Alex Deucher +(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 4078a81761871..e3749dae5e599 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -600,6 +600,7 @@ int pqm_update_queue_properties(struct process_queue_manager *pqm, + p->queue_size)) { + pr_debug("ring buf 0x%llx size 0x%llx not mapped on GPU\n", + p->queue_address, p->queue_size); ++ amdgpu_bo_unreserve(vm->root.bo); + return -EFAULT; + } + +-- +2.51.0 + diff --git a/queue-6.12/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch b/queue-6.12/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch new file mode 100644 index 0000000000..63607fb531 --- /dev/null +++ b/queue-6.12/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch @@ -0,0 +1,73 @@ +From 8463f813c40432b01b9f34069f43e748359b5df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 18:51:28 +0800 +Subject: drm/msm/dsi: fix hdisplay calculation when programming dsi registers + +From: Pengyu Luo + +[ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ] + +Recently, the hdisplay calculation is working for 3:1 compressed ratio +only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still +use the default bits_per_pclk = 24, then we get the wrong hdisplay. We +can draw the conclusion by cross-comparing the calculation with the +calculation in dsi_adjust_pclk_for_compression(). + +Since CMD mode does not use this, we can remove +!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely. + +Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/704822/ +Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index d22e01751f5ee..c85d0d5fc5800 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -944,7 +944,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + if (msm_host->dsc) { + struct drm_dsc_config *dsc = msm_host->dsc; +- u32 bytes_per_pclk; ++ u32 bits_per_pclk; + + /* update dsc params with timing params */ + if (!dsc || !mode->hdisplay || !mode->vdisplay) { +@@ -966,7 +966,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + /* + * DPU sends 3 bytes per pclk cycle to DSI. If widebus is +- * enabled, bus width is extended to 6 bytes. ++ * enabled, MDP always sends out 48-bit compressed data per ++ * pclk and on average, DSI consumes an amount of compressed ++ * data equivalent to the uncompressed pixel depth per pclk. + * + * Calculate the number of pclks needed to transmit one line of + * the compressed data. +@@ -978,12 +980,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + * unused anyway. + */ + h_total -= hdisplay; +- if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) +- bytes_per_pclk = 6; ++ if (wide_bus_enabled) ++ bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format); + else +- bytes_per_pclk = 3; ++ bits_per_pclk = 24; + +- hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk); ++ hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk); + + h_total += hdisplay; + ha_end = ha_start + hdisplay; +-- +2.51.0 + diff --git a/queue-6.12/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch b/queue-6.12/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch new file mode 100644 index 0000000000..0919368920 --- /dev/null +++ b/queue-6.12/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch @@ -0,0 +1,85 @@ +From ce6c6f2ca62b9e08a7e5c4642bfecff3a832b849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:32:38 +0800 +Subject: drm/msm/dsi: fix pclk rate calculation for bonded dsi + +From: Pengyu Luo + +[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ] + +Recently, we round up new_hdisplay once at most, for bonded dsi, we +may need twice, since they are independent links, we should round up +each half separately. This also aligns with the hdisplay we program +later in dsi_timing_setup() + +Example: + full_hdisplay = 1904, dsc_bpp = 8, bpc = 8 + new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635 + +if we use half display + new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318 + new_full_display = 636 + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/709716/ +Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index c85d0d5fc5800..0c360e7903295 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -534,13 +534,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + * FIXME: Reconsider this if/when CMD mode handling is rewritten to use + * transfer time and data overhead as a starting point of the calculations. + */ +-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, +- const struct drm_dsc_config *dsc) ++static unsigned long ++dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, ++ const struct drm_dsc_config *dsc, ++ bool is_bonded_dsi) + { +- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc), +- dsc->bits_per_component * 3); ++ int hdisplay, new_hdisplay, new_htotal; + +- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; ++ /* ++ * For bonded DSI, split hdisplay across two links and round up each ++ * half separately, passing the full hdisplay would only round up once. ++ * This also aligns with the hdisplay we program later in ++ * dsi_timing_setup() ++ */ ++ hdisplay = mode->hdisplay; ++ if (is_bonded_dsi) ++ hdisplay /= 2; ++ ++ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc), ++ dsc->bits_per_component * 3); ++ ++ if (is_bonded_dsi) ++ new_hdisplay *= 2; ++ ++ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + + return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } +@@ -553,7 +570,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + pclk_rate = mode->clock * 1000u; + + if (dsc) +- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); ++ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi); + + /* + * For bonded DSI mode, the current DRM mode has the complete width of the +-- +2.51.0 + diff --git a/queue-6.12/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch b/queue-6.12/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch new file mode 100644 index 0000000000..ff09c1f1e1 --- /dev/null +++ b/queue-6.12/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch @@ -0,0 +1,68 @@ +From c2a81d3a2e1a733ed9133c9b24b5aa77b6c88870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 22:30:30 -0600 +Subject: drm/sitronix/st7586: fix bad pixel data due to byte swap + +From: David Lechner + +[ Upstream commit 46d8a07b4ae262e2fec6ce2aa454e06243661265 ] + +Correctly set dbi->write_memory_bpw for the ST7586 driver. This driver +is for a monochrome display that has an unusual data format, so the +default value set in mipi_dbi_spi_init() is not correct simply because +this controller is non-standard. + +Previously, we were using dbi->swap_bytes to make the same sort of +workaround, but it was removed in the same commit that added +dbi->write_memory_bpw, so we need to use the latter now to have the +correct behavior. + +This fixes every 3 columns of pixels being swapped on the display. There +are 3 pixels per byte, so the byte swap caused this effect. + +Fixes: df3fb27a74a4 ("drm/mipi-dbi: Make bits per word configurable for pixel transfers") +Acked-by: Thomas Zimmermann +Reviewed-by: Javier Martinez Canillas +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20260228-drm-mipi-dbi-fix-st7586-byte-swap-v1-1-e78f6c24cd28@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tiny/st7586.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/tiny/st7586.c b/drivers/gpu/drm/tiny/st7586.c +index b9c6ed352182f..f8b1eaffb5e87 100644 +--- a/drivers/gpu/drm/tiny/st7586.c ++++ b/drivers/gpu/drm/tiny/st7586.c +@@ -345,6 +345,12 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + ++ /* ++ * Override value set by mipi_dbi_spi_init(). This driver is a bit ++ * non-standard, so best to set it explicitly here. ++ */ ++ dbi->write_memory_bpw = 8; ++ + /* Cannot read from this controller via SPI */ + dbi->read_commands = NULL; + +@@ -354,15 +360,6 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + +- /* +- * we are using 8-bit data, so we are not actually swapping anything, +- * but setting mipi->swap_bytes makes mipi_dbi_typec3_command() do the +- * right thing and not use 16-bit transfers (which results in swapped +- * bytes on little-endian systems and causes out of order data to be +- * sent to the display). +- */ +- dbi->swap_bytes = true; +- + drm_mode_config_reset(drm); + + ret = drm_dev_register(drm, 0); +-- +2.51.0 + diff --git a/queue-6.12/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-6.12/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..0543759350 --- /dev/null +++ b/queue-6.12/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From 222bb193e74e6393448d653a3e25cbda70500a4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 67d7651b6411d..8072aa8f05e38 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2948,8 +2948,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 5fe54e9b71e25..4d9dcb0001d21 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-6.12/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-6.12/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..34e3acb8f2 --- /dev/null +++ b/queue-6.12/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From 78f3e12a2d4d66907d143b8913347d9e1a061a09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 3251ffa7d994b..9cf5b6349b0d7 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3821,10 +3821,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3879,7 +3879,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3967,10 +3967,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-6.12/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch b/queue-6.12/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch new file mode 100644 index 0000000000..32fe10053e --- /dev/null +++ b/queue-6.12/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch @@ -0,0 +1,86 @@ +From 07a5e56e682f5730bdcefdef5e172e4ac8d8b8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 22:14:16 +0100 +Subject: iio: imu: inv-mpu9150: fix irq ack preventing irq storms + +From: Andreas Kemnade + +[ Upstream commit d23d763e00ace4e9c59f8d33e0713d401133ba88 ] + +IRQ needs to be acked. for some odd reasons, reading from irq status does +not reliable help, enable acking from any register to be on the safe side +and read the irq status register. Comments in the code indicate a known +unreliability with that register. +The blamed commit was tested with mpu6050 in lg,p895 and lg,p880 according +to Tested-bys. But with the MPU9150 in the Epson Moverio BT-200 this leads +to irq storms without properly acking the irq. + +Fixes: 0a3b517c8089 ("iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips") +Signed-off-by: Andreas Kemnade +Acked-by: Jean-Baptiste Maneyrol +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 ++++++++ + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++ + drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 ++++- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +index 14d95f34e981c..6afc78810820d 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +@@ -1922,6 +1922,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name, + irq_type); + return -EINVAL; + } ++ ++ /* ++ * Acking interrupts by status register does not work reliably ++ * but seem to work when this bit is set. ++ */ ++ if (st->chip_type == INV_MPU9150) ++ st->irq_mask |= INV_MPU6050_INT_RD_CLEAR; ++ + device_set_wakeup_capable(dev, true); + + st->vdd_supply = devm_regulator_get(dev, "vdd"); +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +index e1c0c51468761..e3618ca3fadd9 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +@@ -387,6 +387,8 @@ struct inv_mpu6050_state { + /* enable level triggering */ + #define INV_MPU6050_LATCH_INT_EN 0x20 + #define INV_MPU6050_BIT_BYPASS_EN 0x2 ++/* allow acking interrupts by any register read */ ++#define INV_MPU6050_INT_RD_CLEAR 0x10 + + /* Allowed timestamp period jitter in percent */ + #define INV_MPU6050_TS_PERIOD_JITTER 4 +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +index 5b1088cc3704f..c60e4109ed1dc 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +@@ -249,7 +249,6 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + switch (st->chip_type) { + case INV_MPU6000: + case INV_MPU6050: +- case INV_MPU9150: + /* + * WoM is not supported and interrupt status read seems to be broken for + * some chips. Since data ready is the only interrupt, bypass interrupt +@@ -258,6 +257,10 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + wom_bits = 0; + int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT; + goto data_ready_interrupt; ++ case INV_MPU9150: ++ /* IRQ needs to be acked */ ++ wom_bits = 0; ++ break; + case INV_MPU6500: + case INV_MPU6515: + case INV_MPU6880: +-- +2.51.0 + diff --git a/queue-6.12/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch b/queue-6.12/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch new file mode 100644 index 0000000000..a4bcd30c55 --- /dev/null +++ b/queue-6.12/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch @@ -0,0 +1,36 @@ +From 6a705055d538b5252d770c2c6c06339386a337c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:32:34 +0800 +Subject: mctp: i2c: fix skb memory leak in receive path + +From: Haiyue Wang + +[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ] + +When 'midev->allow_rx' is false, the newly allocated skb isn't consumed +by netif_rx(), it needs to free the skb directly. + +Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") +Signed-off-by: Haiyue Wang +Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c +index 617333343ca00..f8f83fe424e51 100644 +--- a/drivers/net/mctp/mctp-i2c.c ++++ b/drivers/net/mctp/mctp-i2c.c +@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) + } else { + status = NET_RX_DROP; + spin_unlock_irqrestore(&midev->lock, flags); ++ kfree_skb(skb); + } + + if (status == NET_RX_SUCCESS) { +-- +2.51.0 + diff --git a/queue-6.12/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch b/queue-6.12/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch new file mode 100644 index 0000000000..bd97e1d7e9 --- /dev/null +++ b/queue-6.12/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch @@ -0,0 +1,85 @@ +From aab36e6220b87cfcf7d1ff8494378eeff5522115 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 03:14:02 +0000 +Subject: mctp: route: hold key->lock in mctp_flow_prepare_output() + +From: Chengfeng Ye + +[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ] + +mctp_flow_prepare_output() checks key->dev and may call +mctp_dev_set_key(), but it does not hold key->lock while doing so. + +mctp_dev_set_key() and mctp_dev_release_key() are annotated with +__must_hold(&key->lock), so key->dev access is intended to be +serialized by key->lock. The mctp_sendmsg() transmit path reaches +mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() +without holding key->lock, so the check-and-set sequence is racy. + +Example interleaving: + + CPU0 CPU1 + ---- ---- + mctp_flow_prepare_output(key, devA) + if (!key->dev) // sees NULL + mctp_flow_prepare_output( + key, devB) + if (!key->dev) // still NULL + mctp_dev_set_key(devB, key) + mctp_dev_hold(devB) + key->dev = devB + mctp_dev_set_key(devA, key) + mctp_dev_hold(devA) + key->dev = devA // overwrites devB + +Now both devA and devB references were acquired, but only the final +key->dev value is tracked for release. One reference can be lost, +causing a resource leak as mctp_dev_release_key() would only decrease +the reference on one dev. + +Fix by taking key->lock around the key->dev check and +mctp_dev_set_key() call. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Signed-off-by: Chengfeng Ye +Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 19ff259d7bc43..08bbd861dc42e 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -306,6 +306,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + { + struct mctp_sk_key *key; + struct mctp_flow *flow; ++ unsigned long flags; + + flow = skb_ext_find(skb, SKB_EXT_MCTP); + if (!flow) +@@ -313,12 +314,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (key->dev) { ++ spin_lock_irqsave(&key->lock, flags); ++ ++ if (!key->dev) ++ mctp_dev_set_key(dev, key); ++ else + WARN_ON(key->dev != dev); +- return; +- } + +- mctp_dev_set_key(dev, key); ++ spin_unlock_irqrestore(&key->lock, flags); + } + #else + static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} +-- +2.51.0 + diff --git a/queue-6.12/net-add-a-common-function-to-compute-features-for-up.patch b/queue-6.12/net-add-a-common-function-to-compute-features-for-up.patch new file mode 100644 index 0000000000..6b102d60ff --- /dev/null +++ b/queue-6.12/net-add-a-common-function-to-compute-features-for-up.patch @@ -0,0 +1,175 @@ +From 43e003bc174336d2f3517e48d44c7786456cef4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Oct 2025 03:41:52 +0000 +Subject: net: add a common function to compute features for upper devices + +From: Hangbin Liu + +[ Upstream commit 28098defc79fe7d29e6bfe4eb6312991f6bdc3d3 ] + +Some high level software drivers need to compute features from lower +devices. But each has their own implementations and may lost some +feature compute. Let's use one common function to compute features +for kinds of these devices. + +The new helper uses the current bond implementation as the reference +one, as the latter already handles all the relevant aspects: netdev +features, TSO limits and dst retention. + +Suggested-by: Paolo Abeni +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20251017034155.61990-2-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Sasha Levin +--- + include/linux/netdev_features.h | 18 +++++++ + include/linux/netdevice.h | 1 + + net/core/dev.c | 88 +++++++++++++++++++++++++++++++++ + 3 files changed, 107 insertions(+) + +diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h +index 11be70a7929f2..2f4243b61a525 100644 +--- a/include/linux/netdev_features.h ++++ b/include/linux/netdev_features.h +@@ -253,6 +253,24 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start) + NETIF_F_GSO_UDP_TUNNEL | \ + NETIF_F_GSO_UDP_TUNNEL_CSUM) + ++/* virtual device features */ ++#define MASTER_UPPER_DEV_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ ++ NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ ++ NETIF_F_GSO_ENCAP_ALL | \ ++ NETIF_F_HIGHDMA | NETIF_F_LRO) ++ ++#define MASTER_UPPER_DEV_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ ++ NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \ ++ NETIF_F_GSO_PARTIAL) ++ ++#define MASTER_UPPER_DEV_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ ++ NETIF_F_GSO_SOFTWARE) ++ ++#define MASTER_UPPER_DEV_XFRM_FEATURES (NETIF_F_HW_ESP | NETIF_F_HW_ESP_TX_CSUM | \ ++ NETIF_F_GSO_ESP) ++ ++#define MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP) ++ + static inline netdev_features_t netdev_base_features(netdev_features_t features) + { + features &= ~NETIF_F_ONE_FOR_ALL; +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 77a99c8ab01c7..3699c43731ccf 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -4993,6 +4993,7 @@ static inline netdev_features_t netdev_add_tso_features(netdev_features_t featur + int __netdev_update_features(struct net_device *dev); + void netdev_update_features(struct net_device *dev); + void netdev_change_features(struct net_device *dev); ++void netdev_compute_master_upper_features(struct net_device *dev, bool update_header); + + void netif_stacked_transfer_operstate(const struct net_device *rootdev, + struct net_device *dev); +diff --git a/net/core/dev.c b/net/core/dev.c +index e7127eca1afc5..a855cee5e5aeb 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -11851,6 +11851,94 @@ netdev_features_t netdev_increment_features(netdev_features_t all, + } + EXPORT_SYMBOL(netdev_increment_features); + ++/** ++ * netdev_compute_master_upper_features - compute feature from lowers ++ * @dev: the upper device ++ * @update_header: whether to update upper device's header_len/headroom/tailroom ++ * ++ * Recompute the upper device's feature based on all lower devices. ++ */ ++void netdev_compute_master_upper_features(struct net_device *dev, bool update_header) ++{ ++ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM; ++ netdev_features_t gso_partial_features = MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES; ++ netdev_features_t xfrm_features = MASTER_UPPER_DEV_XFRM_FEATURES; ++ netdev_features_t mpls_features = MASTER_UPPER_DEV_MPLS_FEATURES; ++ netdev_features_t vlan_features = MASTER_UPPER_DEV_VLAN_FEATURES; ++ netdev_features_t enc_features = MASTER_UPPER_DEV_ENC_FEATURES; ++ unsigned short max_header_len = ETH_HLEN; ++ unsigned int tso_max_size = TSO_MAX_SIZE; ++ unsigned short max_headroom = 0; ++ unsigned short max_tailroom = 0; ++ u16 tso_max_segs = TSO_MAX_SEGS; ++ struct net_device *lower_dev; ++ struct list_head *iter; ++ ++ mpls_features = netdev_base_features(mpls_features); ++ vlan_features = netdev_base_features(vlan_features); ++ enc_features = netdev_base_features(enc_features); ++ ++ netdev_for_each_lower_dev(dev, lower_dev, iter) { ++ gso_partial_features = netdev_increment_features(gso_partial_features, ++ lower_dev->gso_partial_features, ++ MASTER_UPPER_DEV_GSO_PARTIAL_FEATURES); ++ ++ vlan_features = netdev_increment_features(vlan_features, ++ lower_dev->vlan_features, ++ MASTER_UPPER_DEV_VLAN_FEATURES); ++ ++ enc_features = netdev_increment_features(enc_features, ++ lower_dev->hw_enc_features, ++ MASTER_UPPER_DEV_ENC_FEATURES); ++ ++ if (IS_ENABLED(CONFIG_XFRM_OFFLOAD)) ++ xfrm_features = netdev_increment_features(xfrm_features, ++ lower_dev->hw_enc_features, ++ MASTER_UPPER_DEV_XFRM_FEATURES); ++ ++ mpls_features = netdev_increment_features(mpls_features, ++ lower_dev->mpls_features, ++ MASTER_UPPER_DEV_MPLS_FEATURES); ++ ++ dst_release_flag &= lower_dev->priv_flags; ++ ++ if (update_header) { ++ max_header_len = max(max_header_len, lower_dev->hard_header_len); ++ max_headroom = max(max_headroom, lower_dev->needed_headroom); ++ max_tailroom = max(max_tailroom, lower_dev->needed_tailroom); ++ } ++ ++ tso_max_size = min(tso_max_size, lower_dev->tso_max_size); ++ tso_max_segs = min(tso_max_segs, lower_dev->tso_max_segs); ++ } ++ ++ dev->gso_partial_features = gso_partial_features; ++ dev->vlan_features = vlan_features; ++ dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | ++ NETIF_F_HW_VLAN_CTAG_TX | ++ NETIF_F_HW_VLAN_STAG_TX; ++ if (IS_ENABLED(CONFIG_XFRM_OFFLOAD)) ++ dev->hw_enc_features |= xfrm_features; ++ dev->mpls_features = mpls_features; ++ ++ dev->priv_flags &= ~IFF_XMIT_DST_RELEASE; ++ if ((dev->priv_flags & IFF_XMIT_DST_RELEASE_PERM) && ++ dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM)) ++ dev->priv_flags |= IFF_XMIT_DST_RELEASE; ++ ++ if (update_header) { ++ dev->hard_header_len = max_header_len; ++ dev->needed_headroom = max_headroom; ++ dev->needed_tailroom = max_tailroom; ++ } ++ ++ netif_set_tso_max_segs(dev, tso_max_segs); ++ netif_set_tso_max_size(dev, tso_max_size); ++ ++ netdev_change_features(dev); ++} ++EXPORT_SYMBOL(netdev_compute_master_upper_features); ++ + static struct hlist_head * __net_init netdev_create_hash(void) + { + int i; +-- +2.51.0 + diff --git a/queue-6.12/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch b/queue-6.12/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch new file mode 100644 index 0000000000..c08e909450 --- /dev/null +++ b/queue-6.12/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch @@ -0,0 +1,273 @@ +From c17d16049f1ff84e17e2c10bbfe695a95d4bb831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:01:34 +0800 +Subject: net: add xmit recursion limit to tunnel xmit functions + +From: Weiming Shi + +[ Upstream commit 6f1a9140ecda3baba3d945b9a6155af4268aafc4 ] + +Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own +recursion limit. When a bond device in broadcast mode has GRE tap +interfaces as slaves, and those GRE tunnels route back through the +bond, multicast/broadcast traffic triggers infinite recursion between +bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing +kernel stack overflow. + +The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not +sufficient because tunnel recursion involves route lookups and full IP +output, consuming much more stack per level. Use a lower limit of 4 +(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. + +Add recursion detection using dev_xmit_recursion helpers directly in +iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel +paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). + +Move dev_xmit_recursion helpers from net/core/dev.h to public header +include/linux/netdevice.h so they can be used by tunnel code. + + BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 + Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 + Workqueue: mld mld_ifc_work + Call Trace: + + __build_flow_key.constprop.0 (net/ipv4/route.c:515) + ip_rt_update_pmtu (net/ipv4/route.c:1073) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + mld_sendpack + mld_ifc_work + process_one_work + worker_thread + + +Fixes: 745e20f1b626 ("net: add a recursion limit in xmit path") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260306160133.3852900-2-bestswngs@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 32 ++++++++++++++++++++++++++++++++ + include/net/ip6_tunnel.h | 12 ++++++++++++ + include/net/ip_tunnels.h | 7 +++++++ + net/core/dev.h | 35 ----------------------------------- + net/ipv4/ip_tunnel_core.c | 13 +++++++++++++ + 5 files changed, 64 insertions(+), 35 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index d5215f23f2b99..12edeeb172c4e 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3258,17 +3258,49 @@ struct softnet_data { + DECLARE_PER_CPU_ALIGNED(struct softnet_data, softnet_data); + DECLARE_PER_CPU(struct page_pool *, system_page_pool); + ++#define XMIT_RECURSION_LIMIT 8 ++ + #ifndef CONFIG_PREEMPT_RT + static inline int dev_recursion_level(void) + { + return this_cpu_read(softnet_data.xmit.recursion); + } ++ ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > ++ XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ __this_cpu_inc(softnet_data.xmit.recursion); ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ __this_cpu_dec(softnet_data.xmit.recursion); ++} + #else + static inline int dev_recursion_level(void) + { + return current->net_xmit.recursion; + } + ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ current->net_xmit.recursion++; ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ current->net_xmit.recursion--; ++} + #endif + + void __netif_schedule(struct Qdisc *q); +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 399592405c72a..dfdb4dba5be8f 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,6 +156,16 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); + pkt_len = skb->len - skb_inner_network_offset(skb); + err = ip6_local_out(dev_net(skb_dst(skb)->dev), sk, skb); +@@ -165,6 +175,8 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + pkt_len = -1; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + #endif + #endif +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 1f92cc7fdbd21..0a5556ef16729 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -24,6 +24,13 @@ + #include + #endif + ++/* Recursion limit for tunnel xmit to detect routing loops. ++ * Unlike XMIT_RECURSION_LIMIT (8) used in the no-qdisc path, tunnel ++ * recursion involves route lookups and full IP output, consuming much ++ * more stack per level, so a lower limit is needed. ++ */ ++#define IP_TUNNEL_RECURSION_LIMIT 4 ++ + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) + +diff --git a/net/core/dev.h b/net/core/dev.h +index 764e0097ccf22..e0603dcb6aa12 100644 +--- a/net/core/dev.h ++++ b/net/core/dev.h +@@ -162,41 +162,6 @@ static inline void napi_assert_will_not_race(const struct napi_struct *napi) + + void kick_defer_list_purge(struct softnet_data *sd, unsigned int cpu); + +-#define XMIT_RECURSION_LIMIT 8 +- +-#ifndef CONFIG_PREEMPT_RT +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > +- XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- __this_cpu_inc(softnet_data.xmit.recursion); +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- __this_cpu_dec(softnet_data.xmit.recursion); +-} +-#else +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- current->net_xmit.recursion++; +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- current->net_xmit.recursion--; +-} +-#endif +- + int dev_set_hwtstamp_phylib(struct net_device *dev, + struct kernel_hwtstamp_config *cfg, + struct netlink_ext_ack *extack); +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 8392d304a72eb..53d02602c17a3 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -57,6 +57,17 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ ip_rt_put(rt); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + skb_scrub_packet(skb, xnet); + + skb_clear_hash_if_not_l4(skb); +@@ -86,6 +97,8 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + pkt_len = 0; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + EXPORT_SYMBOL_GPL(iptunnel_xmit); + +-- +2.51.0 + diff --git a/queue-6.12/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch b/queue-6.12/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch new file mode 100644 index 0000000000..69a5bd7232 --- /dev/null +++ b/queue-6.12/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch @@ -0,0 +1,204 @@ +From bc3f9c2f6a46d4710df2be410ae21847e524ac3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 06:49:35 +0100 +Subject: net: bcmgenet: fix broken EEE by converting to phylib-managed state + +From: Nicolai Buchwitz + +[ Upstream commit 908c344d5cfac4160f49715da9efacdf5b6a28bd ] + +The bcmgenet EEE implementation is broken in several ways. +phy_support_eee() is never called, so the PHY never advertises EEE +and phylib never sets phydev->enable_tx_lpi. bcmgenet_mac_config() +checks priv->eee.eee_enabled to decide whether to enable the MAC +LPI logic, but that field is never initialised to true, so the MAC +never enters Low Power Idle even when EEE is negotiated - wasting +the power savings EEE is designed to provide. The only way to get +EEE working at all is a manual 'ethtool --set-eee eth0 eee on' after +every link-up, and even then bcmgenet_get_eee() immediately clobbers +the reported state because phy_ethtool_get_eee() overwrites +eee_enabled and tx_lpi_enabled with the uninitialised PHY eee_cfg +values. Finally, bcmgenet_mac_config() is only called on link-up, +so EEE is never disabled in hardware on link-down. + +Fix all of this by removing the MAC-side EEE state tracking +(priv->eee) and aligning with the pattern used by other non-phylink +MAC drivers such as FEC. + +Call phy_support_eee() in bcmgenet_mii_probe() so the PHY advertises +EEE link modes and phylib tracks negotiation state. Move the EEE +hardware control to bcmgenet_mii_setup(), which is called on every +link event, and drive it directly from phydev->enable_tx_lpi - the +flag phylib sets when EEE is negotiated and the user has not disabled +it. This enables EEE automatically once the link partner agrees and +disables it cleanly on link-down. + +Make bcmgenet_get_eee() and bcmgenet_set_eee() pure passthroughs to +phy_ethtool_get_eee() and phy_ethtool_set_eee(), with the MAC +hardware register read/written for tx_lpi_timer. Drop struct +ethtool_keee eee from struct bcmgenet_priv. + +Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration") +Link: https://lore.kernel.org/netdev/d352039f-4cbb-41e6-9aeb-0b4f3941b54c@lunn.ch/ +Suggested-by: Andrew Lunn +Signed-off-by: Nicolai Buchwitz +Reviewed-by: Florian Fainelli +Tested-by: Florian Fainelli +Link: https://patch.msgid.link/20260310054935.1238594-1-nb@tipi-net.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/genet/bcmgenet.c | 31 +++++++------------ + .../net/ethernet/broadcom/genet/bcmgenet.h | 5 +-- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +++--- + 3 files changed, 18 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index f7be886570d88..49f6e83d60139 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1272,8 +1272,7 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev, + } + } + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled) ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; +@@ -1293,7 +1292,7 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + + /* Enable EEE and switch to a 27Mhz clock automatically */ + reg = bcmgenet_readl(priv->base + off); +- if (tx_lpi_enabled) ++ if (enable) + reg |= TBUF_EEE_EN | TBUF_PM_EN; + else + reg &= ~(TBUF_EEE_EN | TBUF_PM_EN); +@@ -1312,14 +1311,12 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + priv->clk_eee_enabled = false; + } + +- priv->eee.eee_enabled = enable; +- priv->eee.tx_lpi_enabled = tx_lpi_enabled; + } + + static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; ++ int ret; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1327,17 +1324,21 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- e->tx_lpi_enabled = p->tx_lpi_enabled; ++ ret = phy_ethtool_get_eee(dev->phydev, e); ++ if (ret) ++ return ret; ++ ++ /* tx_lpi_timer is maintained by the MAC hardware register; the ++ * PHY-level eee_cfg timer is not set for GENET. ++ */ + e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); + +- return phy_ethtool_get_eee(dev->phydev, e); ++ return 0; + } + + static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; +- bool active; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1345,15 +1346,7 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- p->eee_enabled = e->eee_enabled; +- +- if (!p->eee_enabled) { +- bcmgenet_eee_enable_set(dev, false, false); +- } else { +- active = phy_init_eee(dev->phydev, false) >= 0; +- bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); +- bcmgenet_eee_enable_set(dev, active, e->tx_lpi_enabled); +- } ++ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); + + return phy_ethtool_set_eee(dev->phydev, e); + } +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +index 43b923c48b14f..c0005a0fff567 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -646,8 +646,6 @@ struct bcmgenet_priv { + bool wol_active; + + struct bcmgenet_mib_counters mib; +- +- struct ethtool_keee eee; + }; + + #define GENET_IO_MACRO(name, offset) \ +@@ -705,7 +703,6 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv, + void bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, + enum bcmgenet_power_mode mode); + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled); ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable); + + #endif /* __BCMGENET_H__ */ +diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c +index c4a3698cef66f..9beb65e6d0a96 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -30,7 +30,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + struct bcmgenet_priv *priv = netdev_priv(dev); + struct phy_device *phydev = dev->phydev; + u32 reg, cmd_bits = 0; +- bool active; + + /* speed */ + if (phydev->speed == SPEED_1000) +@@ -91,10 +90,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + bcmgenet_umac_writel(priv, reg, UMAC_CMD); + spin_unlock_bh(&priv->reg_lock); + +- active = phy_init_eee(phydev, 0) >= 0; +- bcmgenet_eee_enable_set(dev, +- priv->eee.eee_enabled && active, +- priv->eee.tx_lpi_enabled); + } + + /* setup netdev link state when PHY link status change and +@@ -114,6 +109,8 @@ void bcmgenet_mii_setup(struct net_device *dev) + bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL); + } + ++ bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi); ++ + phy_print_status(phydev); + } + +@@ -408,6 +405,9 @@ int bcmgenet_mii_probe(struct net_device *dev) + /* Indicate that the MAC is responsible for PHY PM */ + dev->phydev->mac_managed_pm = true; + ++ if (!GENET_IS_V1(priv)) ++ phy_support_eee(dev->phydev); ++ + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.12/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch b/queue-6.12/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch new file mode 100644 index 0000000000..0cf6a1a47f --- /dev/null +++ b/queue-6.12/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch @@ -0,0 +1,92 @@ +From 092f636bbb6554287dab211deb0e61a466ff4559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:50:54 -0300 +Subject: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ] + +When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never +initialized because inet6_init() exits before ndisc_init() is called +which initializes it. If bonding ARP/NS validation is enabled, an IPv6 +NS/NA packet received on a slave can reach bond_validate_na(), which +calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can +crash in __ipv6_chk_addr_and_flags(). + + BUG: kernel NULL pointer dereference, address: 00000000000005d8 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 + Call Trace: + + ipv6_chk_addr+0x1f/0x30 + bond_validate_na+0x12e/0x1d0 [bonding] + ? __pfx_bond_handle_frame+0x10/0x10 [bonding] + bond_rcv_validate+0x1a0/0x450 [bonding] + bond_handle_frame+0x5e/0x290 [bonding] + ? srso_alias_return_thunk+0x5/0xfbef5 + __netif_receive_skb_core.constprop.0+0x3e8/0xe50 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? update_cfs_rq_load_avg+0x1a/0x240 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __enqueue_entity+0x5e/0x240 + __netif_receive_skb_one_core+0x39/0xa0 + process_backlog+0x9c/0x150 + __napi_poll+0x30/0x200 + ? srso_alias_return_thunk+0x5/0xfbef5 + net_rx_action+0x338/0x3b0 + handle_softirqs+0xc9/0x2a0 + do_softirq+0x42/0x60 + + + __local_bh_enable_ip+0x62/0x70 + __dev_queue_xmit+0x2d3/0x1000 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? packet_parse_headers+0x10a/0x1a0 + packet_sendmsg+0x10da/0x1700 + ? kick_pool+0x5f/0x140 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __queue_work+0x12d/0x4f0 + __sys_sendto+0x1f3/0x220 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x101/0xf80 + ? exc_page_fault+0x6e/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to +bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() +and avoid the path to ipv6_chk_addr(). + +Suggested-by: Fernando Fernandez Mancera +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 546c9004c9e30..d11ca46a5b1f7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3487,7 +3487,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); + #if IS_ENABLED(CONFIG_IPV6) +- } else if (is_ipv6) { ++ } else if (is_ipv6 && likely(ipv6_mod_enabled())) { + return bond_na_rcv(skb, bond, slave); + #endif + } else { +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch b/queue-6.12/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch new file mode 100644 index 0000000000..36d312aa5a --- /dev/null +++ b/queue-6.12/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch @@ -0,0 +1,53 @@ +From 8bfefd21780c38a31521cdcacbfbca93b017607e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:12:37 +0100 +Subject: net: dsa: realtek: Fix LED group port bit for non-zero LED group +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit e8f0dc024ce55451ebd54bad975134ba802e4fcc ] + +The rtl8366rb_led_group_port_mask() function always returns LED port +bit in LED group 0; the switch statement returns the same thing in all +non-default cases. + +This means that the driver does not currently support configuring LEDs +in non-zero LED groups. + +Fix this. + +Fixes: 32d617005475a71e ("net: dsa: realtek: add LED drivers for rtl8366rb") +Signed-off-by: Marek Behún +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260311111237.29002-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8366rb-leds.c b/drivers/net/dsa/realtek/rtl8366rb-leds.c +index 99c890681ae60..509ffd3f8db5c 100644 +--- a/drivers/net/dsa/realtek/rtl8366rb-leds.c ++++ b/drivers/net/dsa/realtek/rtl8366rb-leds.c +@@ -12,11 +12,11 @@ static inline u32 rtl8366rb_led_group_port_mask(u8 led_group, u8 port) + case 0: + return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); + case 1: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_1_CTRL_MASK, BIT(port)); + case 2: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_2_X_CTRL_MASK, BIT(port)); + case 3: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_3_CTRL_MASK, BIT(port)); + default: + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch b/queue-6.12/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch new file mode 100644 index 0000000000..13dd77d889 --- /dev/null +++ b/queue-6.12/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch @@ -0,0 +1,48 @@ +From b2c2d7f773e9654fe4d47846b1c56462da47b1a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:25:12 -0300 +Subject: net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets + +From: Mieczyslaw Nalewaj + +[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ] + +rx_packets should report the number of frames successfully received: +unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX +counter) is incorrect and can undercount RX packets. RX drops are +already reported via rx_dropped (e.g. etherStatsDropEvents), so +there is no need to adjust rx_packets. + +This patch removes the subtraction of ifOutDiscards from rx_packets +in rtl8365mb_stats_update(). + +Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/ +Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC") +Signed-off-by: Mieczyslaw Nalewaj +Signed-off-by: Luiz Angelo Daros de Luca +Reviewed-by: Simon Horman +Acked-by: Linus Walleij +Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8365mb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c +index 74a8336174e50..4cb986988f1ad 100644 +--- a/drivers/net/dsa/realtek/rtl8365mb.c ++++ b/drivers/net/dsa/realtek/rtl8365mb.c +@@ -1480,8 +1480,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port) + + stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] + + cnt[RTL8365MB_MIB_ifInMulticastPkts] + +- cnt[RTL8365MB_MIB_ifInBroadcastPkts] - +- cnt[RTL8365MB_MIB_ifOutDiscards]; ++ cnt[RTL8365MB_MIB_ifInBroadcastPkts]; + + stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] + + cnt[RTL8365MB_MIB_ifOutMulticastPkts] + +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch b/queue-6.12/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch new file mode 100644 index 0000000000..d89024afeb --- /dev/null +++ b/queue-6.12/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch @@ -0,0 +1,148 @@ +From 769dc55493b59c6f4cf269c363ccecc226d20d3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:30 +0200 +Subject: net/mlx5: Fix crash when moving to switchdev mode + +From: Patrisious Haddad + +[ Upstream commit 24b2795f9683e092dc22a68f487e7aaaf2ddafea ] + +When moving to switchdev mode when the device doesn't support IPsec, +we try to clean up the IPsec resources anyway which causes the crash +below, fix that by correctly checking for IPsec support before trying +to clean up its resources. + +[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at +do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 +[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE +ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype +rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink +zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi +scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core +ib_core +[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted +6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE +[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680 +[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22 +00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb + ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d +41 +[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046 +[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX: +ffff88810b980f00 +[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI: +ffff88810770f728 +[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09: +0000000000000000 +[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12: +ffff888103f3c4c0 +[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15: +0000000000000000 +[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000) +knlGS:0000000000000000 +[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4: +0000000000172eb0 +[27642.537982] Call Trace: +[27642.538466] +[27642.538907] exc_page_fault+0x76/0x140 +[27642.539583] asm_exc_page_fault+0x22/0x30 +[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30 +[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8 +01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00 + 00 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8 + 5b +[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046 +[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX: +ffff888113ad96d8 +[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI: +00000000000000a0 +[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09: +ffff88810b980f00 +[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12: +00000000000000a8 +[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15: +ffff8881130d8a40 +[27642.550379] complete_all+0x20/0x90 +[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core] +[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core] +[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core] +[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core] +[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core] +[27642.555757] ? xa_load+0x53/0x90 +[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core] +[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core] +[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core] +[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core] +[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core] +[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core] +[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0 +[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0 +[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130 +[27642.564816] genl_rcv_msg+0x183/0x290 +[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160 +[27642.566329] ? devlink_nl_eswitch_get_doit+0x290/0x290 +[27642.567181] ? devlink_nl_pre_doit_parent_dev_optional+0x20/0x20 +[27642.568147] ? genl_family_rcv_msg_dumpit+0xf0/0xf0 +[27642.568966] netlink_rcv_skb+0x4b/0xf0 +[27642.569629] genl_rcv+0x24/0x40 +[27642.570215] netlink_unicast+0x255/0x380 +[27642.570901] ? __alloc_skb+0xfa/0x1e0 +[27642.571560] netlink_sendmsg+0x1f3/0x420 +[27642.572249] __sock_sendmsg+0x38/0x60 +[27642.572911] __sys_sendto+0x119/0x180 +[27642.573561] ? __sys_recvmsg+0x5c/0xb0 +[27642.574227] __x64_sys_sendto+0x20/0x30 +[27642.574904] do_syscall_64+0x55/0xc10 +[27642.575554] entry_SYSCALL_64_after_hwframe+0x4b/0x53 +[27642.576391] RIP: 0033:0x7f197c85e807 +[27642.577050] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00 +00 90 f3 0f 1e fa 80 3d 45 08 0d 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f + 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d + d0 +[27642.579846] RSP: 002b:00007ffebd4e2248 EFLAGS: 00000202 ORIG_RAX: +000000000000002c +[27642.581082] RAX: ffffffffffffffda RBX: 000055cfcd9cd2a0 RCX: +00007f197c85e807 +[27642.582200] RDX: 0000000000000038 RSI: 000055cfcd9cd490 RDI: +0000000000000003 +[27642.583320] RBP: 00007ffebd4e2290 R08: 00007f197c942200 R09: +000000000000000c +[27642.584437] R10: 0000000000000000 R11: 0000000000000202 R12: +0000000000000000 +[27642.585555] R13: 000055cfcd9cd490 R14: 00007ffebd4e45d1 R15: +000055cfcd9cd2a0 +[27642.586671] +[27642.587121] ---[ end trace 0000000000000000 ]--- +[27642.587910] BUG: kernel NULL pointer dereference, address: +00000000000000a0 + +Fixes: 664f76be38a1 ("net/mlx5: Fix IPsec cleanup over MPV device") +Signed-off-by: Patrisious Haddad +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index 831d4b17ad07a..c48eeb399a422 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -2449,7 +2449,7 @@ void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv) + goto out; + + peer_priv = mlx5_devcom_get_next_peer_data(priv->devcom, &tmp); +- if (peer_priv) ++ if (peer_priv && peer_priv->ipsec) + complete_all(&peer_priv->ipsec->comp); + + mlx5_devcom_for_each_peer_end(priv->devcom); +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch b/queue-6.12/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch new file mode 100644 index 0000000000..a51fe766b7 --- /dev/null +++ b/queue-6.12/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch @@ -0,0 +1,152 @@ +From 7739bc10354460aeb081780383935f574aecb9f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:10:19 +0200 +Subject: net/mlx5: Fix deadlock between devlink lock and esw->wq + +From: Cosmin Ratiu + +[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ] + +esw->work_queue executes esw_functions_changed_event_handler -> +esw_vfs_changed_event_handler and acquires the devlink lock. + +.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> +mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> +mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks +when esw_vfs_changed_event_handler executes. + +Fix that by no longer flushing the work to avoid the deadlock, and using +a generation counter to keep track of work relevance. This avoids an old +handler manipulating an esw that has undergone one or more mode changes: +- the counter is incremented in mlx5_eswitch_event_handler_unregister. +- the counter is read and passed to the ephemeral mlx5_host_work struct. +- the work handler takes the devlink lock and bails out if the current + generation is different than the one it was scheduled to operate on. +- mlx5_eswitch_cleanup does the final draining before destroying the wq. + +No longer flushing the workqueue has the side effect of maybe no longer +cancelling pending vport_change_handler work items, but that's ok since +those are disabled elsewhere: +- mlx5_eswitch_disable_locked disables the vport eq notifier. +- mlx5_esw_vport_disable disarms the HW EQ notification and marks + vport->enabled under state_lock to false to prevent pending vport + handler from doing anything. +- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events + are disabled/finished. + +Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Moshe Shemesh +Reviewed-by: Dragos Tatulea +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++----- + 3 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index b26ab78006ea0..864e88f057714 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1068,10 +1068,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + + static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { +- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS && ++ mlx5_eswitch_is_funcs_handler(esw->dev)) { + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); +- +- flush_workqueue(esw->work_queue); ++ atomic_inc(&esw->esw_funcs.generation); ++ } + } + + static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index be6e60d961689..63c2b36ce967b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -312,10 +312,12 @@ struct esw_mc_addr { /* SRIOV only */ + struct mlx5_host_work { + struct work_struct work; + struct mlx5_eswitch *esw; ++ int work_gen; + }; + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ atomic_t generation; + bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 7cead1ba0bfa1..b122003d8bcde 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3402,22 +3402,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw) + } + + static void +-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) ++esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen, ++ const u32 *out) + { + struct devlink *devlink; + bool host_pf_disabled; + u16 new_num_vfs; + ++ devlink = priv_to_devlink(esw->dev); ++ devl_lock(devlink); ++ ++ /* Stale work from one or more mode changes ago. Bail out. */ ++ if (work_gen != atomic_read(&esw->esw_funcs.generation)) ++ goto unlock; ++ + new_num_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_num_of_vfs); + host_pf_disabled = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_pf_disabled); + + if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled) +- return; ++ goto unlock; + +- devlink = priv_to_devlink(esw->dev); +- devl_lock(devlink); + /* Number of VFs can only change from "0 to x" or "x to 0". */ + if (esw->esw_funcs.num_vfs > 0) { + mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs); +@@ -3432,6 +3438,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) + } + } + esw->esw_funcs.num_vfs = new_num_vfs; ++unlock: + devl_unlock(devlink); + } + +@@ -3448,7 +3455,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work) + if (IS_ERR(out)) + goto out; + +- esw_vfs_changed_event_handler(esw, out); ++ esw_vfs_changed_event_handler(esw, host_work->work_gen, out); + kvfree(out); + out: + kfree(host_work); +@@ -3468,6 +3475,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type + esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs); + + host_work->esw = esw; ++ host_work->work_gen = atomic_read(&esw_funcs->generation); + + INIT_WORK(&host_work->work, esw_functions_changed_event_handler); + queue_work(esw->work_queue, &host_work->work); +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-ifc-updates-for-disabled-host-pf.patch b/queue-6.12/net-mlx5-ifc-updates-for-disabled-host-pf.patch new file mode 100644 index 0000000000..094d791056 --- /dev/null +++ b/queue-6.12/net-mlx5-ifc-updates-for-disabled-host-pf.patch @@ -0,0 +1,40 @@ +From 94b4859fb97e25ab8b70894579d56b4960faf71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 15:41:07 +0300 +Subject: net/mlx5: IFC updates for disabled host PF + +From: Daniel Jurgens + +[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ] + +The port 2 host PF can be disabled, this bit reflects that setting. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 2b1a816e4d59c..6ea35c8ce00fb 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -12282,7 +12282,9 @@ struct mlx5_ifc_mtrc_ctrl_bits { + + struct mlx5_ifc_host_params_context_bits { + u8 host_number[0x8]; +- u8 reserved_at_8[0x7]; ++ u8 reserved_at_8[0x5]; ++ u8 host_pf_not_exist[0x1]; ++ u8 reserved_at_14[0x1]; + u8 host_pf_disabled[0x1]; + u8 host_num_of_vfs[0x10]; + +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5-query-to-see-if-host-pf-is-disabled.patch b/queue-6.12/net-mlx5-query-to-see-if-host-pf-is-disabled.patch new file mode 100644 index 0000000000..6751ab1da3 --- /dev/null +++ b/queue-6.12/net-mlx5-query-to-see-if-host-pf-is-disabled.patch @@ -0,0 +1,80 @@ +From 393c189862a60c0afee5fcbbc877291413fee61e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 22:19:55 +0300 +Subject: net/mlx5: Query to see if host PF is disabled + +From: Daniel Jurgens + +[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ] + +The host PF can be disabled, query firmware to check if the host PF of +this function exists. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++ + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 + + 2 files changed, 24 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 6544546a1153f..b26ab78006ea0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1038,6 +1038,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev) + return ERR_PTR(err); + } + ++static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw) ++{ ++ const u32 *query_host_out; ++ ++ if (!mlx5_core_is_ecpf_esw_manager(esw->dev)) ++ return 0; ++ ++ query_host_out = mlx5_esw_query_functions(esw->dev); ++ if (IS_ERR(query_host_out)) ++ return PTR_ERR(query_host_out); ++ ++ esw->esw_funcs.host_funcs_disabled = ++ MLX5_GET(query_esw_functions_out, query_host_out, ++ host_params_context.host_pf_not_exist); ++ ++ kvfree(query_host_out); ++ return 0; ++} ++ + static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + { + if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) { +@@ -1871,6 +1890,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev) + goto abort; + } + ++ err = mlx5_esw_host_functions_enabled_query(esw); ++ if (err) ++ goto abort; ++ + err = mlx5_esw_vports_init(esw); + if (err) + goto abort; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 48fd0400ffd4e..be6e60d961689 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -316,6 +316,7 @@ struct mlx5_host_work { + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; + }; +-- +2.51.0 + diff --git a/queue-6.12/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-6.12/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..91ec6f5962 --- /dev/null +++ b/queue-6.12/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From 934c0f47d8173a70bb8d6800cc9b52a5c916ce9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index dbd9482359e1e..74f9703013b43 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -45,7 +45,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-6.12/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch b/queue-6.12/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch new file mode 100644 index 0000000000..c78765a1d4 --- /dev/null +++ b/queue-6.12/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch @@ -0,0 +1,69 @@ +From b5bb0edb3e314fee1d3d92efb33e80a62ab488b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 04:39:08 +0000 +Subject: net: prevent NULL deref in ip[6]tunnel_xmit() + +From: Eric Dumazet + +[ Upstream commit c38b8f5f791ecce13ab77e2257f8fd2444ba80f6 ] + +Blamed commit missed that both functions can be called with dev == NULL. + +Also add unlikely() hints for these conditions that only fuzzers can hit. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Signed-off-by: Eric Dumazet +CC: Weiming Shi +Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 10 ++++++---- + net/ipv4/ip_tunnel_core.c | 10 ++++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index dfdb4dba5be8f..17913fca5445a 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + kfree_skb(skb); + return; + } +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 53d02602c17a3..507f2f9ec400c 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -57,10 +57,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + ip_rt_put(rt); + kfree_skb(skb); + return; +-- +2.51.0 + diff --git a/queue-6.12/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-6.12/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..32e810453c --- /dev/null +++ b/queue-6.12/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From 16a4bdaca751bb0f786418d33a07294d77ce2270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 6e4bdaa876ed6..783300d8b0197 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-6.12/net-sfp-improve-huawei-ma5671a-fixup.patch b/queue-6.12/net-sfp-improve-huawei-ma5671a-fixup.patch new file mode 100644 index 0000000000..2c7b80f748 --- /dev/null +++ b/queue-6.12/net-sfp-improve-huawei-ma5671a-fixup.patch @@ -0,0 +1,58 @@ +From 35f26adc893ee22e4f6b843387b0a610057bccc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 13:29:55 +0100 +Subject: net: sfp: improve Huawei MA5671a fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ] + +With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT +signal, but we also need to apply sfp_fixup_ignore_los() in order to be +able to communicate with the module even if the fiber isn't connected for +configuration purposes. +This is needed for all the MA5671a firmwares, excluding the FS modded +firmware. + +Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index cae748b762236..dd8d37b44aac8 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -360,6 +360,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp) ++{ ++ sfp_fixup_ignore_tx_fault(sfp); ++ sfp_fixup_ignore_los(sfp); ++} ++ + static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask) + { + sfp->state_hw_mask &= ~mask; +@@ -523,7 +529,7 @@ static const struct sfp_quirk sfp_quirks[] = { + // Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in + // their EEPROM + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, +- sfp_fixup_ignore_tx_fault), ++ sfp_fixup_ignore_tx_fault_and_los), + + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nf_tables-always-walk-all-pending-catchall.patch b/queue-6.12/netfilter-nf_tables-always-walk-all-pending-catchall.patch new file mode 100644 index 0000000000..58465f4358 --- /dev/null +++ b/queue-6.12/netfilter-nf_tables-always-walk-all-pending-catchall.patch @@ -0,0 +1,57 @@ +From bde76b3d800e9d65c1843769c8cb89202bd9062a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:32:00 +0100 +Subject: netfilter: nf_tables: always walk all pending catchall elements + +From: Florian Westphal + +[ Upstream commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 ] + +During transaction processing we might have more than one catchall element: +1 live catchall element and 1 pending element that is coming as part of the +new batch. + +If the map holding the catchall elements is also going away, its +required to toggle all catchall elements and not just the first viable +candidate. + +Otherwise, we get: + WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 + RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] + [..] + __nft_set_elem_destroy+0x106/0x380 [nf_tables] + nf_tables_abort_release+0x348/0x8d0 [nf_tables] + nf_tables_abort+0xcf2/0x3ac0 [nf_tables] + nfnetlink_rcv_batch+0x9c9/0x20e0 [..] + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Reported-by: Yiming Qian +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c1b9b00907bbb..268d00ffee0cb 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -700,7 +700,6 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, + + nft_set_elem_change_active(ctx->net, set, ext); + nft_setelem_data_deactivate(ctx->net, set, catchall->elem); +- break; + } + } + +@@ -5706,7 +5705,6 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + nft_clear(ctx->net, ext); + nft_setelem_data_activate(ctx->net, set, catchall->elem); +- break; + } + } + +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-6.12/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..64406149b7 --- /dev/null +++ b/queue-6.12/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From df5a0b98e12e21640cb2250489e81ba75a585823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 97248963a7d3b..71a248cca746a 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-6.12/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..88da2670e2 --- /dev/null +++ b/queue-6.12/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From a27902f4a5d012e53680255abec7c1ef4e160a0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index af35dbc19864a..df0232cf24ce2 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1547,8 +1547,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-6.12/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-6.12/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..4989271685 --- /dev/null +++ b/queue-6.12/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From d95e8245ab1f721800124facb70433aa1c820ae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index ab5045bf3e599..a2dd1212e0f0d 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1627,6 +1627,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1646,7 +1647,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-6.12/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-6.12/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..937dd6200d --- /dev/null +++ b/queue-6.12/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From 6b1170f1b4e95ad91a7b030806563f55b01cdfdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index e8991130a3de0..f76cf18f1a244 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-6.12/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-6.12/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..63599d5821 --- /dev/null +++ b/queue-6.12/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From fb3cc7b84c87a5540b3d919e5fbb0d95e2c31bad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index 9869ef3c2ab37..92a8289b1cb35 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); +-- +2.51.0 + diff --git a/queue-6.12/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch b/queue-6.12/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch new file mode 100644 index 0000000000..dd0c5ee17c --- /dev/null +++ b/queue-6.12/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch @@ -0,0 +1,58 @@ +From 454358b89283c2afe71aa0f78fd561274d047142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Feb 2026 13:04:40 +0100 +Subject: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir + +From: Roberto Bergantinos Corpas + +[ Upstream commit 410666a298c34ebd57256fde6b24c96bd23059a2 ] + +If we found an alias through nfs3_do_create/nfs_add_or_obtain +/d_splice_alias which happens to be a dir dentry, we don't return +any error, and simply forget about this alias, but the original +dentry we were adding and passed as parameter remains negative. + +This later causes an oops on nfs_atomic_open_v23/finish_open since we +supply a negative dentry to do_dentry_open. + +This has been observed running lustre-racer, where dirs and files are +created/removed concurrently with the same name and O_EXCL is not +used to open files (frequent file redirection). + +While d_splice_alias typically returns a directory alias or NULL, we +explicitly check d_is_dir() to ensure that we don't attempt to perform +file operations (like finish_open) on a directory inode, which triggers +the observed oops. + +Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.") +Reviewed-by: Olga Kornievskaia +Reviewed-by: Scott Mayhew +Signed-off-by: Roberto Bergantinos Corpas +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3proc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c +index 88b0fb343ae04..b02ea9fc812da 100644 +--- a/fs/nfs/nfs3proc.c ++++ b/fs/nfs/nfs3proc.c +@@ -393,8 +393,13 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + if (status != 0) + goto out_release_acls; + +- if (d_alias) ++ if (d_alias) { ++ if (d_is_dir(d_alias)) { ++ status = -EISDIR; ++ goto out_dput; ++ } + dentry = d_alias; ++ } + + /* When we created the file with exclusive semantics, make + * sure we set the attributes afterwards. */ +-- +2.51.0 + diff --git a/queue-6.12/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch b/queue-6.12/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch new file mode 100644 index 0000000000..7903c67026 --- /dev/null +++ b/queue-6.12/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch @@ -0,0 +1,122 @@ +From 183fc7e0d111ee2ad17b031c5c42aec3663bdb4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 14:46:36 -0500 +Subject: nvme-pci: Fix race bug in nvme_poll_irqdisable() + +From: Sungwoo Kim + +[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ] + +In the following scenario, pdev can be disabled between (1) and (3) by +(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will +return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). +This causes IRQ warning because it tries to enable INTx IRQ that has +never been disabled before. + +To fix this, save IRQ number into a local variable and ensure +disable_irq() and enable_irq() operate on the same IRQ number. Even if +pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and +enable_irq() on a stale IRQ number is still valid and safe, and the +depth accounting reamins balanced. + +task 1: +nvme_poll_irqdisable() + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) + +task 2: +nvme_reset_work() + nvme_dev_disable() + pdev->msix_enable = 0; ...(2) + +crash log: + +------------[ cut here ]------------ +Unbalanced enable for IRQ 10 +WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 +Modules linked in: +CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_timeout_work +RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 +Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 +RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 +RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 +RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 +RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 +R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 +R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 +FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 +Call Trace: + + enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 + nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 + nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 + blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] + blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 + bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 + __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] + sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] + bt_for_each block/blk-mq-tag.c:324 [inline] + blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 + blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +irq event stamp: 74478 +hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] +hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 +hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] +hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 +softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +---[ end trace 0000000000000000 ]--- + +Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Reviewed-by: Christoph Hellwig +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index c7d1e9c2b1571..6bd02c9116501 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1201,14 +1201,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data) + static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + { + struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev); ++ int irq; + + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + +- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ irq = pci_irq_vector(pdev, nvmeq->cq_vector); ++ disable_irq(irq); + spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); + spin_unlock(&nvmeq->cq_poll_lock); +- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ enable_irq(irq); + } + + static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) +-- +2.51.0 + diff --git a/queue-6.12/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-6.12/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..98b3cec71e --- /dev/null +++ b/queue-6.12/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 021304209e12111406d2fd767e866b05134636c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index b31a2dad361d6..c7d1e9c2b1571 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -343,7 +343,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..1d6f4ed924 --- /dev/null +++ b/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From 2f505a13ce0c15aa284a15ff89ed2dcf02e3a78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 06f778baaeef2..79ab91de90e47 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -475,7 +475,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..b1c3f188e4 --- /dev/null +++ b/queue-6.12/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From 749f5d23c079c6d03013bd832d0baaec7fe42e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 79ab91de90e47..6f8914431de4f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-6.12/perf-annotate-fix-hashmap__new-error-checking.patch b/queue-6.12/perf-annotate-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..65751f4b69 --- /dev/null +++ b/queue-6.12/perf-annotate-fix-hashmap__new-error-checking.patch @@ -0,0 +1,60 @@ +From f75a7cfef17ad35ef3aff507fb3a31569983e0f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 11:56:48 +0800 +Subject: perf annotate: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit bf29cb3641b80bac759c3332b02e0b270e16bf94 ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set src->samples to NULL to prevent any later code from +accidentally using the error pointer. + +Fixes: d3e7cad6f36d9e80 ("perf annotate: Add a hashmap for symbol histogram") +Reviewed-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Tianyou Li +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index cb8f191e19fd9..890cc0a69fa5e 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -44,6 +44,7 @@ + #include "strbuf.h" + #include + #include ++#include + #include + #include + #include +@@ -135,8 +136,10 @@ static int annotated_source__alloc_histograms(struct annotated_source *src, + return -1; + + src->samples = hashmap__new(sym_hist_hash, sym_hist_equal, NULL); +- if (src->samples == NULL) ++ if (IS_ERR(src->samples)) { + zfree(&src->histograms); ++ src->samples = NULL; ++ } + + return src->histograms ? 0 : -1; + } +-- +2.51.0 + diff --git a/queue-6.12/perf-disasm-fix-off-by-one-bug-in-outside-check.patch b/queue-6.12/perf-disasm-fix-off-by-one-bug-in-outside-check.patch new file mode 100644 index 0000000000..34801af93f --- /dev/null +++ b/queue-6.12/perf-disasm-fix-off-by-one-bug-in-outside-check.patch @@ -0,0 +1,53 @@ +From 3cc712d32e2dbad9d3339447c627177819216bfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 11:06:12 -0800 +Subject: perf disasm: Fix off-by-one bug in outside check + +From: Peter Collingbourne + +[ Upstream commit b3ce769203a99d6f3c6d6269ec09232a8c5da422 ] + +If a branch target points to one past the end of a function, the branch +should be treated as a branch to another function. + +This can happen e.g. with a tail call to a function that is laid out +immediately after the caller. + +Fixes: 751b1783da784299 ("perf annotate: Mark jumps to outher functions with the call arrow") +Reviewed-by: Ian Rogers +Signed-off-by: Peter Collingbourne +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Bill Wendling +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Justin Stitt +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Link: https://linux-review.googlesource.com/id/Ide471112e82d68177e0faf08ca411d9fcf0a7bdf +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/disasm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c +index 2dc93199ac258..8a6f450c6f8e7 100644 +--- a/tools/perf/util/disasm.c ++++ b/tools/perf/util/disasm.c +@@ -408,7 +408,7 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s + start = map__unmap_ip(map, sym->start); + end = map__unmap_ip(map, sym->end); + +- ops->target.outside = target.addr < start || target.addr > end; ++ ops->target.outside = target.addr < start || target.addr >= end; + + /* + * FIXME: things like this in _cpp_lex_token (gcc's cc1 program): +-- +2.51.0 + diff --git a/queue-6.12/perf-ftrace-fix-hashmap__new-error-checking.patch b/queue-6.12/perf-ftrace-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..e82bab26de --- /dev/null +++ b/queue-6.12/perf-ftrace-fix-hashmap__new-error-checking.patch @@ -0,0 +1,62 @@ +From 969fc43fcb66d3dfb73b608d0cd72fcacfcb841f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 12:10:52 +0800 +Subject: perf ftrace: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit be34705aa527872e5ce83927b7bc9307ba8095ca ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set ftrace->profile_hash to NULL on error, and return the +exact error code from hashmap__new(). + +Fixes: 0f223813edd051a5 ("perf ftrace: Add 'profile' command") +Suggested-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-ftrace.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c +index a56cf8b0a7d40..09c484182d5bc 100644 +--- a/tools/perf/builtin-ftrace.c ++++ b/tools/perf/builtin-ftrace.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + + #include "debug.h" +@@ -998,8 +999,12 @@ static int prepare_func_profile(struct perf_ftrace *ftrace) + ftrace->graph_tail = 1; + + ftrace->profile_hash = hashmap__new(profile_hash, profile_equal, NULL); +- if (ftrace->profile_hash == NULL) +- return -ENOMEM; ++ if (IS_ERR(ftrace->profile_hash)) { ++ int err = PTR_ERR(ftrace->profile_hash); ++ ++ ftrace->profile_hash = NULL; ++ return err; ++ } + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.12/regulator-pca9450-correct-interrupt-type.patch b/queue-6.12/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..6279a515b1 --- /dev/null +++ b/queue-6.12/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From e66fde47c5d3bf34d55f094998868458d0259d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 1ffa145319f23..2a0fac873f9c1 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -965,7 +965,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) { + dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-6.12/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch b/queue-6.12/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch new file mode 100644 index 0000000000..436ce29604 --- /dev/null +++ b/queue-6.12/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch @@ -0,0 +1,32 @@ +From b1fd422ffd7acd456f201bfbc4d2fc8458fd2117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 03:16:41 -0400 +Subject: Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as + boot-on" + +This reverts commit a7037c3eb0130a6167138e69178895b22758d7f3. + +The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead +of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines. + +Reported-by: Marco Mattiolo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +index 934bf9cfc5ac7..56840b6ed6449 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +@@ -246,7 +246,6 @@ vreg_l12a_1p8: ldo12 { + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-boot-on; + }; + + vreg_l14a_1p88: ldo14 { +-- +2.51.0 + diff --git a/queue-6.12/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-6.12/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..87da06fce2 --- /dev/null +++ b/queue-6.12/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From f32ba17d1208c945532b5fc072a9cec15b604691 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 2cb11e5a11251..0e1bbc966135d 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -353,16 +353,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 624ef809f6715..b6a072a323a44 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -214,7 +214,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -232,6 +232,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-6.12/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-6.12/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..90dd03ec04 --- /dev/null +++ b/queue-6.12/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From a2af194f25e59a14d934d771db01a8f812e61ace Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 699ed0ff461e8..6799dbf80f484 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = N_TTY_BUF_SIZE; +@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index f2337badcb..390064f01f 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -22,3 +22,67 @@ remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch remoteproc-mediatek-unprepare-scp-clock-during-syste.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch smb-server-fix-another-refcount-leak-in-smb2_open.patch +nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch +drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +btrfs-hold-space_info-lock-when-clearing-periodic-re.patch +workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch +perf-disasm-fix-off-by-one-bug-in-outside-check.patch +net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch +drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch +drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5-ifc-updates-for-disabled-host-pf.patch +net-mlx5-query-to-see-if-host-pf-is-disabled.patch +net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch +net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +asoc-simple-card-utils-use-__free-device_node-for-de.patch +asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch +net-sfp-improve-huawei-ma5671a-fixup.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch +mctp-i2c-fix-skb-memory-leak-in-receive-path.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +bonding-add-esp-offload-features-when-slaves-support.patch +bonding-correctly-support-gso-esp-offload.patch +net-add-a-common-function-to-compute-features-for-up.patch +bonding-use-common-function-to-compute-the-features.patch +bonding-fix-type-confusion-in-bond_setup_by_slave.patch +mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch +amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch +amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch +xdp-allow-attaching-already-registered-memory-model-.patch +xdp-register-system-page-pool-as-an-xdp-memory-model.patch +net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch +netfilter-nf_tables-always-walk-all-pending-catchall.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +perf-annotate-fix-hashmap__new-error-checking.patch +regulator-pca9450-correct-interrupt-type.patch +perf-ftrace-fix-hashmap__new-error-checking.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch +drm-amdkfd-unreserve-bo-if-queue-update-failed.patch +net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch +net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +net-prevent-null-deref-in-ip-6-tunnel_xmit.patch +iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch +usb-gadget-f_mass_storage-fix-potential-integer-over.patch +revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch diff --git a/queue-6.12/usb-gadget-f_mass_storage-fix-potential-integer-over.patch b/queue-6.12/usb-gadget-f_mass_storage-fix-potential-integer-over.patch new file mode 100644 index 0000000000..b2f85a5b1d --- /dev/null +++ b/queue-6.12/usb-gadget-f_mass_storage-fix-potential-integer-over.patch @@ -0,0 +1,72 @@ +From 4521ad583618b15d2b8334fcf8af2924a8fc024c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 05:43:25 -0500 +Subject: usb: gadget: f_mass_storage: Fix potential integer overflow in + check_command_size_in_blocks() + +From: Seungjin Bae + +[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] + +The `check_command_size_in_blocks()` function calculates the data size +in bytes by left shifting `common->data_size_from_cmnd` by the block +size (`common->curlun->blkbits`). However, it does not validate whether +this shift operation will cause an integer overflow. + +Initially, the block size is set up in `fsg_lun_open()` , and the +`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During +initialization, there is no integer overflow check for the interaction +between two variables. + +So if a malicious USB host sends a SCSI READ or WRITE command +requesting a large amount of data (`common->data_size_from_cmnd`), the +left shift operation can wrap around. This results in a truncated data +size, which can bypass boundary checks and potentially lead to memory +corruption or out-of-bounds accesses. + +Fix this by using the check_shl_overflow() macro to safely perform the +shift and catch any overflows. + +Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") +Signed-off-by: Seungjin Bae +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 08e0d1c511e8d..74cb7e57a197c 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -180,6 +180,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, + int cmnd_size, enum data_direction data_dir, + unsigned int mask, int needs_medium, const char *name) + { +- if (common->curlun) +- common->data_size_from_cmnd <<= common->curlun->blkbits; ++ if (common->curlun) { ++ if (check_shl_overflow(common->data_size_from_cmnd, ++ common->curlun->blkbits, ++ &common->data_size_from_cmnd)) { ++ common->phase_error = 1; ++ return -EINVAL; ++ } ++ } ++ + return check_command(common, cmnd_size, data_dir, + mask, needs_medium, name); + } +-- +2.51.0 + diff --git a/queue-6.12/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch b/queue-6.12/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch new file mode 100644 index 0000000000..f9dd7357a1 --- /dev/null +++ b/queue-6.12/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch @@ -0,0 +1,42 @@ +From c3c60862939f66b8cb390009fa3f8b77d9a016b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 08:15:37 -0800 +Subject: workqueue: Use POOL_BH instead of WQ_BH when checking pool flags + +From: Breno Leitao + +[ Upstream commit f42f9091be9e5ff57567a3945cfcdd498f475348 ] + +pr_cont_worker_id() checks pool->flags against WQ_BH, which is a +workqueue-level flag (defined in workqueue.h). Pool flags use a +separate namespace with POOL_* constants (defined in workqueue.c). +The correct constant is POOL_BH. Both WQ_BH and POOL_BH are defined +as (1 << 0) so this has no behavioral impact, but it is semantically +wrong and inconsistent with every other pool-level BH check in the +file. + +Fixes: 4cb1ef64609f ("workqueue: Implement BH workqueues to eventually replace tasklets") +Signed-off-by: Breno Leitao +Acked-by: Song Liu +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 3840d7ce9cda0..b2fdb8719a744 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -6209,7 +6209,7 @@ static void pr_cont_worker_id(struct worker *worker) + { + struct worker_pool *pool = worker->pool; + +- if (pool->flags & WQ_BH) ++ if (pool->flags & POOL_BH) + pr_cont("bh%s", + pool->attrs->nice == HIGHPRI_NICE_LEVEL ? "-hi" : ""); + else +-- +2.51.0 + diff --git a/queue-6.12/xdp-allow-attaching-already-registered-memory-model-.patch b/queue-6.12/xdp-allow-attaching-already-registered-memory-model-.patch new file mode 100644 index 0000000000..016f40b24e --- /dev/null +++ b/queue-6.12/xdp-allow-attaching-already-registered-memory-model-.patch @@ -0,0 +1,145 @@ +From c5006ea14b752ba274304bf22e08c7752e00ddeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:37:27 +0100 +Subject: xdp: allow attaching already registered memory model to xdp_rxq_info +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Lobakin + +[ Upstream commit f65966fe0178c06065d354c22fb456fc4370b527 ] + +One may need to register memory model separately from xdp_rxq_info. One +simple example may be XDP test run code, but in general, it might be +useful when memory model registering is managed by one layer and then +XDP RxQ info by a different one. +Allow such scenarios by adding a simple helper which "attaches" +already registered memory model to the desired xdp_rxq_info. As this +is mostly needed for Page Pool, add a special function to do that for +a &page_pool pointer. + +Reviewed-by: Toke Høiland-Jørgensen +Signed-off-by: Alexander Lobakin +Link: https://patch.msgid.link/20241203173733.3181246-5-aleksander.lobakin@intel.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Signed-off-by: Sasha Levin +--- + include/net/xdp.h | 32 +++++++++++++++++++++++++++ + net/core/xdp.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + +diff --git a/include/net/xdp.h b/include/net/xdp.h +index b80953f0affb0..05be2de2fd472 100644 +--- a/include/net/xdp.h ++++ b/include/net/xdp.h +@@ -356,6 +356,38 @@ void xdp_rxq_info_unreg_mem_model(struct xdp_rxq_info *xdp_rxq); + int xdp_reg_mem_model(struct xdp_mem_info *mem, + enum xdp_mem_type type, void *allocator); + void xdp_unreg_mem_model(struct xdp_mem_info *mem); ++int xdp_reg_page_pool(struct page_pool *pool); ++void xdp_unreg_page_pool(const struct page_pool *pool); ++void xdp_rxq_info_attach_page_pool(struct xdp_rxq_info *xdp_rxq, ++ const struct page_pool *pool); ++ ++/** ++ * xdp_rxq_info_attach_mem_model - attach registered mem info to RxQ info ++ * @xdp_rxq: XDP RxQ info to attach the memory info to ++ * @mem: already registered memory info ++ * ++ * If the driver registers its memory providers manually, it must use this ++ * function instead of xdp_rxq_info_reg_mem_model(). ++ */ ++static inline void ++xdp_rxq_info_attach_mem_model(struct xdp_rxq_info *xdp_rxq, ++ const struct xdp_mem_info *mem) ++{ ++ xdp_rxq->mem = *mem; ++} ++ ++/** ++ * xdp_rxq_info_detach_mem_model - detach registered mem info from RxQ info ++ * @xdp_rxq: XDP RxQ info to detach the memory info from ++ * ++ * If the driver registers its memory providers manually and then attaches it ++ * via xdp_rxq_info_attach_mem_model(), it must call this function before ++ * xdp_rxq_info_unreg(). ++ */ ++static inline void xdp_rxq_info_detach_mem_model(struct xdp_rxq_info *xdp_rxq) ++{ ++ xdp_rxq->mem = (struct xdp_mem_info){ }; ++} + + /* Drivers not supporting XDP metadata can use this helper, which + * rejects any room expansion for metadata as a result. +diff --git a/net/core/xdp.c b/net/core/xdp.c +index 23e7d736718b0..8a3ea90e8cf97 100644 +--- a/net/core/xdp.c ++++ b/net/core/xdp.c +@@ -365,6 +365,62 @@ int xdp_rxq_info_reg_mem_model(struct xdp_rxq_info *xdp_rxq, + + EXPORT_SYMBOL_GPL(xdp_rxq_info_reg_mem_model); + ++/** ++ * xdp_reg_page_pool - register &page_pool as a memory provider for XDP ++ * @pool: &page_pool to register ++ * ++ * Can be used to register pools manually without connecting to any XDP RxQ ++ * info, so that the XDP layer will be aware of them. Then, they can be ++ * attached to an RxQ info manually via xdp_rxq_info_attach_page_pool(). ++ * ++ * Return: %0 on success, -errno on error. ++ */ ++int xdp_reg_page_pool(struct page_pool *pool) ++{ ++ struct xdp_mem_info mem; ++ ++ return xdp_reg_mem_model(&mem, MEM_TYPE_PAGE_POOL, pool); ++} ++EXPORT_SYMBOL_GPL(xdp_reg_page_pool); ++ ++/** ++ * xdp_unreg_page_pool - unregister &page_pool from the memory providers list ++ * @pool: &page_pool to unregister ++ * ++ * A shorthand for manual unregistering page pools. If the pool was previously ++ * attached to an RxQ info, it must be detached first. ++ */ ++void xdp_unreg_page_pool(const struct page_pool *pool) ++{ ++ struct xdp_mem_info mem = { ++ .type = MEM_TYPE_PAGE_POOL, ++ .id = pool->xdp_mem_id, ++ }; ++ ++ xdp_unreg_mem_model(&mem); ++} ++EXPORT_SYMBOL_GPL(xdp_unreg_page_pool); ++ ++/** ++ * xdp_rxq_info_attach_page_pool - attach registered pool to RxQ info ++ * @xdp_rxq: XDP RxQ info to attach the pool to ++ * @pool: pool to attach ++ * ++ * If the pool was registered manually, this function must be called instead ++ * of xdp_rxq_info_reg_mem_model() to connect it to the RxQ info. ++ */ ++void xdp_rxq_info_attach_page_pool(struct xdp_rxq_info *xdp_rxq, ++ const struct page_pool *pool) ++{ ++ struct xdp_mem_info mem = { ++ .type = MEM_TYPE_PAGE_POOL, ++ .id = pool->xdp_mem_id, ++ }; ++ ++ xdp_rxq_info_attach_mem_model(xdp_rxq, &mem); ++} ++EXPORT_SYMBOL_GPL(xdp_rxq_info_attach_page_pool); ++ + /* XDP RX runs under NAPI protection, and in different delivery error + * scenarios (e.g. queue full), it is possible to return the xdp_frame + * while still leveraging this protection. The @napi_direct boolean +-- +2.51.0 + diff --git a/queue-6.12/xdp-register-system-page-pool-as-an-xdp-memory-model.patch b/queue-6.12/xdp-register-system-page-pool-as-an-xdp-memory-model.patch new file mode 100644 index 0000000000..d7f5eb8845 --- /dev/null +++ b/queue-6.12/xdp-register-system-page-pool-as-an-xdp-memory-model.patch @@ -0,0 +1,85 @@ +From 6badcea32033bdb08960b5537e8066eeaf25ef42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 18:37:29 +0100 +Subject: xdp: register system page pool as an XDP memory model +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit e77d9aee951341119be16a991fcfc76d1154d22a ] + +To make the system page pool usable as a source for allocating XDP +frames, we need to register it with xdp_reg_mem_model(), so that page +return works correctly. This is done in preparation for using the system +page_pool to convert XDP_PASS XSk frames to skbs; for the same reason, +make the per-cpu variable non-static so we can access it from other +source files as well (but w/o exporting). + +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Alexander Lobakin +Link: https://patch.msgid.link/20241203173733.3181246-7-aleksander.lobakin@intel.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 1 + + net/core/dev.c | 10 +++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 3699c43731ccf..d5215f23f2b99 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3256,6 +3256,7 @@ struct softnet_data { + }; + + DECLARE_PER_CPU_ALIGNED(struct softnet_data, softnet_data); ++DECLARE_PER_CPU(struct page_pool *, system_page_pool); + + #ifndef CONFIG_PREEMPT_RT + static inline int dev_recursion_level(void) +diff --git a/net/core/dev.c b/net/core/dev.c +index a855cee5e5aeb..336257b515f04 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -460,7 +460,7 @@ EXPORT_PER_CPU_SYMBOL(softnet_data); + * PP consumers must pay attention to run APIs in the appropriate context + * (e.g. NAPI context). + */ +-static DEFINE_PER_CPU(struct page_pool *, system_page_pool); ++DEFINE_PER_CPU(struct page_pool *, system_page_pool); + + #ifdef CONFIG_LOCKDEP + /* +@@ -12225,11 +12225,18 @@ static int net_page_pool_create(int cpuid) + .nid = cpu_to_mem(cpuid), + }; + struct page_pool *pp_ptr; ++ int err; + + pp_ptr = page_pool_create_percpu(&page_pool_params, cpuid); + if (IS_ERR(pp_ptr)) + return -ENOMEM; + ++ err = xdp_reg_page_pool(pp_ptr); ++ if (err) { ++ page_pool_destroy(pp_ptr); ++ return err; ++ } ++ + per_cpu(system_page_pool, cpuid) = pp_ptr; + #endif + return 0; +@@ -12363,6 +12370,7 @@ static int __init net_dev_init(void) + if (!pp_ptr) + continue; + ++ xdp_unreg_page_pool(pp_ptr); + page_pool_destroy(pp_ptr); + per_cpu(system_page_pool, i) = NULL; + } +-- +2.51.0 + diff --git a/queue-6.12/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-6.12/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..3c213b573f --- /dev/null +++ b/queue-6.12/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From 5d4c8bf32830e3f0c6b30bd10b053542810c7875 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 63262ef0c2e3a..8abbd9c4045a4 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1385,7 +1385,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1400,9 +1400,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 + diff --git a/queue-6.18/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-6.18/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..4ab748884e --- /dev/null +++ b/queue-6.18/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From 189920639e5b540fae77d83147d8cbd8c75d261b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 5ff343096ece0..fd3ac84b596fa 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1681,7 +1681,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-6.18/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch b/queue-6.18/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch new file mode 100644 index 0000000000..86cf292864 --- /dev/null +++ b/queue-6.18/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch @@ -0,0 +1,63 @@ +From 20bc2ccfae2a319ed64af10c555fbc6299b0b05c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:27 +0530 +Subject: amd-xgbe: fix link status handling in xgbe_rx_adaptation + +From: Raju Rangoju + +[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ] + +The link status bit is latched low to allow detection of momentary +link drops. If the status indicates that the link is already down, +read it again to obtain the current state. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 450a573960e7a..92cb061c90ebc 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1941,7 +1941,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +- unsigned int reg; ++ int reg; + + /* step 2: force PCS to send RX_ADAPT Req to PHY */ + XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4, +@@ -1963,11 +1963,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + + /* Step 4: Check for Block lock */ + +- /* Link status is latched low, so read once to clear +- * and then read again to get current state +- */ +- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); + reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ ++ /* Link status is latched low so that momentary link drops ++ * can be detected. If link was already down read again ++ * to get the latest state. ++ */ ++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) { ++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ } ++ + if (reg & MDIO_STAT1_LSTATUS) { + /* If the block lock is found, update the helpers + * and declare the link up +-- +2.51.0 + diff --git a/queue-6.18/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch b/queue-6.18/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch new file mode 100644 index 0000000000..669124fce4 --- /dev/null +++ b/queue-6.18/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch @@ -0,0 +1,168 @@ +From 7870038b6270af5d41e9a8aff304cedd80d6c591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:28 +0530 +Subject: amd-xgbe: prevent CRC errors during RX adaptation with AN disabled + +From: Raju Rangoju + +[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ] + +When operating in 10GBASE-KR mode with auto-negotiation disabled and RX +adaptation enabled, CRC errors can occur during the RX adaptation +process. This happens because the driver continues transmitting and +receiving packets while adaptation is in progress. + +Fix this by stopping TX/RX immediately when the link goes down and RX +adaptation needs to be re-triggered, and only re-enabling TX/RX after +adaptation completes and the link is confirmed up. Introduce a flag to +track whether TX/RX was disabled for adaptation so it can be restored +correctly. + +This prevents packets from being transmitted or received during the RX +adaptation window and avoids CRC errors from corrupted frames. + +The flag tracking the data path state is synchronized with hardware +state in xgbe_start() to prevent stale state after device restarts. +This ensures that after a restart cycle (where xgbe_stop disables +TX/RX and xgbe_start re-enables them), the flag correctly reflects +that the data path is active. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++ + 3 files changed, 69 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 89ece3dbd773a..fe4233fef3089 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1246,6 +1246,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + hw_if->enable_tx(pdata); + hw_if->enable_rx(pdata); ++ /* Synchronize flag with hardware state after enabling TX/RX. ++ * This prevents stale state after device restart cycles. ++ */ ++ pdata->data_path_stopped = false; + + udp_tunnel_nic_reset_ntf(netdev); + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 92cb061c90ebc..20d19d5a4effd 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2016,6 +2016,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata) + xgbe_rx_adaptation(pdata); + } + ++/* ++ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption ++ * @pdata: driver private data ++ * ++ * This function stops the data path (TX and RX) to prevent packet ++ * corruption during critical PHY operations like RX adaptation. ++ * Must be called before initiating RX adaptation when link goes down. ++ */ ++static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (pdata->data_path_stopped) ++ return; ++ ++ /* Stop TX/RX to prevent packet corruption during RX adaptation */ ++ pdata->hw_if.disable_tx(pdata); ++ pdata->hw_if.disable_rx(pdata); ++ pdata->data_path_stopped = true; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "stopping data path for RX adaptation\n"); ++} ++ ++/* ++ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation ++ * @pdata: driver private data ++ * ++ * This function re-enables the data path (TX and RX) after RX adaptation ++ * has completed successfully. Only called when link is confirmed up. ++ */ ++static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (!pdata->data_path_stopped) ++ return; ++ ++ pdata->hw_if.enable_rx(pdata); ++ pdata->hw_if.enable_tx(pdata); ++ pdata->data_path_stopped = false; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "restarting data path after RX adaptation\n"); ++} ++ + static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + { + int reg; +@@ -2809,13 +2851,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (pdata->en_rx_adap) { + /* if the link is available and adaptation is done, + * declare link up ++ * ++ * Note: When link is up and adaptation is done, we can ++ * safely re-enable the data path if it was stopped ++ * for adaptation. + */ +- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) ++ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) { ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + /* If either link is not available or adaptation is not done, + * retrigger the adaptation logic. (if the mode is not set, + * then issue mailbox command first) + */ ++ ++ /* CRITICAL: Stop data path BEFORE triggering RX adaptation ++ * to prevent CRC errors from packets corrupted during ++ * the adaptation process. This is especially important ++ * when AN is OFF in 10G KR mode. ++ */ ++ xgbe_phy_stop_data_path(pdata); ++ + if (pdata->mode_set) { + xgbe_phy_rx_adaptation(pdata); + } else { +@@ -2823,8 +2879,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + xgbe_phy_set_mode(pdata, phy_data->cur_mode); + } + +- if (pdata->rx_adapt_done) ++ if (pdata->rx_adapt_done) { ++ /* Adaptation complete, safe to re-enable data path */ ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + } else if (reg & MDIO_STAT1_LSTATUS) + return 1; + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 6fec51a065e22..ac0ba3d899dfd 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -1242,6 +1242,10 @@ struct xgbe_prv_data { + bool en_rx_adap; + int rx_adapt_retries; + bool rx_adapt_done; ++ /* Flag to track if data path (TX/RX) was stopped for RX adaptation. ++ * This prevents packet corruption during the adaptation window. ++ */ ++ bool data_path_stopped; + bool mode_set; + }; + +-- +2.51.0 + diff --git a/queue-6.18/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-6.18/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..2ea2f179ce --- /dev/null +++ b/queue-6.18/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From 1463b9b11b2287ff172ce4b3ee0e1c986b16392e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 4ca1978020a96..d1eb6f12a1830 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new_pins(card, "Headset Jack", + SND_JACK_HEADSET | +-- +2.51.0 + diff --git a/queue-6.18/asoc-detect-empty-dmi-strings.patch b/queue-6.18/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..b6df247f75 --- /dev/null +++ b/queue-6.18/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From da1930942d25cb7354057a9555f52e79083b25d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 013437f845e06..7a6b4ec3a6990 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1860,12 +1860,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-6.18/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch b/queue-6.18/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch new file mode 100644 index 0000000000..947716a37b --- /dev/null +++ b/queue-6.18/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch @@ -0,0 +1,60 @@ +From 5896ad411a91938b205a81eb1d8c25505a3f6b14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 23:21:09 -0500 +Subject: ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays + +From: Sen Wang + +[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ] + +graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end +(ports@1) by calling of_get_child_by_name() to find the first "ports" +child and comparing pointers. This relies on child iteration order +matching DTS source order. + +When the DPCM topology comes from a DT overlay, __of_attach_node() +inserts new children at the head of the sibling list, reversing the +order. of_get_child_by_name() then returns ports@1 instead of ports@0, +causing all front-end links to be classified as back-ends. The card +registers with no PCM devices. + +Fix this by matching the unit address directly from the node name +instead of relying on sibling order. + +Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()") +Signed-off-by: Sen Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index bdc02e85b089f..9e5be0eaa77f3 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -1038,11 +1038,15 @@ int graph_util_is_ports0(struct device_node *np) + else + port = np; + +- struct device_node *ports __free(device_node) = of_get_parent(port); +- struct device_node *top __free(device_node) = of_get_parent(ports); +- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ const char *at = strchr(kbasename(ports->full_name), '@'); + +- return ports0 == ports; ++ /* ++ * Since child iteration order may differ ++ * between a base DT and DT overlays, ++ * string match "ports" or "ports@0" in the node name instead. ++ */ ++ return !at || !strcmp(at, "@0"); + } + EXPORT_SYMBOL_GPL(graph_util_is_ports0); + +-- +2.51.0 + diff --git a/queue-6.18/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-6.18/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..a6113f0844 --- /dev/null +++ b/queue-6.18/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 8ec45514c42f61efabbcce51418d338dbff6720d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 9dd84d73046be..3b98b3f6cd5fe 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -462,8 +462,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-6.18/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-6.18/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..55c994f563 --- /dev/null +++ b/queue-6.18/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From b63533d91cc2af988b6266c52cce268012dc49cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 3b98b3f6cd5fe..013437f845e06 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2118,6 +2118,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.18/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch b/queue-6.18/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch new file mode 100644 index 0000000000..6a4dd398ff --- /dev/null +++ b/queue-6.18/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch @@ -0,0 +1,52 @@ +From e33bba10a1c8df015da7ff0a9abfdc432ca3a516 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 14:58:54 -0800 +Subject: bnxt_en: Fix RSS table size check when changing ethtool channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavan Chebbi + +[ Upstream commit 0d9a60a0618d255530ca56072c5f39eb58e1ed4a ] + +When changing channels, the current check in bnxt_set_channels() +is not checking for non-default RSS contexts when the RSS table size +changes. The current check for IFF_RXFH_CONFIGURED is only sufficient +for the default RSS context. Expand the check to include the presence +of any non-default RSS contexts. + +Allowing such change will result in incorrect configuration of the +context's RSS table when the table size changes. + +Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()") +Reported-by: Björn Töpel +Link: https://lore.kernel.org/netdev/20260303181535.2671734-1-bjorn@kernel.org/ +Reviewed-by: Andy Gospodarek +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20260306225854.3575672-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index df4f0d15dd3d8..3237515f0e7ec 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -973,8 +973,8 @@ static int bnxt_set_channels(struct net_device *dev, + + if (bnxt_get_nr_rss_ctxs(bp, req_rx_rings) != + bnxt_get_nr_rss_ctxs(bp, bp->rx_nr_rings) && +- netif_is_rxfh_configured(dev)) { +- netdev_warn(dev, "RSS table size change required, RSS table entries must be default to proceed\n"); ++ (netif_is_rxfh_configured(dev) || bp->num_rss_ctx)) { ++ netdev_warn(dev, "RSS table size change required, RSS table entries must be default (with no additional RSS contexts present) to proceed\n"); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.18/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch b/queue-6.18/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch new file mode 100644 index 0000000000..ca47373a2f --- /dev/null +++ b/queue-6.18/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch @@ -0,0 +1,65 @@ +From fb330f528caf358d058676975ba4de30881bdf40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:53 +0800 +Subject: bonding: do not set usable_slaves for broadcast mode + +From: Hangbin Liu + +[ Upstream commit 45fc134bcfadde456639c1b1e206e6918d69a553 ] + +After commit e0caeb24f538 ("net: bonding: update the slave array for broadcast mode"), +broadcast mode will also set all_slaves and usable_slaves during +bond_enslave(). But if we also set updelay, during enslave, the +slave init state will be BOND_LINK_BACK. And later +bond_update_slave_arr() will alloc usable_slaves but add nothing. +This will cause bond_miimon_inspect() to have ignore_updelay +always true. So the updelay will be always ignored. e.g. + +[ 6.498368] bond0: (slave veth2): link status definitely down, disabling slave +[ 7.536371] bond0: (slave veth2): link status up, enabling it in 0 ms +[ 7.536402] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +To fix it, we can either always call bond_update_slave_arr() on every +place when link changes. Or, let's just not set usable_slaves for +broadcast mode. + +Fixes: e0caeb24f538 ("net: bonding: update the slave array for broadcast mode") +Reported-by: Liang Li +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-1-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 55f98d6254af8..dca0bec7240ad 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5132,13 +5132,18 @@ static void bond_set_slave_arr(struct bonding *bond, + { + struct bond_up_slave *usable, *all; + +- usable = rtnl_dereference(bond->usable_slaves); +- rcu_assign_pointer(bond->usable_slaves, usable_slaves); +- kfree_rcu(usable, rcu); +- + all = rtnl_dereference(bond->all_slaves); + rcu_assign_pointer(bond->all_slaves, all_slaves); + kfree_rcu(all, rcu); ++ ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) { ++ kfree_rcu(usable_slaves, rcu); ++ return; ++ } ++ ++ usable = rtnl_dereference(bond->usable_slaves); ++ rcu_assign_pointer(bond->usable_slaves, usable_slaves); ++ kfree_rcu(usable, rcu); + } + + static void bond_reset_slave_arr(struct bonding *bond) +-- +2.51.0 + diff --git a/queue-6.18/bonding-fix-type-confusion-in-bond_setup_by_slave.patch b/queue-6.18/bonding-fix-type-confusion-in-bond_setup_by_slave.patch new file mode 100644 index 0000000000..bba199cd73 --- /dev/null +++ b/queue-6.18/bonding-fix-type-confusion-in-bond_setup_by_slave.patch @@ -0,0 +1,151 @@ +From c097e2550ccc594405666caf06ede9d2f7f87975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 10:15:07 +0800 +Subject: bonding: fix type confusion in bond_setup_by_slave() + +From: Jiayuan Chen + +[ Upstream commit 950803f7254721c1c15858fbbfae3deaaeeecb11 ] + +kernel BUG at net/core/skbuff.c:2306! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 +RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e +RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 +RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 +R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 +Call Trace: + + ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 + dev_hard_header include/linux/netdevice.h:3439 [inline] + packet_snd net/packet/af_packet.c:3028 [inline] + packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 + ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 + __sys_sendmsg+0x170/0x220 net/socket.c:2678 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe1a0e6c1a9 + +When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, +bond_setup_by_slave() directly copies the slave's header_ops to the +bond device: + + bond_dev->header_ops = slave_dev->header_ops; + +This causes a type confusion when dev_hard_header() is later called +on the bond device. Functions like ipgre_header(), ip6gre_header(),all use +netdev_priv(dev) to access their device-specific private data. When +called with the bond device, netdev_priv() returns the bond's private +data (struct bonding) instead of the expected type (e.g. struct +ip_tunnel), leading to garbage values being read and kernel crashes. + +Fix this by introducing bond_header_ops with wrapper functions that +delegate to the active slave's header_ops using the slave's own +device. This ensures netdev_priv() in the slave's header functions +always receives the correct device. + +The fix is placed in the bonding driver rather than individual device +drivers, as the root cause is bond blindly inheriting header_ops from +the slave without considering that these callbacks expect a specific +netdev_priv() layout. + +The type confusion can be observed by adding a printk in +ipgre_header() and running the following commands: + + ip link add dummy0 type dummy + ip addr add 10.0.0.1/24 dev dummy0 + ip link set dummy0 up + ip link add gre1 type gre local 10.0.0.1 + ip link add bond1 type bond mode active-backup + ip link set gre1 master bond1 + ip link set gre1 up + ip link set bond1 up + ip addr add fe80::1/64 dev bond1 + +Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support") +Suggested-by: Jay Vosburgh +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306021508.222062-1-jiayuan.chen@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8be99ae67b77f..139ece7676c50 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1476,6 +1476,50 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + return features; + } + ++static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev, ++ unsigned short type, const void *daddr, ++ const void *saddr, unsigned int len) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->create) ++ ret = slave_ops->create(skb, slave->dev, ++ type, daddr, saddr, len); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++{ ++ struct bonding *bond = netdev_priv(skb->dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->parse) ++ ret = slave_ops->parse(skb, haddr); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static const struct header_ops bond_header_ops = { ++ .create = bond_header_create, ++ .parse = bond_header_parse, ++}; ++ + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { +@@ -1483,7 +1527,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + dev_close(bond_dev); + +- bond_dev->header_ops = slave_dev->header_ops; ++ bond_dev->header_ops = slave_dev->header_ops ? ++ &bond_header_ops : NULL; + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; +-- +2.51.0 + diff --git a/queue-6.18/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-6.18/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..ce55d2d944 --- /dev/null +++ b/queue-6.18/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From ef03d593201c0cf38c652fec40514ea262bc4825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index dca0bec7240ad..322f910b06fc8 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2860,8 +2860,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-6.18/bonding-use-common-function-to-compute-the-features.patch b/queue-6.18/bonding-use-common-function-to-compute-the-features.patch new file mode 100644 index 0000000000..98b612341f --- /dev/null +++ b/queue-6.18/bonding-use-common-function-to-compute-the-features.patch @@ -0,0 +1,172 @@ +From e61ad60c2766b0d357863ec7d357d052bac4a334 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Oct 2025 03:41:53 +0000 +Subject: bonding: use common function to compute the features + +From: Hangbin Liu + +[ Upstream commit d4fde269a970666a30dd3abd0413273a06dd972d ] + +Use the new functon netdev_compute_master_upper_features() to compute the bonding +features. + +Note that bond_compute_features() currently uses bond_for_each_slave() +to traverse the lower devices list, and that is just a macro wrapper of +netdev_for_each_lower_private(). We use similar helper +netdev_for_each_lower_dev() in netdev_compute_master_upper_features() to +iterate the slave device, as there is not need to get the private data. + +No functional change intended. + +Signed-off-by: Hangbin Liu +Reviewed-by: Sabrina Dubroca +Reviewed-by: Jiri Pirko +Link: https://patch.msgid.link/20251017034155.61990-3-liuhangbin@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 950803f72547 ("bonding: fix type confusion in bond_setup_by_slave()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 99 ++------------------------------- + 1 file changed, 4 insertions(+), 95 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 322f910b06fc8..8be99ae67b77f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1476,97 +1476,6 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + return features; + } + +-#define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_GSO_ENCAP_ALL | \ +- NETIF_F_HIGHDMA | NETIF_F_LRO) +- +-#define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE | \ +- NETIF_F_GSO_PARTIAL) +- +-#define BOND_MPLS_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \ +- NETIF_F_GSO_SOFTWARE) +- +-#define BOND_GSO_PARTIAL_FEATURES (NETIF_F_GSO_ESP) +- +- +-static void bond_compute_features(struct bonding *bond) +-{ +- netdev_features_t gso_partial_features = BOND_GSO_PARTIAL_FEATURES; +- unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE | +- IFF_XMIT_DST_RELEASE_PERM; +- netdev_features_t vlan_features = BOND_VLAN_FEATURES; +- netdev_features_t enc_features = BOND_ENC_FEATURES; +-#ifdef CONFIG_XFRM_OFFLOAD +- netdev_features_t xfrm_features = BOND_XFRM_FEATURES; +-#endif /* CONFIG_XFRM_OFFLOAD */ +- netdev_features_t mpls_features = BOND_MPLS_FEATURES; +- struct net_device *bond_dev = bond->dev; +- struct list_head *iter; +- struct slave *slave; +- unsigned short max_hard_header_len = ETH_HLEN; +- unsigned int tso_max_size = TSO_MAX_SIZE; +- u16 tso_max_segs = TSO_MAX_SEGS; +- +- if (!bond_has_slaves(bond)) +- goto done; +- +- vlan_features = netdev_base_features(vlan_features); +- mpls_features = netdev_base_features(mpls_features); +- +- bond_for_each_slave(bond, slave, iter) { +- vlan_features = netdev_increment_features(vlan_features, +- slave->dev->vlan_features, BOND_VLAN_FEATURES); +- +- enc_features = netdev_increment_features(enc_features, +- slave->dev->hw_enc_features, +- BOND_ENC_FEATURES); +- +-#ifdef CONFIG_XFRM_OFFLOAD +- xfrm_features = netdev_increment_features(xfrm_features, +- slave->dev->hw_enc_features, +- BOND_XFRM_FEATURES); +-#endif /* CONFIG_XFRM_OFFLOAD */ +- +- gso_partial_features = netdev_increment_features(gso_partial_features, +- slave->dev->gso_partial_features, +- BOND_GSO_PARTIAL_FEATURES); +- +- mpls_features = netdev_increment_features(mpls_features, +- slave->dev->mpls_features, +- BOND_MPLS_FEATURES); +- +- dst_release_flag &= slave->dev->priv_flags; +- if (slave->dev->hard_header_len > max_hard_header_len) +- max_hard_header_len = slave->dev->hard_header_len; +- +- tso_max_size = min(tso_max_size, slave->dev->tso_max_size); +- tso_max_segs = min(tso_max_segs, slave->dev->tso_max_segs); +- } +- bond_dev->hard_header_len = max_hard_header_len; +- +-done: +- bond_dev->gso_partial_features = gso_partial_features; +- bond_dev->vlan_features = vlan_features; +- bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL | +- NETIF_F_HW_VLAN_CTAG_TX | +- NETIF_F_HW_VLAN_STAG_TX; +-#ifdef CONFIG_XFRM_OFFLOAD +- bond_dev->hw_enc_features |= xfrm_features; +-#endif /* CONFIG_XFRM_OFFLOAD */ +- bond_dev->mpls_features = mpls_features; +- netif_set_tso_max_segs(bond_dev, tso_max_segs); +- netif_set_tso_max_size(bond_dev, tso_max_size); +- +- bond_dev->priv_flags &= ~IFF_XMIT_DST_RELEASE; +- if ((bond_dev->priv_flags & IFF_XMIT_DST_RELEASE_PERM) && +- dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM)) +- bond_dev->priv_flags |= IFF_XMIT_DST_RELEASE; +- +- netdev_change_features(bond_dev); +-} +- + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { +@@ -2287,7 +2196,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev, + } + + bond->slave_cnt++; +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + bond_set_carrier(bond); + + /* Needs to be called before bond_select_active_slave(), which will +@@ -2542,7 +2451,7 @@ static int __bond_release_one(struct net_device *bond_dev, + call_netdevice_notifiers(NETDEV_RELEASE, bond->dev); + } + +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + if (!(bond_dev->features & NETIF_F_VLAN_CHALLENGED) && + (old_features & NETIF_F_VLAN_CHALLENGED)) + slave_info(bond_dev, slave_dev, "last VLAN challenged slave left bond - VLAN blocking is removed\n"); +@@ -4050,7 +3959,7 @@ static int bond_slave_netdev_event(unsigned long event, + case NETDEV_FEAT_CHANGE: + if (!bond->notifier_ctx) { + bond->notifier_ctx = true; +- bond_compute_features(bond); ++ netdev_compute_master_upper_features(bond->dev, true); + bond->notifier_ctx = false; + } + break; +@@ -6043,7 +5952,7 @@ void bond_setup(struct net_device *bond_dev) + * capable + */ + +- bond_dev->hw_features = BOND_VLAN_FEATURES | ++ bond_dev->hw_features = MASTER_UPPER_DEV_VLAN_FEATURES | + NETIF_F_HW_VLAN_CTAG_RX | + NETIF_F_HW_VLAN_CTAG_FILTER | + NETIF_F_HW_VLAN_STAG_RX | +-- +2.51.0 + diff --git a/queue-6.18/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch b/queue-6.18/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch new file mode 100644 index 0000000000..813d4c1c81 --- /dev/null +++ b/queue-6.18/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch @@ -0,0 +1,49 @@ +From 95c2a7263c12973e780486a73014fd58c0529fdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 20:53:39 +0800 +Subject: btrfs: hold space_info->lock when clearing periodic reclaim ready + +From: Sun YangKai + +[ Upstream commit b8883b61f2fc50dcf22938cbed40fec05020552f ] + +btrfs_set_periodic_reclaim_ready() requires space_info->lock to be held, +as enforced by lockdep_assert_held(). However, btrfs_reclaim_sweep() was +calling it after do_reclaim_sweep() returns, at which point +space_info->lock is no longer held. + +Fix this by explicitly acquiring space_info->lock before clearing the +periodic reclaim ready flag in btrfs_reclaim_sweep(). + +Reported-by: Chris Mason +Link: https://lore.kernel.org/linux-btrfs/20260208182556.891815-1-clm@meta.com/ +Fixes: 19eff93dc738 ("btrfs: fix periodic reclaim condition") +Reviewed-by: Boris Burkov +Signed-off-by: Sun YangKai +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index 6b64691034de4..194f590201658 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -2171,8 +2171,11 @@ void btrfs_reclaim_sweep(const struct btrfs_fs_info *fs_info) + if (!btrfs_should_periodic_reclaim(space_info)) + continue; + for (raid = 0; raid < BTRFS_NR_RAID_TYPES; raid++) { +- if (do_reclaim_sweep(space_info, raid)) ++ if (do_reclaim_sweep(space_info, raid)) { ++ spin_lock(&space_info->lock); + btrfs_set_periodic_reclaim_ready(space_info, false); ++ spin_unlock(&space_info->lock); ++ } + } + } + } +-- +2.51.0 + diff --git a/queue-6.18/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-6.18/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..09e61355cd --- /dev/null +++ b/queue-6.18/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From f8a53a93689450f905743b21bd764cf53420b4c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 6d4b643e135fd..5f5a7e7e547eb 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -755,7 +755,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -790,6 +792,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-6.18/drivers-net-ice-fix-devlink-parameters-get-without-i.patch b/queue-6.18/drivers-net-ice-fix-devlink-parameters-get-without-i.patch new file mode 100644 index 0000000000..54f1c3b30d --- /dev/null +++ b/queue-6.18/drivers-net-ice-fix-devlink-parameters-get-without-i.patch @@ -0,0 +1,59 @@ +From 0f062932886df78273011f5a26334e75e42f4896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Feb 2026 10:48:41 +0200 +Subject: drivers: net: ice: fix devlink parameters get without irdma + +From: Nikolay Aleksandrov + +[ Upstream commit bd98c6204d1195973b1760fe45860863deb6200c ] + +If CONFIG_IRDMA isn't enabled but there are ice NICs in the system, the +driver will prevent full devlink dev param show dump because its rdma get +callbacks return ENODEV and stop the dump. For example: + $ devlink dev param show + pci/0000:82:00.0: + name msix_vec_per_pf_max type generic + values: + cmode driverinit value 2 + name msix_vec_per_pf_min type generic + values: + cmode driverinit value 2 + kernel answers: No such device + +Returning EOPNOTSUPP allows the dump to continue so we can see all devices' +devlink parameters. + +Fixes: c24a65b6a27c ("iidc/ice/irdma: Update IDC to support multiple consumers") +Signed-off-by: Nikolay Aleksandrov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/devlink/devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c +index ac071c5b4ce38..862ff1cdd46d6 100644 +--- a/drivers/net/ethernet/intel/ice/devlink/devlink.c ++++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c +@@ -1357,7 +1357,7 @@ ice_devlink_enable_roce_get(struct devlink *devlink, u32 id, + + cdev = pf->cdev_info; + if (!cdev) +- return -ENODEV; ++ return -EOPNOTSUPP; + + ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_ROCEV2); + +@@ -1423,7 +1423,7 @@ ice_devlink_enable_iw_get(struct devlink *devlink, u32 id, + + cdev = pf->cdev_info; + if (!cdev) +- return -ENODEV; ++ return -EOPNOTSUPP; + + ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_IWARP); + +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch b/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch new file mode 100644 index 0000000000..644b513202 --- /dev/null +++ b/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch @@ -0,0 +1,55 @@ +From 41b66ae834598d1665ee9d6308d6dd1e53b3f915 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 21:10:11 -0500 +Subject: drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu + v13 + +From: Yang Wang + +[ Upstream commit cb47c882c31334aadc13ace80781728ed22a05ee ] + +add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13.0.0/13.0.7 + +Fixes: cfffd980bf21 ("drm/amd/pm: add zero RPM OD setting support for SMU13") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018 +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 576a10797b607ee9e4068218daf367b481564120) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 3 ++- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +index 8d070a9ea2c10..651fe1926a698 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -2289,7 +2289,8 @@ static int smu_v13_0_0_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v13_0_0_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +index c96fa5e49ed65..87dfc3c3cd9c3 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -2275,7 +2275,8 @@ static int smu_v13_0_7_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v13_0_7_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-5305 b/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-5305 new file mode 100644 index 0000000000..0f8105e8ab --- /dev/null +++ b/queue-6.18/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-5305 @@ -0,0 +1,40 @@ +From 5bc2d2a49f23cee58ee45e4c6a3d6fde19227b71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 21:14:10 -0500 +Subject: drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu + v14 + +From: Yang Wang + +[ Upstream commit 9d4837a26149355ffe3a1f80de80531eafdd3353 ] + +add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14.0.2/14.0.3 + +Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018 +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 1b5cf07d80bb16d1593579ccdb23f08ea4262c14) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +index bad8dd786bff2..470a901926f33 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2412,7 +2412,8 @@ static int smu_v14_0_2_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v14_0_2_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +-- +2.51.0 + diff --git a/queue-6.18/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch b/queue-6.18/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch new file mode 100644 index 0000000000..f8a0414249 --- /dev/null +++ b/queue-6.18/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch @@ -0,0 +1,36 @@ +From c20125ac85195ad8d8d6a600508f861a0f81f77f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 15:13:23 -0500 +Subject: drm/amdkfd: Unreserve bo if queue update failed + +From: Philip Yang + +[ Upstream commit 2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf ] + +Error handling path should unreserve bo then return failed. + +Fixes: 305cd109b761 ("drm/amdkfd: Validate user queue update") +Signed-off-by: Philip Yang +Reviewed-by: Alex Sierra +Signed-off-by: Alex Deucher +(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 7fbb5c274ccc4..7bf712032c52c 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -606,6 +606,7 @@ int pqm_update_queue_properties(struct process_queue_manager *pqm, + p->queue_size)) { + pr_debug("ring buf 0x%llx size 0x%llx not mapped on GPU\n", + p->queue_address, p->queue_size); ++ amdgpu_bo_unreserve(vm->root.bo); + return -EFAULT; + } + +-- +2.51.0 + diff --git a/queue-6.18/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch b/queue-6.18/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch new file mode 100644 index 0000000000..595484062a --- /dev/null +++ b/queue-6.18/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch @@ -0,0 +1,73 @@ +From 6a31e3cbef73ad7bd05b29064ccca92eb604dcd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 18:51:28 +0800 +Subject: drm/msm/dsi: fix hdisplay calculation when programming dsi registers + +From: Pengyu Luo + +[ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ] + +Recently, the hdisplay calculation is working for 3:1 compressed ratio +only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still +use the default bits_per_pclk = 24, then we get the wrong hdisplay. We +can draw the conclusion by cross-comparing the calculation with the +calculation in dsi_adjust_pclk_for_compression(). + +Since CMD mode does not use this, we can remove +!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely. + +Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/704822/ +Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index e0de545d40775..e8e83ee61eb09 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -993,7 +993,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + if (msm_host->dsc) { + struct drm_dsc_config *dsc = msm_host->dsc; +- u32 bytes_per_pclk; ++ u32 bits_per_pclk; + + /* update dsc params with timing params */ + if (!dsc || !mode->hdisplay || !mode->vdisplay) { +@@ -1015,7 +1015,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + /* + * DPU sends 3 bytes per pclk cycle to DSI. If widebus is +- * enabled, bus width is extended to 6 bytes. ++ * enabled, MDP always sends out 48-bit compressed data per ++ * pclk and on average, DSI consumes an amount of compressed ++ * data equivalent to the uncompressed pixel depth per pclk. + * + * Calculate the number of pclks needed to transmit one line of + * the compressed data. +@@ -1027,12 +1029,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + * unused anyway. + */ + h_total -= hdisplay; +- if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) +- bytes_per_pclk = 6; ++ if (wide_bus_enabled) ++ bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format); + else +- bytes_per_pclk = 3; ++ bits_per_pclk = 24; + +- hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk); ++ hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk); + + h_total += hdisplay; + ha_end = ha_start + hdisplay; +-- +2.51.0 + diff --git a/queue-6.18/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch b/queue-6.18/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch new file mode 100644 index 0000000000..de7714e147 --- /dev/null +++ b/queue-6.18/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch @@ -0,0 +1,85 @@ +From 3ca8b72989a8e0eda2294bfbb6fb425dcf9cac48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:32:38 +0800 +Subject: drm/msm/dsi: fix pclk rate calculation for bonded dsi + +From: Pengyu Luo + +[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ] + +Recently, we round up new_hdisplay once at most, for bonded dsi, we +may need twice, since they are independent links, we should round up +each half separately. This also aligns with the hdisplay we program +later in dsi_timing_setup() + +Example: + full_hdisplay = 1904, dsc_bpp = 8, bpc = 8 + new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635 + +if we use half display + new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318 + new_full_display = 636 + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/709716/ +Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index e8e83ee61eb09..db6da99375a18 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -584,13 +584,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + * FIXME: Reconsider this if/when CMD mode handling is rewritten to use + * transfer time and data overhead as a starting point of the calculations. + */ +-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, +- const struct drm_dsc_config *dsc) ++static unsigned long ++dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, ++ const struct drm_dsc_config *dsc, ++ bool is_bonded_dsi) + { +- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc), +- dsc->bits_per_component * 3); ++ int hdisplay, new_hdisplay, new_htotal; + +- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; ++ /* ++ * For bonded DSI, split hdisplay across two links and round up each ++ * half separately, passing the full hdisplay would only round up once. ++ * This also aligns with the hdisplay we program later in ++ * dsi_timing_setup() ++ */ ++ hdisplay = mode->hdisplay; ++ if (is_bonded_dsi) ++ hdisplay /= 2; ++ ++ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc), ++ dsc->bits_per_component * 3); ++ ++ if (is_bonded_dsi) ++ new_hdisplay *= 2; ++ ++ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + + return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } +@@ -603,7 +620,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + pclk_rate = mode->clock * 1000u; + + if (dsc) +- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); ++ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi); + + /* + * For bonded DSI mode, the current DRM mode has the complete width of the +-- +2.51.0 + diff --git a/queue-6.18/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch b/queue-6.18/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch new file mode 100644 index 0000000000..0beb8b960f --- /dev/null +++ b/queue-6.18/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch @@ -0,0 +1,68 @@ +From a653572988229d3b8907be5ce1a0a747665984ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 22:30:30 -0600 +Subject: drm/sitronix/st7586: fix bad pixel data due to byte swap + +From: David Lechner + +[ Upstream commit 46d8a07b4ae262e2fec6ce2aa454e06243661265 ] + +Correctly set dbi->write_memory_bpw for the ST7586 driver. This driver +is for a monochrome display that has an unusual data format, so the +default value set in mipi_dbi_spi_init() is not correct simply because +this controller is non-standard. + +Previously, we were using dbi->swap_bytes to make the same sort of +workaround, but it was removed in the same commit that added +dbi->write_memory_bpw, so we need to use the latter now to have the +correct behavior. + +This fixes every 3 columns of pixels being swapped on the display. There +are 3 pixels per byte, so the byte swap caused this effect. + +Fixes: df3fb27a74a4 ("drm/mipi-dbi: Make bits per word configurable for pixel transfers") +Acked-by: Thomas Zimmermann +Reviewed-by: Javier Martinez Canillas +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20260228-drm-mipi-dbi-fix-st7586-byte-swap-v1-1-e78f6c24cd28@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sitronix/st7586.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/sitronix/st7586.c b/drivers/gpu/drm/sitronix/st7586.c +index a29672d84eded..055383497aae7 100644 +--- a/drivers/gpu/drm/sitronix/st7586.c ++++ b/drivers/gpu/drm/sitronix/st7586.c +@@ -346,6 +346,12 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + ++ /* ++ * Override value set by mipi_dbi_spi_init(). This driver is a bit ++ * non-standard, so best to set it explicitly here. ++ */ ++ dbi->write_memory_bpw = 8; ++ + /* Cannot read from this controller via SPI */ + dbi->read_commands = NULL; + +@@ -355,15 +361,6 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + +- /* +- * we are using 8-bit data, so we are not actually swapping anything, +- * but setting mipi->swap_bytes makes mipi_dbi_typec3_command() do the +- * right thing and not use 16-bit transfers (which results in swapped +- * bytes on little-endian systems and causes out of order data to be +- * sent to the display). +- */ +- dbi->swap_bytes = true; +- + drm_mode_config_reset(drm); + + ret = drm_dev_register(drm, 0); +-- +2.51.0 + diff --git a/queue-6.18/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch b/queue-6.18/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch new file mode 100644 index 0000000000..9d988e334d --- /dev/null +++ b/queue-6.18/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch @@ -0,0 +1,38 @@ +From dd048a2f60a3251c1933a7fc691b1c55957796b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:34:20 +0100 +Subject: dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo + +From: Krzysztof Kozlowski + +[ Upstream commit 4355b13d46f696d687f42b982efed7570e03e532 ] + +Fix obvious model typo (SM8650->SM8750) in the description. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 6b93840116df ("dt-bindings: display/msm: qcom,sm8750-mdss: Add SM8750") +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/707192/ +Link: https://lore.kernel.org/r/20260225173419.125565-2-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml +index 4151f475f3bc3..14942dfbdb09b 100644 +--- a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml ++++ b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml +@@ -10,7 +10,7 @@ maintainers: + - Krzysztof Kozlowski + + description: +- SM8650 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like ++ SM8750 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like + DPU display controller, DSI and DP interfaces etc. + + $ref: /schemas/display/msm/mdss-common.yaml# +-- +2.51.0 + diff --git a/queue-6.18/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-6.18/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..057577d076 --- /dev/null +++ b/queue-6.18/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From c808eeeda0379b62955a10b8a0188b42f1088499 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 7f078ec9c14c5..15160427c8b30 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2952,8 +2952,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 75896602e732c..3e39032696100 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5654,8 +5654,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-6.18/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-6.18/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..facae33e66 --- /dev/null +++ b/queue-6.18/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From 3f285990ba80514856403d50eed927a7ce463d88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index cf831c649c9c5..8351330930429 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3818,10 +3818,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3876,7 +3876,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3964,10 +3964,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-6.18/iavf-fix-incorrect-reset-handling-in-callbacks.patch b/queue-6.18/iavf-fix-incorrect-reset-handling-in-callbacks.patch new file mode 100644 index 0000000000..428b593f2f --- /dev/null +++ b/queue-6.18/iavf-fix-incorrect-reset-handling-in-callbacks.patch @@ -0,0 +1,341 @@ +From 9d3dee305dd3a7a1458a7c248902f5c49850a203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 20:18:55 +0100 +Subject: iavf: fix incorrect reset handling in callbacks + +From: Petr Oros + +[ Upstream commit fdadbf6e84c44df8dbb85cfdd38bc10e4431501d ] + +Three driver callbacks schedule a reset and wait for its completion: +ndo_change_mtu(), ethtool set_ringparam(), and ethtool set_channels(). + +Waiting for reset in ndo_change_mtu() and set_ringparam() was added by +commit c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger +it") to fix a race condition where adding an interface to bonding +immediately after MTU or ring parameter change failed because the +interface was still in __RESETTING state. The same commit also added +waiting in iavf_set_priv_flags(), which was later removed by commit +53844673d555 ("iavf: kill "legacy-rx" for good"). + +Waiting in set_channels() was introduced earlier by commit 4e5e6b5d9d13 +("iavf: Fix return of set the new channel count") to ensure the PF has +enough time to complete the VF reset when changing channel count, and to +return correct error codes to userspace. + +Commit ef490bbb2267 ("iavf: Add net_shaper_ops support") added +net_shaper_ops to iavf, which required reset_task to use _locked NAPI +variants (napi_enable_locked, napi_disable_locked) that need the netdev +instance lock. + +Later, commit 7e4d784f5810 ("net: hold netdev instance lock during +rtnetlink operations") and commit 2bcf4772e45a ("net: ethtool: try to +protect all callback with netdev instance lock") started holding the +netdev instance lock during ndo and ethtool callbacks for drivers with +net_shaper_ops. + +Finally, commit 120f28a6f314 ("iavf: get rid of the crit lock") +replaced the driver's crit_lock with netdev_lock in reset_task, causing +incorrect behavior: the callback holds netdev_lock and waits for +reset_task, but reset_task needs the same lock: + + Thread 1 (callback) Thread 2 (reset_task) + ------------------- --------------------- + netdev_lock() [blocked on workqueue] + ndo_change_mtu() or ethtool op + iavf_schedule_reset() + iavf_wait_for_reset() iavf_reset_task() + waiting... netdev_lock() <- blocked + +This does not strictly deadlock because iavf_wait_for_reset() uses +wait_event_interruptible_timeout() with a 5-second timeout. The wait +eventually times out, the callback returns an error to userspace, and +after the lock is released reset_task completes the reset. This leads to +incorrect behavior: userspace sees an error even though the configuration +change silently takes effect after the timeout. + +Fix this by extracting the reset logic from iavf_reset_task() into a new +iavf_reset_step() function that expects netdev_lock to be already held. +The three callbacks now call iavf_reset_step() directly instead of +scheduling the work and waiting, performing the reset synchronously in +the caller's context which already holds netdev_lock. This eliminates +both the incorrect error reporting and the need for +iavf_wait_for_reset(), which is removed along with the now-unused +reset_waitqueue. + +The workqueue-based iavf_reset_task() becomes a thin wrapper that +acquires netdev_lock and calls iavf_reset_step(), preserving its use +for PF-initiated resets. + +The callbacks may block for several seconds while iavf_reset_step() +polls hardware registers, but this is acceptable since netdev_lock is a +per-device mutex and only serializes operations on the same interface. + +v3: +- Remove netif_running() guard from iavf_set_channels(). Unlike + set_ringparam where descriptor counts are picked up by iavf_open() + directly, num_req_queues is only consumed during + iavf_reinit_interrupt_scheme() in the reset path. Skipping the reset + on a down device would silently discard the channel count change. +- Remove dead reset_waitqueue code (struct field, init, and all + wake_up calls) since iavf_wait_for_reset() was the only consumer. + +Fixes: 120f28a6f314 ("iavf: get rid of the crit lock") +Reviewed-by: Jacob Keller +Signed-off-by: Petr Oros +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 3 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 19 ++--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 77 ++++++------------- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 - + 4 files changed, 31 insertions(+), 69 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index a87e0c6d4017a..e9fb0a0919e37 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -260,7 +260,6 @@ struct iavf_adapter { + struct work_struct adminq_task; + struct work_struct finish_config; + wait_queue_head_t down_waitqueue; +- wait_queue_head_t reset_waitqueue; + wait_queue_head_t vc_waitqueue; + struct iavf_q_vector *q_vectors; + struct list_head vlan_filter_list; +@@ -626,5 +625,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); +-int iavf_wait_for_reset(struct iavf_adapter *adapter); ++void iavf_reset_step(struct iavf_adapter *adapter); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 05d72be3fe80c..cb3f78aab23a6 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -492,7 +492,6 @@ static int iavf_set_ringparam(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; +- int ret = 0; + + if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) + return -EINVAL; +@@ -537,13 +536,11 @@ static int iavf_set_ringparam(struct net_device *netdev, + } + + if (netif_running(netdev)) { +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); +- ret = iavf_wait_for_reset(adapter); +- if (ret) +- netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + } + +- return ret; ++ return 0; + } + + /** +@@ -1625,7 +1622,6 @@ static int iavf_set_channels(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 num_req = ch->combined_count; +- int ret = 0; + + if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && + adapter->num_tc) { +@@ -1647,13 +1643,10 @@ static int iavf_set_channels(struct net_device *netdev, + + adapter->num_req_queues = num_req; + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + +- ret = iavf_wait_for_reset(adapter); +- if (ret) +- netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset"); +- +- return ret; ++ return 0; + } + + /** +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 3625c70bc3292..03ab2a4276bbf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -185,31 +185,6 @@ static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) + return false; + } + +-/** +- * iavf_wait_for_reset - Wait for reset to finish. +- * @adapter: board private structure +- * +- * Returns 0 if reset finished successfully, negative on timeout or interrupt. +- */ +-int iavf_wait_for_reset(struct iavf_adapter *adapter) +-{ +- int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, +- !iavf_is_reset_in_progress(adapter), +- msecs_to_jiffies(5000)); +- +- /* If ret < 0 then it means wait was interrupted. +- * If ret == 0 then it means we got a timeout while waiting +- * for reset to finish. +- * If ret > 0 it means reset has finished. +- */ +- if (ret > 0) +- return 0; +- else if (ret < 0) +- return -EINTR; +- else +- return -EBUSY; +-} +- + /** + * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code + * @hw: pointer to the HW structure +@@ -3117,18 +3092,16 @@ static void iavf_reconfig_qs_bw(struct iavf_adapter *adapter) + } + + /** +- * iavf_reset_task - Call-back task to handle hardware reset +- * @work: pointer to work_struct ++ * iavf_reset_step - Perform the VF reset sequence ++ * @adapter: board private structure + * +- * During reset we need to shut down and reinitialize the admin queue +- * before we can use it to communicate with the PF again. We also clear +- * and reinit the rings because that context is lost as well. +- **/ +-static void iavf_reset_task(struct work_struct *work) ++ * Requests a reset from PF, polls for completion, and reconfigures ++ * the driver. Caller must hold the netdev instance lock. ++ * ++ * This can sleep for several seconds while polling HW registers. ++ */ ++void iavf_reset_step(struct iavf_adapter *adapter) + { +- struct iavf_adapter *adapter = container_of(work, +- struct iavf_adapter, +- reset_task); + struct virtchnl_vf_resource *vfres = adapter->vf_res; + struct net_device *netdev = adapter->netdev; + struct iavf_hw *hw = &adapter->hw; +@@ -3139,7 +3112,7 @@ static void iavf_reset_task(struct work_struct *work) + int i = 0, err; + bool running; + +- netdev_lock(netdev); ++ netdev_assert_locked(netdev); + + iavf_misc_irq_disable(adapter); + if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { +@@ -3184,7 +3157,6 @@ static void iavf_reset_task(struct work_struct *work) + dev_err(&adapter->pdev->dev, "Reset never finished (%x)\n", + reg_val); + iavf_disable_vf(adapter); +- netdev_unlock(netdev); + return; /* Do not attempt to reinit. It's dead, Jim. */ + } + +@@ -3196,7 +3168,6 @@ static void iavf_reset_task(struct work_struct *work) + iavf_startup(adapter); + queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(30)); +- netdev_unlock(netdev); + return; + } + +@@ -3339,9 +3310,6 @@ static void iavf_reset_task(struct work_struct *work) + + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; + +- wake_up(&adapter->reset_waitqueue); +- netdev_unlock(netdev); +- + return; + reset_err: + if (running) { +@@ -3350,10 +3318,21 @@ static void iavf_reset_task(struct work_struct *work) + } + iavf_disable_vf(adapter); + +- netdev_unlock(netdev); + dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n"); + } + ++static void iavf_reset_task(struct work_struct *work) ++{ ++ struct iavf_adapter *adapter = container_of(work, ++ struct iavf_adapter, ++ reset_task); ++ struct net_device *netdev = adapter->netdev; ++ ++ netdev_lock(netdev); ++ iavf_reset_step(adapter); ++ netdev_unlock(netdev); ++} ++ + /** + * iavf_adminq_task - worker thread to clean the admin queue + * @work: pointer to work_struct containing our data +@@ -4619,22 +4598,17 @@ static int iavf_close(struct net_device *netdev) + static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + { + struct iavf_adapter *adapter = netdev_priv(netdev); +- int ret = 0; + + netdev_dbg(netdev, "changing MTU from %d to %d\n", + netdev->mtu, new_mtu); + WRITE_ONCE(netdev->mtu, new_mtu); + + if (netif_running(netdev)) { +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); +- ret = iavf_wait_for_reset(adapter); +- if (ret < 0) +- netdev_warn(netdev, "MTU change interrupted waiting for reset"); +- else if (ret) +- netdev_warn(netdev, "MTU change timed out waiting for reset"); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + } + +- return ret; ++ return 0; + } + + /** +@@ -5439,9 +5413,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); + +- /* Setup the wait queue for indicating transition to running state */ +- init_waitqueue_head(&adapter->reset_waitqueue); +- + /* Setup the wait queue for indicating virtchannel events */ + init_waitqueue_head(&adapter->vc_waitqueue); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 34a422a4a29c1..291b21230b65f 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2732,7 +2732,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_OP_ENABLE_QUEUES: + /* enable transmits */ + iavf_irq_enable(adapter, true); +- wake_up(&adapter->reset_waitqueue); + adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; + break; + case VIRTCHNL_OP_DISABLE_QUEUES: +-- +2.51.0 + diff --git a/queue-6.18/iavf-fix-ptp-use-after-free-during-reset.patch b/queue-6.18/iavf-fix-ptp-use-after-free-during-reset.patch new file mode 100644 index 0000000000..a3c9a3f9e3 --- /dev/null +++ b/queue-6.18/iavf-fix-ptp-use-after-free-during-reset.patch @@ -0,0 +1,59 @@ +From f8a0d3b44d2d9189646c9a968a2dc946b81b42f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 10:57:23 +0100 +Subject: iavf: fix PTP use-after-free during reset + +From: Petr Oros + +[ Upstream commit efc54fb13d79117a825fef17364315a58682c7ec ] + +Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a +worker to cache PHC time, but failed to stop it during reset or disable. + +This creates a race condition where `iavf_reset_task()` or +`iavf_disable_vf()` free adapter resources (AQ) while the worker is still +running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it +accesses freed memory/locks, leading to a crash. + +Fix this by calling `iavf_ptp_release()` before tearing down the adapter. +This ensures `ptp_clock_unregister()` synchronously cancels the worker and +cleans up the chardev before the backing resources are destroyed. + +Fixes: 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") +Signed-off-by: Petr Oros +Reviewed-by: Ivan Vecera +Acked-by: Jacob Keller +Reviewed-by: Vadim Fedorenko +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 53a0366fbf998..3625c70bc3292 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3040,6 +3040,8 @@ static void iavf_disable_vf(struct iavf_adapter *adapter) + + adapter->flags |= IAVF_FLAG_PF_COMMS_FAILED; + ++ iavf_ptp_release(adapter); ++ + /* We don't use netif_running() because it may be true prior to + * ndo_open() returning, so we can't assume it means all our open + * tasks have finished, since we're not holding the rtnl_lock here. +@@ -3215,6 +3217,8 @@ static void iavf_reset_task(struct work_struct *work) + iavf_change_state(adapter, __IAVF_RESETTING); + adapter->flags &= ~IAVF_FLAG_RESET_PENDING; + ++ iavf_ptp_release(adapter); ++ + /* free the Tx/Rx rings and descriptors, might be better to just + * re-use them sometime in the future + */ +-- +2.51.0 + diff --git a/queue-6.18/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch b/queue-6.18/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch new file mode 100644 index 0000000000..3c2961e304 --- /dev/null +++ b/queue-6.18/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch @@ -0,0 +1,86 @@ +From c08ebffc55b589ac023da167f17ea9938f4540c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 22:14:16 +0100 +Subject: iio: imu: inv-mpu9150: fix irq ack preventing irq storms + +From: Andreas Kemnade + +[ Upstream commit d23d763e00ace4e9c59f8d33e0713d401133ba88 ] + +IRQ needs to be acked. for some odd reasons, reading from irq status does +not reliable help, enable acking from any register to be on the safe side +and read the irq status register. Comments in the code indicate a known +unreliability with that register. +The blamed commit was tested with mpu6050 in lg,p895 and lg,p880 according +to Tested-bys. But with the MPU9150 in the Epson Moverio BT-200 this leads +to irq storms without properly acking the irq. + +Fixes: 0a3b517c8089 ("iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips") +Signed-off-by: Andreas Kemnade +Acked-by: Jean-Baptiste Maneyrol +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 ++++++++ + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++ + drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 ++++- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +index b2fa1f4957a5b..5796896d54cd8 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +@@ -1943,6 +1943,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name, + irq_type); + return -EINVAL; + } ++ ++ /* ++ * Acking interrupts by status register does not work reliably ++ * but seem to work when this bit is set. ++ */ ++ if (st->chip_type == INV_MPU9150) ++ st->irq_mask |= INV_MPU6050_INT_RD_CLEAR; ++ + device_set_wakeup_capable(dev, true); + + st->vdd_supply = devm_regulator_get(dev, "vdd"); +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +index 211901f8b8eb6..6239b1a803f77 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +@@ -390,6 +390,8 @@ struct inv_mpu6050_state { + /* enable level triggering */ + #define INV_MPU6050_LATCH_INT_EN 0x20 + #define INV_MPU6050_BIT_BYPASS_EN 0x2 ++/* allow acking interrupts by any register read */ ++#define INV_MPU6050_INT_RD_CLEAR 0x10 + + /* Allowed timestamp period jitter in percent */ + #define INV_MPU6050_TS_PERIOD_JITTER 4 +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +index 10a4733420759..22c1ce66f99ee 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +@@ -248,7 +248,6 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + switch (st->chip_type) { + case INV_MPU6000: + case INV_MPU6050: +- case INV_MPU9150: + /* + * WoM is not supported and interrupt status read seems to be broken for + * some chips. Since data ready is the only interrupt, bypass interrupt +@@ -257,6 +256,10 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + wom_bits = 0; + int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT; + goto data_ready_interrupt; ++ case INV_MPU9150: ++ /* IRQ needs to be acked */ ++ wom_bits = 0; ++ break; + case INV_MPU6500: + case INV_MPU6515: + case INV_MPU6880: +-- +2.51.0 + diff --git a/queue-6.18/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch b/queue-6.18/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch new file mode 100644 index 0000000000..fcbee2a63f --- /dev/null +++ b/queue-6.18/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch @@ -0,0 +1,36 @@ +From e7c49917d64786ed050f06a031f0e86fcc7d6563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:32:34 +0800 +Subject: mctp: i2c: fix skb memory leak in receive path + +From: Haiyue Wang + +[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ] + +When 'midev->allow_rx' is false, the newly allocated skb isn't consumed +by netif_rx(), it needs to free the skb directly. + +Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") +Signed-off-by: Haiyue Wang +Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c +index 8043b57bdf250..f138b0251313e 100644 +--- a/drivers/net/mctp/mctp-i2c.c ++++ b/drivers/net/mctp/mctp-i2c.c +@@ -343,6 +343,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) + } else { + status = NET_RX_DROP; + spin_unlock_irqrestore(&midev->lock, flags); ++ kfree_skb(skb); + } + + if (status == NET_RX_SUCCESS) { +-- +2.51.0 + diff --git a/queue-6.18/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch b/queue-6.18/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch new file mode 100644 index 0000000000..7c479c8370 --- /dev/null +++ b/queue-6.18/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch @@ -0,0 +1,85 @@ +From 1b9bbe7a3bfa1365e30121b80cb89d58a0382dc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 03:14:02 +0000 +Subject: mctp: route: hold key->lock in mctp_flow_prepare_output() + +From: Chengfeng Ye + +[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ] + +mctp_flow_prepare_output() checks key->dev and may call +mctp_dev_set_key(), but it does not hold key->lock while doing so. + +mctp_dev_set_key() and mctp_dev_release_key() are annotated with +__must_hold(&key->lock), so key->dev access is intended to be +serialized by key->lock. The mctp_sendmsg() transmit path reaches +mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() +without holding key->lock, so the check-and-set sequence is racy. + +Example interleaving: + + CPU0 CPU1 + ---- ---- + mctp_flow_prepare_output(key, devA) + if (!key->dev) // sees NULL + mctp_flow_prepare_output( + key, devB) + if (!key->dev) // still NULL + mctp_dev_set_key(devB, key) + mctp_dev_hold(devB) + key->dev = devB + mctp_dev_set_key(devA, key) + mctp_dev_hold(devA) + key->dev = devA // overwrites devB + +Now both devA and devB references were acquired, but only the final +key->dev value is tracked for release. One reference can be lost, +causing a resource leak as mctp_dev_release_key() would only decrease +the reference on one dev. + +Fix by taking key->lock around the key->dev check and +mctp_dev_set_key() call. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Signed-off-by: Chengfeng Ye +Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 2ac4011a953ff..bee225c821ed8 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -359,6 +359,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + { + struct mctp_sk_key *key; + struct mctp_flow *flow; ++ unsigned long flags; + + flow = skb_ext_find(skb, SKB_EXT_MCTP); + if (!flow) +@@ -366,12 +367,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (key->dev) { ++ spin_lock_irqsave(&key->lock, flags); ++ ++ if (!key->dev) ++ mctp_dev_set_key(dev, key); ++ else + WARN_ON(key->dev != dev); +- return; +- } + +- mctp_dev_set_key(dev, key); ++ spin_unlock_irqrestore(&key->lock, flags); + } + #else + static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} +-- +2.51.0 + diff --git a/queue-6.18/neighbour-restore-protocol-0-check-in-pneigh-update.patch b/queue-6.18/neighbour-restore-protocol-0-check-in-pneigh-update.patch new file mode 100644 index 0000000000..4d1df91020 --- /dev/null +++ b/queue-6.18/neighbour-restore-protocol-0-check-in-pneigh-update.patch @@ -0,0 +1,43 @@ +From 7b0d9478a840f13db5e9be19a591a490d85547cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 22:59:16 +0100 +Subject: neighbour: restore protocol != 0 check in pneigh update + +From: Sabrina Dubroca + +[ Upstream commit cbada1048847a348797aec63a1d8056621cbe653 ] + +Prior to commit dc2a27e524ac ("neighbour: Update pneigh_entry in +pneigh_create()."), a pneigh's protocol was updated only when the +value of the NDA_PROTOCOL attribute was non-0. While moving the code, +that check was removed. This is a small change of user-visible +behavior, and inconsistent with the (non-proxy) neighbour behavior. + +Fixes: dc2a27e524ac ("neighbour: Update pneigh_entry in pneigh_create().") +Signed-off-by: Sabrina Dubroca +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/38c61de1bb032871a886aff9b9b52fe1cdd4cada.1772894876.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index bddfa389effa7..6dab4d1c2263d 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -821,7 +821,8 @@ int pneigh_create(struct neigh_table *tbl, struct net *net, + update: + WRITE_ONCE(n->flags, flags); + n->permanent = permanent; +- WRITE_ONCE(n->protocol, protocol); ++ if (protocol) ++ WRITE_ONCE(n->protocol, protocol); + out: + mutex_unlock(&tbl->phash_lock); + return err; +-- +2.51.0 + diff --git a/queue-6.18/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch b/queue-6.18/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch new file mode 100644 index 0000000000..e4d4b291c2 --- /dev/null +++ b/queue-6.18/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch @@ -0,0 +1,273 @@ +From 44fd3e479b730ffb4610b15c458a479506589949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:01:34 +0800 +Subject: net: add xmit recursion limit to tunnel xmit functions + +From: Weiming Shi + +[ Upstream commit 6f1a9140ecda3baba3d945b9a6155af4268aafc4 ] + +Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own +recursion limit. When a bond device in broadcast mode has GRE tap +interfaces as slaves, and those GRE tunnels route back through the +bond, multicast/broadcast traffic triggers infinite recursion between +bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing +kernel stack overflow. + +The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not +sufficient because tunnel recursion involves route lookups and full IP +output, consuming much more stack per level. Use a lower limit of 4 +(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. + +Add recursion detection using dev_xmit_recursion helpers directly in +iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel +paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). + +Move dev_xmit_recursion helpers from net/core/dev.h to public header +include/linux/netdevice.h so they can be used by tunnel code. + + BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 + Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 + Workqueue: mld mld_ifc_work + Call Trace: + + __build_flow_key.constprop.0 (net/ipv4/route.c:515) + ip_rt_update_pmtu (net/ipv4/route.c:1073) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + mld_sendpack + mld_ifc_work + process_one_work + worker_thread + + +Fixes: 745e20f1b626 ("net: add a recursion limit in xmit path") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260306160133.3852900-2-bestswngs@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 32 ++++++++++++++++++++++++++++++++ + include/net/ip6_tunnel.h | 12 ++++++++++++ + include/net/ip_tunnels.h | 7 +++++++ + net/core/dev.h | 35 ----------------------------------- + net/ipv4/ip_tunnel_core.c | 13 +++++++++++++ + 5 files changed, 64 insertions(+), 35 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 8bb7b0e2c5438..0f425a1f80409 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3549,17 +3549,49 @@ struct page_pool_bh { + }; + DECLARE_PER_CPU(struct page_pool_bh, system_page_pool); + ++#define XMIT_RECURSION_LIMIT 8 ++ + #ifndef CONFIG_PREEMPT_RT + static inline int dev_recursion_level(void) + { + return this_cpu_read(softnet_data.xmit.recursion); + } ++ ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > ++ XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ __this_cpu_inc(softnet_data.xmit.recursion); ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ __this_cpu_dec(softnet_data.xmit.recursion); ++} + #else + static inline int dev_recursion_level(void) + { + return current->net_xmit.recursion; + } + ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ current->net_xmit.recursion++; ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ current->net_xmit.recursion--; ++} + #endif + + void __netif_schedule(struct Qdisc *q); +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 120db28658112..1253cbb4b0a45 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,6 +156,16 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); + IP6CB(skb)->flags = ip6cb_flags; + pkt_len = skb->len - skb_inner_network_offset(skb); +@@ -166,6 +176,8 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + pkt_len = -1; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + #endif + #endif +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 4021e6a73e32b..80662f8120803 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -27,6 +27,13 @@ + #include + #endif + ++/* Recursion limit for tunnel xmit to detect routing loops. ++ * Unlike XMIT_RECURSION_LIMIT (8) used in the no-qdisc path, tunnel ++ * recursion involves route lookups and full IP output, consuming much ++ * more stack per level, so a lower limit is needed. ++ */ ++#define IP_TUNNEL_RECURSION_LIMIT 4 ++ + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) + +diff --git a/net/core/dev.h b/net/core/dev.h +index df8a90fe89f8f..b458e2777725e 100644 +--- a/net/core/dev.h ++++ b/net/core/dev.h +@@ -358,41 +358,6 @@ static inline void napi_assert_will_not_race(const struct napi_struct *napi) + + void kick_defer_list_purge(unsigned int cpu); + +-#define XMIT_RECURSION_LIMIT 8 +- +-#ifndef CONFIG_PREEMPT_RT +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > +- XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- __this_cpu_inc(softnet_data.xmit.recursion); +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- __this_cpu_dec(softnet_data.xmit.recursion); +-} +-#else +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- current->net_xmit.recursion++; +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- current->net_xmit.recursion--; +-} +-#endif +- + int dev_set_hwtstamp_phylib(struct net_device *dev, + struct kernel_hwtstamp_config *cfg, + struct netlink_ext_ack *extack); +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 2e61ac1371289..b1b6bf949f65a 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -58,6 +58,17 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ ip_rt_put(rt); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + skb_scrub_packet(skb, xnet); + + skb_clear_hash_if_not_l4(skb); +@@ -88,6 +99,8 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + pkt_len = 0; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + EXPORT_SYMBOL_GPL(iptunnel_xmit); + +-- +2.51.0 + diff --git a/queue-6.18/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch b/queue-6.18/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch new file mode 100644 index 0000000000..6a1edc82cb --- /dev/null +++ b/queue-6.18/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch @@ -0,0 +1,204 @@ +From 163cb2d13a6c4fb29a53971108e16d5f1e99ab93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 06:49:35 +0100 +Subject: net: bcmgenet: fix broken EEE by converting to phylib-managed state + +From: Nicolai Buchwitz + +[ Upstream commit 908c344d5cfac4160f49715da9efacdf5b6a28bd ] + +The bcmgenet EEE implementation is broken in several ways. +phy_support_eee() is never called, so the PHY never advertises EEE +and phylib never sets phydev->enable_tx_lpi. bcmgenet_mac_config() +checks priv->eee.eee_enabled to decide whether to enable the MAC +LPI logic, but that field is never initialised to true, so the MAC +never enters Low Power Idle even when EEE is negotiated - wasting +the power savings EEE is designed to provide. The only way to get +EEE working at all is a manual 'ethtool --set-eee eth0 eee on' after +every link-up, and even then bcmgenet_get_eee() immediately clobbers +the reported state because phy_ethtool_get_eee() overwrites +eee_enabled and tx_lpi_enabled with the uninitialised PHY eee_cfg +values. Finally, bcmgenet_mac_config() is only called on link-up, +so EEE is never disabled in hardware on link-down. + +Fix all of this by removing the MAC-side EEE state tracking +(priv->eee) and aligning with the pattern used by other non-phylink +MAC drivers such as FEC. + +Call phy_support_eee() in bcmgenet_mii_probe() so the PHY advertises +EEE link modes and phylib tracks negotiation state. Move the EEE +hardware control to bcmgenet_mii_setup(), which is called on every +link event, and drive it directly from phydev->enable_tx_lpi - the +flag phylib sets when EEE is negotiated and the user has not disabled +it. This enables EEE automatically once the link partner agrees and +disables it cleanly on link-down. + +Make bcmgenet_get_eee() and bcmgenet_set_eee() pure passthroughs to +phy_ethtool_get_eee() and phy_ethtool_set_eee(), with the MAC +hardware register read/written for tx_lpi_timer. Drop struct +ethtool_keee eee from struct bcmgenet_priv. + +Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration") +Link: https://lore.kernel.org/netdev/d352039f-4cbb-41e6-9aeb-0b4f3941b54c@lunn.ch/ +Suggested-by: Andrew Lunn +Signed-off-by: Nicolai Buchwitz +Reviewed-by: Florian Fainelli +Tested-by: Florian Fainelli +Link: https://patch.msgid.link/20260310054935.1238594-1-nb@tipi-net.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/genet/bcmgenet.c | 31 +++++++------------ + .../net/ethernet/broadcom/genet/bcmgenet.h | 5 +-- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +++--- + 3 files changed, 18 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 98971ae4f87df..e142939d87cbe 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1343,8 +1343,7 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev, + } + } + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled) ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; +@@ -1364,7 +1363,7 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + + /* Enable EEE and switch to a 27Mhz clock automatically */ + reg = bcmgenet_readl(priv->base + off); +- if (tx_lpi_enabled) ++ if (enable) + reg |= TBUF_EEE_EN | TBUF_PM_EN; + else + reg &= ~(TBUF_EEE_EN | TBUF_PM_EN); +@@ -1383,14 +1382,12 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + priv->clk_eee_enabled = false; + } + +- priv->eee.eee_enabled = enable; +- priv->eee.tx_lpi_enabled = tx_lpi_enabled; + } + + static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; ++ int ret; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1398,17 +1395,21 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- e->tx_lpi_enabled = p->tx_lpi_enabled; ++ ret = phy_ethtool_get_eee(dev->phydev, e); ++ if (ret) ++ return ret; ++ ++ /* tx_lpi_timer is maintained by the MAC hardware register; the ++ * PHY-level eee_cfg timer is not set for GENET. ++ */ + e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); + +- return phy_ethtool_get_eee(dev->phydev, e); ++ return 0; + } + + static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; +- bool active; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1416,15 +1417,7 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- p->eee_enabled = e->eee_enabled; +- +- if (!p->eee_enabled) { +- bcmgenet_eee_enable_set(dev, false, false); +- } else { +- active = phy_init_eee(dev->phydev, false) >= 0; +- bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); +- bcmgenet_eee_enable_set(dev, active, e->tx_lpi_enabled); +- } ++ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); + + return phy_ethtool_set_eee(dev->phydev, e); + } +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +index 5ec3979779ece..9e4110c7fdf6f 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -665,8 +665,6 @@ struct bcmgenet_priv { + u8 sopass[SOPASS_MAX]; + + struct bcmgenet_mib_counters mib; +- +- struct ethtool_keee eee; + }; + + static inline bool bcmgenet_has_40bits(struct bcmgenet_priv *priv) +@@ -749,7 +747,6 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv, + int bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, + enum bcmgenet_power_mode mode); + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled); ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable); + + #endif /* __BCMGENET_H__ */ +diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c +index 573e8b279e52f..33e3eec31cc9e 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -30,7 +30,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + struct bcmgenet_priv *priv = netdev_priv(dev); + struct phy_device *phydev = dev->phydev; + u32 reg, cmd_bits = 0; +- bool active; + + /* speed */ + if (phydev->speed == SPEED_1000) +@@ -91,10 +90,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + bcmgenet_umac_writel(priv, reg, UMAC_CMD); + spin_unlock_bh(&priv->reg_lock); + +- active = phy_init_eee(phydev, 0) >= 0; +- bcmgenet_eee_enable_set(dev, +- priv->eee.eee_enabled && active, +- priv->eee.tx_lpi_enabled); + } + + /* setup netdev link state when PHY link status change and +@@ -114,6 +109,8 @@ void bcmgenet_mii_setup(struct net_device *dev) + bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL); + } + ++ bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi); ++ + phy_print_status(phydev); + } + +@@ -413,6 +410,9 @@ int bcmgenet_mii_probe(struct net_device *dev) + /* Indicate that the MAC is responsible for PHY PM */ + dev->phydev->mac_managed_pm = true; + ++ if (!GENET_IS_V1(priv)) ++ phy_support_eee(dev->phydev); ++ + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.18/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch b/queue-6.18/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch new file mode 100644 index 0000000000..7fec5bc24d --- /dev/null +++ b/queue-6.18/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch @@ -0,0 +1,92 @@ +From 0d5d1712128552571a4bb8407a00514e0e86a931 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:50:54 -0300 +Subject: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ] + +When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never +initialized because inet6_init() exits before ndisc_init() is called +which initializes it. If bonding ARP/NS validation is enabled, an IPv6 +NS/NA packet received on a slave can reach bond_validate_na(), which +calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can +crash in __ipv6_chk_addr_and_flags(). + + BUG: kernel NULL pointer dereference, address: 00000000000005d8 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 + Call Trace: + + ipv6_chk_addr+0x1f/0x30 + bond_validate_na+0x12e/0x1d0 [bonding] + ? __pfx_bond_handle_frame+0x10/0x10 [bonding] + bond_rcv_validate+0x1a0/0x450 [bonding] + bond_handle_frame+0x5e/0x290 [bonding] + ? srso_alias_return_thunk+0x5/0xfbef5 + __netif_receive_skb_core.constprop.0+0x3e8/0xe50 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? update_cfs_rq_load_avg+0x1a/0x240 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __enqueue_entity+0x5e/0x240 + __netif_receive_skb_one_core+0x39/0xa0 + process_backlog+0x9c/0x150 + __napi_poll+0x30/0x200 + ? srso_alias_return_thunk+0x5/0xfbef5 + net_rx_action+0x338/0x3b0 + handle_softirqs+0xc9/0x2a0 + do_softirq+0x42/0x60 + + + __local_bh_enable_ip+0x62/0x70 + __dev_queue_xmit+0x2d3/0x1000 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? packet_parse_headers+0x10a/0x1a0 + packet_sendmsg+0x10da/0x1700 + ? kick_pool+0x5f/0x140 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __queue_work+0x12d/0x4f0 + __sys_sendto+0x1f3/0x220 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x101/0xf80 + ? exc_page_fault+0x6e/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to +bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() +and avoid the path to ipv6_chk_addr(). + +Suggested-by: Fernando Fernandez Mancera +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 139ece7676c50..e8e261e0cb4e1 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3402,7 +3402,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); + #if IS_ENABLED(CONFIG_IPV6) +- } else if (is_ipv6) { ++ } else if (is_ipv6 && likely(ipv6_mod_enabled())) { + return bond_na_rcv(skb, bond, slave); + #endif + } else { +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch b/queue-6.18/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch new file mode 100644 index 0000000000..17a413d52d --- /dev/null +++ b/queue-6.18/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch @@ -0,0 +1,53 @@ +From 57117b3efd7f34bfad9b1b6ba6c40b1dd7a3c99a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:12:37 +0100 +Subject: net: dsa: realtek: Fix LED group port bit for non-zero LED group +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit e8f0dc024ce55451ebd54bad975134ba802e4fcc ] + +The rtl8366rb_led_group_port_mask() function always returns LED port +bit in LED group 0; the switch statement returns the same thing in all +non-default cases. + +This means that the driver does not currently support configuring LEDs +in non-zero LED groups. + +Fix this. + +Fixes: 32d617005475a71e ("net: dsa: realtek: add LED drivers for rtl8366rb") +Signed-off-by: Marek Behún +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260311111237.29002-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8366rb-leds.c b/drivers/net/dsa/realtek/rtl8366rb-leds.c +index 99c890681ae60..509ffd3f8db5c 100644 +--- a/drivers/net/dsa/realtek/rtl8366rb-leds.c ++++ b/drivers/net/dsa/realtek/rtl8366rb-leds.c +@@ -12,11 +12,11 @@ static inline u32 rtl8366rb_led_group_port_mask(u8 led_group, u8 port) + case 0: + return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); + case 1: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_1_CTRL_MASK, BIT(port)); + case 2: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_2_X_CTRL_MASK, BIT(port)); + case 3: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_3_CTRL_MASK, BIT(port)); + default: + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch b/queue-6.18/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch new file mode 100644 index 0000000000..9bac907785 --- /dev/null +++ b/queue-6.18/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch @@ -0,0 +1,48 @@ +From f90aeb527d8a34024d27fc214c51bbd2a5363277 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:25:12 -0300 +Subject: net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets + +From: Mieczyslaw Nalewaj + +[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ] + +rx_packets should report the number of frames successfully received: +unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX +counter) is incorrect and can undercount RX packets. RX drops are +already reported via rx_dropped (e.g. etherStatsDropEvents), so +there is no need to adjust rx_packets. + +This patch removes the subtraction of ifOutDiscards from rx_packets +in rtl8365mb_stats_update(). + +Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/ +Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC") +Signed-off-by: Mieczyslaw Nalewaj +Signed-off-by: Luiz Angelo Daros de Luca +Reviewed-by: Simon Horman +Acked-by: Linus Walleij +Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8365mb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c +index d06b384d47643..3a48db295e7e4 100644 +--- a/drivers/net/dsa/realtek/rtl8365mb.c ++++ b/drivers/net/dsa/realtek/rtl8365mb.c +@@ -1480,8 +1480,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port) + + stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] + + cnt[RTL8365MB_MIB_ifInMulticastPkts] + +- cnt[RTL8365MB_MIB_ifInBroadcastPkts] - +- cnt[RTL8365MB_MIB_ifOutDiscards]; ++ cnt[RTL8365MB_MIB_ifInBroadcastPkts]; + + stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] + + cnt[RTL8365MB_MIB_ifOutMulticastPkts] + +-- +2.51.0 + diff --git a/queue-6.18/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch b/queue-6.18/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch new file mode 100644 index 0000000000..a6eeb892b0 --- /dev/null +++ b/queue-6.18/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch @@ -0,0 +1,100 @@ +From 30702c1add6ceb695a6370279123c602255afce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:39:40 +0530 +Subject: net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP + support + +From: Chintan Vankar + +[ Upstream commit 840c9d13cb1ca96683a5307ee8e221be163a2c1e ] + +The "rx_filter" member of "hwtstamp_config" structure is an enum field and +does not support bitwise OR combination of multiple filter values. It +causes error while linuxptp application tries to match rx filter version. +Fix this by storing the requested filter type in a new port field. + +Fixes: 97248adb5a3b ("net: ti: am65-cpsw: Update hw timestamping filter for PTPv1 RX packets") +Signed-off-by: Chintan Vankar +Link: https://patch.msgid.link/20260310160940.109822-1-c-vankar@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 16 +++++++++------- + drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 +- + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 071a7c42caa9a..31d436cdceb7c 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1351,7 +1351,7 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow, + ndev_priv = netdev_priv(ndev); + am65_cpsw_nuss_set_offload_fwd_mark(skb, ndev_priv->offload_fwd_mark); + skb_put(skb, pkt_len); +- if (port->rx_ts_enabled) ++ if (port->rx_ts_filter) + am65_cpts_rx_timestamp(common->cpts, skb); + skb_mark_for_recycle(skb); + skb->protocol = eth_type_trans(skb, ndev); +@@ -1811,11 +1811,14 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + + switch (cfg->rx_filter) { + case HWTSTAMP_FILTER_NONE: +- port->rx_ts_enabled = false; ++ port->rx_ts_filter = HWTSTAMP_FILTER_NONE; + break; + case HWTSTAMP_FILTER_PTP_V1_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V1_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ: ++ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ break; + case HWTSTAMP_FILTER_PTP_V2_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V2_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ: +@@ -1825,8 +1828,8 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + case HWTSTAMP_FILTER_PTP_V2_EVENT: + case HWTSTAMP_FILTER_PTP_V2_SYNC: + case HWTSTAMP_FILTER_PTP_V2_DELAY_REQ: +- port->rx_ts_enabled = true; +- cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT | HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; ++ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; + break; + case HWTSTAMP_FILTER_ALL: + case HWTSTAMP_FILTER_SOME: +@@ -1863,7 +1866,7 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + ts_ctrl |= AM65_CPSW_TS_TX_ANX_ALL_EN | + AM65_CPSW_PN_TS_CTL_TX_VLAN_LT1_EN; + +- if (port->rx_ts_enabled) ++ if (port->rx_ts_filter) + ts_ctrl |= AM65_CPSW_TS_RX_ANX_ALL_EN | + AM65_CPSW_PN_TS_CTL_RX_VLAN_LT1_EN; + +@@ -1888,8 +1891,7 @@ static int am65_cpsw_nuss_hwtstamp_get(struct net_device *ndev, + cfg->flags = 0; + cfg->tx_type = port->tx_ts_enabled ? + HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF; +- cfg->rx_filter = port->rx_ts_enabled ? HWTSTAMP_FILTER_PTP_V2_EVENT | +- HWTSTAMP_FILTER_PTP_V1_L4_EVENT : HWTSTAMP_FILTER_NONE; ++ cfg->rx_filter = port->rx_ts_filter; + + return 0; + } +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.h b/drivers/net/ethernet/ti/am65-cpsw-nuss.h +index 917c37e4e89bd..7750448e47468 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.h ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.h +@@ -52,7 +52,7 @@ struct am65_cpsw_port { + bool disabled; + struct am65_cpsw_slave_data slave; + bool tx_ts_enabled; +- bool rx_ts_enabled; ++ enum hwtstamp_rx_filters rx_ts_filter; + struct am65_cpsw_qos qos; + struct devlink_port devlink_port; + struct bpf_prog *xdp_prog; +-- +2.51.0 + diff --git a/queue-6.18/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch b/queue-6.18/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch new file mode 100644 index 0000000000..93642e49bc --- /dev/null +++ b/queue-6.18/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch @@ -0,0 +1,40 @@ +From 2513e4a2bd1ecbcb967024a7ecac23ae9cc11fa1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 10:24:43 -0700 +Subject: net/mana: Null service_wq on setup error to prevent double destroy + +From: Shiraz Saleem + +[ Upstream commit 87c2302813abc55c46485711a678e3c312b00666 ] + +In mana_gd_setup() error path, set gc->service_wq to NULL after +destroy_workqueue() to match the cleanup in mana_gd_cleanup(). +This prevents a use-after-free if the workqueue pointer is checked +after a failed setup. + +Fixes: f975a0955276 ("net: mana: Fix double destroy_workqueue on service rescan PCI path") +Signed-off-by: Shiraz Saleem +Signed-off-by: Konstantin Taranov +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260309172443.688392-1-kotaranov@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index e22a98a9c9856..962fdd29d6063 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1854,6 +1854,7 @@ static int mana_gd_setup(struct pci_dev *pdev) + mana_gd_remove_irqs(pdev); + free_workqueue: + destroy_workqueue(gc->service_wq); ++ gc->service_wq = NULL; + dev_err(&pdev->dev, "%s failed (error %d)\n", __func__, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch b/queue-6.18/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch new file mode 100644 index 0000000000..48f841d22a --- /dev/null +++ b/queue-6.18/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch @@ -0,0 +1,148 @@ +From d6d7d4aba31be3eede3bd921f698a72b5086bd20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:30 +0200 +Subject: net/mlx5: Fix crash when moving to switchdev mode + +From: Patrisious Haddad + +[ Upstream commit 24b2795f9683e092dc22a68f487e7aaaf2ddafea ] + +When moving to switchdev mode when the device doesn't support IPsec, +we try to clean up the IPsec resources anyway which causes the crash +below, fix that by correctly checking for IPsec support before trying +to clean up its resources. + +[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at +do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 +[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE +ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype +rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink +zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi +scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core +ib_core +[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted +6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE +[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680 +[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22 +00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb + ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d +41 +[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046 +[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX: +ffff88810b980f00 +[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI: +ffff88810770f728 +[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09: +0000000000000000 +[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12: +ffff888103f3c4c0 +[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15: +0000000000000000 +[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000) +knlGS:0000000000000000 +[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4: +0000000000172eb0 +[27642.537982] Call Trace: +[27642.538466] +[27642.538907] exc_page_fault+0x76/0x140 +[27642.539583] asm_exc_page_fault+0x22/0x30 +[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30 +[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8 +01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00 + 00 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8 + 5b +[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046 +[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX: +ffff888113ad96d8 +[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI: +00000000000000a0 +[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09: +ffff88810b980f00 +[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12: +00000000000000a8 +[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15: +ffff8881130d8a40 +[27642.550379] complete_all+0x20/0x90 +[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core] +[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core] +[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core] +[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core] +[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core] +[27642.555757] ? xa_load+0x53/0x90 +[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core] +[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core] +[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core] +[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core] +[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core] +[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core] +[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0 +[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0 +[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130 +[27642.564816] genl_rcv_msg+0x183/0x290 +[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160 +[27642.566329] ? devlink_nl_eswitch_get_doit+0x290/0x290 +[27642.567181] ? devlink_nl_pre_doit_parent_dev_optional+0x20/0x20 +[27642.568147] ? genl_family_rcv_msg_dumpit+0xf0/0xf0 +[27642.568966] netlink_rcv_skb+0x4b/0xf0 +[27642.569629] genl_rcv+0x24/0x40 +[27642.570215] netlink_unicast+0x255/0x380 +[27642.570901] ? __alloc_skb+0xfa/0x1e0 +[27642.571560] netlink_sendmsg+0x1f3/0x420 +[27642.572249] __sock_sendmsg+0x38/0x60 +[27642.572911] __sys_sendto+0x119/0x180 +[27642.573561] ? __sys_recvmsg+0x5c/0xb0 +[27642.574227] __x64_sys_sendto+0x20/0x30 +[27642.574904] do_syscall_64+0x55/0xc10 +[27642.575554] entry_SYSCALL_64_after_hwframe+0x4b/0x53 +[27642.576391] RIP: 0033:0x7f197c85e807 +[27642.577050] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00 +00 90 f3 0f 1e fa 80 3d 45 08 0d 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f + 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d + d0 +[27642.579846] RSP: 002b:00007ffebd4e2248 EFLAGS: 00000202 ORIG_RAX: +000000000000002c +[27642.581082] RAX: ffffffffffffffda RBX: 000055cfcd9cd2a0 RCX: +00007f197c85e807 +[27642.582200] RDX: 0000000000000038 RSI: 000055cfcd9cd490 RDI: +0000000000000003 +[27642.583320] RBP: 00007ffebd4e2290 R08: 00007f197c942200 R09: +000000000000000c +[27642.584437] R10: 0000000000000000 R11: 0000000000000202 R12: +0000000000000000 +[27642.585555] R13: 000055cfcd9cd490 R14: 00007ffebd4e45d1 R15: +000055cfcd9cd2a0 +[27642.586671] +[27642.587121] ---[ end trace 0000000000000000 ]--- +[27642.587910] BUG: kernel NULL pointer dereference, address: +00000000000000a0 + +Fixes: 664f76be38a1 ("net/mlx5: Fix IPsec cleanup over MPV device") +Signed-off-by: Patrisious Haddad +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index feef86fff4bfd..91cfabc450325 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -2912,7 +2912,7 @@ void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv) + goto out; + + peer_priv = mlx5_devcom_get_next_peer_data(priv->devcom, &tmp); +- if (peer_priv) ++ if (peer_priv && peer_priv->ipsec) + complete_all(&peer_priv->ipsec->comp); + + mlx5_devcom_for_each_peer_end(priv->devcom); +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch b/queue-6.18/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch new file mode 100644 index 0000000000..1905465171 --- /dev/null +++ b/queue-6.18/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch @@ -0,0 +1,152 @@ +From ea2fba43387e095f7b6ef425338ef1328b6c4331 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:10:19 +0200 +Subject: net/mlx5: Fix deadlock between devlink lock and esw->wq + +From: Cosmin Ratiu + +[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ] + +esw->work_queue executes esw_functions_changed_event_handler -> +esw_vfs_changed_event_handler and acquires the devlink lock. + +.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> +mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> +mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks +when esw_vfs_changed_event_handler executes. + +Fix that by no longer flushing the work to avoid the deadlock, and using +a generation counter to keep track of work relevance. This avoids an old +handler manipulating an esw that has undergone one or more mode changes: +- the counter is incremented in mlx5_eswitch_event_handler_unregister. +- the counter is read and passed to the ephemeral mlx5_host_work struct. +- the work handler takes the devlink lock and bails out if the current + generation is different than the one it was scheduled to operate on. +- mlx5_eswitch_cleanup does the final draining before destroying the wq. + +No longer flushing the workqueue has the side effect of maybe no longer +cancelling pending vport_change_handler work items, but that's ok since +those are disabled elsewhere: +- mlx5_eswitch_disable_locked disables the vport eq notifier. +- mlx5_esw_vport_disable disarms the HW EQ notification and marks + vport->enabled under state_lock to false to prevent pending vport + handler from doing anything. +- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events + are disabled/finished. + +Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Moshe Shemesh +Reviewed-by: Dragos Tatulea +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++----- + 3 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index e2ffb87b94cbe..49bc409d7dbb0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1081,10 +1081,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + + static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { +- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS && ++ mlx5_eswitch_is_funcs_handler(esw->dev)) { + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); +- +- flush_workqueue(esw->work_queue); ++ atomic_inc(&esw->esw_funcs.generation); ++ } + } + + static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 2d91f77b01601..558055d214e10 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -331,10 +331,12 @@ struct esw_mc_addr { /* SRIOV only */ + struct mlx5_host_work { + struct work_struct work; + struct mlx5_eswitch *esw; ++ int work_gen; + }; + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ atomic_t generation; + bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 8c0e812f13c3f..1ff6c3d502e9b 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3451,22 +3451,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw) + } + + static void +-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) ++esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen, ++ const u32 *out) + { + struct devlink *devlink; + bool host_pf_disabled; + u16 new_num_vfs; + ++ devlink = priv_to_devlink(esw->dev); ++ devl_lock(devlink); ++ ++ /* Stale work from one or more mode changes ago. Bail out. */ ++ if (work_gen != atomic_read(&esw->esw_funcs.generation)) ++ goto unlock; ++ + new_num_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_num_of_vfs); + host_pf_disabled = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_pf_disabled); + + if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled) +- return; ++ goto unlock; + +- devlink = priv_to_devlink(esw->dev); +- devl_lock(devlink); + /* Number of VFs can only change from "0 to x" or "x to 0". */ + if (esw->esw_funcs.num_vfs > 0) { + mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs); +@@ -3481,6 +3487,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) + } + } + esw->esw_funcs.num_vfs = new_num_vfs; ++unlock: + devl_unlock(devlink); + } + +@@ -3497,7 +3504,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work) + if (IS_ERR(out)) + goto out; + +- esw_vfs_changed_event_handler(esw, out); ++ esw_vfs_changed_event_handler(esw, host_work->work_gen, out); + kvfree(out); + out: + kfree(host_work); +@@ -3517,6 +3524,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type + esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs); + + host_work->esw = esw; ++ host_work->work_gen = atomic_read(&esw_funcs->generation); + + INIT_WORK(&host_work->work, esw_functions_changed_event_handler); + queue_work(esw->work_queue, &host_work->work); +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch b/queue-6.18/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch new file mode 100644 index 0000000000..352ab82347 --- /dev/null +++ b/queue-6.18/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch @@ -0,0 +1,77 @@ +From fb968e1d2d5fc2ef337ad359676c3d0c0d0ba167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:31 +0200 +Subject: net/mlx5: Fix peer miss rules host disabled checks + +From: Carolina Jubran + +[ Upstream commit 76324e4041c0efb4808702b05426d7a0a7d8df5b ] + +The check on mlx5_esw_host_functions_enabled(esw->dev) for adding VF +peer miss rules is incorrect. These rules match traffic from peer's VFs, +so the local device's host function status is irrelevant. Remove this +check to ensure peer VF traffic is properly handled regardless of local +host configuration. + +Also fix the PF peer miss rule deletion to be symmetric with the add +path, so only attempt to delete the rule if it was actually created. + +Fixes: 520369ef43a8 ("net/mlx5: Support disabling host PFs") +Signed-off-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/eswitch_offloads.c | 27 +++++++++---------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index 1ff6c3d502e9b..f1585df13b732 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -1241,21 +1241,17 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + flows[peer_vport->index] = flow; + } + +- if (mlx5_esw_host_functions_enabled(esw->dev)) { +- mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport, +- mlx5_core_max_vfs(peer_dev)) { +- esw_set_peer_miss_rule_source_port(esw, peer_esw, +- spec, +- peer_vport->vport); +- +- flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw), +- spec, &flow_act, &dest, 1); +- if (IS_ERR(flow)) { +- err = PTR_ERR(flow); +- goto add_vf_flow_err; +- } +- flows[peer_vport->index] = flow; ++ mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport, ++ mlx5_core_max_vfs(peer_dev)) { ++ esw_set_peer_miss_rule_source_port(esw, peer_esw, spec, ++ peer_vport->vport); ++ flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw), ++ spec, &flow_act, &dest, 1); ++ if (IS_ERR(flow)) { ++ err = PTR_ERR(flow); ++ goto add_vf_flow_err; + } ++ flows[peer_vport->index] = flow; + } + + if (mlx5_core_ec_sriov_enabled(peer_dev)) { +@@ -1347,7 +1343,8 @@ static void esw_del_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + mlx5_del_flow_rules(flows[peer_vport->index]); + } + +- if (mlx5_core_is_ecpf_esw_manager(peer_dev)) { ++ if (mlx5_core_is_ecpf_esw_manager(peer_dev) && ++ mlx5_esw_host_functions_enabled(peer_dev)) { + peer_vport = mlx5_eswitch_get_vport(peer_esw, MLX5_VPORT_PF); + mlx5_del_flow_rules(flows[peer_vport->index]); + } +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-6.18/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..958d61d473 --- /dev/null +++ b/queue-6.18/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From 531c27a8a5bd175bca0ea4ea5f76614b3d80caa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 9f6454102cf79..d6ace2b6fc1df 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -46,7 +46,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch b/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch new file mode 100644 index 0000000000..8c6f5e4b00 --- /dev/null +++ b/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch @@ -0,0 +1,127 @@ +From 5bfc32b771031b325b582f023e57ccc42a7e56fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:34 +0200 +Subject: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ + +From: Dragos Tatulea + +[ Upstream commit a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa ] + +XDP multi-buf programs can modify the layout of the XDP buffer when the +program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The +referenced commit in the fixes tag corrected the assumption in the mlx5 +driver that the XDP buffer layout doesn't change during a program +execution. However, this fix introduced another issue: the dropped +fragments still need to be counted on the driver side to avoid page +fragment reference counting issues. + +Such issue can be observed with the +test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of +3600 and shrinking by 256 bytes (an upcoming selftest patch): the last +fragment gets released by the XDP code but doesn't get tracked by the +driver. This results in a negative pp_ref_count during page release and +the following splat: + + WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 + Modules linked in: [...] + CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] + [...] + Call Trace: + + mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] + mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] + mlx5e_close_rq+0x50/0x60 [mlx5_core] + mlx5e_close_queues+0x36/0x2c0 [mlx5_core] + mlx5e_close_channel+0x1c/0x50 [mlx5_core] + mlx5e_close_channels+0x45/0x80 [mlx5_core] + mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] + mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] + netif_set_mtu_ext+0xf1/0x230 + do_setlink.isra.0+0x219/0x1180 + rtnl_newlink+0x79f/0xb60 + rtnetlink_rcv_msg+0x213/0x3a0 + netlink_rcv_skb+0x48/0xf0 + netlink_unicast+0x24a/0x350 + netlink_sendmsg+0x1ee/0x410 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x232/0x280 + ___sys_sendmsg+0x78/0xb0 + __sys_sendmsg+0x5f/0xb0 + [...] + do_syscall_64+0x57/0xc50 + +This patch fixes the issue by doing page frag counting on all the +original XDP buffer fragments for all relevant XDP actions (XDP_TX , +XDP_REDIRECT and XDP_PASS). This is basically reverting to the original +counting before the commit in the fixes tag. + +As frag_page is still pointing to the original tail, the nr_frags +parameter to xdp_update_skb_frags_info() needs to be calculated +in a different way to reflect the new nr_frags. + +Fixes: afd5ba577c10 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Amery Hung +Link: https://patch.msgid.link/20260305142634.1813208-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 348c451473cd6..2ffa4e6b8c373 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1759,6 +1759,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + struct skb_shared_info *sinfo; + u32 frag_consumed_bytes; + struct bpf_prog *prog; ++ u8 nr_frags_free = 0; + struct sk_buff *skb; + dma_addr_t addr; + u32 truesize; +@@ -1801,15 +1802,13 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + + prog = rcu_dereference(rq->xdp_prog); + if (prog) { +- u8 nr_frags_free, old_nr_frags = sinfo->nr_frags; ++ u8 old_nr_frags = sinfo->nr_frags; + + if (mlx5e_xdp_handle(rq, prog, mxbuf)) { + if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT, + rq->flags)) { + struct mlx5e_wqe_frag_info *pwi; + +- wi -= old_nr_frags - sinfo->nr_frags; +- + for (pwi = head_wi; pwi < wi; pwi++) + pwi->frag_page->frags++; + } +@@ -1817,10 +1816,8 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + } + + nr_frags_free = old_nr_frags - sinfo->nr_frags; +- if (unlikely(nr_frags_free)) { +- wi -= nr_frags_free; ++ if (unlikely(nr_frags_free)) + truesize -= nr_frags_free * frag_info->frag_stride; +- } + } + + skb = mlx5e_build_linear_skb( +@@ -1836,7 +1833,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + + if (xdp_buff_has_frags(&mxbuf->xdp)) { + /* sinfo->nr_frags is reset by build_skb, calculate again. */ +- xdp_update_skb_frags_info(skb, wi - head_wi - 1, ++ xdp_update_skb_frags_info(skb, wi - head_wi - nr_frags_free - 1, + sinfo->xdp_frags_size, truesize, + xdp_buff_get_skb_flags(&mxbuf->xdp)); + +-- +2.51.0 + diff --git a/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch b/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch new file mode 100644 index 0000000000..e0acf7eab6 --- /dev/null +++ b/queue-6.18/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch @@ -0,0 +1,142 @@ +From 2323e3020c97b5ae1a34a498db911e2299ddffeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:33 +0200 +Subject: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ + +From: Dragos Tatulea + +[ Upstream commit db25c42c2e1f9c0d136420fff5e5700f7e771a6f ] + +XDP multi-buf programs can modify the layout of the XDP buffer when the +program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The +referenced commit in the fixes tag corrected the assumption in the mlx5 +driver that the XDP buffer layout doesn't change during a program +execution. However, this fix introduced another issue: the dropped +fragments still need to be counted on the driver side to avoid page +fragment reference counting issues. + +The issue was discovered by the drivers/net/xdp.py selftest, +more specifically the test_xdp_native_tx_mb: +- The mlx5 driver allocates a page_pool page and initializes it with + a frag counter of 64 (pp_ref_count=64) and the internal frag counter + to 0. +- The test sends one packet with no payload. +- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP + buffer with the packet data starting in the first fragment which is the + page mentioned above. +- The XDP program runs and calls bpf_xdp_pull_data() which moves the + header into the linear part of the XDP buffer. As the packet doesn't + contain more data, the program drops the tail fragment since it no + longer contains any payload (pp_ref_count=63). +- mlx5 device skips counting this fragment. Internal frag counter + remains 0. +- mlx5 releases all 64 fragments of the page but page pp_ref_count is + 63 => negative reference counting error. + +Resulting splat during the test: + + WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] + Modules linked in: [...] + CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] + [...] + Call Trace: + + mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] + mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] + mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] + mlx5e_close_rq+0x78/0xa0 [mlx5_core] + mlx5e_close_queues+0x46/0x2a0 [mlx5_core] + mlx5e_close_channel+0x24/0x90 [mlx5_core] + mlx5e_close_channels+0x5d/0xf0 [mlx5_core] + mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] + mlx5e_change_mtu+0x11d/0x490 [mlx5_core] + mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] + netif_set_mtu_ext+0xfc/0x240 + do_setlink.isra.0+0x226/0x1100 + rtnl_newlink+0x7a9/0xba0 + rtnetlink_rcv_msg+0x220/0x3c0 + netlink_rcv_skb+0x4b/0xf0 + netlink_unicast+0x255/0x380 + netlink_sendmsg+0x1f3/0x420 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x1e8/0x240 + ___sys_sendmsg+0x7c/0xb0 + [...] + __sys_sendmsg+0x5f/0xb0 + do_syscall_64+0x55/0xc70 + +The problem applies for XDP_PASS as well which is handled in a different +code path in the driver. + +This patch fixes the issue by doing page frag counting on all the +original XDP buffer fragments for all relevant XDP actions (XDP_TX , +XDP_REDIRECT and XDP_PASS). This is basically reverting to the original +counting before the commit in the fixes tag. + +As frag_page is still pointing to the original tail, the nr_frags +parameter to xdp_update_skb_frags_info() needs to be calculated +in a different way to reflect the new nr_frags. + +Fixes: 87bcef158ac1 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ") +Signed-off-by: Dragos Tatulea +Cc: Amery Hung +Reviewed-by: Nimrod Oren +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 687cf123211d7..348c451473cd6 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2118,14 +2118,13 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + + if (prog) { + u8 nr_frags_free, old_nr_frags = sinfo->nr_frags; ++ u8 new_nr_frags; + u32 len; + + if (mlx5e_xdp_handle(rq, prog, mxbuf)) { + if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT, rq->flags)) { + struct mlx5e_frag_page *pfp; + +- frag_page -= old_nr_frags - sinfo->nr_frags; +- + for (pfp = head_page; pfp < frag_page; pfp++) + pfp->frags++; + +@@ -2136,13 +2135,12 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + return NULL; /* page/packet was consumed by XDP */ + } + +- nr_frags_free = old_nr_frags - sinfo->nr_frags; +- if (unlikely(nr_frags_free)) { +- frag_page -= nr_frags_free; ++ new_nr_frags = sinfo->nr_frags; ++ nr_frags_free = old_nr_frags - new_nr_frags; ++ if (unlikely(nr_frags_free)) + truesize -= (nr_frags_free - 1) * PAGE_SIZE + + ALIGN(pg_consumed_bytes, + BIT(rq->mpwqe.log_stride_sz)); +- } + + len = mxbuf->xdp.data_end - mxbuf->xdp.data; + +@@ -2164,7 +2162,7 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + struct mlx5e_frag_page *pagep; + + /* sinfo->nr_frags is reset by build_skb, calculate again. */ +- xdp_update_skb_frags_info(skb, frag_page - head_page, ++ xdp_update_skb_frags_info(skb, new_nr_frags, + sinfo->xdp_frags_size, + truesize, + xdp_buff_get_skb_flags(&mxbuf->xdp)); +-- +2.51.0 + diff --git a/queue-6.18/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch b/queue-6.18/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch new file mode 100644 index 0000000000..d8011c413d --- /dev/null +++ b/queue-6.18/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch @@ -0,0 +1,69 @@ +From 37742fc76e53bbcd2ca2a0b6da8aef83ad977cc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 04:39:08 +0000 +Subject: net: prevent NULL deref in ip[6]tunnel_xmit() + +From: Eric Dumazet + +[ Upstream commit c38b8f5f791ecce13ab77e2257f8fd2444ba80f6 ] + +Blamed commit missed that both functions can be called with dev == NULL. + +Also add unlikely() hints for these conditions that only fuzzers can hit. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Signed-off-by: Eric Dumazet +CC: Weiming Shi +Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 10 ++++++---- + net/ipv4/ip_tunnel_core.c | 10 ++++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 1253cbb4b0a45..359b595f1df93 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + kfree_skb(skb); + return; + } +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index b1b6bf949f65a..5683c328990f4 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + ip_rt_put(rt); + kfree_skb(skb); + return; +-- +2.51.0 + diff --git a/queue-6.18/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-6.18/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..d42142a3cc --- /dev/null +++ b/queue-6.18/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From 2049e10e1e9dc89b82cae6ace07a3f058728ca81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 6e4bdaa876ed6..783300d8b0197 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-6.18/net-sfp-improve-huawei-ma5671a-fixup.patch b/queue-6.18/net-sfp-improve-huawei-ma5671a-fixup.patch new file mode 100644 index 0000000000..35899fd0aa --- /dev/null +++ b/queue-6.18/net-sfp-improve-huawei-ma5671a-fixup.patch @@ -0,0 +1,58 @@ +From 8581eaccd41fe5e6fcbd5510627b8934eb6d7ff3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 13:29:55 +0100 +Subject: net: sfp: improve Huawei MA5671a fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ] + +With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT +signal, but we also need to apply sfp_fixup_ignore_los() in order to be +able to communicate with the module even if the fiber isn't connected for +configuration purposes. +This is needed for all the MA5671a firmwares, excluding the FS modded +firmware. + +Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 43aefdd8b70f7..ca09925335725 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -367,6 +367,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp) ++{ ++ sfp_fixup_ignore_tx_fault(sfp); ++ sfp_fixup_ignore_los(sfp); ++} ++ + static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask) + { + sfp->state_hw_mask &= ~mask; +@@ -530,7 +536,7 @@ static const struct sfp_quirk sfp_quirks[] = { + // Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in + // their EEPROM + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, +- sfp_fixup_ignore_tx_fault), ++ sfp_fixup_ignore_tx_fault_and_los), + + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. +-- +2.51.0 + diff --git a/queue-6.18/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch b/queue-6.18/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch new file mode 100644 index 0000000000..c06e2c715a --- /dev/null +++ b/queue-6.18/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch @@ -0,0 +1,53 @@ +From 55ce84695d25c50037229a8883e5f748455f0f56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:39:38 +0800 +Subject: net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() + +From: Vivian Wang + +[ Upstream commit 3aa1417803c1833cbd5bacb7e6a6489a196f2519 ] + +Even if we get a dma_mapping_error() while mapping an RX buffer, we +should still update rx_ring->head to ensure that the buffers we were +able to allocate and map are used. Fix this by breaking out to the +existing code after the loop, analogous to the existing handling for skb +allocation failure. + +Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC") +Signed-off-by: Vivian Wang +Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-1-e4e434d65055@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/spacemit/k1_emac.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c +index b49c4708bf9eb..5de69a105168a 100644 +--- a/drivers/net/ethernet/spacemit/k1_emac.c ++++ b/drivers/net/ethernet/spacemit/k1_emac.c +@@ -582,7 +582,9 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv) + DMA_FROM_DEVICE); + if (dma_mapping_error(&priv->pdev->dev, rx_buf->dma_addr)) { + dev_err_ratelimited(&ndev->dev, "Mapping skb failed\n"); +- goto err_free_skb; ++ dev_kfree_skb_any(skb); ++ rx_buf->skb = NULL; ++ break; + } + + rx_desc_addr = &((struct emac_desc *)rx_ring->desc_addr)[i]; +@@ -607,10 +609,6 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv) + + rx_ring->head = i; + return; +- +-err_free_skb: +- dev_kfree_skb_any(skb); +- rx_buf->skb = NULL; + } + + /* Returns number of packets received */ +-- +2.51.0 + diff --git a/queue-6.18/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch b/queue-6.18/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch new file mode 100644 index 0000000000..2936be3b3c --- /dev/null +++ b/queue-6.18/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch @@ -0,0 +1,53 @@ +From 939e36ee3dd593366a5d8f27275f0110b8cb4c54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:39:39 +0800 +Subject: net: spacemit: Fix error handling in emac_tx_mem_map() + +From: Vivian Wang + +[ Upstream commit 86292155bea578ebab0ca3b65d4d87ecd8a0e9ea ] + +The DMA mappings were leaked on mapping error. Free them with the +existing emac_free_tx_buf() function. + +Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC") +Signed-off-by: Vivian Wang +Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-2-e4e434d65055@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/spacemit/k1_emac.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c +index 5de69a105168a..d64ca7bbda9ea 100644 +--- a/drivers/net/ethernet/spacemit/k1_emac.c ++++ b/drivers/net/ethernet/spacemit/k1_emac.c +@@ -750,7 +750,7 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb) + struct emac_desc tx_desc, *tx_desc_addr; + struct device *dev = &priv->pdev->dev; + struct emac_tx_desc_buffer *tx_buf; +- u32 head, old_head, frag_num, f; ++ u32 head, old_head, frag_num, f, i; + bool buf_idx; + + frag_num = skb_shinfo(skb)->nr_frags; +@@ -818,6 +818,15 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb) + + err_free_skb: + dev_dstats_tx_dropped(priv->ndev); ++ ++ i = old_head; ++ while (i != head) { ++ emac_free_tx_buf(priv, i); ++ ++ if (++i == tx_ring->total_cnt) ++ i = 0; ++ } ++ + dev_kfree_skb_any(skb); + } + +-- +2.51.0 + diff --git a/queue-6.18/net-ti-am65-cpsw-move-hw-timestamping-to-ndo-callbac.patch b/queue-6.18/net-ti-am65-cpsw-move-hw-timestamping-to-ndo-callbac.patch new file mode 100644 index 0000000000..4bd809d446 --- /dev/null +++ b/queue-6.18/net-ti-am65-cpsw-move-hw-timestamping-to-ndo-callbac.patch @@ -0,0 +1,143 @@ +From f68d9ae2c32321b58c18ee3b55d2200496fe323a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Oct 2025 15:25:09 +0000 +Subject: net: ti: am65-cpsw: move hw timestamping to ndo callback + +From: Vadim Fedorenko + +[ Upstream commit ed5d5928bd54f66af19b71ad342ebf0947d50674 ] + +Migrate driver to new API for HW timestamping. + +Reviewed-by: Simon Horman +Reviewed-by: Jacob Keller +Signed-off-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251016152515.3510991-2-vadim.fedorenko@linux.dev +Signed-off-by: Jakub Kicinski +Stable-dep-of: 840c9d13cb1c ("net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP support") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 44 +++++++++++------------- + 1 file changed, 20 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 77c2cf61c1fb4..071a7c42caa9a 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1788,28 +1788,28 @@ static int am65_cpsw_nuss_ndo_slave_set_mac_address(struct net_device *ndev, + } + + static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, +- struct ifreq *ifr) ++ struct kernel_hwtstamp_config *cfg, ++ struct netlink_ext_ack *extack) + { + struct am65_cpsw_port *port = am65_ndev_to_port(ndev); + u32 ts_ctrl, seq_id, ts_ctrl_ltype2, ts_vlan_ltype; +- struct hwtstamp_config cfg; + +- if (!IS_ENABLED(CONFIG_TI_K3_AM65_CPTS)) ++ if (!IS_ENABLED(CONFIG_TI_K3_AM65_CPTS)) { ++ NL_SET_ERR_MSG(extack, "Time stamping is not supported"); + return -EOPNOTSUPP; +- +- if (copy_from_user(&cfg, ifr->ifr_data, sizeof(cfg))) +- return -EFAULT; ++ } + + /* TX HW timestamp */ +- switch (cfg.tx_type) { ++ switch (cfg->tx_type) { + case HWTSTAMP_TX_OFF: + case HWTSTAMP_TX_ON: + break; + default: ++ NL_SET_ERR_MSG(extack, "TX mode is not supported"); + return -ERANGE; + } + +- switch (cfg.rx_filter) { ++ switch (cfg->rx_filter) { + case HWTSTAMP_FILTER_NONE: + port->rx_ts_enabled = false; + break; +@@ -1826,17 +1826,19 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + case HWTSTAMP_FILTER_PTP_V2_SYNC: + case HWTSTAMP_FILTER_PTP_V2_DELAY_REQ: + port->rx_ts_enabled = true; +- cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT | HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT | HWTSTAMP_FILTER_PTP_V1_L4_EVENT; + break; + case HWTSTAMP_FILTER_ALL: + case HWTSTAMP_FILTER_SOME: + case HWTSTAMP_FILTER_NTP_ALL: ++ NL_SET_ERR_MSG(extack, "RX filter is not supported"); + return -EOPNOTSUPP; + default: ++ NL_SET_ERR_MSG(extack, "RX filter is not supported"); + return -ERANGE; + } + +- port->tx_ts_enabled = (cfg.tx_type == HWTSTAMP_TX_ON); ++ port->tx_ts_enabled = (cfg->tx_type == HWTSTAMP_TX_ON); + + /* cfg TX timestamp */ + seq_id = (AM65_CPSW_TS_SEQ_ID_OFFSET << +@@ -1872,25 +1874,24 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + AM65_CPSW_PORTN_REG_TS_CTL_LTYPE2); + writel(ts_ctrl, port->port_base + AM65_CPSW_PORTN_REG_TS_CTL); + +- return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0; ++ return 0; + } + + static int am65_cpsw_nuss_hwtstamp_get(struct net_device *ndev, +- struct ifreq *ifr) ++ struct kernel_hwtstamp_config *cfg) + { + struct am65_cpsw_port *port = am65_ndev_to_port(ndev); +- struct hwtstamp_config cfg; + + if (!IS_ENABLED(CONFIG_TI_K3_AM65_CPTS)) + return -EOPNOTSUPP; + +- cfg.flags = 0; +- cfg.tx_type = port->tx_ts_enabled ? ++ cfg->flags = 0; ++ cfg->tx_type = port->tx_ts_enabled ? + HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF; +- cfg.rx_filter = port->rx_ts_enabled ? HWTSTAMP_FILTER_PTP_V2_EVENT | ++ cfg->rx_filter = port->rx_ts_enabled ? HWTSTAMP_FILTER_PTP_V2_EVENT | + HWTSTAMP_FILTER_PTP_V1_L4_EVENT : HWTSTAMP_FILTER_NONE; + +- return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0; ++ return 0; + } + + static int am65_cpsw_nuss_ndo_slave_ioctl(struct net_device *ndev, +@@ -1901,13 +1902,6 @@ static int am65_cpsw_nuss_ndo_slave_ioctl(struct net_device *ndev, + if (!netif_running(ndev)) + return -EINVAL; + +- switch (cmd) { +- case SIOCSHWTSTAMP: +- return am65_cpsw_nuss_hwtstamp_set(ndev, req); +- case SIOCGHWTSTAMP: +- return am65_cpsw_nuss_hwtstamp_get(ndev, req); +- } +- + return phylink_mii_ioctl(port->slave.phylink, req, cmd); + } + +@@ -1991,6 +1985,8 @@ static const struct net_device_ops am65_cpsw_nuss_netdev_ops = { + .ndo_set_tx_maxrate = am65_cpsw_qos_ndo_tx_p0_set_maxrate, + .ndo_bpf = am65_cpsw_ndo_bpf, + .ndo_xdp_xmit = am65_cpsw_ndo_xdp_xmit, ++ .ndo_hwtstamp_get = am65_cpsw_nuss_hwtstamp_get, ++ .ndo_hwtstamp_set = am65_cpsw_nuss_hwtstamp_set, + }; + + static void am65_cpsw_disable_phy(struct phy *phy) +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_tables-always-walk-all-pending-catchall.patch b/queue-6.18/netfilter-nf_tables-always-walk-all-pending-catchall.patch new file mode 100644 index 0000000000..9246b5a46d --- /dev/null +++ b/queue-6.18/netfilter-nf_tables-always-walk-all-pending-catchall.patch @@ -0,0 +1,57 @@ +From 2dff1d0b7450af4d650b53071810386ff00db329 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:32:00 +0100 +Subject: netfilter: nf_tables: always walk all pending catchall elements + +From: Florian Westphal + +[ Upstream commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 ] + +During transaction processing we might have more than one catchall element: +1 live catchall element and 1 pending element that is coming as part of the +new batch. + +If the map holding the catchall elements is also going away, its +required to toggle all catchall elements and not just the first viable +candidate. + +Otherwise, we get: + WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 + RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] + [..] + __nft_set_elem_destroy+0x106/0x380 [nf_tables] + nf_tables_abort_release+0x348/0x8d0 [nf_tables] + nf_tables_abort+0xcf2/0x3ac0 [nf_tables] + nfnetlink_rcv_batch+0x9c9/0x20e0 [..] + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Reported-by: Yiming Qian +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ed1d639fe34d7..b6a575ec33159 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -828,7 +828,6 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, + + nft_set_elem_change_active(ctx->net, set, ext); + nft_setelem_data_deactivate(ctx->net, set, catchall->elem); +- break; + } + } + +@@ -5928,7 +5927,6 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + nft_clear(ctx->net, ext); + nft_setelem_data_activate(ctx->net, set, catchall->elem); +- break; + } + } + +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch b/queue-6.18/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch new file mode 100644 index 0000000000..efd0de78ab --- /dev/null +++ b/queue-6.18/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch @@ -0,0 +1,55 @@ +From 9682dc5d4651231cc340d8b7d47ef1481a801969 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 13:01:44 +0100 +Subject: netfilter: nf_tables: Fix for duplicate device in netdev hooks + +From: Phil Sutter + +[ Upstream commit b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b ] + +When handling NETDEV_REGISTER notification, duplicate device +registration must be avoided since the device may have been added by +nft_netdev_hook_alloc() already when creating the hook. + +Suggested-by: Florian Westphal +Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c +Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events") +Tested-by: Helen Koike +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + net/netfilter/nft_chain_filter.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index 598a9fe03fb0b..ed1d639fe34d7 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9841,7 +9841,7 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev, + break; + case NETDEV_REGISTER: + /* NOP if not matching or already registered */ +- if (!match || (changename && ops)) ++ if (!match || ops) + continue; + + ops = kzalloc(sizeof(struct nf_hook_ops), +diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c +index b16185e9a6dd7..041426e3bdbf1 100644 +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -344,7 +344,7 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev, + break; + case NETDEV_REGISTER: + /* NOP if not matching or already registered */ +- if (!match || (changename && ops)) ++ if (!match || ops) + continue; + + ops = kmemdup(&basechain->ops, +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-6.18/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..fe61d66f18 --- /dev/null +++ b/queue-6.18/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From bedb26765517f4bcc5a11bec39f43000488d5147 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 97248963a7d3b..71a248cca746a 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-6.18/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..0ed4ef50ce --- /dev/null +++ b/queue-6.18/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From de4fa59423052b6499ade63d86717f637a4061b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 34548213f2f14..0b96d20bacb73 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1549,8 +1549,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-6.18/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-6.18/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..318b72db23 --- /dev/null +++ b/queue-6.18/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From b7e3f3f2683c703aab3d8f0edfd99bfb3a8ef8ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index d9b74d588c768..394b78a00a6a5 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1641,6 +1641,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1660,7 +1661,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-6.18/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-6.18/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..9c1e416476 --- /dev/null +++ b/queue-6.18/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From 9d82d67f0aa5762925953cb615dd7605871855b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index e8991130a3de0..f76cf18f1a244 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-6.18/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-6.18/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..2a42a3f6f4 --- /dev/null +++ b/queue-6.18/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From f1181a3bd24aeaf93c0c03e333e5665edc4f5506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index d73957592c9d9..bb7af92ac82a4 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -318,6 +318,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + secs_to_jiffies(info->timeout) + jiffies); +-- +2.51.0 + diff --git a/queue-6.18/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch b/queue-6.18/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch new file mode 100644 index 0000000000..c6f8d2f64a --- /dev/null +++ b/queue-6.18/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch @@ -0,0 +1,58 @@ +From 9325c043ea5dff5955013ac82c2a8eccf438ec27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Feb 2026 13:04:40 +0100 +Subject: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir + +From: Roberto Bergantinos Corpas + +[ Upstream commit 410666a298c34ebd57256fde6b24c96bd23059a2 ] + +If we found an alias through nfs3_do_create/nfs_add_or_obtain +/d_splice_alias which happens to be a dir dentry, we don't return +any error, and simply forget about this alias, but the original +dentry we were adding and passed as parameter remains negative. + +This later causes an oops on nfs_atomic_open_v23/finish_open since we +supply a negative dentry to do_dentry_open. + +This has been observed running lustre-racer, where dirs and files are +created/removed concurrently with the same name and O_EXCL is not +used to open files (frequent file redirection). + +While d_splice_alias typically returns a directory alias or NULL, we +explicitly check d_is_dir() to ensure that we don't attempt to perform +file operations (like finish_open) on a directory inode, which triggers +the observed oops. + +Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.") +Reviewed-by: Olga Kornievskaia +Reviewed-by: Scott Mayhew +Signed-off-by: Roberto Bergantinos Corpas +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3proc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c +index a4cb67573aa7c..993f62636a772 100644 +--- a/fs/nfs/nfs3proc.c ++++ b/fs/nfs/nfs3proc.c +@@ -392,8 +392,13 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + if (status != 0) + goto out_release_acls; + +- if (d_alias) ++ if (d_alias) { ++ if (d_is_dir(d_alias)) { ++ status = -EISDIR; ++ goto out_dput; ++ } + dentry = d_alias; ++ } + + /* When we created the file with exclusive semantics, make + * sure we set the attributes afterwards. */ +-- +2.51.0 + diff --git a/queue-6.18/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch b/queue-6.18/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch new file mode 100644 index 0000000000..dcc08bd48c --- /dev/null +++ b/queue-6.18/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch @@ -0,0 +1,122 @@ +From 1245222ad778a96bde36d971a03bde476c2e3c07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 14:46:36 -0500 +Subject: nvme-pci: Fix race bug in nvme_poll_irqdisable() + +From: Sungwoo Kim + +[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ] + +In the following scenario, pdev can be disabled between (1) and (3) by +(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will +return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). +This causes IRQ warning because it tries to enable INTx IRQ that has +never been disabled before. + +To fix this, save IRQ number into a local variable and ensure +disable_irq() and enable_irq() operate on the same IRQ number. Even if +pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and +enable_irq() on a stale IRQ number is still valid and safe, and the +depth accounting reamins balanced. + +task 1: +nvme_poll_irqdisable() + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) + +task 2: +nvme_reset_work() + nvme_dev_disable() + pdev->msix_enable = 0; ...(2) + +crash log: + +------------[ cut here ]------------ +Unbalanced enable for IRQ 10 +WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 +Modules linked in: +CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_timeout_work +RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 +Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 +RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 +RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 +RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 +RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 +R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 +R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 +FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 +Call Trace: + + enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 + nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 + nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 + blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] + blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 + bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 + __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] + sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] + bt_for_each block/blk-mq-tag.c:324 [inline] + blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 + blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +irq event stamp: 74478 +hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] +hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 +hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] +hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 +softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +---[ end trace 0000000000000000 ]--- + +Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Reviewed-by: Christoph Hellwig +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index fe2343823e79e..9987b711091f0 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1413,14 +1413,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data) + static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + { + struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev); ++ int irq; + + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + +- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ irq = pci_irq_vector(pdev, nvmeq->cq_vector); ++ disable_irq(irq); + spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); + spin_unlock(&nvmeq->cq_poll_lock); +- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ enable_irq(irq); + } + + static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) +-- +2.51.0 + diff --git a/queue-6.18/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-6.18/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..95c2870086 --- /dev/null +++ b/queue-6.18/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 9bd6edc819404c2c1e26bfc842c18e03ca015318 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 391c854428d3e..fe2343823e79e 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -388,7 +388,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..fd16468686 --- /dev/null +++ b/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From 8c5b9aadef669872ba74ac5b0e2278de3f22dd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 3735372539bd9..23f51fed4666d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -475,7 +475,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..f32b3edd99 --- /dev/null +++ b/queue-6.18/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From 12b4d66660cd4adf8f2f634b8ac3584ed2a3bde8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 23f51fed4666d..5852a72b22306 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-6.18/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch b/queue-6.18/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch new file mode 100644 index 0000000000..6c98ea9b1d --- /dev/null +++ b/queue-6.18/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch @@ -0,0 +1,68 @@ +From f2d94d78920b894a1f495ebd1f462d352b6c8a25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 17:39:07 -0700 +Subject: page_pool: store detach_time as ktime_t to avoid false-negatives + +From: Jakub Kicinski + +[ Upstream commit 28b225282d44e2ef40e7f46cfdbd5d1b20b8874f ] + +While testing other changes in vng I noticed that +nl_netdev.page_pool_check flakes. This never happens in real CI. + +Turns out vng may boot and get to that test in less than a second. +page_pool_detached() records the detach time in seconds, so if +vng is fast enough detach time is set to 0. Other code treats +0 as "not detached". detach_time is only used to report the state +to the user, so it's not a huge deal in practice but let's fix it. +Store the raw ktime_t (nanoseconds) instead. A nanosecond value +of 0 is practically impossible. + +Acked-by: Jesper Dangaard Brouer +Fixes: 69cb4952b6f6 ("net: page_pool: report when page pool was destroyed") +Link: https://patch.msgid.link/20260310003907.3540019-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/page_pool/types.h | 2 +- + net/core/page_pool_user.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/net/page_pool/types.h b/include/net/page_pool/types.h +index 1509a536cb855..fb4f03ccd6156 100644 +--- a/include/net/page_pool/types.h ++++ b/include/net/page_pool/types.h +@@ -246,7 +246,7 @@ struct page_pool { + /* User-facing fields, protected by page_pools_lock */ + struct { + struct hlist_node list; +- u64 detach_time; ++ ktime_t detach_time; + u32 id; + } user; + }; +diff --git a/net/core/page_pool_user.c b/net/core/page_pool_user.c +index c82a95beceff8..ee5060d8eec0e 100644 +--- a/net/core/page_pool_user.c ++++ b/net/core/page_pool_user.c +@@ -245,7 +245,7 @@ page_pool_nl_fill(struct sk_buff *rsp, const struct page_pool *pool, + goto err_cancel; + if (pool->user.detach_time && + nla_put_uint(rsp, NETDEV_A_PAGE_POOL_DETACH_TIME, +- pool->user.detach_time)) ++ ktime_divns(pool->user.detach_time, NSEC_PER_SEC))) + goto err_cancel; + + if (pool->mp_ops && pool->mp_ops->nl_fill(pool->mp_priv, rsp, NULL)) +@@ -337,7 +337,7 @@ int page_pool_list(struct page_pool *pool) + void page_pool_detached(struct page_pool *pool) + { + mutex_lock(&page_pools_lock); +- pool->user.detach_time = ktime_get_boottime_seconds(); ++ pool->user.detach_time = ktime_get_boottime(); + netdev_nl_page_pool_event(pool, NETDEV_CMD_PAGE_POOL_CHANGE_NTF); + mutex_unlock(&page_pools_lock); + } +-- +2.51.0 + diff --git a/queue-6.18/perf-annotate-fix-hashmap__new-error-checking.patch b/queue-6.18/perf-annotate-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..a163402a14 --- /dev/null +++ b/queue-6.18/perf-annotate-fix-hashmap__new-error-checking.patch @@ -0,0 +1,60 @@ +From 690d0bbc3f6bbe3ff8a9242c6b2cbaa3c48fae26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 11:56:48 +0800 +Subject: perf annotate: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit bf29cb3641b80bac759c3332b02e0b270e16bf94 ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set src->samples to NULL to prevent any later code from +accidentally using the error pointer. + +Fixes: d3e7cad6f36d9e80 ("perf annotate: Add a hashmap for symbol histogram") +Reviewed-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Tianyou Li +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index dc80d922f450d..8c493608291c2 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -44,6 +44,7 @@ + #include "strbuf.h" + #include + #include ++#include + #include + #include + #include +@@ -137,8 +138,10 @@ static int annotated_source__alloc_histograms(struct annotated_source *src, + return -1; + + src->samples = hashmap__new(sym_hist_hash, sym_hist_equal, NULL); +- if (src->samples == NULL) ++ if (IS_ERR(src->samples)) { + zfree(&src->histograms); ++ src->samples = NULL; ++ } + + return src->histograms ? 0 : -1; + } +-- +2.51.0 + diff --git a/queue-6.18/perf-disasm-fix-off-by-one-bug-in-outside-check.patch b/queue-6.18/perf-disasm-fix-off-by-one-bug-in-outside-check.patch new file mode 100644 index 0000000000..c8c4ca2605 --- /dev/null +++ b/queue-6.18/perf-disasm-fix-off-by-one-bug-in-outside-check.patch @@ -0,0 +1,53 @@ +From 8fa5fbac7c398e16c73cb8e190b0b4bd5e91b394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 11:06:12 -0800 +Subject: perf disasm: Fix off-by-one bug in outside check + +From: Peter Collingbourne + +[ Upstream commit b3ce769203a99d6f3c6d6269ec09232a8c5da422 ] + +If a branch target points to one past the end of a function, the branch +should be treated as a branch to another function. + +This can happen e.g. with a tail call to a function that is laid out +immediately after the caller. + +Fixes: 751b1783da784299 ("perf annotate: Mark jumps to outher functions with the call arrow") +Reviewed-by: Ian Rogers +Signed-off-by: Peter Collingbourne +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Bill Wendling +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Justin Stitt +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Link: https://linux-review.googlesource.com/id/Ide471112e82d68177e0faf08ca411d9fcf0a7bdf +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/disasm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c +index 88706b98b9064..b1be847446fea 100644 +--- a/tools/perf/util/disasm.c ++++ b/tools/perf/util/disasm.c +@@ -412,7 +412,7 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s + start = map__unmap_ip(map, sym->start); + end = map__unmap_ip(map, sym->end); + +- ops->target.outside = target.addr < start || target.addr > end; ++ ops->target.outside = target.addr < start || target.addr >= end; + + /* + * FIXME: things like this in _cpp_lex_token (gcc's cc1 program): +-- +2.51.0 + diff --git a/queue-6.18/perf-ftrace-fix-hashmap__new-error-checking.patch b/queue-6.18/perf-ftrace-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..03d5fc8a31 --- /dev/null +++ b/queue-6.18/perf-ftrace-fix-hashmap__new-error-checking.patch @@ -0,0 +1,62 @@ +From 56911fa93600126aff75d462442258ff1fac82b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 12:10:52 +0800 +Subject: perf ftrace: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit be34705aa527872e5ce83927b7bc9307ba8095ca ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set ftrace->profile_hash to NULL on error, and return the +exact error code from hashmap__new(). + +Fixes: 0f223813edd051a5 ("perf ftrace: Add 'profile' command") +Suggested-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-ftrace.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c +index 6b6eec65f93f5..4cc33452d79b6 100644 +--- a/tools/perf/builtin-ftrace.c ++++ b/tools/perf/builtin-ftrace.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1209,8 +1210,12 @@ static int prepare_func_profile(struct perf_ftrace *ftrace) + ftrace->graph_verbose = 0; + + ftrace->profile_hash = hashmap__new(profile_hash, profile_equal, NULL); +- if (ftrace->profile_hash == NULL) +- return -ENOMEM; ++ if (IS_ERR(ftrace->profile_hash)) { ++ int err = PTR_ERR(ftrace->profile_hash); ++ ++ ftrace->profile_hash = NULL; ++ return err; ++ } + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/perf-synthetic-events-fix-stale-build-id-in-module-m.patch b/queue-6.18/perf-synthetic-events-fix-stale-build-id-in-module-m.patch new file mode 100644 index 0000000000..962f01fa86 --- /dev/null +++ b/queue-6.18/perf-synthetic-events-fix-stale-build-id-in-module-m.patch @@ -0,0 +1,79 @@ +From 9cd6414f61dfe1e4d1698f9958648a6610599d45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:59:51 -0400 +Subject: perf synthetic-events: Fix stale build ID in module MMAP2 records + +From: Chuck Lever + +[ Upstream commit 35b16a7a2c4fc458304447128b86514ce9f70f3c ] + +perf_event__synthesize_modules() allocates a single union perf_event and +reuses it across every kernel module callback. + +After the first module is processed, perf_record_mmap2__read_build_id() +sets PERF_RECORD_MISC_MMAP_BUILD_ID in header.misc and writes that +module's build ID into the event. + +On subsequent iterations the callback overwrites start, len, pid, and +filename for the next module but never clears the stale build ID fields +or the MMAP_BUILD_ID flag. + +When perf_record_mmap2__read_build_id() runs for the second module it +sees the flag, reads the stale build ID into a dso_id, and +__dso__improve_id() permanently poisons the DSO with the wrong build ID. + +Every module after the first therefore receives the first module's build +ID in its MMAP2 record. + +On a system with the sunrpc and nfsd modules loaded, this causes perf +script and perf report to show [unknown] for all module symbols. + +The latent bug has existed since commit d9f2ecbc5e47fca7 ("perf dso: +Move build_id to dso_id") introduced the PERF_RECORD_MISC_MMAP_BUILD_ID +check in perf_record_mmap2__read_build_id(). + +Commit 53b00ff358dc75b1 ("perf record: Make --buildid-mmap the default") +then exposed it to all users by making the MMAP2-with-build-ID path the +default. Both commits were merged in the same series. + +Clear the MMAP_BUILD_ID flag and zero the build_id union before each +call to perf_record_mmap2__read_build_id() so that every module starts +with a clean slate. + +Fixes: d9f2ecbc5e47fca7 ("perf dso: Move build_id to dso_id") +Reviewed-by: Ian Rogers +Signed-off-by: Chuck Lever +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/synthetic-events.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c +index fcd1fd13c30e6..c85d219928d47 100644 +--- a/tools/perf/util/synthetic-events.c ++++ b/tools/perf/util/synthetic-events.c +@@ -703,6 +703,11 @@ static int perf_event__synthesize_modules_maps_cb(struct map *map, void *data) + + memcpy(event->mmap2.filename, dso__long_name(dso), dso__long_name_len(dso) + 1); + ++ /* Clear stale build ID from previous module iteration */ ++ event->mmap2.header.misc &= ~PERF_RECORD_MISC_MMAP_BUILD_ID; ++ memset(event->mmap2.build_id, 0, sizeof(event->mmap2.build_id)); ++ event->mmap2.build_id_size = 0; ++ + perf_record_mmap2__read_build_id(&event->mmap2, args->machine, false); + } else { + size = PERF_ALIGN(dso__long_name_len(dso) + 1, sizeof(u64)); +-- +2.51.0 + diff --git a/queue-6.18/regulator-pca9450-add-support-for-setting-debounce-s.patch b/queue-6.18/regulator-pca9450-add-support-for-setting-debounce-s.patch new file mode 100644 index 0000000000..72be5c547d --- /dev/null +++ b/queue-6.18/regulator-pca9450-add-support-for-setting-debounce-s.patch @@ -0,0 +1,259 @@ +From df92bca5246662c72e67a94878ad097b53fd935d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Nov 2025 21:22:14 +0100 +Subject: regulator: pca9450: Add support for setting debounce settings + +From: Martijn de Gouw + +[ Upstream commit d9d0be59be2580f2c5e4b7217aafb980e8c371cf ] + +Make the different debounce timers configurable from the devicetree. +Depending on the board design, these have to be set different than the +default register values. + +Signed-off-by: Martijn de Gouw +Link: https://patch.msgid.link/20251117202215.1936139-2-martijn.de.gouw@prodrive-technologies.com +Signed-off-by: Mark Brown +Stable-dep-of: 21b3fb7dc19c ("regulator: pca9450: Correct probed name for PCA9452") +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 158 ++++++++++++++++++++++---- + include/linux/regulator/pca9450.h | 32 ++++++ + 2 files changed, 171 insertions(+), 19 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 086ea88413828..95632b1e8ce4c 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -1117,6 +1117,143 @@ static int pca9450_i2c_restart_handler(struct sys_off_data *data) + return 0; + } + ++static int pca9450_of_init(struct pca9450 *pca9450) ++{ ++ struct i2c_client *i2c = container_of(pca9450->dev, struct i2c_client, dev); ++ int ret; ++ unsigned int val; ++ unsigned int reset_ctrl; ++ unsigned int rstb_deb_ctrl; ++ unsigned int t_on_deb, t_off_deb; ++ unsigned int t_on_step, t_off_step; ++ unsigned int t_restart; ++ ++ if (of_property_read_bool(i2c->dev.of_node, "nxp,wdog_b-warm-reset")) ++ reset_ctrl = WDOG_B_CFG_WARM; ++ else ++ reset_ctrl = WDOG_B_CFG_COLD_LDO12; ++ ++ /* Set reset behavior on assertion of WDOG_B signal */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_RESET_CTRL, ++ WDOG_B_CFG_MASK, reset_ctrl); ++ if (ret) ++ return dev_err_probe(&i2c->dev, ret, "Failed to set WDOG_B reset behavior\n"); ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "npx,pmic-rst-b-debounce-ms", &val); ++ if (ret == -EINVAL) ++ rstb_deb_ctrl = T_PMIC_RST_DEB_50MS; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 10: rstb_deb_ctrl = T_PMIC_RST_DEB_10MS; break; ++ case 50: rstb_deb_ctrl = T_PMIC_RST_DEB_50MS; break; ++ case 100: rstb_deb_ctrl = T_PMIC_RST_DEB_100MS; break; ++ case 500: rstb_deb_ctrl = T_PMIC_RST_DEB_500MS; break; ++ case 1000: rstb_deb_ctrl = T_PMIC_RST_DEB_1S; break; ++ case 2000: rstb_deb_ctrl = T_PMIC_RST_DEB_2S; break; ++ case 4000: rstb_deb_ctrl = T_PMIC_RST_DEB_4S; break; ++ case 8000: rstb_deb_ctrl = T_PMIC_RST_DEB_8S; break; ++ default: return -EINVAL; ++ } ++ } ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_RESET_CTRL, ++ T_PMIC_RST_DEB_MASK, rstb_deb_ctrl); ++ if (ret) ++ return dev_err_probe(&i2c->dev, ret, "Failed to set PMIC_RST_B debounce time\n"); ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "nxp,pmic-on-req-on-debounce-us", &val); ++ if (ret == -EINVAL) ++ t_on_deb = T_ON_DEB_20MS; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 120: t_on_deb = T_ON_DEB_120US; break; ++ case 20000: t_on_deb = T_ON_DEB_20MS; break; ++ case 100000: t_on_deb = T_ON_DEB_100MS; break; ++ case 750000: t_on_deb = T_ON_DEB_750MS; break; ++ default: return -EINVAL; ++ } ++ } ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "nxp,pmic-on-req-off-debounce-us", &val); ++ if (ret == -EINVAL) ++ t_off_deb = T_OFF_DEB_120US; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 120: t_off_deb = T_OFF_DEB_120US; break; ++ case 2000: t_off_deb = T_OFF_DEB_2MS; break; ++ default: return -EINVAL; ++ } ++ } ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "nxp,power-on-step-ms", &val); ++ if (ret == -EINVAL) ++ t_on_step = T_ON_STEP_2MS; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 1: t_on_step = T_ON_STEP_1MS; break; ++ case 2: t_on_step = T_ON_STEP_2MS; break; ++ case 4: t_on_step = T_ON_STEP_4MS; break; ++ case 8: t_on_step = T_ON_STEP_8MS; break; ++ default: return -EINVAL; ++ } ++ } ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "nxp,power-down-step-ms", &val); ++ if (ret == -EINVAL) ++ t_off_step = T_OFF_STEP_8MS; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 2: t_off_step = T_OFF_STEP_2MS; break; ++ case 4: t_off_step = T_OFF_STEP_4MS; break; ++ case 8: t_off_step = T_OFF_STEP_8MS; break; ++ case 16: t_off_step = T_OFF_STEP_16MS; break; ++ default: return -EINVAL; ++ } ++ } ++ ++ ret = of_property_read_u32(i2c->dev.of_node, "nxp,restart-ms", &val); ++ if (ret == -EINVAL) ++ t_restart = T_RESTART_250MS; ++ else if (ret) ++ return ret; ++ else { ++ switch (val) { ++ case 250: t_restart = T_RESTART_250MS; break; ++ case 500: t_restart = T_RESTART_500MS; break; ++ default: return -EINVAL; ++ } ++ } ++ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_PWRCTRL, ++ T_ON_DEB_MASK | T_OFF_DEB_MASK | T_ON_STEP_MASK | ++ T_OFF_STEP_MASK | T_RESTART_MASK, ++ t_on_deb | t_off_deb | t_on_step | ++ t_off_step | t_restart); ++ if (ret) ++ return dev_err_probe(&i2c->dev, ret, ++ "Failed to set PWR_CTRL debounce configuration\n"); ++ ++ if (of_property_read_bool(i2c->dev.of_node, "nxp,i2c-lt-enable")) { ++ /* Enable I2C Level Translator */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_CONFIG2, ++ I2C_LT_MASK, I2C_LT_ON_STANDBY_RUN); ++ if (ret) ++ return dev_err_probe(&i2c->dev, ret, ++ "Failed to enable I2C level translator\n"); ++ } ++ ++ return 0; ++} ++ + static int pca9450_i2c_probe(struct i2c_client *i2c) + { + enum pca9450_chip_type type = (unsigned int)(uintptr_t) +@@ -1126,7 +1263,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + struct regulator_dev *ldo5; + struct pca9450 *pca9450; + unsigned int device_id, i; +- unsigned int reset_ctrl; + int ret; + + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); +@@ -1224,25 +1360,9 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + if (ret) + return dev_err_probe(&i2c->dev, ret, "Failed to clear PRESET_EN bit\n"); + +- if (of_property_read_bool(i2c->dev.of_node, "nxp,wdog_b-warm-reset")) +- reset_ctrl = WDOG_B_CFG_WARM; +- else +- reset_ctrl = WDOG_B_CFG_COLD_LDO12; +- +- /* Set reset behavior on assertion of WDOG_B signal */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_RESET_CTRL, +- WDOG_B_CFG_MASK, reset_ctrl); ++ ret = pca9450_of_init(pca9450); + if (ret) +- return dev_err_probe(&i2c->dev, ret, "Failed to set WDOG_B reset behavior\n"); +- +- if (of_property_read_bool(i2c->dev.of_node, "nxp,i2c-lt-enable")) { +- /* Enable I2C Level Translator */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_CONFIG2, +- I2C_LT_MASK, I2C_LT_ON_STANDBY_RUN); +- if (ret) +- return dev_err_probe(&i2c->dev, ret, +- "Failed to enable I2C level translator\n"); +- } ++ return dev_err_probe(&i2c->dev, ret, "Unable to parse OF data\n"); + + /* + * For LDO5 we need to be able to check the status of the SD_VSEL input in +diff --git a/include/linux/regulator/pca9450.h b/include/linux/regulator/pca9450.h +index 85b4fecc10d82..0df8b3c48082f 100644 +--- a/include/linux/regulator/pca9450.h ++++ b/include/linux/regulator/pca9450.h +@@ -223,12 +223,44 @@ enum { + #define IRQ_THERM_105 0x02 + #define IRQ_THERM_125 0x01 + ++/* PCA9450_REG_PWRCTRL bits */ ++#define T_ON_DEB_MASK 0xC0 ++#define T_ON_DEB_120US (0 << 6) ++#define T_ON_DEB_20MS (1 << 6) ++#define T_ON_DEB_100MS (2 << 6) ++#define T_ON_DEB_750MS (3 << 6) ++#define T_OFF_DEB_MASK 0x20 ++#define T_OFF_DEB_120US (0 << 5) ++#define T_OFF_DEB_2MS (1 << 5) ++#define T_ON_STEP_MASK 0x18 ++#define T_ON_STEP_1MS (0 << 3) ++#define T_ON_STEP_2MS (1 << 3) ++#define T_ON_STEP_4MS (2 << 3) ++#define T_ON_STEP_8MS (3 << 3) ++#define T_OFF_STEP_MASK 0x06 ++#define T_OFF_STEP_2MS (0 << 1) ++#define T_OFF_STEP_4MS (1 << 1) ++#define T_OFF_STEP_8MS (2 << 1) ++#define T_OFF_STEP_16MS (3 << 1) ++#define T_RESTART_MASK 0x01 ++#define T_RESTART_250MS 0 ++#define T_RESTART_500MS 1 ++ + /* PCA9450_REG_RESET_CTRL bits */ + #define WDOG_B_CFG_MASK 0xC0 + #define WDOG_B_CFG_NONE 0x00 + #define WDOG_B_CFG_WARM 0x40 + #define WDOG_B_CFG_COLD_LDO12 0x80 + #define WDOG_B_CFG_COLD 0xC0 ++#define T_PMIC_RST_DEB_MASK 0x07 ++#define T_PMIC_RST_DEB_10MS 0x00 ++#define T_PMIC_RST_DEB_50MS 0x01 ++#define T_PMIC_RST_DEB_100MS 0x02 ++#define T_PMIC_RST_DEB_500MS 0x03 ++#define T_PMIC_RST_DEB_1S 0x04 ++#define T_PMIC_RST_DEB_2S 0x05 ++#define T_PMIC_RST_DEB_4S 0x06 ++#define T_PMIC_RST_DEB_8S 0x07 + + /* PCA9450_REG_CONFIG2 bits */ + #define I2C_LT_MASK 0x03 +-- +2.51.0 + diff --git a/queue-6.18/regulator-pca9450-correct-interrupt-type.patch b/queue-6.18/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..789bbed81e --- /dev/null +++ b/queue-6.18/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From a3a88d89e95df800b55944200044f81e7364b8fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 91b96dbab328b..086ea88413828 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -1203,7 +1203,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) + return dev_err_probe(pca9450->dev, ret, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-6.18/regulator-pca9450-correct-probed-name-for-pca9452.patch b/queue-6.18/regulator-pca9450-correct-probed-name-for-pca9452.patch new file mode 100644 index 0000000000..3e0d3aecd5 --- /dev/null +++ b/queue-6.18/regulator-pca9450-correct-probed-name-for-pca9452.patch @@ -0,0 +1,74 @@ +From fcc043c2c2daf82709cd2dd6900201e6b325015c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:53 +0800 +Subject: regulator: pca9450: Correct probed name for PCA9452 + +From: Peng Fan + +[ Upstream commit 21b3fb7dc19caa488d285e3c47999f7f1a179334 ] + +An incorrect device name was logged for PCA9452 because the dev_info() +ternary omitted PCA9452 and fell through to "pca9450bc". Introduce a +type_name and set it per device type so the probed message matches the +actual PMIC. While here, make the PCA9451A case explicit. + +No functional changes. + +Fixes: 017b76fb8e5b6 ("regulator: pca9450: Add PMIC pca9452 support") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-2-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 95632b1e8ce4c..f991dc9365f18 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -1263,6 +1263,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + struct regulator_dev *ldo5; + struct pca9450 *pca9450; + unsigned int device_id, i; ++ const char *type_name; + int ret; + + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); +@@ -1273,15 +1274,22 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + case PCA9450_TYPE_PCA9450A: + regulator_desc = pca9450a_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9450a_regulators); ++ type_name = "pca9450a"; + break; + case PCA9450_TYPE_PCA9450BC: + regulator_desc = pca9450bc_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9450bc_regulators); ++ type_name = "pca9450bc"; + break; + case PCA9450_TYPE_PCA9451A: ++ regulator_desc = pca9451a_regulators; ++ pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators); ++ type_name = "pca9451a"; ++ break; + case PCA9450_TYPE_PCA9452: + regulator_desc = pca9451a_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators); ++ type_name = "pca9452"; + break; + default: + dev_err(&i2c->dev, "Unknown device type"); +@@ -1383,9 +1391,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + pca9450_i2c_restart_handler, pca9450)) + dev_warn(&i2c->dev, "Failed to register restart handler\n"); + +- dev_info(&i2c->dev, "%s probed.\n", +- type == PCA9450_TYPE_PCA9450A ? "pca9450a" : +- (type == PCA9450_TYPE_PCA9451A ? "pca9451a" : "pca9450bc")); ++ dev_info(&i2c->dev, "%s probed.\n", type_name); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch b/queue-6.18/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch new file mode 100644 index 0000000000..c647d537f2 --- /dev/null +++ b/queue-6.18/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch @@ -0,0 +1,95 @@ +From 810528775d3280d54e54a79f0e72f6ed7cc7564f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 12:31:01 +0000 +Subject: rxrpc, afs: Fix missing error pointer check after + rxrpc_kernel_lookup_peer() + +From: Miaoqian Lin + +[ Upstream commit 4245a79003adf30e67f8e9060915bd05cb31d142 ] + +rxrpc_kernel_lookup_peer() can also return error pointers in addition to +NULL, so just checking for NULL is not sufficient. + +Fix this by: + + (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL + on allocation failure. + + (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the + error code returned. + +Fixes: 72904d7b9bfb ("rxrpc, afs: Allow afs to pin rxrpc_peer objects") +Signed-off-by: Miaoqian Lin +Co-developed-by: David Howells +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +Link: https://patch.msgid.link/368272.1772713861@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + fs/afs/addr_list.c | 8 ++++---- + net/rxrpc/af_rxrpc.c | 8 +++++--- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/fs/afs/addr_list.c b/fs/afs/addr_list.c +index e941da5b6dd92..b1704de3d95f5 100644 +--- a/fs/afs/addr_list.c ++++ b/fs/afs/addr_list.c +@@ -298,8 +298,8 @@ int afs_merge_fs_addr4(struct afs_net *net, struct afs_addr_list *alist, + srx.transport.sin.sin_addr.s_addr = xdr; + + peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL); +- if (!peer) +- return -ENOMEM; ++ if (IS_ERR(peer)) ++ return PTR_ERR(peer); + + for (i = 0; i < alist->nr_ipv4; i++) { + if (peer == alist->addrs[i].peer) { +@@ -342,8 +342,8 @@ int afs_merge_fs_addr6(struct afs_net *net, struct afs_addr_list *alist, + memcpy(&srx.transport.sin6.sin6_addr, xdr, 16); + + peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL); +- if (!peer) +- return -ENOMEM; ++ if (IS_ERR(peer)) ++ return PTR_ERR(peer); + + for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) { + if (peer == alist->addrs[i].peer) { +diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c +index 36df0274d7b74..d369e37525388 100644 +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -267,12 +267,13 @@ static int rxrpc_listen(struct socket *sock, int backlog) + * Lookup or create a remote transport endpoint record for the specified + * address. + * +- * Return: The peer record found with a reference, %NULL if no record is found +- * or a negative error code if the address is invalid or unsupported. ++ * Return: The peer record found with a reference or a negative error code if ++ * the address is invalid or unsupported. + */ + struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock, + struct sockaddr_rxrpc *srx, gfp_t gfp) + { ++ struct rxrpc_peer *peer; + struct rxrpc_sock *rx = rxrpc_sk(sock->sk); + int ret; + +@@ -280,7 +281,8 @@ struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock, + if (ret < 0) + return ERR_PTR(ret); + +- return rxrpc_lookup_peer(rx->local, srx, gfp); ++ peer = rxrpc_lookup_peer(rx->local, srx, gfp); ++ return peer ?: ERR_PTR(-ENOMEM); + } + EXPORT_SYMBOL(rxrpc_kernel_lookup_peer); + +-- +2.51.0 + diff --git a/queue-6.18/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-6.18/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..3f026c147c --- /dev/null +++ b/queue-6.18/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From 3e95c1c312b430e5cf38ed6926e30c1990cba2d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 8950796a493de..56132e843c991 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -357,16 +357,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index ac9690805be4f..d9c515da328e5 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -219,7 +219,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -237,6 +237,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-6.18/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-6.18/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..6305efe977 --- /dev/null +++ b/queue-6.18/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From ab571b38a44f2922377f726d0065da70b0a73a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index b90890030751f..1873d8287bb9b 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = 4096; +@@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 46d3dd8eae..0b734a441c 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -23,3 +23,81 @@ remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch remoteproc-mediatek-unprepare-scp-clock-during-syste.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch smb-server-fix-another-refcount-leak-in-smb2_open.patch +nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch +drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +btrfs-hold-space_info-lock-when-clearing-periodic-re.patch +workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch +perf-disasm-fix-off-by-one-bug-in-outside-check.patch +dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch +net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch +drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch +drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch +drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-5305 +bonding-do-not-set-usable_slaves-for-broadcast-mode.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch +net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch +net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch +net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch +net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch +net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch +drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch +spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch +spi-rockchip-sfc-fix-double-free-in-remove-callback.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch +net-sfp-improve-huawei-ma5671a-fixup.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch +mctp-i2c-fix-skb-memory-leak-in-receive-path.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +bonding-use-common-function-to-compute-the-features.patch +bonding-fix-type-confusion-in-bond_setup_by_slave.patch +mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch +amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch +amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch +net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch +netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch +netfilter-nf_tables-always-walk-all-pending-catchall.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +perf-annotate-fix-hashmap__new-error-checking.patch +regulator-pca9450-correct-interrupt-type.patch +regulator-pca9450-add-support-for-setting-debounce-s.patch +regulator-pca9450-correct-probed-name-for-pca9452.patch +perf-ftrace-fix-hashmap__new-error-checking.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch +drivers-net-ice-fix-devlink-parameters-get-without-i.patch +iavf-fix-ptp-use-after-free-during-reset.patch +iavf-fix-incorrect-reset-handling-in-callbacks.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch +net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch +drm-amdkfd-unreserve-bo-if-queue-update-failed.patch +perf-synthetic-events-fix-stale-build-id-in-module-m.patch +net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch +net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch +neighbour-restore-protocol-0-check-in-pneigh-update.patch +net-mana-null-service_wq-on-setup-error-to-prevent-d.patch +net-ti-am65-cpsw-move-hw-timestamping-to-ndo-callbac.patch +net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +net-prevent-null-deref-in-ip-6-tunnel_xmit.patch +iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch +usb-gadget-f_mass_storage-fix-potential-integer-over.patch diff --git a/queue-6.18/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch b/queue-6.18/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch new file mode 100644 index 0000000000..9130e3bf4e --- /dev/null +++ b/queue-6.18/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch @@ -0,0 +1,61 @@ +From c1baf96e98fb67a350a881ca4f728bf420a7e6fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 01:24:32 +0800 +Subject: spi: amlogic: spifc-a4: Fix DMA mapping error handling + +From: Felix Gu + +[ Upstream commit b20b437666e1cb26a7c499d1664e8f2a0ac67000 ] + +Fix three bugs in aml_sfc_dma_buffer_setup() error paths: +1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, + nothing needs cleanup. Use direct return instead of goto. +2. Double-unmap bug: When info DMA mapping failed, the code would + unmap sfc->daddr inline, then fall through to out_map_data which + would unmap it again, causing a double-unmap. +3. Wrong unmap size: The out_map_info label used datalen instead of + infolen when unmapping sfc->iaddr, which could lead to incorrect + DMA sync behavior. + +Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260306-spifc-a4-v1-1-f22c9965f64a@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spifc-a4.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c +index 35a7c4965e113..f324aa39a8976 100644 +--- a/drivers/spi/spi-amlogic-spifc-a4.c ++++ b/drivers/spi/spi-amlogic-spifc-a4.c +@@ -411,7 +411,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + ret = dma_mapping_error(sfc->dev, sfc->daddr); + if (ret) { + dev_err(sfc->dev, "DMA mapping error\n"); +- goto out_map_data; ++ return ret; + } + + cmd = CMD_DATA_ADDRL(sfc->daddr); +@@ -429,7 +429,6 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + ret = dma_mapping_error(sfc->dev, sfc->iaddr); + if (ret) { + dev_err(sfc->dev, "DMA mapping error\n"); +- dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir); + goto out_map_data; + } + +@@ -448,7 +447,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + return 0; + + out_map_info: +- dma_unmap_single(sfc->dev, sfc->iaddr, datalen, dir); ++ dma_unmap_single(sfc->dev, sfc->iaddr, infolen, dir); + out_map_data: + dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir); + +-- +2.51.0 + diff --git a/queue-6.18/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch b/queue-6.18/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch new file mode 100644 index 0000000000..2218396ec8 --- /dev/null +++ b/queue-6.18/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch @@ -0,0 +1,42 @@ +From 27f2a8867abcb8cb118ab024987963d2d05c4e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 02:01:34 +0800 +Subject: spi: rockchip-sfc: Fix double-free in remove() callback + +From: Felix Gu + +[ Upstream commit 111e2863372c322e836e0c896f6dd9cf4ee08c71 ] + +The driver uses devm_spi_register_controller() for registration, which +automatically unregisters the controller via devm cleanup when the +device is removed. The manual call to spi_unregister_controller() in +the remove() callback can lead to a double-free. + +And to make sure controller is unregistered before DMA buffer is +unmapped, switch to use spi_register_controller() in probe(). + +Fixes: 8011709906d0 ("spi: rockchip-sfc: Support pm ops") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260310-sfc-v2-1-67fab04b097f@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rockchip-sfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-rockchip-sfc.c b/drivers/spi/spi-rockchip-sfc.c +index b3c2b03b11535..8acf955636977 100644 +--- a/drivers/spi/spi-rockchip-sfc.c ++++ b/drivers/spi/spi-rockchip-sfc.c +@@ -712,7 +712,7 @@ static int rockchip_sfc_probe(struct platform_device *pdev) + } + } + +- ret = devm_spi_register_controller(dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto err_register; + +-- +2.51.0 + diff --git a/queue-6.18/usb-gadget-f_mass_storage-fix-potential-integer-over.patch b/queue-6.18/usb-gadget-f_mass_storage-fix-potential-integer-over.patch new file mode 100644 index 0000000000..f90ceb68b9 --- /dev/null +++ b/queue-6.18/usb-gadget-f_mass_storage-fix-potential-integer-over.patch @@ -0,0 +1,72 @@ +From a87075efd05f534e0ef1b882ec1ad6b4ca54f7e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 05:43:25 -0500 +Subject: usb: gadget: f_mass_storage: Fix potential integer overflow in + check_command_size_in_blocks() + +From: Seungjin Bae + +[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] + +The `check_command_size_in_blocks()` function calculates the data size +in bytes by left shifting `common->data_size_from_cmnd` by the block +size (`common->curlun->blkbits`). However, it does not validate whether +this shift operation will cause an integer overflow. + +Initially, the block size is set up in `fsg_lun_open()` , and the +`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During +initialization, there is no integer overflow check for the interaction +between two variables. + +So if a malicious USB host sends a SCSI READ or WRITE command +requesting a large amount of data (`common->data_size_from_cmnd`), the +left shift operation can wrap around. This results in a truncated data +size, which can bypass boundary checks and potentially lead to memory +corruption or out-of-bounds accesses. + +Fix this by using the check_shl_overflow() macro to safely perform the +shift and catch any overflows. + +Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") +Signed-off-by: Seungjin Bae +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 94d478b6bcd3d..6f275c3d11ac5 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -180,6 +180,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, + int cmnd_size, enum data_direction data_dir, + unsigned int mask, int needs_medium, const char *name) + { +- if (common->curlun) +- common->data_size_from_cmnd <<= common->curlun->blkbits; ++ if (common->curlun) { ++ if (check_shl_overflow(common->data_size_from_cmnd, ++ common->curlun->blkbits, ++ &common->data_size_from_cmnd)) { ++ common->phase_error = 1; ++ return -EINVAL; ++ } ++ } ++ + return check_command(common, cmnd_size, data_dir, + mask, needs_medium, name); + } +-- +2.51.0 + diff --git a/queue-6.18/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch b/queue-6.18/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch new file mode 100644 index 0000000000..699ef6d094 --- /dev/null +++ b/queue-6.18/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch @@ -0,0 +1,42 @@ +From 1f98572b26df3a8a4a6500e272938866820a4fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 08:15:37 -0800 +Subject: workqueue: Use POOL_BH instead of WQ_BH when checking pool flags + +From: Breno Leitao + +[ Upstream commit f42f9091be9e5ff57567a3945cfcdd498f475348 ] + +pr_cont_worker_id() checks pool->flags against WQ_BH, which is a +workqueue-level flag (defined in workqueue.h). Pool flags use a +separate namespace with POOL_* constants (defined in workqueue.c). +The correct constant is POOL_BH. Both WQ_BH and POOL_BH are defined +as (1 << 0) so this has no behavioral impact, but it is semantically +wrong and inconsistent with every other pool-level BH check in the +file. + +Fixes: 4cb1ef64609f ("workqueue: Implement BH workqueues to eventually replace tasklets") +Signed-off-by: Breno Leitao +Acked-by: Song Liu +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 885a8b31f855b..9111ef6ccfe65 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -6269,7 +6269,7 @@ static void pr_cont_worker_id(struct worker *worker) + { + struct worker_pool *pool = worker->pool; + +- if (pool->flags & WQ_BH) ++ if (pool->flags & POOL_BH) + pr_cont("bh%s", + pool->attrs->nice == HIGHPRI_NICE_LEVEL ? "-hi" : ""); + else +-- +2.51.0 + diff --git a/queue-6.18/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-6.18/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..236a497add --- /dev/null +++ b/queue-6.18/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From e4f646a74e4cf73d4272dcb8262d115a8585444e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 63262ef0c2e3a..8abbd9c4045a4 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1385,7 +1385,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1400,9 +1400,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 + diff --git a/queue-6.19/accel-amdxdna-fix-runtime-suspend-deadlock-when-ther.patch b/queue-6.19/accel-amdxdna-fix-runtime-suspend-deadlock-when-ther.patch new file mode 100644 index 0000000000..ae61d0ed8e --- /dev/null +++ b/queue-6.19/accel-amdxdna-fix-runtime-suspend-deadlock-when-ther.patch @@ -0,0 +1,116 @@ +From 3a4a6370dc2cf7ed14567573684366936cd2117c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:00:58 -0700 +Subject: accel/amdxdna: Fix runtime suspend deadlock when there is pending job + +From: Lizhi Hou + +[ Upstream commit 6b13cb8f48a42ddf6dd98865b673a82e37ff238b ] + +The runtime suspend callback drains the running job workqueue before +suspending the device. If a job is still executing and calls +pm_runtime_resume_and_get(), it can deadlock with the runtime suspend +path. + +Fix this by moving pm_runtime_resume_and_get() from the job execution +routine to the job submission routine, ensuring the device is resumed +before the job is queued and avoiding the deadlock during runtime +suspend. + +Fixes: 063db451832b ("accel/amdxdna: Enhance runtime power management") +Reviewed-by: Mario Limonciello (AMD) +Signed-off-by: Lizhi Hou +Link: https://patch.msgid.link/20260310180058.336348-1-lizhi.hou@amd.com +Signed-off-by: Sasha Levin +--- + drivers/accel/amdxdna/aie2_ctx.c | 14 ++------------ + drivers/accel/amdxdna/amdxdna_ctx.c | 10 ++++++++++ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/accel/amdxdna/aie2_ctx.c b/drivers/accel/amdxdna/aie2_ctx.c +index 9fc33b4298f23..9284c35aacfbf 100644 +--- a/drivers/accel/amdxdna/aie2_ctx.c ++++ b/drivers/accel/amdxdna/aie2_ctx.c +@@ -165,7 +165,6 @@ aie2_sched_notify(struct amdxdna_sched_job *job) + + trace_xdna_job(&job->base, job->hwctx->name, "signaled fence", job->seq); + +- amdxdna_pm_suspend_put(job->hwctx->client->xdna); + job->hwctx->priv->completed++; + dma_fence_signal(fence); + +@@ -290,19 +289,11 @@ aie2_sched_job_run(struct drm_sched_job *sched_job) + struct dma_fence *fence; + int ret; + +- ret = amdxdna_pm_resume_get(hwctx->client->xdna); +- if (ret) ++ if (!hwctx->priv->mbox_chann) + return NULL; + +- if (!hwctx->priv->mbox_chann) { +- amdxdna_pm_suspend_put(hwctx->client->xdna); +- return NULL; +- } +- +- if (!mmget_not_zero(job->mm)) { +- amdxdna_pm_suspend_put(hwctx->client->xdna); ++ if (!mmget_not_zero(job->mm)) + return ERR_PTR(-ESRCH); +- } + + kref_get(&job->refcnt); + fence = dma_fence_get(job->fence); +@@ -333,7 +324,6 @@ aie2_sched_job_run(struct drm_sched_job *sched_job) + + out: + if (ret) { +- amdxdna_pm_suspend_put(hwctx->client->xdna); + dma_fence_put(job->fence); + aie2_job_put(job); + mmput(job->mm); +diff --git a/drivers/accel/amdxdna/amdxdna_ctx.c b/drivers/accel/amdxdna/amdxdna_ctx.c +index 4e48519b699ac..f678ae4c682d1 100644 +--- a/drivers/accel/amdxdna/amdxdna_ctx.c ++++ b/drivers/accel/amdxdna/amdxdna_ctx.c +@@ -17,6 +17,7 @@ + #include "amdxdna_ctx.h" + #include "amdxdna_gem.h" + #include "amdxdna_pci_drv.h" ++#include "amdxdna_pm.h" + + #define MAX_HWCTX_ID 255 + #define MAX_ARG_COUNT 4095 +@@ -445,6 +446,7 @@ amdxdna_arg_bos_lookup(struct amdxdna_client *client, + void amdxdna_sched_job_cleanup(struct amdxdna_sched_job *job) + { + trace_amdxdna_debug_point(job->hwctx->name, job->seq, "job release"); ++ amdxdna_pm_suspend_put(job->hwctx->client->xdna); + amdxdna_arg_bos_put(job); + amdxdna_gem_put_obj(job->cmd_bo); + dma_fence_put(job->fence); +@@ -482,6 +484,12 @@ int amdxdna_cmd_submit(struct amdxdna_client *client, + goto cmd_put; + } + ++ ret = amdxdna_pm_resume_get(xdna); ++ if (ret) { ++ XDNA_ERR(xdna, "Resume failed, ret %d", ret); ++ goto put_bos; ++ } ++ + idx = srcu_read_lock(&client->hwctx_srcu); + hwctx = xa_load(&client->hwctx_xa, hwctx_hdl); + if (!hwctx) { +@@ -522,6 +530,8 @@ int amdxdna_cmd_submit(struct amdxdna_client *client, + dma_fence_put(job->fence); + unlock_srcu: + srcu_read_unlock(&client->hwctx_srcu, idx); ++ amdxdna_pm_suspend_put(xdna); ++put_bos: + amdxdna_arg_bos_put(job); + cmd_put: + amdxdna_gem_put_obj(job->cmd_bo); +-- +2.51.0 + diff --git a/queue-6.19/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-6.19/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..6b30222876 --- /dev/null +++ b/queue-6.19/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From d7d759ddff1e27ae5063d1a9ebfac04cf89dbe7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 05393a7315fec..2addb40961b60 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1681,7 +1681,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-6.19/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch b/queue-6.19/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch new file mode 100644 index 0000000000..a97d346174 --- /dev/null +++ b/queue-6.19/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch @@ -0,0 +1,63 @@ +From cc41b11d5e909cdb7aa09643086cef5d928f7b58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:27 +0530 +Subject: amd-xgbe: fix link status handling in xgbe_rx_adaptation + +From: Raju Rangoju + +[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ] + +The link status bit is latched low to allow detection of momentary +link drops. If the status indicates that the link is already down, +read it again to obtain the current state. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index c63ddb12237ea..13c556dc0d67a 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1942,7 +1942,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +- unsigned int reg; ++ int reg; + + /* step 2: force PCS to send RX_ADAPT Req to PHY */ + XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4, +@@ -1964,11 +1964,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + + /* Step 4: Check for Block lock */ + +- /* Link status is latched low, so read once to clear +- * and then read again to get current state +- */ +- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); + reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ ++ /* Link status is latched low so that momentary link drops ++ * can be detected. If link was already down read again ++ * to get the latest state. ++ */ ++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) { ++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ } ++ + if (reg & MDIO_STAT1_LSTATUS) { + /* If the block lock is found, update the helpers + * and declare the link up +-- +2.51.0 + diff --git a/queue-6.19/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch b/queue-6.19/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch new file mode 100644 index 0000000000..8129561b90 --- /dev/null +++ b/queue-6.19/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch @@ -0,0 +1,168 @@ +From 4958e6547e30b29eda0b105aeba0ccd5c2691404 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:28 +0530 +Subject: amd-xgbe: prevent CRC errors during RX adaptation with AN disabled + +From: Raju Rangoju + +[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ] + +When operating in 10GBASE-KR mode with auto-negotiation disabled and RX +adaptation enabled, CRC errors can occur during the RX adaptation +process. This happens because the driver continues transmitting and +receiving packets while adaptation is in progress. + +Fix this by stopping TX/RX immediately when the link goes down and RX +adaptation needs to be re-triggered, and only re-enabling TX/RX after +adaptation completes and the link is confirmed up. Introduce a flag to +track whether TX/RX was disabled for adaptation so it can be restored +correctly. + +This prevents packets from being transmitted or received during the RX +adaptation window and avoids CRC errors from corrupted frames. + +The flag tracking the data path state is synchronized with hardware +state in xgbe_start() to prevent stale state after device restarts. +This ensures that after a restart cycle (where xgbe_stop disables +TX/RX and xgbe_start re-enables them), the flag correctly reflects +that the data path is active. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++ + 3 files changed, 69 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 20ce2ed4cd9f7..3444ec681a11f 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1277,6 +1277,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + hw_if->enable_tx(pdata); + hw_if->enable_rx(pdata); ++ /* Synchronize flag with hardware state after enabling TX/RX. ++ * This prevents stale state after device restart cycles. ++ */ ++ pdata->data_path_stopped = false; + + udp_tunnel_nic_reset_ntf(netdev); + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 13c556dc0d67a..b8cf6ccfe6414 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2017,6 +2017,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata) + xgbe_rx_adaptation(pdata); + } + ++/* ++ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption ++ * @pdata: driver private data ++ * ++ * This function stops the data path (TX and RX) to prevent packet ++ * corruption during critical PHY operations like RX adaptation. ++ * Must be called before initiating RX adaptation when link goes down. ++ */ ++static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (pdata->data_path_stopped) ++ return; ++ ++ /* Stop TX/RX to prevent packet corruption during RX adaptation */ ++ pdata->hw_if.disable_tx(pdata); ++ pdata->hw_if.disable_rx(pdata); ++ pdata->data_path_stopped = true; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "stopping data path for RX adaptation\n"); ++} ++ ++/* ++ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation ++ * @pdata: driver private data ++ * ++ * This function re-enables the data path (TX and RX) after RX adaptation ++ * has completed successfully. Only called when link is confirmed up. ++ */ ++static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (!pdata->data_path_stopped) ++ return; ++ ++ pdata->hw_if.enable_rx(pdata); ++ pdata->hw_if.enable_tx(pdata); ++ pdata->data_path_stopped = false; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "restarting data path after RX adaptation\n"); ++} ++ + static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + { + int reg; +@@ -2810,13 +2852,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (pdata->en_rx_adap) { + /* if the link is available and adaptation is done, + * declare link up ++ * ++ * Note: When link is up and adaptation is done, we can ++ * safely re-enable the data path if it was stopped ++ * for adaptation. + */ +- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) ++ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) { ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + /* If either link is not available or adaptation is not done, + * retrigger the adaptation logic. (if the mode is not set, + * then issue mailbox command first) + */ ++ ++ /* CRITICAL: Stop data path BEFORE triggering RX adaptation ++ * to prevent CRC errors from packets corrupted during ++ * the adaptation process. This is especially important ++ * when AN is OFF in 10G KR mode. ++ */ ++ xgbe_phy_stop_data_path(pdata); ++ + if (pdata->mode_set) { + xgbe_phy_rx_adaptation(pdata); + } else { +@@ -2824,8 +2880,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + xgbe_phy_set_mode(pdata, phy_data->cur_mode); + } + +- if (pdata->rx_adapt_done) ++ if (pdata->rx_adapt_done) { ++ /* Adaptation complete, safe to re-enable data path */ ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + } else if (reg & MDIO_STAT1_LSTATUS) + return 1; + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 4ba23779b2b7e..3bc748c7cb24d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -1242,6 +1242,10 @@ struct xgbe_prv_data { + bool en_rx_adap; + int rx_adapt_retries; + bool rx_adapt_done; ++ /* Flag to track if data path (TX/RX) was stopped for RX adaptation. ++ * This prevents packet corruption during the adaptation window. ++ */ ++ bool data_path_stopped; + bool mode_set; + bool sph; + }; +-- +2.51.0 + diff --git a/queue-6.19/amd-xgbe-reset-phy-settings-before-starting-phy.patch b/queue-6.19/amd-xgbe-reset-phy-settings-before-starting-phy.patch new file mode 100644 index 0000000000..fd2a33aea2 --- /dev/null +++ b/queue-6.19/amd-xgbe-reset-phy-settings-before-starting-phy.patch @@ -0,0 +1,70 @@ +From f6d162e5732a5a8beaaa1e61a6afe8729d2984da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:29 +0530 +Subject: amd-xgbe: reset PHY settings before starting PHY + +From: Raju Rangoju + +[ Upstream commit a8ba129af46856112981c124850ec6a85a1c1ab6 ] + +commit f93505f35745 ("amd-xgbe: let the MAC manage PHY PM") moved +xgbe_phy_reset() from xgbe_open() to xgbe_start(), placing it after +phy_start(). As a result, the PHY settings were being reset after the +PHY had already started. + +Reorder the calls so that the PHY settings are reset before +phy_start() is invoked. + +Fixes: f93505f35745 ("amd-xgbe: let the MAC manage PHY PM") +Reviewed-by: Maxime Chevallier +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-4-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 3444ec681a11f..6de12a0e06553 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1271,6 +1271,12 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + if (ret) + goto err_napi; + ++ /* Reset the phy settings */ ++ ret = xgbe_phy_reset(pdata); ++ if (ret) ++ goto err_irqs; ++ ++ /* Start the phy */ + ret = phy_if->phy_start(pdata); + if (ret) + goto err_irqs; +@@ -1284,11 +1290,6 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + udp_tunnel_nic_reset_ntf(netdev); + +- /* Reset the phy settings */ +- ret = xgbe_phy_reset(pdata); +- if (ret) +- goto err_txrx; +- + netif_tx_start_all_queues(netdev); + + xgbe_start_timers(pdata); +@@ -1298,10 +1299,6 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + return 0; + +-err_txrx: +- hw_if->disable_rx(pdata); +- hw_if->disable_tx(pdata); +- + err_irqs: + xgbe_free_irqs(pdata); + +-- +2.51.0 + diff --git a/queue-6.19/asoc-amd-acp-mach-common-add-missing-error-check-for.patch b/queue-6.19/asoc-amd-acp-mach-common-add-missing-error-check-for.patch new file mode 100644 index 0000000000..d912eabf59 --- /dev/null +++ b/queue-6.19/asoc-amd-acp-mach-common-add-missing-error-check-for.patch @@ -0,0 +1,68 @@ +From 946432ee1136d8e68cc606943604d547d5caff44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:43:27 +0800 +Subject: ASoC: amd: acp-mach-common: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 30c64fb9839949f085c8eb55b979cbd8a4c51f00 ] + +The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not +check the return values of clk_get(). This could lead to a kernel crash +when the invalid pointers are later dereferenced by clock core +functions. + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding IS_ERR() checks immediately after each clock acquisition. + +Fixes: 8b7256266848 ("ASoC: amd: acp: Add support for RT5682-VS codec") +Fixes: d4c750f2c7d4 ("ASoC: amd: acp: Add generic machine driver support for ACP cards") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310044327.2582018-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-mach-common.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/amd/acp/acp-mach-common.c b/sound/soc/amd/acp/acp-mach-common.c +index 4d99472c75baf..09f6c9a2c0410 100644 +--- a/sound/soc/amd/acp/acp-mach-common.c ++++ b/sound/soc/amd/acp/acp-mach-common.c +@@ -127,8 +127,13 @@ static int acp_card_rt5682_init(struct snd_soc_pcm_runtime *rtd) + if (drvdata->hs_codec_id != RT5682) + return -EINVAL; + +- drvdata->wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- drvdata->bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ drvdata->wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(drvdata->wclk)) ++ return PTR_ERR(drvdata->wclk); ++ ++ drvdata->bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(drvdata->bclk)) ++ return PTR_ERR(drvdata->bclk); + + ret = snd_soc_dapm_new_controls(dapm, rt5682_widgets, + ARRAY_SIZE(rt5682_widgets)); +@@ -370,8 +375,13 @@ static int acp_card_rt5682s_init(struct snd_soc_pcm_runtime *rtd) + return -EINVAL; + + if (!drvdata->soc_mclk) { +- drvdata->wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- drvdata->bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ drvdata->wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(drvdata->wclk)) ++ return PTR_ERR(drvdata->wclk); ++ ++ drvdata->bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(drvdata->bclk)) ++ return PTR_ERR(drvdata->bclk); + } + + ret = snd_soc_dapm_new_controls(dapm, rt5682s_widgets, +-- +2.51.0 + diff --git a/queue-6.19/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-6.19/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..a8b7649fb8 --- /dev/null +++ b/queue-6.19/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From d454496a6e2cd1c61885a72cafca3e6553c220f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 4ca1978020a96..d1eb6f12a1830 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new_pins(card, "Headset Jack", + SND_JACK_HEADSET | +-- +2.51.0 + diff --git a/queue-6.19/asoc-codecs-rt1011-use-component-to-get-the-dapm-con.patch b/queue-6.19/asoc-codecs-rt1011-use-component-to-get-the-dapm-con.patch new file mode 100644 index 0000000000..5ef8ce9162 --- /dev/null +++ b/queue-6.19/asoc-codecs-rt1011-use-component-to-get-the-dapm-con.patch @@ -0,0 +1,40 @@ +From c155d4b11edc5a125fc4addf4b80ab36daf7045a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 08:53:50 +0200 +Subject: ASoC: codecs: rt1011: Use component to get the dapm context in + spk_mode_put + +From: Peter Ujfalusi + +[ Upstream commit 30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399 ] + +The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the +DAPM context is snd_soc_component_to_dapm(), from kcontrol we will +receive NULL pointer. + +Closes: https://github.com/thesofproject/linux/issues/5691 +Fixes: 5b35bb517f27 ("ASoC: codecs: rt1011: convert to snd_soc_dapm_xxx()") +Signed-off-by: Peter Ujfalusi +Link: https://patch.msgid.link/20260310065350.18921-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt1011.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/rt1011.c b/sound/soc/codecs/rt1011.c +index 9f34a6a354876..03f31d9d916e6 100644 +--- a/sound/soc/codecs/rt1011.c ++++ b/sound/soc/codecs/rt1011.c +@@ -1047,7 +1047,7 @@ static int rt1011_recv_spk_mode_put(struct snd_kcontrol *kcontrol, + struct snd_ctl_elem_value *ucontrol) + { + struct snd_soc_component *component = snd_kcontrol_chip(kcontrol); +- struct snd_soc_dapm_context *dapm = snd_soc_dapm_kcontrol_to_dapm(kcontrol); ++ struct snd_soc_dapm_context *dapm = snd_soc_component_to_dapm(component); + struct rt1011_priv *rt1011 = + snd_soc_component_get_drvdata(component); + +-- +2.51.0 + diff --git a/queue-6.19/asoc-detect-empty-dmi-strings.patch b/queue-6.19/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..f42b0d48e7 --- /dev/null +++ b/queue-6.19/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From 50bfcf348fb914286877ee7115a0eab43f478e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e6045d30ee8e1..23ba821cd759d 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1863,12 +1863,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-6.19/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch b/queue-6.19/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch new file mode 100644 index 0000000000..e371ede84e --- /dev/null +++ b/queue-6.19/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch @@ -0,0 +1,60 @@ +From c450dbb7617a5d34f841c1554a34c4d983c6911b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 23:21:09 -0500 +Subject: ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays + +From: Sen Wang + +[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ] + +graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end +(ports@1) by calling of_get_child_by_name() to find the first "ports" +child and comparing pointers. This relies on child iteration order +matching DTS source order. + +When the DPCM topology comes from a DT overlay, __of_attach_node() +inserts new children at the head of the sibling list, reversing the +order. of_get_child_by_name() then returns ports@1 instead of ports@0, +causing all front-end links to be classified as back-ends. The card +registers with no PCM devices. + +Fix this by matching the unit address directly from the node name +instead of relying on sibling order. + +Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()") +Signed-off-by: Sen Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index bdc02e85b089f..9e5be0eaa77f3 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -1038,11 +1038,15 @@ int graph_util_is_ports0(struct device_node *np) + else + port = np; + +- struct device_node *ports __free(device_node) = of_get_parent(port); +- struct device_node *top __free(device_node) = of_get_parent(ports); +- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ const char *at = strchr(kbasename(ports->full_name), '@'); + +- return ports0 == ports; ++ /* ++ * Since child iteration order may differ ++ * between a base DT and DT overlays, ++ * string match "ports" or "ports@0" in the node name instead. ++ */ ++ return !at || !strcmp(at, "@0"); + } + EXPORT_SYMBOL_GPL(graph_util_is_ports0); + +-- +2.51.0 + diff --git a/queue-6.19/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-6.19/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..37f94701cd --- /dev/null +++ b/queue-6.19/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 4de4e48389c2108ef0935e0c1c5a2517d53db745 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e4b21bf39e59f..182d2272c2f39 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -462,8 +462,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-6.19/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-6.19/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..9e8c936fb7 --- /dev/null +++ b/queue-6.19/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From 8bb54af63d65f0799b569082282e2e8b97df1d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 182d2272c2f39..e6045d30ee8e1 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2121,6 +2121,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.19/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch b/queue-6.19/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch new file mode 100644 index 0000000000..90148ff36d --- /dev/null +++ b/queue-6.19/bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch @@ -0,0 +1,52 @@ +From 7a1c65694c4f581546cbef80aa9ab247f939046e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 14:58:54 -0800 +Subject: bnxt_en: Fix RSS table size check when changing ethtool channels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavan Chebbi + +[ Upstream commit 0d9a60a0618d255530ca56072c5f39eb58e1ed4a ] + +When changing channels, the current check in bnxt_set_channels() +is not checking for non-default RSS contexts when the RSS table size +changes. The current check for IFF_RXFH_CONFIGURED is only sufficient +for the default RSS context. Expand the check to include the presence +of any non-default RSS contexts. + +Allowing such change will result in incorrect configuration of the +context's RSS table when the table size changes. + +Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()") +Reported-by: Björn Töpel +Link: https://lore.kernel.org/netdev/20260303181535.2671734-1-bjorn@kernel.org/ +Reviewed-by: Andy Gospodarek +Signed-off-by: Pavan Chebbi +Signed-off-by: Michael Chan +Link: https://patch.msgid.link/20260306225854.3575672-1-michael.chan@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +index c76a7623870be..fa452d6272e0f 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +@@ -979,8 +979,8 @@ static int bnxt_set_channels(struct net_device *dev, + + if (bnxt_get_nr_rss_ctxs(bp, req_rx_rings) != + bnxt_get_nr_rss_ctxs(bp, bp->rx_nr_rings) && +- netif_is_rxfh_configured(dev)) { +- netdev_warn(dev, "RSS table size change required, RSS table entries must be default to proceed\n"); ++ (netif_is_rxfh_configured(dev) || bp->num_rss_ctx)) { ++ netdev_warn(dev, "RSS table size change required, RSS table entries must be default (with no additional RSS contexts present) to proceed\n"); + return -EINVAL; + } + +-- +2.51.0 + diff --git a/queue-6.19/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch b/queue-6.19/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch new file mode 100644 index 0000000000..e4d3c4c533 --- /dev/null +++ b/queue-6.19/bonding-do-not-set-usable_slaves-for-broadcast-mode.patch @@ -0,0 +1,65 @@ +From 0ba559f07b550afbb3180100fe2b61b4e62940be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:53 +0800 +Subject: bonding: do not set usable_slaves for broadcast mode + +From: Hangbin Liu + +[ Upstream commit 45fc134bcfadde456639c1b1e206e6918d69a553 ] + +After commit e0caeb24f538 ("net: bonding: update the slave array for broadcast mode"), +broadcast mode will also set all_slaves and usable_slaves during +bond_enslave(). But if we also set updelay, during enslave, the +slave init state will be BOND_LINK_BACK. And later +bond_update_slave_arr() will alloc usable_slaves but add nothing. +This will cause bond_miimon_inspect() to have ignore_updelay +always true. So the updelay will be always ignored. e.g. + +[ 6.498368] bond0: (slave veth2): link status definitely down, disabling slave +[ 7.536371] bond0: (slave veth2): link status up, enabling it in 0 ms +[ 7.536402] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +To fix it, we can either always call bond_update_slave_arr() on every +place when link changes. Or, let's just not set usable_slaves for +broadcast mode. + +Fixes: e0caeb24f538 ("net: bonding: update the slave array for broadcast mode") +Reported-by: Liang Li +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-1-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 739e6eea6b529..5de38258c7d8b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5041,13 +5041,18 @@ static void bond_set_slave_arr(struct bonding *bond, + { + struct bond_up_slave *usable, *all; + +- usable = rtnl_dereference(bond->usable_slaves); +- rcu_assign_pointer(bond->usable_slaves, usable_slaves); +- kfree_rcu(usable, rcu); +- + all = rtnl_dereference(bond->all_slaves); + rcu_assign_pointer(bond->all_slaves, all_slaves); + kfree_rcu(all, rcu); ++ ++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST) { ++ kfree_rcu(usable_slaves, rcu); ++ return; ++ } ++ ++ usable = rtnl_dereference(bond->usable_slaves); ++ rcu_assign_pointer(bond->usable_slaves, usable_slaves); ++ kfree_rcu(usable, rcu); + } + + static void bond_reset_slave_arr(struct bonding *bond) +-- +2.51.0 + diff --git a/queue-6.19/bonding-fix-type-confusion-in-bond_setup_by_slave.patch b/queue-6.19/bonding-fix-type-confusion-in-bond_setup_by_slave.patch new file mode 100644 index 0000000000..c8181988d7 --- /dev/null +++ b/queue-6.19/bonding-fix-type-confusion-in-bond_setup_by_slave.patch @@ -0,0 +1,151 @@ +From bb3f0ff48ac6de088d04532153ea6ba085f16add Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 10:15:07 +0800 +Subject: bonding: fix type confusion in bond_setup_by_slave() + +From: Jiayuan Chen + +[ Upstream commit 950803f7254721c1c15858fbbfae3deaaeeecb11 ] + +kernel BUG at net/core/skbuff.c:2306! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 +RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e +RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 +RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 +R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 +R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 +Call Trace: + + ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 + dev_hard_header include/linux/netdevice.h:3439 [inline] + packet_snd net/packet/af_packet.c:3028 [inline] + packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 + ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 + __sys_sendmsg+0x170/0x220 net/socket.c:2678 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe1a0e6c1a9 + +When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, +bond_setup_by_slave() directly copies the slave's header_ops to the +bond device: + + bond_dev->header_ops = slave_dev->header_ops; + +This causes a type confusion when dev_hard_header() is later called +on the bond device. Functions like ipgre_header(), ip6gre_header(),all use +netdev_priv(dev) to access their device-specific private data. When +called with the bond device, netdev_priv() returns the bond's private +data (struct bonding) instead of the expected type (e.g. struct +ip_tunnel), leading to garbage values being read and kernel crashes. + +Fix this by introducing bond_header_ops with wrapper functions that +delegate to the active slave's header_ops using the slave's own +device. This ensures netdev_priv() in the slave's header functions +always receives the correct device. + +The fix is placed in the bonding driver rather than individual device +drivers, as the root cause is bond blindly inheriting header_ops from +the slave without considering that these callbacks expect a specific +netdev_priv() layout. + +The type confusion can be observed by adding a printk in +ipgre_header() and running the following commands: + + ip link add dummy0 type dummy + ip addr add 10.0.0.1/24 dev dummy0 + ip link set dummy0 up + ip link add gre1 type gre local 10.0.0.1 + ip link add bond1 type bond mode active-backup + ip link set gre1 master bond1 + ip link set gre1 up + ip link set bond1 up + ip addr add fe80::1/64 dev bond1 + +Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support") +Suggested-by: Jay Vosburgh +Reviewed-by: Eric Dumazet +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306021508.222062-1-jiayuan.chen@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 47 ++++++++++++++++++++++++++++++++- + 1 file changed, 46 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 8be99ae67b77f..139ece7676c50 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1476,6 +1476,50 @@ static netdev_features_t bond_fix_features(struct net_device *dev, + return features; + } + ++static int bond_header_create(struct sk_buff *skb, struct net_device *bond_dev, ++ unsigned short type, const void *daddr, ++ const void *saddr, unsigned int len) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->create) ++ ret = slave_ops->create(skb, slave->dev, ++ type, daddr, saddr, len); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static int bond_header_parse(const struct sk_buff *skb, unsigned char *haddr) ++{ ++ struct bonding *bond = netdev_priv(skb->dev); ++ const struct header_ops *slave_ops; ++ struct slave *slave; ++ int ret = 0; ++ ++ rcu_read_lock(); ++ slave = rcu_dereference(bond->curr_active_slave); ++ if (slave) { ++ slave_ops = READ_ONCE(slave->dev->header_ops); ++ if (slave_ops && slave_ops->parse) ++ ret = slave_ops->parse(skb, haddr); ++ } ++ rcu_read_unlock(); ++ return ret; ++} ++ ++static const struct header_ops bond_header_ops = { ++ .create = bond_header_create, ++ .parse = bond_header_parse, ++}; ++ + static void bond_setup_by_slave(struct net_device *bond_dev, + struct net_device *slave_dev) + { +@@ -1483,7 +1527,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev, + + dev_close(bond_dev); + +- bond_dev->header_ops = slave_dev->header_ops; ++ bond_dev->header_ops = slave_dev->header_ops ? ++ &bond_header_ops : NULL; + + bond_dev->type = slave_dev->type; + bond_dev->hard_header_len = slave_dev->hard_header_len; +-- +2.51.0 + diff --git a/queue-6.19/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-6.19/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..29b225d59d --- /dev/null +++ b/queue-6.19/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From 33a0acc87da74a0a7d8d91ce293a22a837f87f84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 5de38258c7d8b..8be99ae67b77f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2769,8 +2769,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-6.19/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch b/queue-6.19/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch new file mode 100644 index 0000000000..3cb3133d20 --- /dev/null +++ b/queue-6.19/btrfs-hold-space_info-lock-when-clearing-periodic-re.patch @@ -0,0 +1,49 @@ +From f8834e328c7162892d73b959ddbdc6d6a37db5d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Feb 2026 20:53:39 +0800 +Subject: btrfs: hold space_info->lock when clearing periodic reclaim ready + +From: Sun YangKai + +[ Upstream commit b8883b61f2fc50dcf22938cbed40fec05020552f ] + +btrfs_set_periodic_reclaim_ready() requires space_info->lock to be held, +as enforced by lockdep_assert_held(). However, btrfs_reclaim_sweep() was +calling it after do_reclaim_sweep() returns, at which point +space_info->lock is no longer held. + +Fix this by explicitly acquiring space_info->lock before clearing the +periodic reclaim ready flag in btrfs_reclaim_sweep(). + +Reported-by: Chris Mason +Link: https://lore.kernel.org/linux-btrfs/20260208182556.891815-1-clm@meta.com/ +Fixes: 19eff93dc738 ("btrfs: fix periodic reclaim condition") +Reviewed-by: Boris Burkov +Signed-off-by: Sun YangKai +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/space-info.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c +index 30aedf596b548..13b2bbe674308 100644 +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -2196,8 +2196,11 @@ void btrfs_reclaim_sweep(const struct btrfs_fs_info *fs_info) + if (!btrfs_should_periodic_reclaim(space_info)) + continue; + for (raid = 0; raid < BTRFS_NR_RAID_TYPES; raid++) { +- if (do_reclaim_sweep(space_info, raid)) ++ if (do_reclaim_sweep(space_info, raid)) { ++ spin_lock(&space_info->lock); + btrfs_set_periodic_reclaim_ready(space_info, false); ++ spin_unlock(&space_info->lock); ++ } + } + } + } +-- +2.51.0 + diff --git a/queue-6.19/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-6.19/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..3c25ff6b12 --- /dev/null +++ b/queue-6.19/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From 286630f8e6823e06ae4f535bb43077bf28ace2e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index e00d3dbc4cf43..91b1fa970f8fb 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -755,7 +755,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -790,6 +792,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-6.19/drivers-net-ice-fix-devlink-parameters-get-without-i.patch b/queue-6.19/drivers-net-ice-fix-devlink-parameters-get-without-i.patch new file mode 100644 index 0000000000..794a092104 --- /dev/null +++ b/queue-6.19/drivers-net-ice-fix-devlink-parameters-get-without-i.patch @@ -0,0 +1,59 @@ +From 79520fbee6ddb62a50f9d9264349993ca49c3d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Feb 2026 10:48:41 +0200 +Subject: drivers: net: ice: fix devlink parameters get without irdma + +From: Nikolay Aleksandrov + +[ Upstream commit bd98c6204d1195973b1760fe45860863deb6200c ] + +If CONFIG_IRDMA isn't enabled but there are ice NICs in the system, the +driver will prevent full devlink dev param show dump because its rdma get +callbacks return ENODEV and stop the dump. For example: + $ devlink dev param show + pci/0000:82:00.0: + name msix_vec_per_pf_max type generic + values: + cmode driverinit value 2 + name msix_vec_per_pf_min type generic + values: + cmode driverinit value 2 + kernel answers: No such device + +Returning EOPNOTSUPP allows the dump to continue so we can see all devices' +devlink parameters. + +Fixes: c24a65b6a27c ("iidc/ice/irdma: Update IDC to support multiple consumers") +Signed-off-by: Nikolay Aleksandrov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/devlink/devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c +index 2ef39cc70c21d..7de749d3f0479 100644 +--- a/drivers/net/ethernet/intel/ice/devlink/devlink.c ++++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c +@@ -1360,7 +1360,7 @@ ice_devlink_enable_roce_get(struct devlink *devlink, u32 id, + + cdev = pf->cdev_info; + if (!cdev) +- return -ENODEV; ++ return -EOPNOTSUPP; + + ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_ROCEV2); + +@@ -1427,7 +1427,7 @@ ice_devlink_enable_iw_get(struct devlink *devlink, u32 id, + + cdev = pf->cdev_info; + if (!cdev) +- return -ENODEV; ++ return -EOPNOTSUPP; + + ctx->val.vbool = !!(cdev->rdma_protocol & IIDC_RDMA_PROTOCOL_IWARP); + +-- +2.51.0 + diff --git a/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch b/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch new file mode 100644 index 0000000000..fab36e238a --- /dev/null +++ b/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch @@ -0,0 +1,55 @@ +From cd1a70e364fe5a8fb8c6410a4f074b8d78cbe7dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 21:10:11 -0500 +Subject: drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu + v13 + +From: Yang Wang + +[ Upstream commit cb47c882c31334aadc13ace80781728ed22a05ee ] + +add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v13.0.0/13.0.7 + +Fixes: cfffd980bf21 ("drm/amd/pm: add zero RPM OD setting support for SMU13") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018 +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 576a10797b607ee9e4068218daf367b481564120) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 3 ++- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +index eaeff6a9bc50f..e8f8c3bae0ab0 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +@@ -2290,7 +2290,8 @@ static int smu_v13_0_0_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v13_0_0_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +index a3fc35b9011e4..3c3393297c630 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +@@ -2276,7 +2276,8 @@ static int smu_v13_0_7_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v13_0_7_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +-- +2.51.0 + diff --git a/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-1062 b/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-1062 new file mode 100644 index 0000000000..47ad8e8c94 --- /dev/null +++ b/queue-6.19/drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-1062 @@ -0,0 +1,40 @@ +From b63749fa3e27186d367951cf07a875bcd64a45da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 21:14:10 -0500 +Subject: drm/amd/pm: add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu + v14 + +From: Yang Wang + +[ Upstream commit 9d4837a26149355ffe3a1f80de80531eafdd3353 ] + +add missing od setting PP_OD_FEATURE_ZERO_FAN_BIT for smu v14.0.2/14.0.3 + +Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/5018 +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +(cherry picked from commit 1b5cf07d80bb16d1593579ccdb23f08ea4262c14) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +index d7642d388bc38..fa535f43876b5 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2413,7 +2413,8 @@ static int smu_v14_0_2_restore_user_od_settings(struct smu_context *smu) + user_od_table->OverDriveTable.FeatureCtrlMask = BIT(PP_OD_FEATURE_GFXCLK_BIT) | + BIT(PP_OD_FEATURE_UCLK_BIT) | + BIT(PP_OD_FEATURE_GFX_VF_CURVE_BIT) | +- BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ BIT(PP_OD_FEATURE_FAN_CURVE_BIT) | ++ BIT(PP_OD_FEATURE_ZERO_FAN_BIT); + res = smu_v14_0_2_upload_overdrive_table(smu, user_od_table); + user_od_table->OverDriveTable.FeatureCtrlMask = 0; + if (res == 0) +-- +2.51.0 + diff --git a/queue-6.19/drm-amdgpu-fix-kernel-doc-comments-for-some-lut-prop.patch b/queue-6.19/drm-amdgpu-fix-kernel-doc-comments-for-some-lut-prop.patch new file mode 100644 index 0000000000..457cc1403c --- /dev/null +++ b/queue-6.19/drm-amdgpu-fix-kernel-doc-comments-for-some-lut-prop.patch @@ -0,0 +1,71 @@ +From cd9f6ed79c3c7fa40b53911a572bc90a7ee62d58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 13:16:36 +0200 +Subject: drm/amdgpu: Fix kernel-doc comments for some LUT properties + +From: Cristian Ciocaltea + +[ Upstream commit 52289ce48ef1f8a81cd39df1574098356e3c9d4c ] + +The following members of struct amdgpu_mode_info do not have valid +references in the related kernel-doc sections: + + - plane_shaper_lut_property + - plane_shaper_lut_size_property, + - plane_lut3d_size_property + +Correct all affected comment blocks. + +Fixes: f545d82479b4 ("drm/amd/display: add plane shaper LUT and TF driver-specific properties") +Fixes: 671994e3bf33 ("drm/amd/display: add plane 3D LUT driver-specific properties") +Reviewed-by: Melissa Wen +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Alex Deucher +(cherry picked from commit ec5708d6e547f7efe2f009073bfa98dbc4c5c2ac) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h +index dc8d2f52c7d61..e244c12ceb238 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_mode.h +@@ -368,15 +368,15 @@ struct amdgpu_mode_info { + + struct drm_property *plane_ctm_property; + /** +- * @shaper_lut_property: Plane property to set pre-blending shaper LUT +- * that converts color content before 3D LUT. If +- * plane_shaper_tf_property != Identity TF, AMD color module will ++ * @plane_shaper_lut_property: Plane property to set pre-blending ++ * shaper LUT that converts color content before 3D LUT. ++ * If plane_shaper_tf_property != Identity TF, AMD color module will + * combine the user LUT values with pre-defined TF into the LUT + * parameters to be programmed. + */ + struct drm_property *plane_shaper_lut_property; + /** +- * @shaper_lut_size_property: Plane property for the size of ++ * @plane_shaper_lut_size_property: Plane property for the size of + * pre-blending shaper LUT as supported by the driver (read-only). + */ + struct drm_property *plane_shaper_lut_size_property; +@@ -400,10 +400,10 @@ struct amdgpu_mode_info { + */ + struct drm_property *plane_lut3d_property; + /** +- * @plane_degamma_lut_size_property: Plane property to define the max +- * size of 3D LUT as supported by the driver (read-only). The max size +- * is the max size of one dimension and, therefore, the max number of +- * entries for 3D LUT array is the 3D LUT size cubed; ++ * @plane_lut3d_size_property: Plane property to define the max size ++ * of 3D LUT as supported by the driver (read-only). The max size is ++ * the max size of one dimension and, therefore, the max number of ++ * entries for 3D LUT array is the 3D LUT size cubed. + */ + struct drm_property *plane_lut3d_size_property; + /** +-- +2.51.0 + diff --git a/queue-6.19/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch b/queue-6.19/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch new file mode 100644 index 0000000000..c350cc9189 --- /dev/null +++ b/queue-6.19/drm-amdkfd-unreserve-bo-if-queue-update-failed.patch @@ -0,0 +1,36 @@ +From 2fd21c31e79a5d3b0958091256188459f5f9c484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 15:13:23 -0500 +Subject: drm/amdkfd: Unreserve bo if queue update failed + +From: Philip Yang + +[ Upstream commit 2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf ] + +Error handling path should unreserve bo then return failed. + +Fixes: 305cd109b761 ("drm/amdkfd: Validate user queue update") +Signed-off-by: Philip Yang +Reviewed-by: Alex Sierra +Signed-off-by: Alex Deucher +(cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 7fbb5c274ccc4..7bf712032c52c 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -606,6 +606,7 @@ int pqm_update_queue_properties(struct process_queue_manager *pqm, + p->queue_size)) { + pr_debug("ring buf 0x%llx size 0x%llx not mapped on GPU\n", + p->queue_address, p->queue_size); ++ amdgpu_bo_unreserve(vm->root.bo); + return -EFAULT; + } + +-- +2.51.0 + diff --git a/queue-6.19/drm-i915-dp-read-alpm-caps-after-dpcd-init.patch b/queue-6.19/drm-i915-dp-read-alpm-caps-after-dpcd-init.patch new file mode 100644 index 0000000000..4f36954079 --- /dev/null +++ b/queue-6.19/drm-i915-dp-read-alpm-caps-after-dpcd-init.patch @@ -0,0 +1,81 @@ +From 2b84b13342ce4eba66fe65e1a93147de096af124 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:51:57 +0530 +Subject: drm/i915/dp: Read ALPM caps after DPCD init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arun R Murthy + +[ Upstream commit 335b237d902c7362cb7228802e68374406b24acf ] + +For eDP read the ALPM DPCD caps after DPCD initalization and just before +the PSR init. + +v2: Move intel_alpm_init to intel_edp_init_dpcd (Jouni) +v3: Add Fixes with commit-id (Jouni) +v4: Separated the alpm dpcd read caps from alpm_init and moved to +intel_edp_init_dpcd. +v5: Read alpm_caps always for eDP irrespective of the eDP version (Jouni) +v6: replace drm_dp_dpcd_readb with drm_dp_dpcd_read_byte (Jouni) + +Fixes: 15438b325987 ("drm/i915/alpm: Add compute config for lobf") +Signed-off-by: Arun R Murthy +Reviewed-by: Animesh Manna +Reviewed-by: Jouni Högander +Signed-off-by: Animesh Manna +Link: https://patch.msgid.link/20260304072157.1123283-1-arun.r.murthy@intel.com +(cherry picked from commit 88442ba208dd5d3405de3f5000cf5b2c86876ae3) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_alpm.c | 6 ------ + drivers/gpu/drm/i915/display/intel_dp.c | 7 +++++++ + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_alpm.c b/drivers/gpu/drm/i915/display/intel_alpm.c +index 6372f533f65b5..5ba767bb38521 100644 +--- a/drivers/gpu/drm/i915/display/intel_alpm.c ++++ b/drivers/gpu/drm/i915/display/intel_alpm.c +@@ -43,12 +43,6 @@ bool intel_alpm_is_alpm_aux_less(struct intel_dp *intel_dp, + + void intel_alpm_init(struct intel_dp *intel_dp) + { +- u8 dpcd; +- +- if (drm_dp_dpcd_readb(&intel_dp->aux, DP_RECEIVER_ALPM_CAP, &dpcd) < 0) +- return; +- +- intel_dp->alpm_dpcd = dpcd; + mutex_init(&intel_dp->alpm.lock); + } + +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index ee258df439a7d..b6ce11267b92d 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -4547,6 +4547,7 @@ static bool + intel_edp_init_dpcd(struct intel_dp *intel_dp, struct intel_connector *connector) + { + struct intel_display *display = to_intel_display(intel_dp); ++ int ret; + + /* this function is meant to be called only once */ + drm_WARN_ON(display->drm, intel_dp->dpcd[DP_DPCD_REV] != 0); +@@ -4586,6 +4587,12 @@ intel_edp_init_dpcd(struct intel_dp *intel_dp, struct intel_connector *connector + */ + intel_dp_init_source_oui(intel_dp); + ++ /* Read the ALPM DPCD caps */ ++ ret = drm_dp_dpcd_read_byte(&intel_dp->aux, DP_RECEIVER_ALPM_CAP, ++ &intel_dp->alpm_dpcd); ++ if (ret < 0) ++ return false; ++ + /* + * This has to be called after intel_dp->edp_dpcd is filled, PSR checks + * for SET_POWER_CAPABLE bit in intel_dp->edp_dpcd[1] +-- +2.51.0 + diff --git a/queue-6.19/drm-msm-a6xx-fix-the-bogus-protect-error-on-x2-85.patch b/queue-6.19/drm-msm-a6xx-fix-the-bogus-protect-error-on-x2-85.patch new file mode 100644 index 0000000000..0e66a43753 --- /dev/null +++ b/queue-6.19/drm-msm-a6xx-fix-the-bogus-protect-error-on-x2-85.patch @@ -0,0 +1,52 @@ +From 95e2f217698d82dbad3aaebd1f4dc12e81c37e2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 13:11:57 +0530 +Subject: drm/msm/a6xx: Fix the bogus protect error on X2-85 + +From: Akhil P Oommen + +[ Upstream commit 20f644f42e3b8e729d3c3199d48e75c0b257de8f ] + +Update the X2-85 gpu's register protect count configuration with the +correct count_max value to avoid blocking the entire MMIO region from the +UMD. + +Protect configurations are a bit complicated on A8xx. There are 2 set of +protect registers with different counts: Global and Pipe-specific. The +last-span-unbound feature is available only on the Pipe-specific protect +registers. Due to this, we cannot use the BUILD_BUG sanity check for A8x +protect configurations, so remove the A840 entry from there. + +Fixes: 01ff3bf27215 ("drm/msm/a8xx: Add support for Adreno X2-85 GPU") +Signed-off-by: Akhil P Oommen +Reviewed-by: Konrad Dybcio +Patchwork: https://patchwork.freedesktop.org/patch/706944/ +Message-ID: <20260225-glymur-protect-fix-v1-1-0deddedf9277@oss.qualcomm.com> +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_catalog.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_catalog.c b/drivers/gpu/drm/msm/adreno/a6xx_catalog.c +index 550a53a7865eb..38561f26837e3 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_catalog.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_catalog.c +@@ -1759,7 +1759,7 @@ static const u32 x285_protect_regs[] = { + A6XX_PROTECT_NORDWR(0x27c06, 0x0000), + }; + +-DECLARE_ADRENO_PROTECT(x285_protect, 64); ++DECLARE_ADRENO_PROTECT(x285_protect, 15); + + static const struct adreno_reglist_pipe a840_nonctxt_regs[] = { + { REG_A8XX_CP_SMMU_STREAM_ID_LPAC, 0x00000101, BIT(PIPE_NONE) }, +@@ -1966,5 +1966,4 @@ static inline __always_unused void __build_asserts(void) + BUILD_BUG_ON(a660_protect.count > a660_protect.count_max); + BUILD_BUG_ON(a690_protect.count > a690_protect.count_max); + BUILD_BUG_ON(a730_protect.count > a730_protect.count_max); +- BUILD_BUG_ON(a840_protect.count > a840_protect.count_max); + } +-- +2.51.0 + diff --git a/queue-6.19/drm-msm-a8xx-fix-ubwc-config-related-to-swizzling.patch b/queue-6.19/drm-msm-a8xx-fix-ubwc-config-related-to-swizzling.patch new file mode 100644 index 0000000000..53fe16d8e7 --- /dev/null +++ b/queue-6.19/drm-msm-a8xx-fix-ubwc-config-related-to-swizzling.patch @@ -0,0 +1,54 @@ +From 97431bb0807fbd7d7c2c234d16a4fbb37cb098bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 23:51:16 +0530 +Subject: drm/msm/a8xx: Fix ubwc config related to swizzling + +From: Akhil P Oommen + +[ Upstream commit 7e459c41264fdd87b096ede8da796a302d569722 ] + +To disable l2/l3 swizzling in A8x, set the respective bits in both +GRAS_NC_MODE_CNTL and RB_CCU_NC_MODE_CNTL registers. This is required +for Glymur where it is recommended to keep l2/l3 swizzling disabled. + +Fixes: 288a93200892 ("drm/msm/adreno: Introduce A8x GPU Support") +Signed-off-by: Akhil P Oommen +Message-ID: <20260305-a8xx-ubwc-fix-v1-1-d99b6da4c5a9@oss.qualcomm.com> +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a8xx_gpu.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a8xx_gpu.c b/drivers/gpu/drm/msm/adreno/a8xx_gpu.c +index 30de078e9dfd2..3b17ddac07532 100644 +--- a/drivers/gpu/drm/msm/adreno/a8xx_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/a8xx_gpu.c +@@ -306,11 +306,21 @@ static void a8xx_set_ubwc_config(struct msm_gpu *gpu) + hbb = cfg->highest_bank_bit - 13; + hbb_hi = hbb >> 2; + hbb_lo = hbb & 3; +- a8xx_write_pipe(gpu, PIPE_BV, REG_A8XX_GRAS_NC_MODE_CNTL, hbb << 5); +- a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_GRAS_NC_MODE_CNTL, hbb << 5); ++ ++ a8xx_write_pipe(gpu, PIPE_BV, REG_A8XX_GRAS_NC_MODE_CNTL, ++ hbb << 5 | ++ level3_swizzling_dis << 4 | ++ level2_swizzling_dis << 3); ++ ++ a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_GRAS_NC_MODE_CNTL, ++ hbb << 5 | ++ level3_swizzling_dis << 4 | ++ level2_swizzling_dis << 3); + + a8xx_write_pipe(gpu, PIPE_BR, REG_A8XX_RB_CCU_NC_MODE_CNTL, + yuvnotcomptofc << 6 | ++ level3_swizzling_dis << 5 | ++ level2_swizzling_dis << 4 | + hbb_hi << 3 | + hbb_lo << 1); + +-- +2.51.0 + diff --git a/queue-6.19/drm-msm-dpu-fix-lm-size-on-a-number-of-platforms.patch b/queue-6.19/drm-msm-dpu-fix-lm-size-on-a-number-of-platforms.patch new file mode 100644 index 0000000000..9afdc3e689 --- /dev/null +++ b/queue-6.19/drm-msm-dpu-fix-lm-size-on-a-number-of-platforms.patch @@ -0,0 +1,320 @@ +From 535ec6ba3212a10d1b71aa3537f04476cb193dfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jan 2026 11:58:49 +0100 +Subject: drm/msm/dpu: Fix LM size on a number of platforms + +From: Konrad Dybcio + +[ Upstream commit f7bf1319739291067b2bc4b22bd56336afad8f0a ] + +The register space has grown with what seems to be DPU8. +Bump up the .len to match. + +Fixes: e3b1f369db5a ("drm/msm/dpu: Add X1E80100 support") +Fixes: 4a352c2fc15a ("drm/msm/dpu: Introduce SC8280XP") +Fixes: efcd0107727c ("drm/msm/dpu: add support for SM8550") +Fixes: 100d7ef6995d ("drm/msm/dpu: add support for SM8450") +Fixes: 178575173472 ("drm/msm/dpu: add catalog entry for SAR2130P") +Signed-off-by: Konrad Dybcio +Reviewed-by: Abel Vesa +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/701063/ +Link: https://lore.kernel.org/r/20260127-topic-lm_size_fix-v1-1-25f88d014dfd@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + .../gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h | 12 ++++++------ + .../gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h | 12 ++++++------ + .../gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h | 12 ++++++------ + .../gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h | 12 ++++++------ + .../gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h | 12 ++++++------ + 5 files changed, 30 insertions(+), 30 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h +index 303d33dc7783a..9f2bceca1789e 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_0_sc8280xp.h +@@ -133,7 +133,7 @@ static const struct dpu_sspp_cfg sc8280xp_sspp[] = { + static const struct dpu_lm_cfg sc8280xp_lm[] = { + { + .name = "lm_0", .id = LM_0, +- .base = 0x44000, .len = 0x320, ++ .base = 0x44000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_1, +@@ -141,7 +141,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = { + .dspp = DSPP_0, + }, { + .name = "lm_1", .id = LM_1, +- .base = 0x45000, .len = 0x320, ++ .base = 0x45000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_0, +@@ -149,7 +149,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = { + .dspp = DSPP_1, + }, { + .name = "lm_2", .id = LM_2, +- .base = 0x46000, .len = 0x320, ++ .base = 0x46000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_3, +@@ -157,7 +157,7 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = { + .dspp = DSPP_2, + }, { + .name = "lm_3", .id = LM_3, +- .base = 0x47000, .len = 0x320, ++ .base = 0x47000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_2, +@@ -165,14 +165,14 @@ static const struct dpu_lm_cfg sc8280xp_lm[] = { + .dspp = DSPP_3, + }, { + .name = "lm_4", .id = LM_4, +- .base = 0x48000, .len = 0x320, ++ .base = 0x48000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_5, + .pingpong = PINGPONG_4, + }, { + .name = "lm_5", .id = LM_5, +- .base = 0x49000, .len = 0x320, ++ .base = 0x49000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_4, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h +index b09a6af4c474a..04b22167f93d6 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_8_1_sm8450.h +@@ -134,7 +134,7 @@ static const struct dpu_sspp_cfg sm8450_sspp[] = { + static const struct dpu_lm_cfg sm8450_lm[] = { + { + .name = "lm_0", .id = LM_0, +- .base = 0x44000, .len = 0x320, ++ .base = 0x44000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_1, +@@ -142,7 +142,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = { + .dspp = DSPP_0, + }, { + .name = "lm_1", .id = LM_1, +- .base = 0x45000, .len = 0x320, ++ .base = 0x45000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_0, +@@ -150,7 +150,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = { + .dspp = DSPP_1, + }, { + .name = "lm_2", .id = LM_2, +- .base = 0x46000, .len = 0x320, ++ .base = 0x46000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_3, +@@ -158,7 +158,7 @@ static const struct dpu_lm_cfg sm8450_lm[] = { + .dspp = DSPP_2, + }, { + .name = "lm_3", .id = LM_3, +- .base = 0x47000, .len = 0x320, ++ .base = 0x47000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_2, +@@ -166,14 +166,14 @@ static const struct dpu_lm_cfg sm8450_lm[] = { + .dspp = DSPP_3, + }, { + .name = "lm_4", .id = LM_4, +- .base = 0x48000, .len = 0x320, ++ .base = 0x48000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_5, + .pingpong = PINGPONG_4, + }, { + .name = "lm_5", .id = LM_5, +- .base = 0x49000, .len = 0x320, ++ .base = 0x49000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_4, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +index 465b6460f8754..4c7eb55d474c5 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_0_sm8550.h +@@ -131,7 +131,7 @@ static const struct dpu_sspp_cfg sm8550_sspp[] = { + static const struct dpu_lm_cfg sm8550_lm[] = { + { + .name = "lm_0", .id = LM_0, +- .base = 0x44000, .len = 0x320, ++ .base = 0x44000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_1, +@@ -139,7 +139,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = { + .dspp = DSPP_0, + }, { + .name = "lm_1", .id = LM_1, +- .base = 0x45000, .len = 0x320, ++ .base = 0x45000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_0, +@@ -147,7 +147,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = { + .dspp = DSPP_1, + }, { + .name = "lm_2", .id = LM_2, +- .base = 0x46000, .len = 0x320, ++ .base = 0x46000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_3, +@@ -155,7 +155,7 @@ static const struct dpu_lm_cfg sm8550_lm[] = { + .dspp = DSPP_2, + }, { + .name = "lm_3", .id = LM_3, +- .base = 0x47000, .len = 0x320, ++ .base = 0x47000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_2, +@@ -163,14 +163,14 @@ static const struct dpu_lm_cfg sm8550_lm[] = { + .dspp = DSPP_3, + }, { + .name = "lm_4", .id = LM_4, +- .base = 0x48000, .len = 0x320, ++ .base = 0x48000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_5, + .pingpong = PINGPONG_4, + }, { + .name = "lm_5", .id = LM_5, +- .base = 0x49000, .len = 0x320, ++ .base = 0x49000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_4, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h +index 6caa7d40f3688..dec83ea8167d1 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_1_sar2130p.h +@@ -131,7 +131,7 @@ static const struct dpu_sspp_cfg sar2130p_sspp[] = { + static const struct dpu_lm_cfg sar2130p_lm[] = { + { + .name = "lm_0", .id = LM_0, +- .base = 0x44000, .len = 0x320, ++ .base = 0x44000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_1, +@@ -139,7 +139,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = { + .dspp = DSPP_0, + }, { + .name = "lm_1", .id = LM_1, +- .base = 0x45000, .len = 0x320, ++ .base = 0x45000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_0, +@@ -147,7 +147,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = { + .dspp = DSPP_1, + }, { + .name = "lm_2", .id = LM_2, +- .base = 0x46000, .len = 0x320, ++ .base = 0x46000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_3, +@@ -155,7 +155,7 @@ static const struct dpu_lm_cfg sar2130p_lm[] = { + .dspp = DSPP_2, + }, { + .name = "lm_3", .id = LM_3, +- .base = 0x47000, .len = 0x320, ++ .base = 0x47000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_2, +@@ -163,14 +163,14 @@ static const struct dpu_lm_cfg sar2130p_lm[] = { + .dspp = DSPP_3, + }, { + .name = "lm_4", .id = LM_4, +- .base = 0x48000, .len = 0x320, ++ .base = 0x48000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_5, + .pingpong = PINGPONG_4, + }, { + .name = "lm_5", .id = LM_5, +- .base = 0x49000, .len = 0x320, ++ .base = 0x49000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_4, +diff --git a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h +index 7243eebb85f36..52ff4baa668a4 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h ++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h +@@ -130,7 +130,7 @@ static const struct dpu_sspp_cfg x1e80100_sspp[] = { + static const struct dpu_lm_cfg x1e80100_lm[] = { + { + .name = "lm_0", .id = LM_0, +- .base = 0x44000, .len = 0x320, ++ .base = 0x44000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_1, +@@ -138,7 +138,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = { + .dspp = DSPP_0, + }, { + .name = "lm_1", .id = LM_1, +- .base = 0x45000, .len = 0x320, ++ .base = 0x45000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_0, +@@ -146,7 +146,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = { + .dspp = DSPP_1, + }, { + .name = "lm_2", .id = LM_2, +- .base = 0x46000, .len = 0x320, ++ .base = 0x46000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_3, +@@ -154,7 +154,7 @@ static const struct dpu_lm_cfg x1e80100_lm[] = { + .dspp = DSPP_2, + }, { + .name = "lm_3", .id = LM_3, +- .base = 0x47000, .len = 0x320, ++ .base = 0x47000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_2, +@@ -162,14 +162,14 @@ static const struct dpu_lm_cfg x1e80100_lm[] = { + .dspp = DSPP_3, + }, { + .name = "lm_4", .id = LM_4, +- .base = 0x48000, .len = 0x320, ++ .base = 0x48000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_5, + .pingpong = PINGPONG_4, + }, { + .name = "lm_5", .id = LM_5, +- .base = 0x49000, .len = 0x320, ++ .base = 0x49000, .len = 0x400, + .features = MIXER_MSM8998_MASK, + .sblk = &sdm845_lm_sblk, + .lm_pair = LM_4, +-- +2.51.0 + diff --git a/queue-6.19/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch b/queue-6.19/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch new file mode 100644 index 0000000000..c2ff047ccc --- /dev/null +++ b/queue-6.19/drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch @@ -0,0 +1,73 @@ +From 5c8236c2f2cd9998509b0b2bb7cff4c7098dcaf6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Feb 2026 18:51:28 +0800 +Subject: drm/msm/dsi: fix hdisplay calculation when programming dsi registers + +From: Pengyu Luo + +[ Upstream commit ac47870fd795549f03d57e0879fc730c79119f4b ] + +Recently, the hdisplay calculation is working for 3:1 compressed ratio +only. If we have a video panel with DSC BPP = 8, and BPC = 10, we still +use the default bits_per_pclk = 24, then we get the wrong hdisplay. We +can draw the conclusion by cross-comparing the calculation with the +calculation in dsi_adjust_pclk_for_compression(). + +Since CMD mode does not use this, we can remove +!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO) safely. + +Fixes: efcbd6f9cdeb ("drm/msm/dsi: Enable widebus for DSI") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/704822/ +Link: https://lore.kernel.org/r/20260214105145.105308-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index e0de545d40775..e8e83ee61eb09 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -993,7 +993,7 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + if (msm_host->dsc) { + struct drm_dsc_config *dsc = msm_host->dsc; +- u32 bytes_per_pclk; ++ u32 bits_per_pclk; + + /* update dsc params with timing params */ + if (!dsc || !mode->hdisplay || !mode->vdisplay) { +@@ -1015,7 +1015,9 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + /* + * DPU sends 3 bytes per pclk cycle to DSI. If widebus is +- * enabled, bus width is extended to 6 bytes. ++ * enabled, MDP always sends out 48-bit compressed data per ++ * pclk and on average, DSI consumes an amount of compressed ++ * data equivalent to the uncompressed pixel depth per pclk. + * + * Calculate the number of pclks needed to transmit one line of + * the compressed data. +@@ -1027,12 +1029,12 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + * unused anyway. + */ + h_total -= hdisplay; +- if (wide_bus_enabled && !(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO)) +- bytes_per_pclk = 6; ++ if (wide_bus_enabled) ++ bits_per_pclk = mipi_dsi_pixel_format_to_bpp(msm_host->format); + else +- bytes_per_pclk = 3; ++ bits_per_pclk = 24; + +- hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), bytes_per_pclk); ++ hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc) * 8, bits_per_pclk); + + h_total += hdisplay; + ha_end = ha_start + hdisplay; +-- +2.51.0 + diff --git a/queue-6.19/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch b/queue-6.19/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch new file mode 100644 index 0000000000..798734e456 --- /dev/null +++ b/queue-6.19/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch @@ -0,0 +1,85 @@ +From 4a560264882e08d2436190226e908cbb240e0ef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:32:38 +0800 +Subject: drm/msm/dsi: fix pclk rate calculation for bonded dsi + +From: Pengyu Luo + +[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ] + +Recently, we round up new_hdisplay once at most, for bonded dsi, we +may need twice, since they are independent links, we should round up +each half separately. This also aligns with the hdisplay we program +later in dsi_timing_setup() + +Example: + full_hdisplay = 1904, dsc_bpp = 8, bpc = 8 + new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635 + +if we use half display + new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318 + new_full_display = 636 + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/709716/ +Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index e8e83ee61eb09..db6da99375a18 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -584,13 +584,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + * FIXME: Reconsider this if/when CMD mode handling is rewritten to use + * transfer time and data overhead as a starting point of the calculations. + */ +-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, +- const struct drm_dsc_config *dsc) ++static unsigned long ++dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, ++ const struct drm_dsc_config *dsc, ++ bool is_bonded_dsi) + { +- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc), +- dsc->bits_per_component * 3); ++ int hdisplay, new_hdisplay, new_htotal; + +- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; ++ /* ++ * For bonded DSI, split hdisplay across two links and round up each ++ * half separately, passing the full hdisplay would only round up once. ++ * This also aligns with the hdisplay we program later in ++ * dsi_timing_setup() ++ */ ++ hdisplay = mode->hdisplay; ++ if (is_bonded_dsi) ++ hdisplay /= 2; ++ ++ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc), ++ dsc->bits_per_component * 3); ++ ++ if (is_bonded_dsi) ++ new_hdisplay *= 2; ++ ++ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + + return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } +@@ -603,7 +620,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + pclk_rate = mode->clock * 1000u; + + if (dsc) +- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); ++ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi); + + /* + * For bonded DSI mode, the current DRM mode has the complete width of the +-- +2.51.0 + diff --git a/queue-6.19/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch b/queue-6.19/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch new file mode 100644 index 0000000000..a5b63a04d1 --- /dev/null +++ b/queue-6.19/drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch @@ -0,0 +1,68 @@ +From 4d7f7429b4c4ebcd195c4cc683108dc319b60ab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 22:30:30 -0600 +Subject: drm/sitronix/st7586: fix bad pixel data due to byte swap + +From: David Lechner + +[ Upstream commit 46d8a07b4ae262e2fec6ce2aa454e06243661265 ] + +Correctly set dbi->write_memory_bpw for the ST7586 driver. This driver +is for a monochrome display that has an unusual data format, so the +default value set in mipi_dbi_spi_init() is not correct simply because +this controller is non-standard. + +Previously, we were using dbi->swap_bytes to make the same sort of +workaround, but it was removed in the same commit that added +dbi->write_memory_bpw, so we need to use the latter now to have the +correct behavior. + +This fixes every 3 columns of pixels being swapped on the display. There +are 3 pixels per byte, so the byte swap caused this effect. + +Fixes: df3fb27a74a4 ("drm/mipi-dbi: Make bits per word configurable for pixel transfers") +Acked-by: Thomas Zimmermann +Reviewed-by: Javier Martinez Canillas +Signed-off-by: David Lechner +Link: https://patch.msgid.link/20260228-drm-mipi-dbi-fix-st7586-byte-swap-v1-1-e78f6c24cd28@baylibre.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sitronix/st7586.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/sitronix/st7586.c b/drivers/gpu/drm/sitronix/st7586.c +index b57ebf37a664c..16b6b4e368af8 100644 +--- a/drivers/gpu/drm/sitronix/st7586.c ++++ b/drivers/gpu/drm/sitronix/st7586.c +@@ -347,6 +347,12 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + ++ /* ++ * Override value set by mipi_dbi_spi_init(). This driver is a bit ++ * non-standard, so best to set it explicitly here. ++ */ ++ dbi->write_memory_bpw = 8; ++ + /* Cannot read from this controller via SPI */ + dbi->read_commands = NULL; + +@@ -356,15 +362,6 @@ static int st7586_probe(struct spi_device *spi) + if (ret) + return ret; + +- /* +- * we are using 8-bit data, so we are not actually swapping anything, +- * but setting mipi->swap_bytes makes mipi_dbi_typec3_command() do the +- * right thing and not use 16-bit transfers (which results in swapped +- * bytes on little-endian systems and causes out of order data to be +- * sent to the display). +- */ +- dbi->swap_bytes = true; +- + drm_mode_config_reset(drm); + + ret = drm_dev_register(drm, 0); +-- +2.51.0 + diff --git a/queue-6.19/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch b/queue-6.19/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch new file mode 100644 index 0000000000..4b4c85749d --- /dev/null +++ b/queue-6.19/dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch @@ -0,0 +1,38 @@ +From 2c4a62b4b5eb59b02cf26278bf065238106f99c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Feb 2026 18:34:20 +0100 +Subject: dt-bindings: display/msm: qcom,sm8750-mdss: Fix model typo + +From: Krzysztof Kozlowski + +[ Upstream commit 4355b13d46f696d687f42b982efed7570e03e532 ] + +Fix obvious model typo (SM8650->SM8750) in the description. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 6b93840116df ("dt-bindings: display/msm: qcom,sm8750-mdss: Add SM8750") +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/707192/ +Link: https://lore.kernel.org/r/20260225173419.125565-2-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + .../devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml +index d55fda9a523e2..a38c2261ef1ac 100644 +--- a/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml ++++ b/Documentation/devicetree/bindings/display/msm/qcom,sm8750-mdss.yaml +@@ -10,7 +10,7 @@ maintainers: + - Krzysztof Kozlowski + + description: +- SM8650 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like ++ SM8750 MSM Mobile Display Subsystem(MDSS), which encapsulates sub-blocks like + DPU display controller, DSI and DP interfaces etc. + + $ref: /schemas/display/msm/mdss-common.yaml# +-- +2.51.0 + diff --git a/queue-6.19/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-6.19/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..0dcf900b65 --- /dev/null +++ b/queue-6.19/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From 385e2a2fb4caa85dffce3c386e445438d2a0e728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index 7f078ec9c14c5..15160427c8b30 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2952,8 +2952,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index ddbe2f7d81121..6bcb57609d16a 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5654,8 +5654,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-6.19/firmware-cs_dsp-fix-fragmentation-regression-in-firm.patch b/queue-6.19/firmware-cs_dsp-fix-fragmentation-regression-in-firm.patch new file mode 100644 index 0000000000..fac733409c --- /dev/null +++ b/queue-6.19/firmware-cs_dsp-fix-fragmentation-regression-in-firm.patch @@ -0,0 +1,105 @@ +From af8a327f2223dd2d7b84ab9ece88d55c6f5e5fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 14:12:50 +0000 +Subject: firmware: cs_dsp: Fix fragmentation regression in firmware download + +From: Richard Fitzgerald + +[ Upstream commit facfdef64d11c08e6f1e69d02a0b87cb74cee0f5 ] + +Use vmalloc() instead of kmalloc(..., GFP_DMA) to alloc the temporary +buffer for firmware download blobs. This avoids the problem that a +heavily fragmented system cannot allocate enough physically-contiguous +memory for a large blob. + +The redundant alloc buffer mechanism was removed in commit 900baa6e7bb0 +("firmware: cs_dsp: Remove redundant download buffer allocator"). +While doing that I was overly focused on the possibility of the +underlying bus requiring DMA-safe memory. So I used GFP_DMA kmalloc()s. +I failed to notice that the code I was removing used vmalloc(). +This creates a regression. + +Way back in 2014 the problem of fragmentation with kmalloc()s was fixed +by commit cdcd7f728753 ("ASoC: wm_adsp: Use vmalloc to allocate firmware +download buffer"). + +Although we don't need physically-contiguous memory, we don't know if the +bus needs some particular alignment of the buffers. Since the change in +2014, the firmware download has always used whatever alignment vmalloc() +returns. To avoid introducing a new problem, the temporary buffer is still +used, to keep the same alignment of pointers passed to regmap_raw_write(). + +Signed-off-by: Richard Fitzgerald +Fixes: 900baa6e7bb0 ("firmware: cs_dsp: Remove redundant download buffer allocator") +Link: https://patch.msgid.link/20260304141250.1578597-1-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/firmware/cirrus/cs_dsp.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c +index abed96fa5853a..a34633b875758 100644 +--- a/drivers/firmware/cirrus/cs_dsp.c ++++ b/drivers/firmware/cirrus/cs_dsp.c +@@ -1610,11 +1610,17 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + region_name); + + if (reg) { ++ /* ++ * Although we expect the underlying bus does not require ++ * physically-contiguous buffers, we pessimistically use ++ * a temporary buffer instead of trusting that the ++ * alignment of region->data is ok. ++ */ + region_len = le32_to_cpu(region->len); + if (region_len > buf_len) { + buf_len = round_up(region_len, PAGE_SIZE); +- kfree(buf); +- buf = kmalloc(buf_len, GFP_KERNEL | GFP_DMA); ++ vfree(buf); ++ buf = vmalloc(buf_len); + if (!buf) { + ret = -ENOMEM; + goto out_fw; +@@ -1643,7 +1649,7 @@ static int cs_dsp_load(struct cs_dsp *dsp, const struct firmware *firmware, + + ret = 0; + out_fw: +- kfree(buf); ++ vfree(buf); + + if (ret == -EOVERFLOW) + cs_dsp_err(dsp, "%s: file content overflows file data\n", file); +@@ -2320,11 +2326,17 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + } + + if (reg) { ++ /* ++ * Although we expect the underlying bus does not require ++ * physically-contiguous buffers, we pessimistically use ++ * a temporary buffer instead of trusting that the ++ * alignment of blk->data is ok. ++ */ + region_len = le32_to_cpu(blk->len); + if (region_len > buf_len) { + buf_len = round_up(region_len, PAGE_SIZE); +- kfree(buf); +- buf = kmalloc(buf_len, GFP_KERNEL | GFP_DMA); ++ vfree(buf); ++ buf = vmalloc(buf_len); + if (!buf) { + ret = -ENOMEM; + goto out_fw; +@@ -2355,7 +2367,7 @@ static int cs_dsp_load_coeff(struct cs_dsp *dsp, const struct firmware *firmware + + ret = 0; + out_fw: +- kfree(buf); ++ vfree(buf); + + if (ret == -EOVERFLOW) + cs_dsp_err(dsp, "%s: file content overflows file data\n", file); +-- +2.51.0 + diff --git a/queue-6.19/gpu-nova-core-align-libosmemoryregioninitargument-si.patch b/queue-6.19/gpu-nova-core-align-libosmemoryregioninitargument-si.patch new file mode 100644 index 0000000000..bc7958e524 --- /dev/null +++ b/queue-6.19/gpu-nova-core-align-libosmemoryregioninitargument-si.patch @@ -0,0 +1,98 @@ +From 95efa20afcc0288cad7a14ea80136a6771b3b65a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 16:28:46 -0600 +Subject: gpu: nova-core: align LibosMemoryRegionInitArgument size to page size + +From: Alexandre Courbot + +[ Upstream commit 58d26d42818c0f8c9b334cc7cf318b43046e675f ] + +On Turing and GA100 (i.e. the versions that use Libos v2), GSP-RM insists +that the 'size' parameter of the LibosMemoryRegionInitArgument struct be +aligned to 4KB. The logging buffers are already aligned to that size, so +only the GSP_ARGUMENTS_CACHED struct needs to be adjusted. Make that +adjustment by adding padding to the end of the struct. + +Signed-off-by: Timur Tabi +Reviewed-by: Gary Guo +Acked-by: Danilo Krummrich +Link: https://patch.msgid.link/20260122222848.2555890-12-ttabi@nvidia.com +[acourbot@nvidia.com: GspArgumentsAligned -> GspArgumentsPadded] +Signed-off-by: Alexandre Courbot +Stable-dep-of: 4da879a0d3fd ("rust: dma: use pointer projection infra for `dma_{read,write}` macro") +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gsp.rs | 8 ++++---- + drivers/gpu/nova-core/gsp/fw.rs | 14 +++++++++++++- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs +index 766fd99053589..174feaca0a6b9 100644 +--- a/drivers/gpu/nova-core/gsp.rs ++++ b/drivers/gpu/nova-core/gsp.rs +@@ -27,7 +27,7 @@ pub(crate) use fw::{ + use crate::{ + gsp::cmdq::Cmdq, + gsp::fw::{ +- GspArgumentsCached, ++ GspArgumentsPadded, + LibosMemoryRegionInitArgument, // + }, + num, +@@ -114,7 +114,7 @@ pub(crate) struct Gsp { + /// Command queue. + pub(crate) cmdq: Cmdq, + /// RM arguments. +- rmargs: CoherentAllocation, ++ rmargs: CoherentAllocation, + } + + impl Gsp { +@@ -133,7 +133,7 @@ impl Gsp { + logintr: LogBuffer::new(dev)?, + logrm: LogBuffer::new(dev)?, + cmdq: Cmdq::new(dev)?, +- rmargs: CoherentAllocation::::alloc_coherent( ++ rmargs: CoherentAllocation::::alloc_coherent( + dev, + 1, + GFP_KERNEL | __GFP_ZERO, +@@ -149,7 +149,7 @@ impl Gsp { + libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0) + )?; + dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; +- dma_write!(rmargs[0] = fw::GspArgumentsCached::new(cmdq))?; ++ dma_write!(rmargs[0].inner = fw::GspArgumentsCached::new(cmdq))?; + dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", rmargs))?; + }, + })) +diff --git a/drivers/gpu/nova-core/gsp/fw.rs b/drivers/gpu/nova-core/gsp/fw.rs +index caeb0d251fe5f..83ff91614e36d 100644 +--- a/drivers/gpu/nova-core/gsp/fw.rs ++++ b/drivers/gpu/nova-core/gsp/fw.rs +@@ -904,9 +904,21 @@ impl GspArgumentsCached { + // SAFETY: Padding is explicit and will not contain uninitialized data. + unsafe impl AsBytes for GspArgumentsCached {} + ++/// On Turing and GA100, the entries in the `LibosMemoryRegionInitArgument` ++/// must all be a multiple of GSP_PAGE_SIZE in size, so add padding to force it ++/// to that size. ++#[repr(C)] ++pub(crate) struct GspArgumentsPadded { ++ pub(crate) inner: GspArgumentsCached, ++ _padding: [u8; GSP_PAGE_SIZE - core::mem::size_of::()], ++} ++ ++// SAFETY: Padding is explicit and will not contain uninitialized data. ++unsafe impl AsBytes for GspArgumentsPadded {} ++ + // SAFETY: This struct only contains integer types for which all bit patterns + // are valid. +-unsafe impl FromBytes for GspArgumentsCached {} ++unsafe impl FromBytes for GspArgumentsPadded {} + + /// Init arguments for the message queue. + #[repr(transparent)] +-- +2.51.0 + diff --git a/queue-6.19/gpu-nova-core-fix-stack-overflow-in-gsp-memory-alloc.patch b/queue-6.19/gpu-nova-core-fix-stack-overflow-in-gsp-memory-alloc.patch new file mode 100644 index 0000000000..d2e1e79df2 --- /dev/null +++ b/queue-6.19/gpu-nova-core-fix-stack-overflow-in-gsp-memory-alloc.patch @@ -0,0 +1,132 @@ +From ef4e635e9a5f24fa6432649c59af405de10b0692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 12:34:21 -0400 +Subject: gpu: nova-core: fix stack overflow in GSP memory allocation + +From: Tim Kovalenko + +[ Upstream commit c7940c8bf215b9dc6211781c77ce80e76982a723 ] + +The `Cmdq::new` function was allocating a `PteArray` struct on the stack +and was causing a stack overflow with 8216 bytes. + +Modify the `PteArray` to calculate and write the Page Table Entries +directly into the coherent DMA buffer one-by-one. This reduces the stack +usage quite a lot. + +Reported-by: Gary Guo +Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/509436-Nova/topic/.60Cmdq.3A.3Anew.60.20uses.20excessive.20stack.20size/near/570375549 +Link: https://lore.kernel.org/rust-for-linux/CANiq72mAQxbRJZDnik3Qmd4phvFwPA01O2jwaaXRh_T+2=L-qA@mail.gmail.com/ +Fixes: f38b4f105cfc ("gpu: nova-core: Create initial Gsp") +Acked-by: Alexandre Courbot +Signed-off-by: Tim Kovalenko +Link: https://patch.msgid.link/20260309-drm-rust-next-v4-4-4ef485b19a4c@proton.me +[ * Use PteArray::entry() in LogBuffer::new(), + * Add TODO comment to use IoView projections once available, + * Add PTE_ARRAY_SIZE constant to avoid duplication. + + - Danilo ] +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gsp.rs | 32 ++++++++++++++++--------------- + drivers/gpu/nova-core/gsp/cmdq.rs | 14 ++++++++++++-- + 2 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs +index 25cd48514c777..c69adaa92bbe7 100644 +--- a/drivers/gpu/nova-core/gsp.rs ++++ b/drivers/gpu/nova-core/gsp.rs +@@ -47,16 +47,12 @@ struct PteArray([u64; NUM_ENTRIES]); + unsafe impl AsBytes for PteArray {} + + impl PteArray { +- /// Creates a new page table array mapping `NUM_PAGES` GSP pages starting at address `start`. +- fn new(start: DmaAddress) -> Result { +- let mut ptes = [0u64; NUM_PAGES]; +- for (i, pte) in ptes.iter_mut().enumerate() { +- *pte = start +- .checked_add(num::usize_as_u64(i) << GSP_PAGE_SHIFT) +- .ok_or(EOVERFLOW)?; +- } +- +- Ok(Self(ptes)) ++ /// Returns the page table entry for `index`, for a mapping starting at `start`. ++ // TODO: Replace with `IoView` projection once available. ++ fn entry(start: DmaAddress, index: usize) -> Result { ++ start ++ .checked_add(num::usize_as_u64(index) << GSP_PAGE_SHIFT) ++ .ok_or(EOVERFLOW) + } + } + +@@ -86,16 +82,22 @@ impl LogBuffer { + NUM_PAGES * GSP_PAGE_SIZE, + GFP_KERNEL | __GFP_ZERO, + )?); +- let ptes = PteArray::::new(obj.0.dma_handle())?; ++ ++ let start_addr = obj.0.dma_handle(); + + // SAFETY: `obj` has just been created and we are its sole user. +- unsafe { +- // Copy the self-mapping PTE at the expected location. ++ let pte_region = unsafe { + obj.0 +- .as_slice_mut(size_of::(), size_of_val(&ptes))? +- .copy_from_slice(ptes.as_bytes()) ++ .as_slice_mut(size_of::(), NUM_PAGES * size_of::())? + }; + ++ // Write values one by one to avoid an on-stack instance of `PteArray`. ++ for (i, chunk) in pte_region.chunks_exact_mut(size_of::()).enumerate() { ++ let pte_value = PteArray::<0>::entry(start_addr, i)?; ++ ++ chunk.copy_from_slice(&pte_value.to_ne_bytes()); ++ } ++ + Ok(obj) + } + } +diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs +index 1cdd1ccfe5702..e94d63f631ceb 100644 +--- a/drivers/gpu/nova-core/gsp/cmdq.rs ++++ b/drivers/gpu/nova-core/gsp/cmdq.rs +@@ -159,7 +159,7 @@ struct Msgq { + #[repr(C)] + struct GspMem { + /// Self-mapping page table entries. +- ptes: PteArray<{ GSP_PAGE_SIZE / size_of::() }>, ++ ptes: PteArray<{ Self::PTE_ARRAY_SIZE }>, + /// CPU queue: the driver writes commands here, and the GSP reads them. It also contains the + /// write and read pointers that the CPU updates. + /// +@@ -172,6 +172,10 @@ struct GspMem { + gspq: Msgq, + } + ++impl GspMem { ++ const PTE_ARRAY_SIZE: usize = GSP_PAGE_SIZE / size_of::(); ++} ++ + // SAFETY: These structs don't meet the no-padding requirements of AsBytes but + // that is not a problem because they are not used outside the kernel. + unsafe impl AsBytes for GspMem {} +@@ -201,7 +205,13 @@ impl DmaGspMem { + + let gsp_mem = + CoherentAllocation::::alloc_coherent(dev, 1, GFP_KERNEL | __GFP_ZERO)?; +- dma_write!(gsp_mem, [0]?.ptes, PteArray::new(gsp_mem.dma_handle())?); ++ ++ let start = gsp_mem.dma_handle(); ++ // Write values one by one to avoid an on-stack instance of `PteArray`. ++ for i in 0..GspMem::PTE_ARRAY_SIZE { ++ dma_write!(gsp_mem, [0]?.ptes.0[i], PteArray::<0>::entry(start, i)?); ++ } ++ + dma_write!( + gsp_mem, + [0]?.cpuq.tx, +-- +2.51.0 + diff --git a/queue-6.19/gpu-nova-core-gsp-fix-ub-in-dmagspmem-pointer-access.patch b/queue-6.19/gpu-nova-core-gsp-fix-ub-in-dmagspmem-pointer-access.patch new file mode 100644 index 0000000000..215b47e593 --- /dev/null +++ b/queue-6.19/gpu-nova-core-gsp-fix-ub-in-dmagspmem-pointer-access.patch @@ -0,0 +1,316 @@ +From af2e195cfb4960e6070fa7f22a78be22174b6321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 23:53:24 +0100 +Subject: gpu: nova-core: gsp: fix UB in DmaGspMem pointer accessors + +From: Danilo Krummrich + +[ Upstream commit 0073a17b466684413ac87cf8ff6c19560db44e7a ] + +The DmaGspMem pointer accessor methods (gsp_write_ptr, gsp_read_ptr, +cpu_read_ptr, cpu_write_ptr, advance_cpu_read_ptr, +advance_cpu_write_ptr) dereference a raw pointer to DMA memory, creating +an intermediate reference before calling volatile read/write methods. + +This is undefined behavior since DMA memory can be concurrently modified +by the device. + +Fix this by moving the implementations into a gsp_mem module in fw.rs +that uses the dma_read!() / dma_write!() macros, making the original +methods on DmaGspMem thin forwarding wrappers. + +An alternative approach would have been to wrap the shared memory in +Opaque, but that would have required even more unsafe code. + +Since the gsp_mem module lives in fw.rs (to access firmware-specific +binding field names), GspMem, Msgq and their relevant fields are +temporarily widened to pub(super). This will be reverted once IoView +projections are available. + +Cc: Gary Guo +Closes: https://lore.kernel.org/nouveau/DGUT14ILG35P.1UMNRKU93JUM1@kernel.org/ +Fixes: 75f6b1de8133 ("gpu: nova-core: gsp: Add GSP command queue bindings and handling") +Reviewed-by: Alexandre Courbot +Link: https://patch.msgid.link/20260309225408.27714-1-dakr@kernel.org +[ Use pub(super) where possible; replace bitwise-and with modulo + operator analogous to [1]. - Danilo ] +Link: https://lore.kernel.org/all/20260129-nova-core-cmdq1-v3-1-2ede85493a27@nvidia.com/ [1] +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gsp/cmdq.rs | 71 +++++---------------- + drivers/gpu/nova-core/gsp/fw.rs | 101 ++++++++++++++++++++---------- + 2 files changed, 84 insertions(+), 88 deletions(-) + +diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs +index e94d63f631ceb..db53020a495eb 100644 +--- a/drivers/gpu/nova-core/gsp/cmdq.rs ++++ b/drivers/gpu/nova-core/gsp/cmdq.rs +@@ -2,11 +2,7 @@ + + use core::{ + cmp, +- mem, +- sync::atomic::{ +- fence, +- Ordering, // +- }, // ++ mem, // + }; + + use kernel::{ +@@ -146,30 +142,32 @@ static_assert!(align_of::() == GSP_PAGE_SIZE); + #[repr(C)] + // There is no struct defined for this in the open-gpu-kernel-source headers. + // Instead it is defined by code in `GspMsgQueuesInit()`. +-struct Msgq { ++// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module. ++pub(super) struct Msgq { + /// Header for sending messages, including the write pointer. +- tx: MsgqTxHeader, ++ pub(super) tx: MsgqTxHeader, + /// Header for receiving messages, including the read pointer. +- rx: MsgqRxHeader, ++ pub(super) rx: MsgqRxHeader, + /// The message queue proper. + msgq: MsgqData, + } + + /// Structure shared between the driver and the GSP and containing the command and message queues. + #[repr(C)] +-struct GspMem { ++// TODO: Revert to private once `IoView` projections replace the `gsp_mem` module. ++pub(super) struct GspMem { + /// Self-mapping page table entries. + ptes: PteArray<{ Self::PTE_ARRAY_SIZE }>, + /// CPU queue: the driver writes commands here, and the GSP reads them. It also contains the + /// write and read pointers that the CPU updates. + /// + /// This member is read-only for the GSP. +- cpuq: Msgq, ++ pub(super) cpuq: Msgq, + /// GSP queue: the GSP writes messages here, and the driver reads them. It also contains the + /// write and read pointers that the GSP updates. + /// + /// This member is read-only for the driver. +- gspq: Msgq, ++ pub(super) gspq: Msgq, + } + + impl GspMem { +@@ -331,12 +329,7 @@ impl DmaGspMem { + // + // - The returned value is between `0` and `MSGQ_NUM_PAGES`. + fn gsp_write_ptr(&self) -> u32 { +- let gsp_mem = self.0.start_ptr(); +- +- // SAFETY: +- // - The 'CoherentAllocation' contains at least one object. +- // - By the invariants of `CoherentAllocation` the pointer is valid. +- (unsafe { (*gsp_mem).gspq.tx.write_ptr() } % MSGQ_NUM_PAGES) ++ super::fw::gsp_mem::gsp_write_ptr(&self.0) + } + + // Returns the index of the memory page the GSP will read the next command from. +@@ -345,12 +338,7 @@ impl DmaGspMem { + // + // - The returned value is between `0` and `MSGQ_NUM_PAGES`. + fn gsp_read_ptr(&self) -> u32 { +- let gsp_mem = self.0.start_ptr(); +- +- // SAFETY: +- // - The 'CoherentAllocation' contains at least one object. +- // - By the invariants of `CoherentAllocation` the pointer is valid. +- (unsafe { (*gsp_mem).gspq.rx.read_ptr() } % MSGQ_NUM_PAGES) ++ super::fw::gsp_mem::gsp_read_ptr(&self.0) + } + + // Returns the index of the memory page the CPU can read the next message from. +@@ -359,27 +347,12 @@ impl DmaGspMem { + // + // - The returned value is between `0` and `MSGQ_NUM_PAGES`. + fn cpu_read_ptr(&self) -> u32 { +- let gsp_mem = self.0.start_ptr(); +- +- // SAFETY: +- // - The ['CoherentAllocation'] contains at least one object. +- // - By the invariants of CoherentAllocation the pointer is valid. +- (unsafe { (*gsp_mem).cpuq.rx.read_ptr() } % MSGQ_NUM_PAGES) ++ super::fw::gsp_mem::cpu_read_ptr(&self.0) + } + + // Informs the GSP that it can send `elem_count` new pages into the message queue. + fn advance_cpu_read_ptr(&mut self, elem_count: u32) { +- let rptr = self.cpu_read_ptr().wrapping_add(elem_count) % MSGQ_NUM_PAGES; +- +- // Ensure read pointer is properly ordered. +- fence(Ordering::SeqCst); +- +- let gsp_mem = self.0.start_ptr_mut(); +- +- // SAFETY: +- // - The 'CoherentAllocation' contains at least one object. +- // - By the invariants of `CoherentAllocation` the pointer is valid. +- unsafe { (*gsp_mem).cpuq.rx.set_read_ptr(rptr) }; ++ super::fw::gsp_mem::advance_cpu_read_ptr(&self.0, elem_count) + } + + // Returns the index of the memory page the CPU can write the next command to. +@@ -388,26 +361,12 @@ impl DmaGspMem { + // + // - The returned value is between `0` and `MSGQ_NUM_PAGES`. + fn cpu_write_ptr(&self) -> u32 { +- let gsp_mem = self.0.start_ptr(); +- +- // SAFETY: +- // - The 'CoherentAllocation' contains at least one object. +- // - By the invariants of `CoherentAllocation` the pointer is valid. +- (unsafe { (*gsp_mem).cpuq.tx.write_ptr() } % MSGQ_NUM_PAGES) ++ super::fw::gsp_mem::cpu_write_ptr(&self.0) + } + + // Informs the GSP that it can process `elem_count` new pages from the command queue. + fn advance_cpu_write_ptr(&mut self, elem_count: u32) { +- let wptr = self.cpu_write_ptr().wrapping_add(elem_count) & MSGQ_NUM_PAGES; +- let gsp_mem = self.0.start_ptr_mut(); +- +- // SAFETY: +- // - The 'CoherentAllocation' contains at least one object. +- // - By the invariants of `CoherentAllocation` the pointer is valid. +- unsafe { (*gsp_mem).cpuq.tx.set_write_ptr(wptr) }; +- +- // Ensure all command data is visible before triggering the GSP read. +- fence(Ordering::SeqCst); ++ super::fw::gsp_mem::advance_cpu_write_ptr(&self.0, elem_count) + } + } + +diff --git a/drivers/gpu/nova-core/gsp/fw.rs b/drivers/gpu/nova-core/gsp/fw.rs +index 83ff91614e36d..040b30ec3089b 100644 +--- a/drivers/gpu/nova-core/gsp/fw.rs ++++ b/drivers/gpu/nova-core/gsp/fw.rs +@@ -40,6 +40,75 @@ use crate::{ + }, + }; + ++// TODO: Replace with `IoView` projections once available; the `unwrap()` calls go away once we ++// switch to the new `dma::Coherent` API. ++pub(super) mod gsp_mem { ++ use core::sync::atomic::{ ++ fence, ++ Ordering, // ++ }; ++ ++ use kernel::{ ++ dma::CoherentAllocation, ++ dma_read, ++ dma_write, ++ prelude::*, // ++ }; ++ ++ use crate::gsp::cmdq::{ ++ GspMem, ++ MSGQ_NUM_PAGES, // ++ }; ++ ++ pub(in crate::gsp) fn gsp_write_ptr(qs: &CoherentAllocation) -> u32 { ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { Ok(dma_read!(qs, [0]?.gspq.tx.0.writePtr) % MSGQ_NUM_PAGES) }().unwrap() ++ } ++ ++ pub(in crate::gsp) fn gsp_read_ptr(qs: &CoherentAllocation) -> u32 { ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { Ok(dma_read!(qs, [0]?.gspq.rx.0.readPtr) % MSGQ_NUM_PAGES) }().unwrap() ++ } ++ ++ pub(in crate::gsp) fn cpu_read_ptr(qs: &CoherentAllocation) -> u32 { ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { Ok(dma_read!(qs, [0]?.cpuq.rx.0.readPtr) % MSGQ_NUM_PAGES) }().unwrap() ++ } ++ ++ pub(in crate::gsp) fn advance_cpu_read_ptr(qs: &CoherentAllocation, count: u32) { ++ let rptr = cpu_read_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES; ++ ++ // Ensure read pointer is properly ordered. ++ fence(Ordering::SeqCst); ++ ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { ++ dma_write!(qs, [0]?.cpuq.rx.0.readPtr, rptr); ++ Ok(()) ++ }() ++ .unwrap() ++ } ++ ++ pub(in crate::gsp) fn cpu_write_ptr(qs: &CoherentAllocation) -> u32 { ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { Ok(dma_read!(qs, [0]?.cpuq.tx.0.writePtr) % MSGQ_NUM_PAGES) }().unwrap() ++ } ++ ++ pub(in crate::gsp) fn advance_cpu_write_ptr(qs: &CoherentAllocation, count: u32) { ++ let wptr = cpu_write_ptr(qs).wrapping_add(count) % MSGQ_NUM_PAGES; ++ ++ // PANIC: A `dma::CoherentAllocation` always contains at least one element. ++ || -> Result { ++ dma_write!(qs, [0]?.cpuq.tx.0.writePtr, wptr); ++ Ok(()) ++ }() ++ .unwrap(); ++ ++ // Ensure all command data is visible before triggering the GSP read. ++ fence(Ordering::SeqCst); ++ } ++} ++ + /// Empty type to group methods related to heap parameters for running the GSP firmware. + enum GspFwHeapParams {} + +@@ -708,22 +777,6 @@ impl MsgqTxHeader { + entryOff: num::usize_into_u32::(), + }) + } +- +- /// Returns the value of the write pointer for this queue. +- pub(crate) fn write_ptr(&self) -> u32 { +- let ptr = core::ptr::from_ref(&self.0.writePtr); +- +- // SAFETY: `ptr` is a valid pointer to a `u32`. +- unsafe { ptr.read_volatile() } +- } +- +- /// Sets the value of the write pointer for this queue. +- pub(crate) fn set_write_ptr(&mut self, val: u32) { +- let ptr = core::ptr::from_mut(&mut self.0.writePtr); +- +- // SAFETY: `ptr` is a valid pointer to a `u32`. +- unsafe { ptr.write_volatile(val) } +- } + } + + // SAFETY: Padding is explicit and does not contain uninitialized data. +@@ -739,22 +792,6 @@ impl MsgqRxHeader { + pub(crate) fn new() -> Self { + Self(Default::default()) + } +- +- /// Returns the value of the read pointer for this queue. +- pub(crate) fn read_ptr(&self) -> u32 { +- let ptr = core::ptr::from_ref(&self.0.readPtr); +- +- // SAFETY: `ptr` is a valid pointer to a `u32`. +- unsafe { ptr.read_volatile() } +- } +- +- /// Sets the value of the read pointer for this queue. +- pub(crate) fn set_read_ptr(&mut self, val: u32) { +- let ptr = core::ptr::from_mut(&mut self.0.readPtr); +- +- // SAFETY: `ptr` is a valid pointer to a `u32`. +- unsafe { ptr.write_volatile(val) } +- } + } + + // SAFETY: Padding is explicit and does not contain uninitialized data. +-- +2.51.0 + diff --git a/queue-6.19/gpu-nova-core-gsp-get-rid-of-redundant-result-in-gsp.patch b/queue-6.19/gpu-nova-core-gsp-get-rid-of-redundant-result-in-gsp.patch new file mode 100644 index 0000000000..f1433c394f --- /dev/null +++ b/queue-6.19/gpu-nova-core-gsp-get-rid-of-redundant-result-in-gsp.patch @@ -0,0 +1,130 @@ +From 1c6058aaf9de44791f6355774b03c17778aa3b26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 16:50:50 +0100 +Subject: gpu: nova-core: gsp: get rid of redundant Result in Gsp::new() + +From: Danilo Krummrich + +[ Upstream commit 032a6772d663a26005f4c17be992a716457f095b ] + +In Gsp::new(), utilize pin_init_scope() to get rid of the Result in the +returned + + Result> + +which is unnecessarily redundant. + +Reviewed-by: Joel Fernandes +Link: https://patch.msgid.link/20251218155239.25243-4-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Stable-dep-of: 4da879a0d3fd ("rust: dma: use pointer projection infra for `dma_{read,write}` macro") +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gpu.rs | 2 +- + drivers/gpu/nova-core/gsp.rs | 78 ++++++++++++++++++------------------ + 2 files changed, 41 insertions(+), 39 deletions(-) + +diff --git a/drivers/gpu/nova-core/gpu.rs b/drivers/gpu/nova-core/gpu.rs +index 629c9d2dc994c..50d76092fbdd7 100644 +--- a/drivers/gpu/nova-core/gpu.rs ++++ b/drivers/gpu/nova-core/gpu.rs +@@ -281,7 +281,7 @@ impl Gpu { + + sec2_falcon: Falcon::new(pdev.as_ref(), spec.chipset)?, + +- gsp <- Gsp::new(pdev)?, ++ gsp <- Gsp::new(pdev), + + _: { gsp.boot(pdev, bar, spec.chipset, gsp_falcon, sec2_falcon)? }, + +diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs +index fb6f74797178e..8bc86e1bcac52 100644 +--- a/drivers/gpu/nova-core/gsp.rs ++++ b/drivers/gpu/nova-core/gsp.rs +@@ -119,43 +119,45 @@ pub(crate) struct Gsp { + + impl Gsp { + // Creates an in-place initializer for a `Gsp` manager for `pdev`. +- pub(crate) fn new(pdev: &pci::Device) -> Result> { +- let dev = pdev.as_ref(); +- let libos = CoherentAllocation::::alloc_coherent( +- dev, +- GSP_PAGE_SIZE / size_of::(), +- GFP_KERNEL | __GFP_ZERO, +- )?; +- +- // Initialise the logging structures. The OpenRM equivalents are in: +- // _kgspInitLibosLoggingStructures (allocates memory for buffers) +- // kgspSetupLibosInitArgs_IMPL (creates pLibosInitArgs[] array) +- let loginit = LogBuffer::new(dev)?; +- dma_write!(libos[0] = LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0))?; +- +- let logintr = LogBuffer::new(dev)?; +- dma_write!(libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0))?; +- +- let logrm = LogBuffer::new(dev)?; +- dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; +- +- let cmdq = Cmdq::new(dev)?; +- +- let rmargs = CoherentAllocation::::alloc_coherent( +- dev, +- 1, +- GFP_KERNEL | __GFP_ZERO, +- )?; +- dma_write!(rmargs[0] = fw::GspArgumentsCached::new(&cmdq))?; +- dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", &rmargs))?; +- +- Ok(try_pin_init!(Self { +- libos, +- loginit, +- logintr, +- logrm, +- rmargs, +- cmdq, +- })) ++ pub(crate) fn new(pdev: &pci::Device) -> impl PinInit + '_ { ++ pin_init::pin_init_scope(move || { ++ let dev = pdev.as_ref(); ++ let libos = CoherentAllocation::::alloc_coherent( ++ dev, ++ GSP_PAGE_SIZE / size_of::(), ++ GFP_KERNEL | __GFP_ZERO, ++ )?; ++ ++ // Initialise the logging structures. The OpenRM equivalents are in: ++ // _kgspInitLibosLoggingStructures (allocates memory for buffers) ++ // kgspSetupLibosInitArgs_IMPL (creates pLibosInitArgs[] array) ++ let loginit = LogBuffer::new(dev)?; ++ dma_write!(libos[0] = LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0))?; ++ ++ let logintr = LogBuffer::new(dev)?; ++ dma_write!(libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0))?; ++ ++ let logrm = LogBuffer::new(dev)?; ++ dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; ++ ++ let cmdq = Cmdq::new(dev)?; ++ ++ let rmargs = CoherentAllocation::::alloc_coherent( ++ dev, ++ 1, ++ GFP_KERNEL | __GFP_ZERO, ++ )?; ++ dma_write!(rmargs[0] = fw::GspArgumentsCached::new(&cmdq))?; ++ dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", &rmargs))?; ++ ++ Ok(try_pin_init!(Self { ++ libos, ++ loginit, ++ logintr, ++ logrm, ++ rmargs, ++ cmdq, ++ })) ++ }) + } + } +-- +2.51.0 + diff --git a/queue-6.19/gpu-nova-core-gsp-move-appropriate-code-into-pin-ini.patch b/queue-6.19/gpu-nova-core-gsp-move-appropriate-code-into-pin-ini.patch new file mode 100644 index 0000000000..dd06323ff6 --- /dev/null +++ b/queue-6.19/gpu-nova-core-gsp-move-appropriate-code-into-pin-ini.patch @@ -0,0 +1,110 @@ +From 0ebe84e0db1ec49a9d195c200101de823c6c9a14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 16:50:51 +0100 +Subject: gpu: nova-core: gsp: move appropriate code into pin initializer + +From: Danilo Krummrich + +[ Upstream commit 7acc70476f14661149774ab88d3fe23d83ba4249 ] + +Relocate the code that technically fits in the pin initializer into the +initializer itself. + +While, thanks to pin_init_scope(), it is also possible to keep it as is, +moving appropriate code into the initializer has the advantage that it +structures the dependencies of fields naturally. + +For instance, intermediate data that is only needed for a single field +goes into the initializer block of this field, making it obvious that it +is not needed by anything else. + +On the other hand, intermediate data that is needed for multiple fields +to initialize remains above the initializer, naturally indicating that +it is needed my multiple fields. + +Reviewed-by: Joel Fernandes +Link: https://patch.msgid.link/20251218155239.25243-5-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Stable-dep-of: 4da879a0d3fd ("rust: dma: use pointer projection infra for `dma_{read,write}` macro") +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gsp.rs | 61 +++++++++++++++++------------------- + 1 file changed, 28 insertions(+), 33 deletions(-) + +diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs +index 8bc86e1bcac52..766fd99053589 100644 +--- a/drivers/gpu/nova-core/gsp.rs ++++ b/drivers/gpu/nova-core/gsp.rs +@@ -122,41 +122,36 @@ impl Gsp { + pub(crate) fn new(pdev: &pci::Device) -> impl PinInit + '_ { + pin_init::pin_init_scope(move || { + let dev = pdev.as_ref(); +- let libos = CoherentAllocation::::alloc_coherent( +- dev, +- GSP_PAGE_SIZE / size_of::(), +- GFP_KERNEL | __GFP_ZERO, +- )?; +- +- // Initialise the logging structures. The OpenRM equivalents are in: +- // _kgspInitLibosLoggingStructures (allocates memory for buffers) +- // kgspSetupLibosInitArgs_IMPL (creates pLibosInitArgs[] array) +- let loginit = LogBuffer::new(dev)?; +- dma_write!(libos[0] = LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0))?; +- +- let logintr = LogBuffer::new(dev)?; +- dma_write!(libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0))?; +- +- let logrm = LogBuffer::new(dev)?; +- dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; +- +- let cmdq = Cmdq::new(dev)?; +- +- let rmargs = CoherentAllocation::::alloc_coherent( +- dev, +- 1, +- GFP_KERNEL | __GFP_ZERO, +- )?; +- dma_write!(rmargs[0] = fw::GspArgumentsCached::new(&cmdq))?; +- dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", &rmargs))?; + + Ok(try_pin_init!(Self { +- libos, +- loginit, +- logintr, +- logrm, +- rmargs, +- cmdq, ++ libos: CoherentAllocation::::alloc_coherent( ++ dev, ++ GSP_PAGE_SIZE / size_of::(), ++ GFP_KERNEL | __GFP_ZERO, ++ )?, ++ loginit: LogBuffer::new(dev)?, ++ logintr: LogBuffer::new(dev)?, ++ logrm: LogBuffer::new(dev)?, ++ cmdq: Cmdq::new(dev)?, ++ rmargs: CoherentAllocation::::alloc_coherent( ++ dev, ++ 1, ++ GFP_KERNEL | __GFP_ZERO, ++ )?, ++ _: { ++ // Initialise the logging structures. The OpenRM equivalents are in: ++ // _kgspInitLibosLoggingStructures (allocates memory for buffers) ++ // kgspSetupLibosInitArgs_IMPL (creates pLibosInitArgs[] array) ++ dma_write!( ++ libos[0] = LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0) ++ )?; ++ dma_write!( ++ libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0) ++ )?; ++ dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; ++ dma_write!(rmargs[0] = fw::GspArgumentsCached::new(cmdq))?; ++ dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", rmargs))?; ++ }, + })) + }) + } +-- +2.51.0 + diff --git a/queue-6.19/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-6.19/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..ff0038d397 --- /dev/null +++ b/queue-6.19/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From dd589446c1b4070cc1c45fbdab5b1b3c94ab7ced Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 1fa877b52f618..5a383ed09f790 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3833,10 +3833,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3891,7 +3891,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3979,10 +3979,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-6.19/iavf-fix-incorrect-reset-handling-in-callbacks.patch b/queue-6.19/iavf-fix-incorrect-reset-handling-in-callbacks.patch new file mode 100644 index 0000000000..fef2db0cc8 --- /dev/null +++ b/queue-6.19/iavf-fix-incorrect-reset-handling-in-callbacks.patch @@ -0,0 +1,341 @@ +From fa6a7364874074c9d62e5a891e91235f2d8c7eea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Feb 2026 20:18:55 +0100 +Subject: iavf: fix incorrect reset handling in callbacks + +From: Petr Oros + +[ Upstream commit fdadbf6e84c44df8dbb85cfdd38bc10e4431501d ] + +Three driver callbacks schedule a reset and wait for its completion: +ndo_change_mtu(), ethtool set_ringparam(), and ethtool set_channels(). + +Waiting for reset in ndo_change_mtu() and set_ringparam() was added by +commit c2ed2403f12c ("iavf: Wait for reset in callbacks which trigger +it") to fix a race condition where adding an interface to bonding +immediately after MTU or ring parameter change failed because the +interface was still in __RESETTING state. The same commit also added +waiting in iavf_set_priv_flags(), which was later removed by commit +53844673d555 ("iavf: kill "legacy-rx" for good"). + +Waiting in set_channels() was introduced earlier by commit 4e5e6b5d9d13 +("iavf: Fix return of set the new channel count") to ensure the PF has +enough time to complete the VF reset when changing channel count, and to +return correct error codes to userspace. + +Commit ef490bbb2267 ("iavf: Add net_shaper_ops support") added +net_shaper_ops to iavf, which required reset_task to use _locked NAPI +variants (napi_enable_locked, napi_disable_locked) that need the netdev +instance lock. + +Later, commit 7e4d784f5810 ("net: hold netdev instance lock during +rtnetlink operations") and commit 2bcf4772e45a ("net: ethtool: try to +protect all callback with netdev instance lock") started holding the +netdev instance lock during ndo and ethtool callbacks for drivers with +net_shaper_ops. + +Finally, commit 120f28a6f314 ("iavf: get rid of the crit lock") +replaced the driver's crit_lock with netdev_lock in reset_task, causing +incorrect behavior: the callback holds netdev_lock and waits for +reset_task, but reset_task needs the same lock: + + Thread 1 (callback) Thread 2 (reset_task) + ------------------- --------------------- + netdev_lock() [blocked on workqueue] + ndo_change_mtu() or ethtool op + iavf_schedule_reset() + iavf_wait_for_reset() iavf_reset_task() + waiting... netdev_lock() <- blocked + +This does not strictly deadlock because iavf_wait_for_reset() uses +wait_event_interruptible_timeout() with a 5-second timeout. The wait +eventually times out, the callback returns an error to userspace, and +after the lock is released reset_task completes the reset. This leads to +incorrect behavior: userspace sees an error even though the configuration +change silently takes effect after the timeout. + +Fix this by extracting the reset logic from iavf_reset_task() into a new +iavf_reset_step() function that expects netdev_lock to be already held. +The three callbacks now call iavf_reset_step() directly instead of +scheduling the work and waiting, performing the reset synchronously in +the caller's context which already holds netdev_lock. This eliminates +both the incorrect error reporting and the need for +iavf_wait_for_reset(), which is removed along with the now-unused +reset_waitqueue. + +The workqueue-based iavf_reset_task() becomes a thin wrapper that +acquires netdev_lock and calls iavf_reset_step(), preserving its use +for PF-initiated resets. + +The callbacks may block for several seconds while iavf_reset_step() +polls hardware registers, but this is acceptable since netdev_lock is a +per-device mutex and only serializes operations on the same interface. + +v3: +- Remove netif_running() guard from iavf_set_channels(). Unlike + set_ringparam where descriptor counts are picked up by iavf_open() + directly, num_req_queues is only consumed during + iavf_reinit_interrupt_scheme() in the reset path. Skipping the reset + on a down device would silently discard the channel count change. +- Remove dead reset_waitqueue code (struct field, init, and all + wake_up calls) since iavf_wait_for_reset() was the only consumer. + +Fixes: 120f28a6f314 ("iavf: get rid of the crit lock") +Reviewed-by: Jacob Keller +Signed-off-by: Petr Oros +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf.h | 3 +- + .../net/ethernet/intel/iavf/iavf_ethtool.c | 19 ++--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 77 ++++++------------- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 1 - + 4 files changed, 31 insertions(+), 69 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h +index a87e0c6d4017a..e9fb0a0919e37 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf.h ++++ b/drivers/net/ethernet/intel/iavf/iavf.h +@@ -260,7 +260,6 @@ struct iavf_adapter { + struct work_struct adminq_task; + struct work_struct finish_config; + wait_queue_head_t down_waitqueue; +- wait_queue_head_t reset_waitqueue; + wait_queue_head_t vc_waitqueue; + struct iavf_q_vector *q_vectors; + struct list_head vlan_filter_list; +@@ -626,5 +625,5 @@ void iavf_add_adv_rss_cfg(struct iavf_adapter *adapter); + void iavf_del_adv_rss_cfg(struct iavf_adapter *adapter); + struct iavf_mac_filter *iavf_add_filter(struct iavf_adapter *adapter, + const u8 *macaddr); +-int iavf_wait_for_reset(struct iavf_adapter *adapter); ++void iavf_reset_step(struct iavf_adapter *adapter); + #endif /* _IAVF_H_ */ +diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +index 2cc21289a7077..6ff3842a1ff1f 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c +@@ -492,7 +492,6 @@ static int iavf_set_ringparam(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 new_rx_count, new_tx_count; +- int ret = 0; + + if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending)) + return -EINVAL; +@@ -537,13 +536,11 @@ static int iavf_set_ringparam(struct net_device *netdev, + } + + if (netif_running(netdev)) { +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); +- ret = iavf_wait_for_reset(adapter); +- if (ret) +- netdev_warn(netdev, "Changing ring parameters timeout or interrupted waiting for reset"); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + } + +- return ret; ++ return 0; + } + + /** +@@ -1723,7 +1720,6 @@ static int iavf_set_channels(struct net_device *netdev, + { + struct iavf_adapter *adapter = netdev_priv(netdev); + u32 num_req = ch->combined_count; +- int ret = 0; + + if ((adapter->vf_res->vf_cap_flags & VIRTCHNL_VF_OFFLOAD_ADQ) && + adapter->num_tc) { +@@ -1745,13 +1741,10 @@ static int iavf_set_channels(struct net_device *netdev, + + adapter->num_req_queues = num_req; + adapter->flags |= IAVF_FLAG_REINIT_ITR_NEEDED; +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + +- ret = iavf_wait_for_reset(adapter); +- if (ret) +- netdev_warn(netdev, "Changing channel count timeout or interrupted waiting for reset"); +- +- return ret; ++ return 0; + } + + /** +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 3625c70bc3292..03ab2a4276bbf 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -185,31 +185,6 @@ static bool iavf_is_reset_in_progress(struct iavf_adapter *adapter) + return false; + } + +-/** +- * iavf_wait_for_reset - Wait for reset to finish. +- * @adapter: board private structure +- * +- * Returns 0 if reset finished successfully, negative on timeout or interrupt. +- */ +-int iavf_wait_for_reset(struct iavf_adapter *adapter) +-{ +- int ret = wait_event_interruptible_timeout(adapter->reset_waitqueue, +- !iavf_is_reset_in_progress(adapter), +- msecs_to_jiffies(5000)); +- +- /* If ret < 0 then it means wait was interrupted. +- * If ret == 0 then it means we got a timeout while waiting +- * for reset to finish. +- * If ret > 0 it means reset has finished. +- */ +- if (ret > 0) +- return 0; +- else if (ret < 0) +- return -EINTR; +- else +- return -EBUSY; +-} +- + /** + * iavf_allocate_dma_mem_d - OS specific memory alloc for shared code + * @hw: pointer to the HW structure +@@ -3117,18 +3092,16 @@ static void iavf_reconfig_qs_bw(struct iavf_adapter *adapter) + } + + /** +- * iavf_reset_task - Call-back task to handle hardware reset +- * @work: pointer to work_struct ++ * iavf_reset_step - Perform the VF reset sequence ++ * @adapter: board private structure + * +- * During reset we need to shut down and reinitialize the admin queue +- * before we can use it to communicate with the PF again. We also clear +- * and reinit the rings because that context is lost as well. +- **/ +-static void iavf_reset_task(struct work_struct *work) ++ * Requests a reset from PF, polls for completion, and reconfigures ++ * the driver. Caller must hold the netdev instance lock. ++ * ++ * This can sleep for several seconds while polling HW registers. ++ */ ++void iavf_reset_step(struct iavf_adapter *adapter) + { +- struct iavf_adapter *adapter = container_of(work, +- struct iavf_adapter, +- reset_task); + struct virtchnl_vf_resource *vfres = adapter->vf_res; + struct net_device *netdev = adapter->netdev; + struct iavf_hw *hw = &adapter->hw; +@@ -3139,7 +3112,7 @@ static void iavf_reset_task(struct work_struct *work) + int i = 0, err; + bool running; + +- netdev_lock(netdev); ++ netdev_assert_locked(netdev); + + iavf_misc_irq_disable(adapter); + if (adapter->flags & IAVF_FLAG_RESET_NEEDED) { +@@ -3184,7 +3157,6 @@ static void iavf_reset_task(struct work_struct *work) + dev_err(&adapter->pdev->dev, "Reset never finished (%x)\n", + reg_val); + iavf_disable_vf(adapter); +- netdev_unlock(netdev); + return; /* Do not attempt to reinit. It's dead, Jim. */ + } + +@@ -3196,7 +3168,6 @@ static void iavf_reset_task(struct work_struct *work) + iavf_startup(adapter); + queue_delayed_work(adapter->wq, &adapter->watchdog_task, + msecs_to_jiffies(30)); +- netdev_unlock(netdev); + return; + } + +@@ -3339,9 +3310,6 @@ static void iavf_reset_task(struct work_struct *work) + + adapter->flags &= ~IAVF_FLAG_REINIT_ITR_NEEDED; + +- wake_up(&adapter->reset_waitqueue); +- netdev_unlock(netdev); +- + return; + reset_err: + if (running) { +@@ -3350,10 +3318,21 @@ static void iavf_reset_task(struct work_struct *work) + } + iavf_disable_vf(adapter); + +- netdev_unlock(netdev); + dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n"); + } + ++static void iavf_reset_task(struct work_struct *work) ++{ ++ struct iavf_adapter *adapter = container_of(work, ++ struct iavf_adapter, ++ reset_task); ++ struct net_device *netdev = adapter->netdev; ++ ++ netdev_lock(netdev); ++ iavf_reset_step(adapter); ++ netdev_unlock(netdev); ++} ++ + /** + * iavf_adminq_task - worker thread to clean the admin queue + * @work: pointer to work_struct containing our data +@@ -4619,22 +4598,17 @@ static int iavf_close(struct net_device *netdev) + static int iavf_change_mtu(struct net_device *netdev, int new_mtu) + { + struct iavf_adapter *adapter = netdev_priv(netdev); +- int ret = 0; + + netdev_dbg(netdev, "changing MTU from %d to %d\n", + netdev->mtu, new_mtu); + WRITE_ONCE(netdev->mtu, new_mtu); + + if (netif_running(netdev)) { +- iavf_schedule_reset(adapter, IAVF_FLAG_RESET_NEEDED); +- ret = iavf_wait_for_reset(adapter); +- if (ret < 0) +- netdev_warn(netdev, "MTU change interrupted waiting for reset"); +- else if (ret) +- netdev_warn(netdev, "MTU change timed out waiting for reset"); ++ adapter->flags |= IAVF_FLAG_RESET_NEEDED; ++ iavf_reset_step(adapter); + } + +- return ret; ++ return 0; + } + + /** +@@ -5439,9 +5413,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + /* Setup the wait queue for indicating transition to down status */ + init_waitqueue_head(&adapter->down_waitqueue); + +- /* Setup the wait queue for indicating transition to running state */ +- init_waitqueue_head(&adapter->reset_waitqueue); +- + /* Setup the wait queue for indicating virtchannel events */ + init_waitqueue_head(&adapter->vc_waitqueue); + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index 88156082a41da..a52c100dcbc56 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -2736,7 +2736,6 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + case VIRTCHNL_OP_ENABLE_QUEUES: + /* enable transmits */ + iavf_irq_enable(adapter, true); +- wake_up(&adapter->reset_waitqueue); + adapter->flags &= ~IAVF_FLAG_QUEUES_DISABLED; + break; + case VIRTCHNL_OP_DISABLE_QUEUES: +-- +2.51.0 + diff --git a/queue-6.19/iavf-fix-ptp-use-after-free-during-reset.patch b/queue-6.19/iavf-fix-ptp-use-after-free-during-reset.patch new file mode 100644 index 0000000000..3d913d1c27 --- /dev/null +++ b/queue-6.19/iavf-fix-ptp-use-after-free-during-reset.patch @@ -0,0 +1,59 @@ +From ef48ef620381a995280131dfc4e7835cf8fc0575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jan 2026 10:57:23 +0100 +Subject: iavf: fix PTP use-after-free during reset + +From: Petr Oros + +[ Upstream commit efc54fb13d79117a825fef17364315a58682c7ec ] + +Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a +worker to cache PHC time, but failed to stop it during reset or disable. + +This creates a race condition where `iavf_reset_task()` or +`iavf_disable_vf()` free adapter resources (AQ) while the worker is still +running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it +accesses freed memory/locks, leading to a crash. + +Fix this by calling `iavf_ptp_release()` before tearing down the adapter. +This ensures `ptp_clock_unregister()` synchronously cancels the worker and +cleans up the chardev before the backing resources are destroyed. + +Fixes: 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") +Signed-off-by: Petr Oros +Reviewed-by: Ivan Vecera +Acked-by: Jacob Keller +Reviewed-by: Vadim Fedorenko +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 53a0366fbf998..3625c70bc3292 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -3040,6 +3040,8 @@ static void iavf_disable_vf(struct iavf_adapter *adapter) + + adapter->flags |= IAVF_FLAG_PF_COMMS_FAILED; + ++ iavf_ptp_release(adapter); ++ + /* We don't use netif_running() because it may be true prior to + * ndo_open() returning, so we can't assume it means all our open + * tasks have finished, since we're not holding the rtnl_lock here. +@@ -3215,6 +3217,8 @@ static void iavf_reset_task(struct work_struct *work) + iavf_change_state(adapter, __IAVF_RESETTING); + adapter->flags &= ~IAVF_FLAG_RESET_PENDING; + ++ iavf_ptp_release(adapter); ++ + /* free the Tx/Rx rings and descriptors, might be better to just + * re-use them sometime in the future + */ +-- +2.51.0 + diff --git a/queue-6.19/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch b/queue-6.19/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch new file mode 100644 index 0000000000..27ab1d13a0 --- /dev/null +++ b/queue-6.19/iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch @@ -0,0 +1,86 @@ +From 66206dc4649cb47bbab8750192d278ab86c9fcd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Dec 2025 22:14:16 +0100 +Subject: iio: imu: inv-mpu9150: fix irq ack preventing irq storms + +From: Andreas Kemnade + +[ Upstream commit d23d763e00ace4e9c59f8d33e0713d401133ba88 ] + +IRQ needs to be acked. for some odd reasons, reading from irq status does +not reliable help, enable acking from any register to be on the safe side +and read the irq status register. Comments in the code indicate a known +unreliability with that register. +The blamed commit was tested with mpu6050 in lg,p895 and lg,p880 according +to Tested-bys. But with the MPU9150 in the Epson Moverio BT-200 this leads +to irq storms without properly acking the irq. + +Fixes: 0a3b517c8089 ("iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips") +Signed-off-by: Andreas Kemnade +Acked-by: Jean-Baptiste Maneyrol +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 8 ++++++++ + drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 2 ++ + drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c | 5 ++++- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +index b2fa1f4957a5b..5796896d54cd8 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c +@@ -1943,6 +1943,14 @@ int inv_mpu_core_probe(struct regmap *regmap, int irq, const char *name, + irq_type); + return -EINVAL; + } ++ ++ /* ++ * Acking interrupts by status register does not work reliably ++ * but seem to work when this bit is set. ++ */ ++ if (st->chip_type == INV_MPU9150) ++ st->irq_mask |= INV_MPU6050_INT_RD_CLEAR; ++ + device_set_wakeup_capable(dev, true); + + st->vdd_supply = devm_regulator_get(dev, "vdd"); +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +index 211901f8b8eb6..6239b1a803f77 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h +@@ -390,6 +390,8 @@ struct inv_mpu6050_state { + /* enable level triggering */ + #define INV_MPU6050_LATCH_INT_EN 0x20 + #define INV_MPU6050_BIT_BYPASS_EN 0x2 ++/* allow acking interrupts by any register read */ ++#define INV_MPU6050_INT_RD_CLEAR 0x10 + + /* Allowed timestamp period jitter in percent */ + #define INV_MPU6050_TS_PERIOD_JITTER 4 +diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +index 10a4733420759..22c1ce66f99ee 100644 +--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c ++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_trigger.c +@@ -248,7 +248,6 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + switch (st->chip_type) { + case INV_MPU6000: + case INV_MPU6050: +- case INV_MPU9150: + /* + * WoM is not supported and interrupt status read seems to be broken for + * some chips. Since data ready is the only interrupt, bypass interrupt +@@ -257,6 +256,10 @@ static irqreturn_t inv_mpu6050_interrupt_handle(int irq, void *p) + wom_bits = 0; + int_status = INV_MPU6050_BIT_RAW_DATA_RDY_INT; + goto data_ready_interrupt; ++ case INV_MPU9150: ++ /* IRQ needs to be acked */ ++ wom_bits = 0; ++ break; + case INV_MPU6500: + case INV_MPU6515: + case INV_MPU6880: +-- +2.51.0 + diff --git a/queue-6.19/io_uring-fix-physical-sqe-bounds-check-for-sqe_mixed.patch b/queue-6.19/io_uring-fix-physical-sqe-bounds-check-for-sqe_mixed.patch new file mode 100644 index 0000000000..5bf95d14ff --- /dev/null +++ b/queue-6.19/io_uring-fix-physical-sqe-bounds-check-for-sqe_mixed.patch @@ -0,0 +1,56 @@ +From 09bf79466c00acff4748775ebf50aaf3fe91fd1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:20:02 -0700 +Subject: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops + +From: Tom Ryan + +[ Upstream commit 6f02c6b196036dbb6defb4647d8707d29b7fe95b ] + +When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, +the boundary check for 128-byte SQE operations in io_init_req() +validated the logical SQ head position rather than the physical SQE +index. + +The existing check: + + !(ctx->cached_sq_head & (ctx->sq_entries - 1)) + +ensures the logical position isn't at the end of the ring, which is +correct for NO_SQARRAY rings where physical == logical. However, when +sq_array is present, an unprivileged user can remap any logical +position to an arbitrary physical index via sq_array. Setting +sq_array[N] = sq_entries - 1 places a 128-byte operation at the last +physical SQE slot, causing the 128-byte memcpy in +io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE +array. + +Replace the cached_sq_head alignment check with a direct validation +of the physical SQE index, which correctly handles both sq_array and +NO_SQARRAY cases. + +Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED") +Signed-off-by: Tom Ryan +Link: https://patch.msgid.link/20260310052003.72871-1-ryan36005@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index 63efd60829f37..b10f33eef19da 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2152,7 +2152,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, + * well as 2 contiguous entries. + */ + if (!(ctx->flags & IORING_SETUP_SQE_MIXED) || *left < 2 || +- !(ctx->cached_sq_head & (ctx->sq_entries - 1))) ++ (unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1) + return io_init_fail_req(req, -EINVAL); + /* + * A 128b operation on a mixed SQ uses two entries, so we have +-- +2.51.0 + diff --git a/queue-6.19/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch b/queue-6.19/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch new file mode 100644 index 0000000000..bd56a32053 --- /dev/null +++ b/queue-6.19/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch @@ -0,0 +1,36 @@ +From d09c1b690e52ffc3e02a956a1be814732aa9696f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:32:34 +0800 +Subject: mctp: i2c: fix skb memory leak in receive path + +From: Haiyue Wang + +[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ] + +When 'midev->allow_rx' is false, the newly allocated skb isn't consumed +by netif_rx(), it needs to free the skb directly. + +Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") +Signed-off-by: Haiyue Wang +Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c +index 8043b57bdf250..f138b0251313e 100644 +--- a/drivers/net/mctp/mctp-i2c.c ++++ b/drivers/net/mctp/mctp-i2c.c +@@ -343,6 +343,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) + } else { + status = NET_RX_DROP; + spin_unlock_irqrestore(&midev->lock, flags); ++ kfree_skb(skb); + } + + if (status == NET_RX_SUCCESS) { +-- +2.51.0 + diff --git a/queue-6.19/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch b/queue-6.19/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch new file mode 100644 index 0000000000..26118bfb39 --- /dev/null +++ b/queue-6.19/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch @@ -0,0 +1,85 @@ +From cd0a8e21122171a2f931021c2ecfa147edc679fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 03:14:02 +0000 +Subject: mctp: route: hold key->lock in mctp_flow_prepare_output() + +From: Chengfeng Ye + +[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ] + +mctp_flow_prepare_output() checks key->dev and may call +mctp_dev_set_key(), but it does not hold key->lock while doing so. + +mctp_dev_set_key() and mctp_dev_release_key() are annotated with +__must_hold(&key->lock), so key->dev access is intended to be +serialized by key->lock. The mctp_sendmsg() transmit path reaches +mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() +without holding key->lock, so the check-and-set sequence is racy. + +Example interleaving: + + CPU0 CPU1 + ---- ---- + mctp_flow_prepare_output(key, devA) + if (!key->dev) // sees NULL + mctp_flow_prepare_output( + key, devB) + if (!key->dev) // still NULL + mctp_dev_set_key(devB, key) + mctp_dev_hold(devB) + key->dev = devB + mctp_dev_set_key(devA, key) + mctp_dev_hold(devA) + key->dev = devA // overwrites devB + +Now both devA and devB references were acquired, but only the final +key->dev value is tracked for release. One reference can be lost, +causing a resource leak as mctp_dev_release_key() would only decrease +the reference on one dev. + +Fix by taking key->lock around the key->dev check and +mctp_dev_set_key() call. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Signed-off-by: Chengfeng Ye +Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index ecbbe4beb2133..7a94b58f00978 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -359,6 +359,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + { + struct mctp_sk_key *key; + struct mctp_flow *flow; ++ unsigned long flags; + + flow = skb_ext_find(skb, SKB_EXT_MCTP); + if (!flow) +@@ -366,12 +367,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (key->dev) { ++ spin_lock_irqsave(&key->lock, flags); ++ ++ if (!key->dev) ++ mctp_dev_set_key(dev, key); ++ else + WARN_ON(key->dev != dev); +- return; +- } + +- mctp_dev_set_key(dev, key); ++ spin_unlock_irqrestore(&key->lock, flags); + } + #else + static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} +-- +2.51.0 + diff --git a/queue-6.19/neighbour-restore-protocol-0-check-in-pneigh-update.patch b/queue-6.19/neighbour-restore-protocol-0-check-in-pneigh-update.patch new file mode 100644 index 0000000000..3047d8a920 --- /dev/null +++ b/queue-6.19/neighbour-restore-protocol-0-check-in-pneigh-update.patch @@ -0,0 +1,43 @@ +From 6cbb7b3f592a47aa216a0386b843926659bcd998 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 22:59:16 +0100 +Subject: neighbour: restore protocol != 0 check in pneigh update + +From: Sabrina Dubroca + +[ Upstream commit cbada1048847a348797aec63a1d8056621cbe653 ] + +Prior to commit dc2a27e524ac ("neighbour: Update pneigh_entry in +pneigh_create()."), a pneigh's protocol was updated only when the +value of the NDA_PROTOCOL attribute was non-0. While moving the code, +that check was removed. This is a small change of user-visible +behavior, and inconsistent with the (non-proxy) neighbour behavior. + +Fixes: dc2a27e524ac ("neighbour: Update pneigh_entry in pneigh_create().") +Signed-off-by: Sabrina Dubroca +Reviewed-by: David Ahern +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/38c61de1bb032871a886aff9b9b52fe1cdd4cada.1772894876.git.sd@queasysnail.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 96a3b1a93252a..e4ee0c02fb443 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -821,7 +821,8 @@ int pneigh_create(struct neigh_table *tbl, struct net *net, + update: + WRITE_ONCE(n->flags, flags); + n->permanent = permanent; +- WRITE_ONCE(n->protocol, protocol); ++ if (protocol) ++ WRITE_ONCE(n->protocol, protocol); + out: + mutex_unlock(&tbl->phash_lock); + return err; +-- +2.51.0 + diff --git a/queue-6.19/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch b/queue-6.19/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch new file mode 100644 index 0000000000..77bf05a357 --- /dev/null +++ b/queue-6.19/net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch @@ -0,0 +1,273 @@ +From c3a4386c7008062bd140e780a1aadd87d13f4eb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:01:34 +0800 +Subject: net: add xmit recursion limit to tunnel xmit functions + +From: Weiming Shi + +[ Upstream commit 6f1a9140ecda3baba3d945b9a6155af4268aafc4 ] + +Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own +recursion limit. When a bond device in broadcast mode has GRE tap +interfaces as slaves, and those GRE tunnels route back through the +bond, multicast/broadcast traffic triggers infinite recursion between +bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing +kernel stack overflow. + +The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not +sufficient because tunnel recursion involves route lookups and full IP +output, consuming much more stack per level. Use a lower limit of 4 +(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. + +Add recursion detection using dev_xmit_recursion helpers directly in +iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel +paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). + +Move dev_xmit_recursion helpers from net/core/dev.h to public header +include/linux/netdevice.h so they can be used by tunnel code. + + BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 + Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 + Workqueue: mld mld_ifc_work + Call Trace: + + __build_flow_key.constprop.0 (net/ipv4/route.c:515) + ip_rt_update_pmtu (net/ipv4/route.c:1073) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + ip_finish_output2 (net/ipv4/ip_output.c:237) + ip_output (net/ipv4/ip_output.c:438) + iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) + bond_start_xmit (drivers/net/bonding/bond_main.c:5530) + dev_hard_start_xmit (net/core/dev.c:3887) + __dev_queue_xmit (net/core/dev.c:4841) + mld_sendpack + mld_ifc_work + process_one_work + worker_thread + + +Fixes: 745e20f1b626 ("net: add a recursion limit in xmit path") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260306160133.3852900-2-bestswngs@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 32 ++++++++++++++++++++++++++++++++ + include/net/ip6_tunnel.h | 12 ++++++++++++ + include/net/ip_tunnels.h | 7 +++++++ + net/core/dev.h | 35 ----------------------------------- + net/ipv4/ip_tunnel_core.c | 13 +++++++++++++ + 5 files changed, 64 insertions(+), 35 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 6655b0c6e42b4..65d85dc9c8f05 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3573,17 +3573,49 @@ struct page_pool_bh { + }; + DECLARE_PER_CPU(struct page_pool_bh, system_page_pool); + ++#define XMIT_RECURSION_LIMIT 8 ++ + #ifndef CONFIG_PREEMPT_RT + static inline int dev_recursion_level(void) + { + return this_cpu_read(softnet_data.xmit.recursion); + } ++ ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > ++ XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ __this_cpu_inc(softnet_data.xmit.recursion); ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ __this_cpu_dec(softnet_data.xmit.recursion); ++} + #else + static inline int dev_recursion_level(void) + { + return current->net_xmit.recursion; + } + ++static inline bool dev_xmit_recursion(void) ++{ ++ return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); ++} ++ ++static inline void dev_xmit_recursion_inc(void) ++{ ++ current->net_xmit.recursion++; ++} ++ ++static inline void dev_xmit_recursion_dec(void) ++{ ++ current->net_xmit.recursion--; ++} + #endif + + void __netif_schedule(struct Qdisc *q); +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 120db28658112..1253cbb4b0a45 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,6 +156,16 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + memset(skb->cb, 0, sizeof(struct inet6_skb_parm)); + IP6CB(skb)->flags = ip6cb_flags; + pkt_len = skb->len - skb_inner_network_offset(skb); +@@ -166,6 +176,8 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + pkt_len = -1; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + #endif + #endif +diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h +index 4021e6a73e32b..80662f8120803 100644 +--- a/include/net/ip_tunnels.h ++++ b/include/net/ip_tunnels.h +@@ -27,6 +27,13 @@ + #include + #endif + ++/* Recursion limit for tunnel xmit to detect routing loops. ++ * Unlike XMIT_RECURSION_LIMIT (8) used in the no-qdisc path, tunnel ++ * recursion involves route lookups and full IP output, consuming much ++ * more stack per level, so a lower limit is needed. ++ */ ++#define IP_TUNNEL_RECURSION_LIMIT 4 ++ + /* Keep error state on tunnel for 30 sec */ + #define IPTUNNEL_ERR_TIMEO (30*HZ) + +diff --git a/net/core/dev.h b/net/core/dev.h +index da18536cbd357..49173702e15e1 100644 +--- a/net/core/dev.h ++++ b/net/core/dev.h +@@ -361,41 +361,6 @@ static inline void napi_assert_will_not_race(const struct napi_struct *napi) + + void kick_defer_list_purge(unsigned int cpu); + +-#define XMIT_RECURSION_LIMIT 8 +- +-#ifndef CONFIG_PREEMPT_RT +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(__this_cpu_read(softnet_data.xmit.recursion) > +- XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- __this_cpu_inc(softnet_data.xmit.recursion); +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- __this_cpu_dec(softnet_data.xmit.recursion); +-} +-#else +-static inline bool dev_xmit_recursion(void) +-{ +- return unlikely(current->net_xmit.recursion > XMIT_RECURSION_LIMIT); +-} +- +-static inline void dev_xmit_recursion_inc(void) +-{ +- current->net_xmit.recursion++; +-} +- +-static inline void dev_xmit_recursion_dec(void) +-{ +- current->net_xmit.recursion--; +-} +-#endif +- + int dev_set_hwtstamp_phylib(struct net_device *dev, + struct kernel_hwtstamp_config *cfg, + struct netlink_ext_ack *extack); +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index 2e61ac1371289..b1b6bf949f65a 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -58,6 +58,17 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + ++ if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ ip_rt_put(rt); ++ kfree_skb(skb); ++ return; ++ } ++ ++ dev_xmit_recursion_inc(); ++ + skb_scrub_packet(skb, xnet); + + skb_clear_hash_if_not_l4(skb); +@@ -88,6 +99,8 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + pkt_len = 0; + iptunnel_xmit_stats(dev, pkt_len); + } ++ ++ dev_xmit_recursion_dec(); + } + EXPORT_SYMBOL_GPL(iptunnel_xmit); + +-- +2.51.0 + diff --git a/queue-6.19/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch b/queue-6.19/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch new file mode 100644 index 0000000000..57b0aaec46 --- /dev/null +++ b/queue-6.19/net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch @@ -0,0 +1,204 @@ +From abf8b7292d155f05362e1d86096c0e5b2bb7b19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 06:49:35 +0100 +Subject: net: bcmgenet: fix broken EEE by converting to phylib-managed state + +From: Nicolai Buchwitz + +[ Upstream commit 908c344d5cfac4160f49715da9efacdf5b6a28bd ] + +The bcmgenet EEE implementation is broken in several ways. +phy_support_eee() is never called, so the PHY never advertises EEE +and phylib never sets phydev->enable_tx_lpi. bcmgenet_mac_config() +checks priv->eee.eee_enabled to decide whether to enable the MAC +LPI logic, but that field is never initialised to true, so the MAC +never enters Low Power Idle even when EEE is negotiated - wasting +the power savings EEE is designed to provide. The only way to get +EEE working at all is a manual 'ethtool --set-eee eth0 eee on' after +every link-up, and even then bcmgenet_get_eee() immediately clobbers +the reported state because phy_ethtool_get_eee() overwrites +eee_enabled and tx_lpi_enabled with the uninitialised PHY eee_cfg +values. Finally, bcmgenet_mac_config() is only called on link-up, +so EEE is never disabled in hardware on link-down. + +Fix all of this by removing the MAC-side EEE state tracking +(priv->eee) and aligning with the pattern used by other non-phylink +MAC drivers such as FEC. + +Call phy_support_eee() in bcmgenet_mii_probe() so the PHY advertises +EEE link modes and phylib tracks negotiation state. Move the EEE +hardware control to bcmgenet_mii_setup(), which is called on every +link event, and drive it directly from phydev->enable_tx_lpi - the +flag phylib sets when EEE is negotiated and the user has not disabled +it. This enables EEE automatically once the link partner agrees and +disables it cleanly on link-down. + +Make bcmgenet_get_eee() and bcmgenet_set_eee() pure passthroughs to +phy_ethtool_get_eee() and phy_ethtool_set_eee(), with the MAC +hardware register read/written for tx_lpi_timer. Drop struct +ethtool_keee eee from struct bcmgenet_priv. + +Fixes: fe0d4fd9285e ("net: phy: Keep track of EEE configuration") +Link: https://lore.kernel.org/netdev/d352039f-4cbb-41e6-9aeb-0b4f3941b54c@lunn.ch/ +Suggested-by: Andrew Lunn +Signed-off-by: Nicolai Buchwitz +Reviewed-by: Florian Fainelli +Tested-by: Florian Fainelli +Link: https://patch.msgid.link/20260310054935.1238594-1-nb@tipi-net.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/broadcom/genet/bcmgenet.c | 31 +++++++------------ + .../net/ethernet/broadcom/genet/bcmgenet.h | 5 +-- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 +++--- + 3 files changed, 18 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 05512aa10c209..1c2fdaca14f9b 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1342,8 +1342,7 @@ static void bcmgenet_get_ethtool_stats(struct net_device *dev, + } + } + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled) ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable) + { + struct bcmgenet_priv *priv = netdev_priv(dev); + u32 off = priv->hw_params->tbuf_offset + TBUF_ENERGY_CTRL; +@@ -1363,7 +1362,7 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + + /* Enable EEE and switch to a 27Mhz clock automatically */ + reg = bcmgenet_readl(priv->base + off); +- if (tx_lpi_enabled) ++ if (enable) + reg |= TBUF_EEE_EN | TBUF_PM_EN; + else + reg &= ~(TBUF_EEE_EN | TBUF_PM_EN); +@@ -1382,14 +1381,12 @@ void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, + priv->clk_eee_enabled = false; + } + +- priv->eee.eee_enabled = enable; +- priv->eee.tx_lpi_enabled = tx_lpi_enabled; + } + + static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; ++ int ret; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1397,17 +1394,21 @@ static int bcmgenet_get_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- e->tx_lpi_enabled = p->tx_lpi_enabled; ++ ret = phy_ethtool_get_eee(dev->phydev, e); ++ if (ret) ++ return ret; ++ ++ /* tx_lpi_timer is maintained by the MAC hardware register; the ++ * PHY-level eee_cfg timer is not set for GENET. ++ */ + e->tx_lpi_timer = bcmgenet_umac_readl(priv, UMAC_EEE_LPI_TIMER); + +- return phy_ethtool_get_eee(dev->phydev, e); ++ return 0; + } + + static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + { + struct bcmgenet_priv *priv = netdev_priv(dev); +- struct ethtool_keee *p = &priv->eee; +- bool active; + + if (GENET_IS_V1(priv)) + return -EOPNOTSUPP; +@@ -1415,15 +1416,7 @@ static int bcmgenet_set_eee(struct net_device *dev, struct ethtool_keee *e) + if (!dev->phydev) + return -ENODEV; + +- p->eee_enabled = e->eee_enabled; +- +- if (!p->eee_enabled) { +- bcmgenet_eee_enable_set(dev, false, false); +- } else { +- active = phy_init_eee(dev->phydev, false) >= 0; +- bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); +- bcmgenet_eee_enable_set(dev, active, e->tx_lpi_enabled); +- } ++ bcmgenet_umac_writel(priv, e->tx_lpi_timer, UMAC_EEE_LPI_TIMER); + + return phy_ethtool_set_eee(dev->phydev, e); + } +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.h b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +index 5ec3979779ece..9e4110c7fdf6f 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h +@@ -665,8 +665,6 @@ struct bcmgenet_priv { + u8 sopass[SOPASS_MAX]; + + struct bcmgenet_mib_counters mib; +- +- struct ethtool_keee eee; + }; + + static inline bool bcmgenet_has_40bits(struct bcmgenet_priv *priv) +@@ -749,7 +747,6 @@ int bcmgenet_wol_power_down_cfg(struct bcmgenet_priv *priv, + int bcmgenet_wol_power_up_cfg(struct bcmgenet_priv *priv, + enum bcmgenet_power_mode mode); + +-void bcmgenet_eee_enable_set(struct net_device *dev, bool enable, +- bool tx_lpi_enabled); ++void bcmgenet_eee_enable_set(struct net_device *dev, bool enable); + + #endif /* __BCMGENET_H__ */ +diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c +index 38f854b94a799..a4e0d5a682687 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -29,7 +29,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + struct bcmgenet_priv *priv = netdev_priv(dev); + struct phy_device *phydev = dev->phydev; + u32 reg, cmd_bits = 0; +- bool active; + + /* speed */ + if (phydev->speed == SPEED_1000) +@@ -90,10 +89,6 @@ static void bcmgenet_mac_config(struct net_device *dev) + bcmgenet_umac_writel(priv, reg, UMAC_CMD); + spin_unlock_bh(&priv->reg_lock); + +- active = phy_init_eee(phydev, 0) >= 0; +- bcmgenet_eee_enable_set(dev, +- priv->eee.eee_enabled && active, +- priv->eee.tx_lpi_enabled); + } + + /* setup netdev link state when PHY link status change and +@@ -113,6 +108,8 @@ void bcmgenet_mii_setup(struct net_device *dev) + bcmgenet_ext_writel(priv, reg, EXT_RGMII_OOB_CTRL); + } + ++ bcmgenet_eee_enable_set(dev, phydev->enable_tx_lpi); ++ + phy_print_status(phydev); + } + +@@ -412,6 +409,9 @@ int bcmgenet_mii_probe(struct net_device *dev) + /* Indicate that the MAC is responsible for PHY PM */ + dev->phydev->mac_managed_pm = true; + ++ if (!GENET_IS_V1(priv)) ++ phy_support_eee(dev->phydev); ++ + return 0; + } + +-- +2.51.0 + diff --git a/queue-6.19/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch b/queue-6.19/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch new file mode 100644 index 0000000000..cd1d76b850 --- /dev/null +++ b/queue-6.19/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch @@ -0,0 +1,92 @@ +From 5ad397d4068b108f80d9703c3c4c99c304fd728d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:50:54 -0300 +Subject: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ] + +When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never +initialized because inet6_init() exits before ndisc_init() is called +which initializes it. If bonding ARP/NS validation is enabled, an IPv6 +NS/NA packet received on a slave can reach bond_validate_na(), which +calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can +crash in __ipv6_chk_addr_and_flags(). + + BUG: kernel NULL pointer dereference, address: 00000000000005d8 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 + Call Trace: + + ipv6_chk_addr+0x1f/0x30 + bond_validate_na+0x12e/0x1d0 [bonding] + ? __pfx_bond_handle_frame+0x10/0x10 [bonding] + bond_rcv_validate+0x1a0/0x450 [bonding] + bond_handle_frame+0x5e/0x290 [bonding] + ? srso_alias_return_thunk+0x5/0xfbef5 + __netif_receive_skb_core.constprop.0+0x3e8/0xe50 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? update_cfs_rq_load_avg+0x1a/0x240 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __enqueue_entity+0x5e/0x240 + __netif_receive_skb_one_core+0x39/0xa0 + process_backlog+0x9c/0x150 + __napi_poll+0x30/0x200 + ? srso_alias_return_thunk+0x5/0xfbef5 + net_rx_action+0x338/0x3b0 + handle_softirqs+0xc9/0x2a0 + do_softirq+0x42/0x60 + + + __local_bh_enable_ip+0x62/0x70 + __dev_queue_xmit+0x2d3/0x1000 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? packet_parse_headers+0x10a/0x1a0 + packet_sendmsg+0x10da/0x1700 + ? kick_pool+0x5f/0x140 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __queue_work+0x12d/0x4f0 + __sys_sendto+0x1f3/0x220 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x101/0xf80 + ? exc_page_fault+0x6e/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to +bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() +and avoid the path to ipv6_chk_addr(). + +Suggested-by: Fernando Fernandez Mancera +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 139ece7676c50..e8e261e0cb4e1 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3402,7 +3402,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); + #if IS_ENABLED(CONFIG_IPV6) +- } else if (is_ipv6) { ++ } else if (is_ipv6 && likely(ipv6_mod_enabled())) { + return bond_na_rcv(skb, bond, slave); + #endif + } else { +-- +2.51.0 + diff --git a/queue-6.19/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch b/queue-6.19/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch new file mode 100644 index 0000000000..929b49673f --- /dev/null +++ b/queue-6.19/net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch @@ -0,0 +1,53 @@ +From d5ca20f53c249f04e2588b4351afd28b91d2f697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 12:12:37 +0100 +Subject: net: dsa: realtek: Fix LED group port bit for non-zero LED group +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit e8f0dc024ce55451ebd54bad975134ba802e4fcc ] + +The rtl8366rb_led_group_port_mask() function always returns LED port +bit in LED group 0; the switch statement returns the same thing in all +non-default cases. + +This means that the driver does not currently support configuring LEDs +in non-zero LED groups. + +Fix this. + +Fixes: 32d617005475a71e ("net: dsa: realtek: add LED drivers for rtl8366rb") +Signed-off-by: Marek Behún +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260311111237.29002-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8366rb-leds.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8366rb-leds.c b/drivers/net/dsa/realtek/rtl8366rb-leds.c +index 99c890681ae60..509ffd3f8db5c 100644 +--- a/drivers/net/dsa/realtek/rtl8366rb-leds.c ++++ b/drivers/net/dsa/realtek/rtl8366rb-leds.c +@@ -12,11 +12,11 @@ static inline u32 rtl8366rb_led_group_port_mask(u8 led_group, u8 port) + case 0: + return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); + case 1: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_1_CTRL_MASK, BIT(port)); + case 2: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_2_X_CTRL_MASK, BIT(port)); + case 3: +- return FIELD_PREP(RTL8366RB_LED_0_X_CTRL_MASK, BIT(port)); ++ return FIELD_PREP(RTL8366RB_LED_X_3_CTRL_MASK, BIT(port)); + default: + return 0; + } +-- +2.51.0 + diff --git a/queue-6.19/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch b/queue-6.19/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch new file mode 100644 index 0000000000..29b110cf68 --- /dev/null +++ b/queue-6.19/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch @@ -0,0 +1,48 @@ +From b098193fc5f0eed05bb651eed7b1c1c95096a1e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:25:12 -0300 +Subject: net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets + +From: Mieczyslaw Nalewaj + +[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ] + +rx_packets should report the number of frames successfully received: +unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX +counter) is incorrect and can undercount RX packets. RX drops are +already reported via rx_dropped (e.g. etherStatsDropEvents), so +there is no need to adjust rx_packets. + +This patch removes the subtraction of ifOutDiscards from rx_packets +in rtl8365mb_stats_update(). + +Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/ +Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC") +Signed-off-by: Mieczyslaw Nalewaj +Signed-off-by: Luiz Angelo Daros de Luca +Reviewed-by: Simon Horman +Acked-by: Linus Walleij +Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8365mb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c +index f938a3f701cc9..31fa94dac627d 100644 +--- a/drivers/net/dsa/realtek/rtl8365mb.c ++++ b/drivers/net/dsa/realtek/rtl8365mb.c +@@ -1480,8 +1480,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port) + + stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] + + cnt[RTL8365MB_MIB_ifInMulticastPkts] + +- cnt[RTL8365MB_MIB_ifInBroadcastPkts] - +- cnt[RTL8365MB_MIB_ifOutDiscards]; ++ cnt[RTL8365MB_MIB_ifInBroadcastPkts]; + + stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] + + cnt[RTL8365MB_MIB_ifOutMulticastPkts] + +-- +2.51.0 + diff --git a/queue-6.19/net-enetc-do-not-skip-setting-labcr-mdio_phyad_prtad.patch b/queue-6.19/net-enetc-do-not-skip-setting-labcr-mdio_phyad_prtad.patch new file mode 100644 index 0000000000..c17be66754 --- /dev/null +++ b/queue-6.19/net-enetc-do-not-skip-setting-labcr-mdio_phyad_prtad.patch @@ -0,0 +1,72 @@ +From 7a0642a898fcc2b0ddd989044c507ff863dcbad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 11:12:11 +0800 +Subject: net: enetc: do not skip setting LaBCR[MDIO_PHYAD_PRTAD] for addr 0 + +From: Wei Fang + +[ Upstream commit dbe17e7783cb5d6451ff1217d0464865857e97e1 ] + +Given that some platforms may use PHY address 0 (I suppose the PHY may +not treat address 0 as a broadcast address or default response address). +It is possible for some boards to connect multiple PHYs to the same +ENETC MAC, for example: + + - a PHY with a non-zero address connects to ENETC MAC through SGMII + interface (selected via DTS_A) + - a PHY with address 0 connects to ENETC MAC through RGMII interface + (selected via DTS_B) + +For the case where the ENETC port MDIO is used to manage the PHY, when +switching from DTS_A to DTS_B via soft reboot, LaBCR[MDIO_PHYAD_PRTAD] +must be updated to 0 because the NETCMIX block is not reset during soft +reboot. However, the current driver explicitly skips configuring address +0, causing LaBCR[MDIO_PHYAD_PRTAD] to retain its old value. + +Therefore, remove the special-case skip of PHY address 0 so that valid +configurations using address 0 are properly supported. + +Fixes: 6633df05f3ad ("net: enetc: set the external PHY address in IERB for port MDIO usage") +Fixes: 50bfd9c06f0f ("net: enetc: set external PHY address in IERB for i.MX94 ENETC") +Reviewed-by: Clark Wang +Signed-off-by: Wei Fang +Link: https://patch.msgid.link/20260305031211.904812-3-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c +index f0e103615e884..92a0f824dae7a 100644 +--- a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c ++++ b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c +@@ -438,12 +438,6 @@ static int imx95_enetc_mdio_phyaddr_config(struct platform_device *pdev) + return -EINVAL; + } + +- /* The default value of LaBCR[MDIO_PHYAD_PRTAD ] is +- * 0, so no need to set the register. +- */ +- if (!addr) +- continue; +- + switch (bus_devfn) { + case IMX95_ENETC0_BUS_DEVFN: + netc_reg_write(priv->ierb, IERB_LBCR(0), +@@ -590,12 +584,6 @@ static int imx94_enetc_mdio_phyaddr_config(struct netc_blk_ctrl *priv, + return addr; + } + +- /* The default value of LaBCR[MDIO_PHYAD_PRTAD] is 0, +- * so no need to set the register. +- */ +- if (!addr) +- return 0; +- + if (phy_mask & BIT(addr)) { + dev_err(dev, + "Find same PHY address in EMDIO and ENETC node\n"); +-- +2.51.0 + diff --git a/queue-6.19/net-enetc-fix-incorrect-fallback-phy-address-handlin.patch b/queue-6.19/net-enetc-fix-incorrect-fallback-phy-address-handlin.patch new file mode 100644 index 0000000000..9715a46a6c --- /dev/null +++ b/queue-6.19/net-enetc-fix-incorrect-fallback-phy-address-handlin.patch @@ -0,0 +1,75 @@ +From d21c814f2c518290ccb26846e41a3ce4e9c0f312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 11:12:10 +0800 +Subject: net: enetc: fix incorrect fallback PHY address handling + +From: Wei Fang + +[ Upstream commit 246953f33e8cf95621d6c00332e2780ce1594082 ] + +The current netc_get_phy_addr() implementation falls back to PHY address +0 when the "mdio" node or the PHY child node is missing. On i.MX95, this +causes failures when a real PHY is actually assigned address 0 and is +managed through the EMDIO interface. Because the bit 0 of phy_mask will +be set, leading imx95_enetc_mdio_phyaddr_config() to return an error, and +the netc_blk_ctrl driver probe subsequently fails. Fix this by returning +-ENODEV when neither an "mdio" node nor any PHY node is present, it means +that ENETC port MDIO is not used to manage the PHY, so there is no need +to configure LaBCR[MDIO_PHYAD_PRTAD]. + +Reported-by: Alexander Stein +Closes: https://lore.kernel.org/all/7825188.GXAFRqVoOG@steina-w +Fixes: 6633df05f3ad ("net: enetc: set the external PHY address in IERB for port MDIO usage") +Reviewed-by: Clark Wang +Tested-by: Alexander Stein +Signed-off-by: Wei Fang +Link: https://patch.msgid.link/20260305031211.904812-2-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c +index 7fd39f8952901..f0e103615e884 100644 +--- a/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c ++++ b/drivers/net/ethernet/freescale/enetc/netc_blk_ctrl.c +@@ -333,11 +333,13 @@ static int netc_get_phy_addr(struct device_node *np) + + mdio_node = of_get_child_by_name(np, "mdio"); + if (!mdio_node) +- return 0; ++ return -ENODEV; + + phy_node = of_get_next_child(mdio_node, NULL); +- if (!phy_node) ++ if (!phy_node) { ++ err = -ENODEV; + goto of_put_mdio_node; ++ } + + err = of_property_read_u32(phy_node, "reg", &addr); + if (err) +@@ -423,6 +425,9 @@ static int imx95_enetc_mdio_phyaddr_config(struct platform_device *pdev) + + addr = netc_get_phy_addr(gchild); + if (addr < 0) { ++ if (addr == -ENODEV) ++ continue; ++ + dev_err(dev, "Failed to get PHY address\n"); + return addr; + } +@@ -578,6 +583,9 @@ static int imx94_enetc_mdio_phyaddr_config(struct netc_blk_ctrl *priv, + + addr = netc_get_phy_addr(np); + if (addr < 0) { ++ if (addr == -ENODEV) ++ return 0; ++ + dev_err(dev, "Failed to get PHY address\n"); + return addr; + } +-- +2.51.0 + diff --git a/queue-6.19/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch b/queue-6.19/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch new file mode 100644 index 0000000000..ff163da891 --- /dev/null +++ b/queue-6.19/net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch @@ -0,0 +1,100 @@ +From 7673f6b24ca109dd902f3d3c7b31f684a2d5ca61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 21:39:40 +0530 +Subject: net: ethernet: ti: am65-cpsw-nuss: Fix rx_filter value for PTP + support + +From: Chintan Vankar + +[ Upstream commit 840c9d13cb1ca96683a5307ee8e221be163a2c1e ] + +The "rx_filter" member of "hwtstamp_config" structure is an enum field and +does not support bitwise OR combination of multiple filter values. It +causes error while linuxptp application tries to match rx filter version. +Fix this by storing the requested filter type in a new port field. + +Fixes: 97248adb5a3b ("net: ti: am65-cpsw: Update hw timestamping filter for PTPv1 RX packets") +Signed-off-by: Chintan Vankar +Link: https://patch.msgid.link/20260310160940.109822-1-c-vankar@ti.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 16 +++++++++------- + drivers/net/ethernet/ti/am65-cpsw-nuss.h | 2 +- + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 9679180504330..265ce5479915f 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1351,7 +1351,7 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow, + ndev_priv = netdev_priv(ndev); + am65_cpsw_nuss_set_offload_fwd_mark(skb, ndev_priv->offload_fwd_mark); + skb_put(skb, pkt_len); +- if (port->rx_ts_enabled) ++ if (port->rx_ts_filter) + am65_cpts_rx_timestamp(common->cpts, skb); + skb_mark_for_recycle(skb); + skb->protocol = eth_type_trans(skb, ndev); +@@ -1811,11 +1811,14 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + + switch (cfg->rx_filter) { + case HWTSTAMP_FILTER_NONE: +- port->rx_ts_enabled = false; ++ port->rx_ts_filter = HWTSTAMP_FILTER_NONE; + break; + case HWTSTAMP_FILTER_PTP_V1_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V1_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ: ++ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ break; + case HWTSTAMP_FILTER_PTP_V2_L4_EVENT: + case HWTSTAMP_FILTER_PTP_V2_L4_SYNC: + case HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ: +@@ -1825,8 +1828,8 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + case HWTSTAMP_FILTER_PTP_V2_EVENT: + case HWTSTAMP_FILTER_PTP_V2_SYNC: + case HWTSTAMP_FILTER_PTP_V2_DELAY_REQ: +- port->rx_ts_enabled = true; +- cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT | HWTSTAMP_FILTER_PTP_V1_L4_EVENT; ++ port->rx_ts_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; ++ cfg->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; + break; + case HWTSTAMP_FILTER_ALL: + case HWTSTAMP_FILTER_SOME: +@@ -1863,7 +1866,7 @@ static int am65_cpsw_nuss_hwtstamp_set(struct net_device *ndev, + ts_ctrl |= AM65_CPSW_TS_TX_ANX_ALL_EN | + AM65_CPSW_PN_TS_CTL_TX_VLAN_LT1_EN; + +- if (port->rx_ts_enabled) ++ if (port->rx_ts_filter) + ts_ctrl |= AM65_CPSW_TS_RX_ANX_ALL_EN | + AM65_CPSW_PN_TS_CTL_RX_VLAN_LT1_EN; + +@@ -1888,8 +1891,7 @@ static int am65_cpsw_nuss_hwtstamp_get(struct net_device *ndev, + cfg->flags = 0; + cfg->tx_type = port->tx_ts_enabled ? + HWTSTAMP_TX_ON : HWTSTAMP_TX_OFF; +- cfg->rx_filter = port->rx_ts_enabled ? HWTSTAMP_FILTER_PTP_V2_EVENT | +- HWTSTAMP_FILTER_PTP_V1_L4_EVENT : HWTSTAMP_FILTER_NONE; ++ cfg->rx_filter = port->rx_ts_filter; + + return 0; + } +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.h b/drivers/net/ethernet/ti/am65-cpsw-nuss.h +index 917c37e4e89bd..7750448e47468 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.h ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.h +@@ -52,7 +52,7 @@ struct am65_cpsw_port { + bool disabled; + struct am65_cpsw_slave_data slave; + bool tx_ts_enabled; +- bool rx_ts_enabled; ++ enum hwtstamp_rx_filters rx_ts_filter; + struct am65_cpsw_qos qos; + struct devlink_port devlink_port; + struct bpf_prog *xdp_prog; +-- +2.51.0 + diff --git a/queue-6.19/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch b/queue-6.19/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch new file mode 100644 index 0000000000..b04c2d0707 --- /dev/null +++ b/queue-6.19/net-mana-null-service_wq-on-setup-error-to-prevent-d.patch @@ -0,0 +1,40 @@ +From a4d44d9c4bb00161a523f331ef8278832621f301 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 10:24:43 -0700 +Subject: net/mana: Null service_wq on setup error to prevent double destroy + +From: Shiraz Saleem + +[ Upstream commit 87c2302813abc55c46485711a678e3c312b00666 ] + +In mana_gd_setup() error path, set gc->service_wq to NULL after +destroy_workqueue() to match the cleanup in mana_gd_cleanup(). +This prevents a use-after-free if the workqueue pointer is checked +after a failed setup. + +Fixes: f975a0955276 ("net: mana: Fix double destroy_workqueue on service rescan PCI path") +Signed-off-by: Shiraz Saleem +Signed-off-by: Konstantin Taranov +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20260309172443.688392-1-kotaranov@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c +index 3926d18f1840b..cbea0ea242c26 100644 +--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c ++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c +@@ -1934,6 +1934,7 @@ static int mana_gd_setup(struct pci_dev *pdev) + mana_gd_remove_irqs(pdev); + free_workqueue: + destroy_workqueue(gc->service_wq); ++ gc->service_wq = NULL; + dev_err(&pdev->dev, "%s failed (error %d)\n", __func__, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch b/queue-6.19/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch new file mode 100644 index 0000000000..f201f4779c --- /dev/null +++ b/queue-6.19/net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch @@ -0,0 +1,148 @@ +From 2fba439764264d083f8256809996b1de9b004387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:30 +0200 +Subject: net/mlx5: Fix crash when moving to switchdev mode + +From: Patrisious Haddad + +[ Upstream commit 24b2795f9683e092dc22a68f487e7aaaf2ddafea ] + +When moving to switchdev mode when the device doesn't support IPsec, +we try to clean up the IPsec resources anyway which causes the crash +below, fix that by correctly checking for IPsec support before trying +to clean up its resources. + +[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at +do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 +[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE +ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype +rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink +zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi +scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core +ib_core +[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted +6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE +[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680 +[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22 +00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb + ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d +41 +[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046 +[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX: +ffff88810b980f00 +[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI: +ffff88810770f728 +[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09: +0000000000000000 +[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12: +ffff888103f3c4c0 +[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15: +0000000000000000 +[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000) +knlGS:0000000000000000 +[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4: +0000000000172eb0 +[27642.537982] Call Trace: +[27642.538466] +[27642.538907] exc_page_fault+0x76/0x140 +[27642.539583] asm_exc_page_fault+0x22/0x30 +[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30 +[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8 +01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00 + 00 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8 + 5b +[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046 +[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX: +ffff888113ad96d8 +[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI: +00000000000000a0 +[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09: +ffff88810b980f00 +[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12: +00000000000000a8 +[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15: +ffff8881130d8a40 +[27642.550379] complete_all+0x20/0x90 +[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core] +[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core] +[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core] +[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core] +[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core] +[27642.555757] ? xa_load+0x53/0x90 +[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core] +[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core] +[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core] +[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core] +[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core] +[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core] +[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0 +[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0 +[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130 +[27642.564816] genl_rcv_msg+0x183/0x290 +[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160 +[27642.566329] ? devlink_nl_eswitch_get_doit+0x290/0x290 +[27642.567181] ? devlink_nl_pre_doit_parent_dev_optional+0x20/0x20 +[27642.568147] ? genl_family_rcv_msg_dumpit+0xf0/0xf0 +[27642.568966] netlink_rcv_skb+0x4b/0xf0 +[27642.569629] genl_rcv+0x24/0x40 +[27642.570215] netlink_unicast+0x255/0x380 +[27642.570901] ? __alloc_skb+0xfa/0x1e0 +[27642.571560] netlink_sendmsg+0x1f3/0x420 +[27642.572249] __sock_sendmsg+0x38/0x60 +[27642.572911] __sys_sendto+0x119/0x180 +[27642.573561] ? __sys_recvmsg+0x5c/0xb0 +[27642.574227] __x64_sys_sendto+0x20/0x30 +[27642.574904] do_syscall_64+0x55/0xc10 +[27642.575554] entry_SYSCALL_64_after_hwframe+0x4b/0x53 +[27642.576391] RIP: 0033:0x7f197c85e807 +[27642.577050] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00 +00 90 f3 0f 1e fa 80 3d 45 08 0d 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f + 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d + d0 +[27642.579846] RSP: 002b:00007ffebd4e2248 EFLAGS: 00000202 ORIG_RAX: +000000000000002c +[27642.581082] RAX: ffffffffffffffda RBX: 000055cfcd9cd2a0 RCX: +00007f197c85e807 +[27642.582200] RDX: 0000000000000038 RSI: 000055cfcd9cd490 RDI: +0000000000000003 +[27642.583320] RBP: 00007ffebd4e2290 R08: 00007f197c942200 R09: +000000000000000c +[27642.584437] R10: 0000000000000000 R11: 0000000000000202 R12: +0000000000000000 +[27642.585555] R13: 000055cfcd9cd490 R14: 00007ffebd4e45d1 R15: +000055cfcd9cd2a0 +[27642.586671] +[27642.587121] ---[ end trace 0000000000000000 ]--- +[27642.587910] BUG: kernel NULL pointer dereference, address: +00000000000000a0 + +Fixes: 664f76be38a1 ("net/mlx5: Fix IPsec cleanup over MPV device") +Signed-off-by: Patrisious Haddad +Reviewed-by: Leon Romanovsky +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-2-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +index feef86fff4bfd..91cfabc450325 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c +@@ -2912,7 +2912,7 @@ void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv) + goto out; + + peer_priv = mlx5_devcom_get_next_peer_data(priv->devcom, &tmp); +- if (peer_priv) ++ if (peer_priv && peer_priv->ipsec) + complete_all(&peer_priv->ipsec->comp); + + mlx5_devcom_for_each_peer_end(priv->devcom); +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch b/queue-6.19/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch new file mode 100644 index 0000000000..73a2c1dd97 --- /dev/null +++ b/queue-6.19/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch @@ -0,0 +1,152 @@ +From 7db126087dd51ab82b38d66f5bfa22d3b601677f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:10:19 +0200 +Subject: net/mlx5: Fix deadlock between devlink lock and esw->wq + +From: Cosmin Ratiu + +[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ] + +esw->work_queue executes esw_functions_changed_event_handler -> +esw_vfs_changed_event_handler and acquires the devlink lock. + +.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> +mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> +mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks +when esw_vfs_changed_event_handler executes. + +Fix that by no longer flushing the work to avoid the deadlock, and using +a generation counter to keep track of work relevance. This avoids an old +handler manipulating an esw that has undergone one or more mode changes: +- the counter is incremented in mlx5_eswitch_event_handler_unregister. +- the counter is read and passed to the ephemeral mlx5_host_work struct. +- the work handler takes the devlink lock and bails out if the current + generation is different than the one it was scheduled to operate on. +- mlx5_eswitch_cleanup does the final draining before destroying the wq. + +No longer flushing the workqueue has the side effect of maybe no longer +cancelling pending vport_change_handler work items, but that's ok since +those are disabled elsewhere: +- mlx5_eswitch_disable_locked disables the vport eq notifier. +- mlx5_esw_vport_disable disarms the HW EQ notification and marks + vport->enabled under state_lock to false to prevent pending vport + handler from doing anything. +- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events + are disabled/finished. + +Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Moshe Shemesh +Reviewed-by: Dragos Tatulea +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++----- + 3 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 4b7a1ce7f406b..32bf93e4ffcec 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1072,10 +1072,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + + static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { +- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS && ++ mlx5_eswitch_is_funcs_handler(esw->dev)) { + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); +- +- flush_workqueue(esw->work_queue); ++ atomic_inc(&esw->esw_funcs.generation); ++ } + } + + static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 714ad28e8445b..0276609a617c0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -334,10 +334,12 @@ struct esw_mc_addr { /* SRIOV only */ + struct mlx5_host_work { + struct work_struct work; + struct mlx5_eswitch *esw; ++ int work_gen; + }; + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ atomic_t generation; + bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index ccf53d4783628..c79231b437976 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3582,22 +3582,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw) + } + + static void +-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) ++esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen, ++ const u32 *out) + { + struct devlink *devlink; + bool host_pf_disabled; + u16 new_num_vfs; + ++ devlink = priv_to_devlink(esw->dev); ++ devl_lock(devlink); ++ ++ /* Stale work from one or more mode changes ago. Bail out. */ ++ if (work_gen != atomic_read(&esw->esw_funcs.generation)) ++ goto unlock; ++ + new_num_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_num_of_vfs); + host_pf_disabled = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_pf_disabled); + + if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled) +- return; ++ goto unlock; + +- devlink = priv_to_devlink(esw->dev); +- devl_lock(devlink); + /* Number of VFs can only change from "0 to x" or "x to 0". */ + if (esw->esw_funcs.num_vfs > 0) { + mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs); +@@ -3612,6 +3618,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) + } + } + esw->esw_funcs.num_vfs = new_num_vfs; ++unlock: + devl_unlock(devlink); + } + +@@ -3628,7 +3635,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work) + if (IS_ERR(out)) + goto out; + +- esw_vfs_changed_event_handler(esw, out); ++ esw_vfs_changed_event_handler(esw, host_work->work_gen, out); + kvfree(out); + out: + kfree(host_work); +@@ -3648,6 +3655,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type + esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs); + + host_work->esw = esw; ++ host_work->work_gen = atomic_read(&esw_funcs->generation); + + INIT_WORK(&host_work->work, esw_functions_changed_event_handler); + queue_work(esw->work_queue, &host_work->work); +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch b/queue-6.19/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch new file mode 100644 index 0000000000..e18cc07cbc --- /dev/null +++ b/queue-6.19/net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch @@ -0,0 +1,77 @@ +From 252efdcb2d869a6a2c42c3bbb637ce2904d87ab2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:31 +0200 +Subject: net/mlx5: Fix peer miss rules host disabled checks + +From: Carolina Jubran + +[ Upstream commit 76324e4041c0efb4808702b05426d7a0a7d8df5b ] + +The check on mlx5_esw_host_functions_enabled(esw->dev) for adding VF +peer miss rules is incorrect. These rules match traffic from peer's VFs, +so the local device's host function status is irrelevant. Remove this +check to ensure peer VF traffic is properly handled regardless of local +host configuration. + +Also fix the PF peer miss rule deletion to be symmetric with the add +path, so only attempt to delete the rule if it was actually created. + +Fixes: 520369ef43a8 ("net/mlx5: Support disabling host PFs") +Signed-off-by: Carolina Jubran +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../mellanox/mlx5/core/eswitch_offloads.c | 27 +++++++++---------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index c79231b437976..166a88988904e 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -1241,21 +1241,17 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + flows[peer_vport->index] = flow; + } + +- if (mlx5_esw_host_functions_enabled(esw->dev)) { +- mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport, +- mlx5_core_max_vfs(peer_dev)) { +- esw_set_peer_miss_rule_source_port(esw, peer_esw, +- spec, +- peer_vport->vport); +- +- flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw), +- spec, &flow_act, &dest, 1); +- if (IS_ERR(flow)) { +- err = PTR_ERR(flow); +- goto add_vf_flow_err; +- } +- flows[peer_vport->index] = flow; ++ mlx5_esw_for_each_vf_vport(peer_esw, i, peer_vport, ++ mlx5_core_max_vfs(peer_dev)) { ++ esw_set_peer_miss_rule_source_port(esw, peer_esw, spec, ++ peer_vport->vport); ++ flow = mlx5_add_flow_rules(mlx5_eswitch_get_slow_fdb(esw), ++ spec, &flow_act, &dest, 1); ++ if (IS_ERR(flow)) { ++ err = PTR_ERR(flow); ++ goto add_vf_flow_err; + } ++ flows[peer_vport->index] = flow; + } + + if (mlx5_core_ec_sriov_enabled(peer_dev)) { +@@ -1347,7 +1343,8 @@ static void esw_del_fdb_peer_miss_rules(struct mlx5_eswitch *esw, + mlx5_del_flow_rules(flows[peer_vport->index]); + } + +- if (mlx5_core_is_ecpf_esw_manager(peer_dev)) { ++ if (mlx5_core_is_ecpf_esw_manager(peer_dev) && ++ mlx5_esw_host_functions_enabled(peer_dev)) { + peer_vport = mlx5_eswitch_get_vport(peer_esw, MLX5_VPORT_PF); + mlx5_del_flow_rules(flows[peer_vport->index]); + } +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-6.19/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..2ab9180438 --- /dev/null +++ b/queue-6.19/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From d0a0777c66185bedc28e34859d32a3e4e5607e5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 9f6454102cf79..d6ace2b6fc1df 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -46,7 +46,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch b/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch new file mode 100644 index 0000000000..1ff0db9a67 --- /dev/null +++ b/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch @@ -0,0 +1,127 @@ +From 2566a59dbc466d2bcfa640b1b22df5c4ab26d35d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:34 +0200 +Subject: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ + +From: Dragos Tatulea + +[ Upstream commit a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa ] + +XDP multi-buf programs can modify the layout of the XDP buffer when the +program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The +referenced commit in the fixes tag corrected the assumption in the mlx5 +driver that the XDP buffer layout doesn't change during a program +execution. However, this fix introduced another issue: the dropped +fragments still need to be counted on the driver side to avoid page +fragment reference counting issues. + +Such issue can be observed with the +test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of +3600 and shrinking by 256 bytes (an upcoming selftest patch): the last +fragment gets released by the XDP code but doesn't get tracked by the +driver. This results in a negative pp_ref_count during page release and +the following splat: + + WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 + Modules linked in: [...] + CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] + [...] + Call Trace: + + mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] + mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] + mlx5e_close_rq+0x50/0x60 [mlx5_core] + mlx5e_close_queues+0x36/0x2c0 [mlx5_core] + mlx5e_close_channel+0x1c/0x50 [mlx5_core] + mlx5e_close_channels+0x45/0x80 [mlx5_core] + mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] + mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] + netif_set_mtu_ext+0xf1/0x230 + do_setlink.isra.0+0x219/0x1180 + rtnl_newlink+0x79f/0xb60 + rtnetlink_rcv_msg+0x213/0x3a0 + netlink_rcv_skb+0x48/0xf0 + netlink_unicast+0x24a/0x350 + netlink_sendmsg+0x1ee/0x410 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x232/0x280 + ___sys_sendmsg+0x78/0xb0 + __sys_sendmsg+0x5f/0xb0 + [...] + do_syscall_64+0x57/0xc50 + +This patch fixes the issue by doing page frag counting on all the +original XDP buffer fragments for all relevant XDP actions (XDP_TX , +XDP_REDIRECT and XDP_PASS). This is basically reverting to the original +counting before the commit in the fixes tag. + +As frag_page is still pointing to the original tail, the nr_frags +parameter to xdp_update_skb_frags_info() needs to be calculated +in a different way to reflect the new nr_frags. + +Fixes: afd5ba577c10 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for legacy RQ") +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Reviewed-by: Amery Hung +Link: https://patch.msgid.link/20260305142634.1813208-6-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index ea6741a822675..3000286bf29c8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -1759,6 +1759,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + struct skb_shared_info *sinfo; + u32 frag_consumed_bytes; + struct bpf_prog *prog; ++ u8 nr_frags_free = 0; + struct sk_buff *skb; + dma_addr_t addr; + u32 truesize; +@@ -1801,15 +1802,13 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + + prog = rcu_dereference(rq->xdp_prog); + if (prog) { +- u8 nr_frags_free, old_nr_frags = sinfo->nr_frags; ++ u8 old_nr_frags = sinfo->nr_frags; + + if (mlx5e_xdp_handle(rq, prog, mxbuf)) { + if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT, + rq->flags)) { + struct mlx5e_wqe_frag_info *pwi; + +- wi -= old_nr_frags - sinfo->nr_frags; +- + for (pwi = head_wi; pwi < wi; pwi++) + pwi->frag_page->frags++; + } +@@ -1817,10 +1816,8 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + } + + nr_frags_free = old_nr_frags - sinfo->nr_frags; +- if (unlikely(nr_frags_free)) { +- wi -= nr_frags_free; ++ if (unlikely(nr_frags_free)) + truesize -= nr_frags_free * frag_info->frag_stride; +- } + } + + skb = mlx5e_build_linear_skb( +@@ -1836,7 +1833,7 @@ mlx5e_skb_from_cqe_nonlinear(struct mlx5e_rq *rq, struct mlx5e_wqe_frag_info *wi + + if (xdp_buff_has_frags(&mxbuf->xdp)) { + /* sinfo->nr_frags is reset by build_skb, calculate again. */ +- xdp_update_skb_frags_info(skb, wi - head_wi - 1, ++ xdp_update_skb_frags_info(skb, wi - head_wi - nr_frags_free - 1, + sinfo->xdp_frags_size, truesize, + xdp_buff_get_skb_flags(&mxbuf->xdp)); + +-- +2.51.0 + diff --git a/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch b/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch new file mode 100644 index 0000000000..31dfbfb0b5 --- /dev/null +++ b/queue-6.19/net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch @@ -0,0 +1,142 @@ +From d1395762cbebb3ad19a375bc5b2182577de0f183 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:33 +0200 +Subject: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ + +From: Dragos Tatulea + +[ Upstream commit db25c42c2e1f9c0d136420fff5e5700f7e771a6f ] + +XDP multi-buf programs can modify the layout of the XDP buffer when the +program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The +referenced commit in the fixes tag corrected the assumption in the mlx5 +driver that the XDP buffer layout doesn't change during a program +execution. However, this fix introduced another issue: the dropped +fragments still need to be counted on the driver side to avoid page +fragment reference counting issues. + +The issue was discovered by the drivers/net/xdp.py selftest, +more specifically the test_xdp_native_tx_mb: +- The mlx5 driver allocates a page_pool page and initializes it with + a frag counter of 64 (pp_ref_count=64) and the internal frag counter + to 0. +- The test sends one packet with no payload. +- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP + buffer with the packet data starting in the first fragment which is the + page mentioned above. +- The XDP program runs and calls bpf_xdp_pull_data() which moves the + header into the linear part of the XDP buffer. As the packet doesn't + contain more data, the program drops the tail fragment since it no + longer contains any payload (pp_ref_count=63). +- mlx5 device skips counting this fragment. Internal frag counter + remains 0. +- mlx5 releases all 64 fragments of the page but page pp_ref_count is + 63 => negative reference counting error. + +Resulting splat during the test: + + WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] + Modules linked in: [...] + CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] + [...] + Call Trace: + + mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] + mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] + mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] + mlx5e_close_rq+0x78/0xa0 [mlx5_core] + mlx5e_close_queues+0x46/0x2a0 [mlx5_core] + mlx5e_close_channel+0x24/0x90 [mlx5_core] + mlx5e_close_channels+0x5d/0xf0 [mlx5_core] + mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] + mlx5e_change_mtu+0x11d/0x490 [mlx5_core] + mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] + netif_set_mtu_ext+0xfc/0x240 + do_setlink.isra.0+0x226/0x1100 + rtnl_newlink+0x7a9/0xba0 + rtnetlink_rcv_msg+0x220/0x3c0 + netlink_rcv_skb+0x4b/0xf0 + netlink_unicast+0x255/0x380 + netlink_sendmsg+0x1f3/0x420 + __sock_sendmsg+0x38/0x60 + ____sys_sendmsg+0x1e8/0x240 + ___sys_sendmsg+0x7c/0xb0 + [...] + __sys_sendmsg+0x5f/0xb0 + do_syscall_64+0x55/0xc70 + +The problem applies for XDP_PASS as well which is handled in a different +code path in the driver. + +This patch fixes the issue by doing page frag counting on all the +original XDP buffer fragments for all relevant XDP actions (XDP_TX , +XDP_REDIRECT and XDP_PASS). This is basically reverting to the original +counting before the commit in the fixes tag. + +As frag_page is still pointing to the original tail, the nr_frags +parameter to xdp_update_skb_frags_info() needs to be calculated +in a different way to reflect the new nr_frags. + +Fixes: 87bcef158ac1 ("net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ") +Signed-off-by: Dragos Tatulea +Cc: Amery Hung +Reviewed-by: Nimrod Oren +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-5-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 1f6930c774378..ea6741a822675 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2118,14 +2118,13 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + + if (prog) { + u8 nr_frags_free, old_nr_frags = sinfo->nr_frags; ++ u8 new_nr_frags; + u32 len; + + if (mlx5e_xdp_handle(rq, prog, mxbuf)) { + if (__test_and_clear_bit(MLX5E_RQ_FLAG_XDP_XMIT, rq->flags)) { + struct mlx5e_frag_page *pfp; + +- frag_page -= old_nr_frags - sinfo->nr_frags; +- + for (pfp = head_page; pfp < frag_page; pfp++) + pfp->frags++; + +@@ -2136,13 +2135,12 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + return NULL; /* page/packet was consumed by XDP */ + } + +- nr_frags_free = old_nr_frags - sinfo->nr_frags; +- if (unlikely(nr_frags_free)) { +- frag_page -= nr_frags_free; ++ new_nr_frags = sinfo->nr_frags; ++ nr_frags_free = old_nr_frags - new_nr_frags; ++ if (unlikely(nr_frags_free)) + truesize -= (nr_frags_free - 1) * PAGE_SIZE + + ALIGN(pg_consumed_bytes, + BIT(rq->mpwqe.log_stride_sz)); +- } + + len = mxbuf->xdp.data_end - mxbuf->xdp.data; + +@@ -2164,7 +2162,7 @@ mlx5e_skb_from_cqe_mpwrq_nonlinear(struct mlx5e_rq *rq, struct mlx5e_mpw_info *w + struct mlx5e_frag_page *pagep; + + /* sinfo->nr_frags is reset by build_skb, calculate again. */ +- xdp_update_skb_frags_info(skb, frag_page - head_page, ++ xdp_update_skb_frags_info(skb, new_nr_frags, + sinfo->xdp_frags_size, + truesize, + xdp_buff_get_skb_flags(&mxbuf->xdp)); +-- +2.51.0 + diff --git a/queue-6.19/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch b/queue-6.19/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch new file mode 100644 index 0000000000..9e683c023d --- /dev/null +++ b/queue-6.19/net-prevent-null-deref-in-ip-6-tunnel_xmit.patch @@ -0,0 +1,69 @@ +From 46315e6c72fb018817007beadb805f9d21ec3491 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Mar 2026 04:39:08 +0000 +Subject: net: prevent NULL deref in ip[6]tunnel_xmit() + +From: Eric Dumazet + +[ Upstream commit c38b8f5f791ecce13ab77e2257f8fd2444ba80f6 ] + +Blamed commit missed that both functions can be called with dev == NULL. + +Also add unlikely() hints for these conditions that only fuzzers can hit. + +Fixes: 6f1a9140ecda ("net: add xmit recursion limit to tunnel xmit functions") +Signed-off-by: Eric Dumazet +CC: Weiming Shi +Link: https://patch.msgid.link/20260312043908.2790803-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/ip6_tunnel.h | 10 ++++++---- + net/ipv4/ip_tunnel_core.c | 10 ++++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip6_tunnel.h b/include/net/ip6_tunnel.h +index 1253cbb4b0a45..359b595f1df93 100644 +--- a/include/net/ip6_tunnel.h ++++ b/include/net/ip6_tunnel.h +@@ -156,10 +156,12 @@ static inline void ip6tunnel_xmit(struct sock *sk, struct sk_buff *skb, + { + int pkt_len, err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + kfree_skb(skb); + return; + } +diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c +index b1b6bf949f65a..5683c328990f4 100644 +--- a/net/ipv4/ip_tunnel_core.c ++++ b/net/ipv4/ip_tunnel_core.c +@@ -58,10 +58,12 @@ void iptunnel_xmit(struct sock *sk, struct rtable *rt, struct sk_buff *skb, + struct iphdr *iph; + int err; + +- if (dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT) { +- net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", +- dev->name); +- DEV_STATS_INC(dev, tx_errors); ++ if (unlikely(dev_recursion_level() > IP_TUNNEL_RECURSION_LIMIT)) { ++ if (dev) { ++ net_crit_ratelimited("Dead loop on virtual device %s, fix it urgently!\n", ++ dev->name); ++ DEV_STATS_INC(dev, tx_errors); ++ } + ip_rt_put(rt); + kfree_skb(skb); + return; +-- +2.51.0 + diff --git a/queue-6.19/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-6.19/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..95916d7029 --- /dev/null +++ b/queue-6.19/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From bf8fa3252b92a923d07fd274f24a5182b9ffeeeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 6e4bdaa876ed6..783300d8b0197 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-6.19/net-sfp-improve-huawei-ma5671a-fixup.patch b/queue-6.19/net-sfp-improve-huawei-ma5671a-fixup.patch new file mode 100644 index 0000000000..12cea8b8fd --- /dev/null +++ b/queue-6.19/net-sfp-improve-huawei-ma5671a-fixup.patch @@ -0,0 +1,58 @@ +From c975c7d0d1d05a44e4cb35c016d0fda69d32f58f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 13:29:55 +0100 +Subject: net: sfp: improve Huawei MA5671a fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ] + +With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT +signal, but we also need to apply sfp_fixup_ignore_los() in order to be +able to communicate with the module even if the fiber isn't connected for +configuration purposes. +This is needed for all the MA5671a firmwares, excluding the FS modded +firmware. + +Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 43aefdd8b70f7..ca09925335725 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -367,6 +367,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp) ++{ ++ sfp_fixup_ignore_tx_fault(sfp); ++ sfp_fixup_ignore_los(sfp); ++} ++ + static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask) + { + sfp->state_hw_mask &= ~mask; +@@ -530,7 +536,7 @@ static const struct sfp_quirk sfp_quirks[] = { + // Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in + // their EEPROM + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, +- sfp_fixup_ignore_tx_fault), ++ sfp_fixup_ignore_tx_fault_and_los), + + // Lantech 8330-262D-E and 8330-265D can operate at 2500base-X, but + // incorrectly report 2500MBd NRZ in their EEPROM. +-- +2.51.0 + diff --git a/queue-6.19/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch b/queue-6.19/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch new file mode 100644 index 0000000000..0ddff33a57 --- /dev/null +++ b/queue-6.19/net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch @@ -0,0 +1,53 @@ +From a97e924a4e99ec91acaefb1ccae087bc1cf23f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:39:38 +0800 +Subject: net: spacemit: Fix error handling in emac_alloc_rx_desc_buffers() + +From: Vivian Wang + +[ Upstream commit 3aa1417803c1833cbd5bacb7e6a6489a196f2519 ] + +Even if we get a dma_mapping_error() while mapping an RX buffer, we +should still update rx_ring->head to ensure that the buffers we were +able to allocate and map are used. Fix this by breaking out to the +existing code after the loop, analogous to the existing handling for skb +allocation failure. + +Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC") +Signed-off-by: Vivian Wang +Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-1-e4e434d65055@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/spacemit/k1_emac.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c +index b49c4708bf9eb..5de69a105168a 100644 +--- a/drivers/net/ethernet/spacemit/k1_emac.c ++++ b/drivers/net/ethernet/spacemit/k1_emac.c +@@ -582,7 +582,9 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv) + DMA_FROM_DEVICE); + if (dma_mapping_error(&priv->pdev->dev, rx_buf->dma_addr)) { + dev_err_ratelimited(&ndev->dev, "Mapping skb failed\n"); +- goto err_free_skb; ++ dev_kfree_skb_any(skb); ++ rx_buf->skb = NULL; ++ break; + } + + rx_desc_addr = &((struct emac_desc *)rx_ring->desc_addr)[i]; +@@ -607,10 +609,6 @@ static void emac_alloc_rx_desc_buffers(struct emac_priv *priv) + + rx_ring->head = i; + return; +- +-err_free_skb: +- dev_kfree_skb_any(skb); +- rx_buf->skb = NULL; + } + + /* Returns number of packets received */ +-- +2.51.0 + diff --git a/queue-6.19/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch b/queue-6.19/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch new file mode 100644 index 0000000000..ccd6c6d8c5 --- /dev/null +++ b/queue-6.19/net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch @@ -0,0 +1,53 @@ +From ff942e7b7a8346fbb6ea14cf3d676bbfb35afcdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 14:39:39 +0800 +Subject: net: spacemit: Fix error handling in emac_tx_mem_map() + +From: Vivian Wang + +[ Upstream commit 86292155bea578ebab0ca3b65d4d87ecd8a0e9ea ] + +The DMA mappings were leaked on mapping error. Free them with the +existing emac_free_tx_buf() function. + +Fixes: bfec6d7f2001 ("net: spacemit: Add K1 Ethernet MAC") +Signed-off-by: Vivian Wang +Link: https://patch.msgid.link/20260305-k1-ethernet-more-fixes-v2-2-e4e434d65055@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/spacemit/k1_emac.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/spacemit/k1_emac.c b/drivers/net/ethernet/spacemit/k1_emac.c +index 5de69a105168a..d64ca7bbda9ea 100644 +--- a/drivers/net/ethernet/spacemit/k1_emac.c ++++ b/drivers/net/ethernet/spacemit/k1_emac.c +@@ -750,7 +750,7 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb) + struct emac_desc tx_desc, *tx_desc_addr; + struct device *dev = &priv->pdev->dev; + struct emac_tx_desc_buffer *tx_buf; +- u32 head, old_head, frag_num, f; ++ u32 head, old_head, frag_num, f, i; + bool buf_idx; + + frag_num = skb_shinfo(skb)->nr_frags; +@@ -818,6 +818,15 @@ static void emac_tx_mem_map(struct emac_priv *priv, struct sk_buff *skb) + + err_free_skb: + dev_dstats_tx_dropped(priv->ndev); ++ ++ i = old_head; ++ while (i != head) { ++ emac_free_tx_buf(priv, i); ++ ++ if (++i == tx_ring->total_cnt) ++ i = 0; ++ } ++ + dev_kfree_skb_any(skb); + } + +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_tables-always-walk-all-pending-catchall.patch b/queue-6.19/netfilter-nf_tables-always-walk-all-pending-catchall.patch new file mode 100644 index 0000000000..8f2197f603 --- /dev/null +++ b/queue-6.19/netfilter-nf_tables-always-walk-all-pending-catchall.patch @@ -0,0 +1,57 @@ +From def681859e4eb3ef0f1389b6928d89cf4c4447ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 21:32:00 +0100 +Subject: netfilter: nf_tables: always walk all pending catchall elements + +From: Florian Westphal + +[ Upstream commit 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 ] + +During transaction processing we might have more than one catchall element: +1 live catchall element and 1 pending element that is coming as part of the +new batch. + +If the map holding the catchall elements is also going away, its +required to toggle all catchall elements and not just the first viable +candidate. + +Otherwise, we get: + WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 + RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] + [..] + __nft_set_elem_destroy+0x106/0x380 [nf_tables] + nf_tables_abort_release+0x348/0x8d0 [nf_tables] + nf_tables_abort+0xcf2/0x3ac0 [nf_tables] + nfnetlink_rcv_batch+0x9c9/0x20e0 [..] + +Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") +Reported-by: Yiming Qian +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c75c2379d30bd..c9a76c760b17c 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -828,7 +828,6 @@ static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, + + nft_set_elem_change_active(ctx->net, set, ext); + nft_setelem_data_deactivate(ctx->net, set, catchall->elem); +- break; + } + } + +@@ -5873,7 +5872,6 @@ static void nft_map_catchall_activate(const struct nft_ctx *ctx, + + nft_clear(ctx->net, ext); + nft_setelem_data_activate(ctx->net, set, catchall->elem); +- break; + } + } + +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch b/queue-6.19/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch new file mode 100644 index 0000000000..f5164140cf --- /dev/null +++ b/queue-6.19/netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch @@ -0,0 +1,55 @@ +From ea43c77c204d87354db0f999797851ad63da86b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 13:01:44 +0100 +Subject: netfilter: nf_tables: Fix for duplicate device in netdev hooks + +From: Phil Sutter + +[ Upstream commit b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b ] + +When handling NETDEV_REGISTER notification, duplicate device +registration must be avoided since the device may have been added by +nft_netdev_hook_alloc() already when creating the hook. + +Suggested-by: Florian Westphal +Reported-by: syzbot+bb9127e278fa198e110c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=bb9127e278fa198e110c +Fixes: a331b78a5525 ("netfilter: nf_tables: Respect NETDEV_REGISTER events") +Tested-by: Helen Koike +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + net/netfilter/nft_chain_filter.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index a3865924a505d..c75c2379d30bd 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -9675,7 +9675,7 @@ static int nft_flowtable_event(unsigned long event, struct net_device *dev, + break; + case NETDEV_REGISTER: + /* NOP if not matching or already registered */ +- if (!match || (changename && ops)) ++ if (!match || ops) + continue; + + ops = kzalloc(sizeof(struct nf_hook_ops), +diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c +index b16185e9a6dd7..041426e3bdbf1 100644 +--- a/net/netfilter/nft_chain_filter.c ++++ b/net/netfilter/nft_chain_filter.c +@@ -344,7 +344,7 @@ static int nft_netdev_event(unsigned long event, struct net_device *dev, + break; + case NETDEV_REGISTER: + /* NOP if not matching or already registered */ +- if (!match || (changename && ops)) ++ if (!match || ops) + continue; + + ops = kmemdup(&basechain->ops, +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-6.19/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..1bd634e9c5 --- /dev/null +++ b/queue-6.19/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From cd90a9fb7c303e117a9b98248ba671aad2f26840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 97248963a7d3b..71a248cca746a 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-6.19/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..97244dcf7a --- /dev/null +++ b/queue-6.19/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From 873f21bd847c684e6e25f7b248297023a9f29dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 34548213f2f14..0b96d20bacb73 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1549,8 +1549,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-6.19/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-6.19/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..4156076b89 --- /dev/null +++ b/queue-6.19/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From f4bfd99772f4e98e629faa9536b50d02e746ab4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index d9b74d588c768..394b78a00a6a5 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1641,6 +1641,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1660,7 +1661,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-6.19/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-6.19/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..4d72e8350d --- /dev/null +++ b/queue-6.19/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From 289c81be570066af3a3a71cf40606a485150646b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index e8991130a3de0..f76cf18f1a244 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-6.19/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-6.19/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..b0242985ca --- /dev/null +++ b/queue-6.19/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From 772062ce15fe1aa4ae688b720b3eb85a7abd25f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index d73957592c9d9..bb7af92ac82a4 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -318,6 +318,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + secs_to_jiffies(info->timeout) + jiffies); +-- +2.51.0 + diff --git a/queue-6.19/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch b/queue-6.19/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch new file mode 100644 index 0000000000..f3205bdc11 --- /dev/null +++ b/queue-6.19/nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch @@ -0,0 +1,58 @@ +From fe52d2ed92ac3f1cacfad517e880229dd78ff87a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Feb 2026 13:04:40 +0100 +Subject: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir + +From: Roberto Bergantinos Corpas + +[ Upstream commit 410666a298c34ebd57256fde6b24c96bd23059a2 ] + +If we found an alias through nfs3_do_create/nfs_add_or_obtain +/d_splice_alias which happens to be a dir dentry, we don't return +any error, and simply forget about this alias, but the original +dentry we were adding and passed as parameter remains negative. + +This later causes an oops on nfs_atomic_open_v23/finish_open since we +supply a negative dentry to do_dentry_open. + +This has been observed running lustre-racer, where dirs and files are +created/removed concurrently with the same name and O_EXCL is not +used to open files (frequent file redirection). + +While d_splice_alias typically returns a directory alias or NULL, we +explicitly check d_is_dir() to ensure that we don't attempt to perform +file operations (like finish_open) on a directory inode, which triggers +the observed oops. + +Fixes: 7c6c5249f061 ("NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly.") +Reviewed-by: Olga Kornievskaia +Reviewed-by: Scott Mayhew +Signed-off-by: Roberto Bergantinos Corpas +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs3proc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c +index 1181f9cc6dbdb..f8bc9bffdad90 100644 +--- a/fs/nfs/nfs3proc.c ++++ b/fs/nfs/nfs3proc.c +@@ -392,8 +392,13 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, + if (status != 0) + goto out_release_acls; + +- if (d_alias) ++ if (d_alias) { ++ if (d_is_dir(d_alias)) { ++ status = -EISDIR; ++ goto out_dput; ++ } + dentry = d_alias; ++ } + + /* When we created the file with exclusive semantics, make + * sure we set the attributes afterwards. */ +-- +2.51.0 + diff --git a/queue-6.19/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch b/queue-6.19/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch new file mode 100644 index 0000000000..f546f6bfae --- /dev/null +++ b/queue-6.19/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch @@ -0,0 +1,122 @@ +From 9f21b603f10576674ed3ad8e4b947122b77f1792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 14:46:36 -0500 +Subject: nvme-pci: Fix race bug in nvme_poll_irqdisable() + +From: Sungwoo Kim + +[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ] + +In the following scenario, pdev can be disabled between (1) and (3) by +(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will +return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). +This causes IRQ warning because it tries to enable INTx IRQ that has +never been disabled before. + +To fix this, save IRQ number into a local variable and ensure +disable_irq() and enable_irq() operate on the same IRQ number. Even if +pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and +enable_irq() on a stale IRQ number is still valid and safe, and the +depth accounting reamins balanced. + +task 1: +nvme_poll_irqdisable() + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) + +task 2: +nvme_reset_work() + nvme_dev_disable() + pdev->msix_enable = 0; ...(2) + +crash log: + +------------[ cut here ]------------ +Unbalanced enable for IRQ 10 +WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 +Modules linked in: +CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_timeout_work +RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 +Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 +RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 +RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 +RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 +RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 +R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 +R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 +FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 +Call Trace: + + enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 + nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 + nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 + blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] + blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 + bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 + __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] + sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] + bt_for_each block/blk-mq-tag.c:324 [inline] + blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 + blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +irq event stamp: 74478 +hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] +hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 +hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] +hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 +softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +---[ end trace 0000000000000000 ]--- + +Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Reviewed-by: Christoph Hellwig +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index ca86f85968708..3c83076a57e57 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1484,14 +1484,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data) + static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + { + struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev); ++ int irq; + + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + +- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ irq = pci_irq_vector(pdev, nvmeq->cq_vector); ++ disable_irq(irq); + spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); + spin_unlock(&nvmeq->cq_poll_lock); +- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ enable_irq(irq); + } + + static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) +-- +2.51.0 + diff --git a/queue-6.19/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-6.19/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..df0a178051 --- /dev/null +++ b/queue-6.19/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 2de1d67402a1f46b76c337a089ba985b497c04b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index d86f2565a92ca..ca86f85968708 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -400,7 +400,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..68b111fcb9 --- /dev/null +++ b/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From 3677f6940fd04267f4ca6229cd56242b8f5c04b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 0f9953eaf1b09..fa6ca4f41b59a 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -475,7 +475,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..4afe9737d1 --- /dev/null +++ b/queue-6.19/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From d99f8317181793e59a51cc184408f0e785ff0fbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index fa6ca4f41b59a..2a715872e9edf 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-6.19/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch b/queue-6.19/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch new file mode 100644 index 0000000000..b9e3d93c43 --- /dev/null +++ b/queue-6.19/page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch @@ -0,0 +1,68 @@ +From 8252e33ab8b309b442ae2a8d82e062360837a288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 17:39:07 -0700 +Subject: page_pool: store detach_time as ktime_t to avoid false-negatives + +From: Jakub Kicinski + +[ Upstream commit 28b225282d44e2ef40e7f46cfdbd5d1b20b8874f ] + +While testing other changes in vng I noticed that +nl_netdev.page_pool_check flakes. This never happens in real CI. + +Turns out vng may boot and get to that test in less than a second. +page_pool_detached() records the detach time in seconds, so if +vng is fast enough detach time is set to 0. Other code treats +0 as "not detached". detach_time is only used to report the state +to the user, so it's not a huge deal in practice but let's fix it. +Store the raw ktime_t (nanoseconds) instead. A nanosecond value +of 0 is practically impossible. + +Acked-by: Jesper Dangaard Brouer +Fixes: 69cb4952b6f6 ("net: page_pool: report when page pool was destroyed") +Link: https://patch.msgid.link/20260310003907.3540019-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/page_pool/types.h | 2 +- + net/core/page_pool_user.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/net/page_pool/types.h b/include/net/page_pool/types.h +index 1509a536cb855..fb4f03ccd6156 100644 +--- a/include/net/page_pool/types.h ++++ b/include/net/page_pool/types.h +@@ -246,7 +246,7 @@ struct page_pool { + /* User-facing fields, protected by page_pools_lock */ + struct { + struct hlist_node list; +- u64 detach_time; ++ ktime_t detach_time; + u32 id; + } user; + }; +diff --git a/net/core/page_pool_user.c b/net/core/page_pool_user.c +index c82a95beceff8..ee5060d8eec0e 100644 +--- a/net/core/page_pool_user.c ++++ b/net/core/page_pool_user.c +@@ -245,7 +245,7 @@ page_pool_nl_fill(struct sk_buff *rsp, const struct page_pool *pool, + goto err_cancel; + if (pool->user.detach_time && + nla_put_uint(rsp, NETDEV_A_PAGE_POOL_DETACH_TIME, +- pool->user.detach_time)) ++ ktime_divns(pool->user.detach_time, NSEC_PER_SEC))) + goto err_cancel; + + if (pool->mp_ops && pool->mp_ops->nl_fill(pool->mp_priv, rsp, NULL)) +@@ -337,7 +337,7 @@ int page_pool_list(struct page_pool *pool) + void page_pool_detached(struct page_pool *pool) + { + mutex_lock(&page_pools_lock); +- pool->user.detach_time = ktime_get_boottime_seconds(); ++ pool->user.detach_time = ktime_get_boottime(); + netdev_nl_page_pool_event(pool, NETDEV_CMD_PAGE_POOL_CHANGE_NTF); + mutex_unlock(&page_pools_lock); + } +-- +2.51.0 + diff --git a/queue-6.19/perf-annotate-fix-hashmap__new-error-checking.patch b/queue-6.19/perf-annotate-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..9d4ed234a0 --- /dev/null +++ b/queue-6.19/perf-annotate-fix-hashmap__new-error-checking.patch @@ -0,0 +1,60 @@ +From be0fc9338467271e5af86957dcc59f93fe78c02c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 11:56:48 +0800 +Subject: perf annotate: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit bf29cb3641b80bac759c3332b02e0b270e16bf94 ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set src->samples to NULL to prevent any later code from +accidentally using the error pointer. + +Fixes: d3e7cad6f36d9e80 ("perf annotate: Add a hashmap for symbol histogram") +Reviewed-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Tianyou Li +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/annotate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c +index 791d60f97c23e..df7b7e70c19fe 100644 +--- a/tools/perf/util/annotate.c ++++ b/tools/perf/util/annotate.c +@@ -44,6 +44,7 @@ + #include "strbuf.h" + #include + #include ++#include + #include + #include + #include +@@ -137,8 +138,10 @@ static int annotated_source__alloc_histograms(struct annotated_source *src, + return -1; + + src->samples = hashmap__new(sym_hist_hash, sym_hist_equal, NULL); +- if (src->samples == NULL) ++ if (IS_ERR(src->samples)) { + zfree(&src->histograms); ++ src->samples = NULL; ++ } + + return src->histograms ? 0 : -1; + } +-- +2.51.0 + diff --git a/queue-6.19/perf-disasm-fix-off-by-one-bug-in-outside-check.patch b/queue-6.19/perf-disasm-fix-off-by-one-bug-in-outside-check.patch new file mode 100644 index 0000000000..774b58fed4 --- /dev/null +++ b/queue-6.19/perf-disasm-fix-off-by-one-bug-in-outside-check.patch @@ -0,0 +1,53 @@ +From 89b5a4762b10631cabdbbb6950f00ede77923fb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 11:06:12 -0800 +Subject: perf disasm: Fix off-by-one bug in outside check + +From: Peter Collingbourne + +[ Upstream commit b3ce769203a99d6f3c6d6269ec09232a8c5da422 ] + +If a branch target points to one past the end of a function, the branch +should be treated as a branch to another function. + +This can happen e.g. with a tail call to a function that is laid out +immediately after the caller. + +Fixes: 751b1783da784299 ("perf annotate: Mark jumps to outher functions with the call arrow") +Reviewed-by: Ian Rogers +Signed-off-by: Peter Collingbourne +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Bill Wendling +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Justin Stitt +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Link: https://linux-review.googlesource.com/id/Ide471112e82d68177e0faf08ca411d9fcf0a7bdf +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/disasm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/disasm.c b/tools/perf/util/disasm.c +index 88706b98b9064..b1be847446fea 100644 +--- a/tools/perf/util/disasm.c ++++ b/tools/perf/util/disasm.c +@@ -412,7 +412,7 @@ static int jump__parse(struct arch *arch, struct ins_operands *ops, struct map_s + start = map__unmap_ip(map, sym->start); + end = map__unmap_ip(map, sym->end); + +- ops->target.outside = target.addr < start || target.addr > end; ++ ops->target.outside = target.addr < start || target.addr >= end; + + /* + * FIXME: things like this in _cpp_lex_token (gcc's cc1 program): +-- +2.51.0 + diff --git a/queue-6.19/perf-ftrace-fix-hashmap__new-error-checking.patch b/queue-6.19/perf-ftrace-fix-hashmap__new-error-checking.patch new file mode 100644 index 0000000000..758eabf432 --- /dev/null +++ b/queue-6.19/perf-ftrace-fix-hashmap__new-error-checking.patch @@ -0,0 +1,62 @@ +From d8f2a0a8730a9a3001cfefbf9a14dc3e8815fad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 12:10:52 +0800 +Subject: perf ftrace: Fix hashmap__new() error checking + +From: Chen Ni + +[ Upstream commit be34705aa527872e5ce83927b7bc9307ba8095ca ] + +The hashmap__new() function never returns NULL, it returns error +pointers. Fix the error checking to match. + +Additionally, set ftrace->profile_hash to NULL on error, and return the +exact error code from hashmap__new(). + +Fixes: 0f223813edd051a5 ("perf ftrace: Add 'profile' command") +Suggested-by: Ian Rogers +Signed-off-by: Chen Ni +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-ftrace.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c +index 6b6eec65f93f5..4cc33452d79b6 100644 +--- a/tools/perf/builtin-ftrace.c ++++ b/tools/perf/builtin-ftrace.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1209,8 +1210,12 @@ static int prepare_func_profile(struct perf_ftrace *ftrace) + ftrace->graph_verbose = 0; + + ftrace->profile_hash = hashmap__new(profile_hash, profile_equal, NULL); +- if (ftrace->profile_hash == NULL) +- return -ENOMEM; ++ if (IS_ERR(ftrace->profile_hash)) { ++ int err = PTR_ERR(ftrace->profile_hash); ++ ++ ftrace->profile_hash = NULL; ++ return err; ++ } + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.19/perf-synthetic-events-fix-stale-build-id-in-module-m.patch b/queue-6.19/perf-synthetic-events-fix-stale-build-id-in-module-m.patch new file mode 100644 index 0000000000..4d2e1d5f5b --- /dev/null +++ b/queue-6.19/perf-synthetic-events-fix-stale-build-id-in-module-m.patch @@ -0,0 +1,79 @@ +From 68db5a8b8e4e50d4ae5ee2bb44bf01e87669cbec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:59:51 -0400 +Subject: perf synthetic-events: Fix stale build ID in module MMAP2 records + +From: Chuck Lever + +[ Upstream commit 35b16a7a2c4fc458304447128b86514ce9f70f3c ] + +perf_event__synthesize_modules() allocates a single union perf_event and +reuses it across every kernel module callback. + +After the first module is processed, perf_record_mmap2__read_build_id() +sets PERF_RECORD_MISC_MMAP_BUILD_ID in header.misc and writes that +module's build ID into the event. + +On subsequent iterations the callback overwrites start, len, pid, and +filename for the next module but never clears the stale build ID fields +or the MMAP_BUILD_ID flag. + +When perf_record_mmap2__read_build_id() runs for the second module it +sees the flag, reads the stale build ID into a dso_id, and +__dso__improve_id() permanently poisons the DSO with the wrong build ID. + +Every module after the first therefore receives the first module's build +ID in its MMAP2 record. + +On a system with the sunrpc and nfsd modules loaded, this causes perf +script and perf report to show [unknown] for all module symbols. + +The latent bug has existed since commit d9f2ecbc5e47fca7 ("perf dso: +Move build_id to dso_id") introduced the PERF_RECORD_MISC_MMAP_BUILD_ID +check in perf_record_mmap2__read_build_id(). + +Commit 53b00ff358dc75b1 ("perf record: Make --buildid-mmap the default") +then exposed it to all users by making the MMAP2-with-build-ID path the +default. Both commits were merged in the same series. + +Clear the MMAP_BUILD_ID flag and zero the build_id union before each +call to perf_record_mmap2__read_build_id() so that every module starts +with a clean slate. + +Fixes: d9f2ecbc5e47fca7 ("perf dso: Move build_id to dso_id") +Reviewed-by: Ian Rogers +Signed-off-by: Chuck Lever +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/synthetic-events.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c +index 2ba9fa25e00a6..7a47e21c6704f 100644 +--- a/tools/perf/util/synthetic-events.c ++++ b/tools/perf/util/synthetic-events.c +@@ -703,6 +703,11 @@ static int perf_event__synthesize_modules_maps_cb(struct map *map, void *data) + + memcpy(event->mmap2.filename, dso__long_name(dso), dso__long_name_len(dso) + 1); + ++ /* Clear stale build ID from previous module iteration */ ++ event->mmap2.header.misc &= ~PERF_RECORD_MISC_MMAP_BUILD_ID; ++ memset(event->mmap2.build_id, 0, sizeof(event->mmap2.build_id)); ++ event->mmap2.build_id_size = 0; ++ + perf_record_mmap2__read_build_id(&event->mmap2, args->machine, false); + } else { + size = PERF_ALIGN(dso__long_name_len(dso) + 1, sizeof(u64)); +-- +2.51.0 + diff --git a/queue-6.19/regulator-pca9450-correct-interrupt-type.patch b/queue-6.19/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..e076339f6b --- /dev/null +++ b/queue-6.19/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From a43c42b20d0eee205c3eeea893b30cd365a110f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 5fa8682642505..2205f6de37e7d 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -1369,7 +1369,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) + return dev_err_probe(pca9450->dev, ret, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-6.19/regulator-pca9450-correct-probed-name-for-pca9452.patch b/queue-6.19/regulator-pca9450-correct-probed-name-for-pca9452.patch new file mode 100644 index 0000000000..7d3d0d4067 --- /dev/null +++ b/queue-6.19/regulator-pca9450-correct-probed-name-for-pca9452.patch @@ -0,0 +1,74 @@ +From 996fc0067bebf844073de93073e130a8db603c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:53 +0800 +Subject: regulator: pca9450: Correct probed name for PCA9452 + +From: Peng Fan + +[ Upstream commit 21b3fb7dc19caa488d285e3c47999f7f1a179334 ] + +An incorrect device name was logged for PCA9452 because the dev_info() +ternary omitted PCA9452 and fell through to "pca9450bc". Introduce a +type_name and set it per device type so the probed message matches the +actual PMIC. While here, make the PCA9451A case explicit. + +No functional changes. + +Fixes: 017b76fb8e5b6 ("regulator: pca9450: Add PMIC pca9452 support") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-2-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 2205f6de37e7d..45d7dc44c2cd0 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -1293,6 +1293,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + struct regulator_dev *ldo5; + struct pca9450 *pca9450; + unsigned int device_id, i; ++ const char *type_name; + int ret; + + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); +@@ -1303,15 +1304,22 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + case PCA9450_TYPE_PCA9450A: + regulator_desc = pca9450a_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9450a_regulators); ++ type_name = "pca9450a"; + break; + case PCA9450_TYPE_PCA9450BC: + regulator_desc = pca9450bc_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9450bc_regulators); ++ type_name = "pca9450bc"; + break; + case PCA9450_TYPE_PCA9451A: ++ regulator_desc = pca9451a_regulators; ++ pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators); ++ type_name = "pca9451a"; ++ break; + case PCA9450_TYPE_PCA9452: + regulator_desc = pca9451a_regulators; + pca9450->rcnt = ARRAY_SIZE(pca9451a_regulators); ++ type_name = "pca9452"; + break; + default: + dev_err(&i2c->dev, "Unknown device type"); +@@ -1413,9 +1421,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + pca9450_i2c_restart_handler, pca9450)) + dev_warn(&i2c->dev, "Failed to register restart handler\n"); + +- dev_info(&i2c->dev, "%s probed.\n", +- type == PCA9450_TYPE_PCA9450A ? "pca9450a" : +- (type == PCA9450_TYPE_PCA9451A ? "pca9451a" : "pca9450bc")); ++ dev_info(&i2c->dev, "%s probed.\n", type_name); + + return 0; + } +-- +2.51.0 + diff --git a/queue-6.19/rust-dma-use-pointer-projection-infra-for-dma_-read-.patch b/queue-6.19/rust-dma-use-pointer-projection-infra-for-dma_-read-.patch new file mode 100644 index 0000000000..8581422119 --- /dev/null +++ b/queue-6.19/rust-dma-use-pointer-projection-infra-for-dma_-read-.patch @@ -0,0 +1,350 @@ +From 26dd613c37a79884da7fd824263d4c93123688c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Mar 2026 16:42:36 +0000 +Subject: rust: dma: use pointer projection infra for `dma_{read,write}` macro + +From: Gary Guo + +[ Upstream commit 4da879a0d3fd170a70994b73baa554c6913918b5 ] + +Current `dma_read!`, `dma_write!` macros also use a custom +`addr_of!()`-based implementation for projecting pointers, which has +soundness issue as it relies on absence of `Deref` implementation on types. +It also has a soundness issue where it does not protect against unaligned +fields (when `#[repr(packed)]` is used) so it can generate misaligned +accesses. + +This commit migrates them to use the general pointer projection +infrastructure, which handles these cases correctly. + +As part of migration, the macro is updated to have an improved surface +syntax. The current macro have + + dma_read!(a.b.c[d].e.f) + +to mean `a.b.c` is a DMA coherent allocation and it should project into it +with `[d].e.f` and do a read, which is confusing as it makes the indexing +operator integral to the macro (so it will break if you have an array of +`CoherentAllocation`, for example). + +This also is problematic as we would like to generalize +`CoherentAllocation` from just slices to arbitrary types. + +Make the macro expects `dma_read!(path.to.dma, .path.inside.dma)` as the +canonical syntax. The index operator is no longer special and is just one +type of projection (in additional to field projection). Similarly, make +`dma_write!(path.to.dma, .path.inside.dma, value)` become the canonical +syntax for writing. + +Another issue of the current macro is that it is always fallible. This +makes sense with existing design of `CoherentAllocation`, but once we +support fixed size arrays with `CoherentAllocation`, it is desirable to +have the ability to perform infallible indexing as well, e.g. doing a `[0]` +index of `[Foo; 2]` is okay and can be checked at build-time, so forcing +falliblity is non-ideal. To capture this, the macro is changed to use +`[idx]` as infallible projection and `[idx]?` as fallible index projection +(those syntax are part of the general projection infra). A benefit of this +is that while individual indexing operation may fail, the overall +read/write operation is not fallible. + +Fixes: ad2907b4e308 ("rust: add dma coherent allocator abstraction") +Reviewed-by: Benno Lossin +Signed-off-by: Gary Guo +Link: https://patch.msgid.link/20260302164239.284084-4-gary@kernel.org +[ Capitalize safety comments; slightly improve wording in doc-comments. + - Danilo ] +Signed-off-by: Danilo Krummrich +Signed-off-by: Sasha Levin +--- + drivers/gpu/nova-core/gsp.rs | 14 ++-- + drivers/gpu/nova-core/gsp/boot.rs | 2 +- + drivers/gpu/nova-core/gsp/cmdq.rs | 10 ++- + rust/kernel/dma.rs | 114 +++++++++++++----------------- + samples/rust/rust_dma.rs | 30 ++++---- + 5 files changed, 81 insertions(+), 89 deletions(-) + +diff --git a/drivers/gpu/nova-core/gsp.rs b/drivers/gpu/nova-core/gsp.rs +index 174feaca0a6b9..25cd48514c777 100644 +--- a/drivers/gpu/nova-core/gsp.rs ++++ b/drivers/gpu/nova-core/gsp.rs +@@ -143,14 +143,14 @@ impl Gsp { + // _kgspInitLibosLoggingStructures (allocates memory for buffers) + // kgspSetupLibosInitArgs_IMPL (creates pLibosInitArgs[] array) + dma_write!( +- libos[0] = LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0) +- )?; ++ libos, [0]?, LibosMemoryRegionInitArgument::new("LOGINIT", &loginit.0) ++ ); + dma_write!( +- libos[1] = LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0) +- )?; +- dma_write!(libos[2] = LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0))?; +- dma_write!(rmargs[0].inner = fw::GspArgumentsCached::new(cmdq))?; +- dma_write!(libos[3] = LibosMemoryRegionInitArgument::new("RMARGS", rmargs))?; ++ libos, [1]?, LibosMemoryRegionInitArgument::new("LOGINTR", &logintr.0) ++ ); ++ dma_write!(libos, [2]?, LibosMemoryRegionInitArgument::new("LOGRM", &logrm.0)); ++ dma_write!(rmargs, [0]?.inner, fw::GspArgumentsCached::new(cmdq)); ++ dma_write!(libos, [3]?, LibosMemoryRegionInitArgument::new("RMARGS", rmargs)); + }, + })) + }) +diff --git a/drivers/gpu/nova-core/gsp/boot.rs b/drivers/gpu/nova-core/gsp/boot.rs +index 54937606b5b0a..38b4682ff01be 100644 +--- a/drivers/gpu/nova-core/gsp/boot.rs ++++ b/drivers/gpu/nova-core/gsp/boot.rs +@@ -160,7 +160,7 @@ impl super::Gsp { + + let wpr_meta = + CoherentAllocation::::alloc_coherent(dev, 1, GFP_KERNEL | __GFP_ZERO)?; +- dma_write!(wpr_meta[0] = GspFwWprMeta::new(&gsp_fw, &fb_layout))?; ++ dma_write!(wpr_meta, [0]?, GspFwWprMeta::new(&gsp_fw, &fb_layout)); + + self.cmdq + .send_command(bar, commands::SetSystemInfo::new(pdev))?; +diff --git a/drivers/gpu/nova-core/gsp/cmdq.rs b/drivers/gpu/nova-core/gsp/cmdq.rs +index 3991ccc0c10f1..1cdd1ccfe5702 100644 +--- a/drivers/gpu/nova-core/gsp/cmdq.rs ++++ b/drivers/gpu/nova-core/gsp/cmdq.rs +@@ -201,9 +201,13 @@ impl DmaGspMem { + + let gsp_mem = + CoherentAllocation::::alloc_coherent(dev, 1, GFP_KERNEL | __GFP_ZERO)?; +- dma_write!(gsp_mem[0].ptes = PteArray::new(gsp_mem.dma_handle())?)?; +- dma_write!(gsp_mem[0].cpuq.tx = MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES))?; +- dma_write!(gsp_mem[0].cpuq.rx = MsgqRxHeader::new())?; ++ dma_write!(gsp_mem, [0]?.ptes, PteArray::new(gsp_mem.dma_handle())?); ++ dma_write!( ++ gsp_mem, ++ [0]?.cpuq.tx, ++ MsgqTxHeader::new(MSGQ_SIZE, RX_HDR_OFF, MSGQ_NUM_PAGES) ++ ); ++ dma_write!(gsp_mem, [0]?.cpuq.rx, MsgqRxHeader::new()); + + Ok(Self(gsp_mem)) + } +diff --git a/rust/kernel/dma.rs b/rust/kernel/dma.rs +index acc65b1e0f245..37e125bb423ad 100644 +--- a/rust/kernel/dma.rs ++++ b/rust/kernel/dma.rs +@@ -444,6 +444,19 @@ impl CoherentAllocation { + self.count * core::mem::size_of::() + } + ++ /// Returns the raw pointer to the allocated region in the CPU's virtual address space. ++ #[inline] ++ pub fn as_ptr(&self) -> *const [T] { ++ core::ptr::slice_from_raw_parts(self.cpu_addr.as_ptr(), self.count) ++ } ++ ++ /// Returns the raw pointer to the allocated region in the CPU's virtual address space as ++ /// a mutable pointer. ++ #[inline] ++ pub fn as_mut_ptr(&self) -> *mut [T] { ++ core::ptr::slice_from_raw_parts_mut(self.cpu_addr.as_ptr(), self.count) ++ } ++ + /// Returns the base address to the allocated region in the CPU's virtual address space. + pub fn start_ptr(&self) -> *const T { + self.cpu_addr.as_ptr() +@@ -564,23 +577,6 @@ impl CoherentAllocation { + Ok(()) + } + +- /// Returns a pointer to an element from the region with bounds checking. `offset` is in +- /// units of `T`, not the number of bytes. +- /// +- /// Public but hidden since it should only be used from [`dma_read`] and [`dma_write`] macros. +- #[doc(hidden)] +- pub fn item_from_index(&self, offset: usize) -> Result<*mut T> { +- if offset >= self.count { +- return Err(EINVAL); +- } +- // SAFETY: +- // - The pointer is valid due to type invariant on `CoherentAllocation` +- // and we've just checked that the range and index is within bounds. +- // - `offset` can't overflow since it is smaller than `self.count` and we've checked +- // that `self.count` won't overflow early in the constructor. +- Ok(unsafe { self.cpu_addr.as_ptr().add(offset) }) +- } +- + /// Reads the value of `field` and ensures that its type is [`FromBytes`]. + /// + /// # Safety +@@ -653,6 +649,9 @@ unsafe impl Send for CoherentAllocation {} + + /// Reads a field of an item from an allocated region of structs. + /// ++/// The syntax is of the form `kernel::dma_read!(dma, proj)` where `dma` is an expression evaluating ++/// to a [`CoherentAllocation`] and `proj` is a [projection specification](kernel::ptr::project!). ++/// + /// # Examples + /// + /// ``` +@@ -667,36 +666,29 @@ unsafe impl Send for CoherentAllocation {} + /// unsafe impl kernel::transmute::AsBytes for MyStruct{}; + /// + /// # fn test(alloc: &kernel::dma::CoherentAllocation) -> Result { +-/// let whole = kernel::dma_read!(alloc[2]); +-/// let field = kernel::dma_read!(alloc[1].field); ++/// let whole = kernel::dma_read!(alloc, [2]?); ++/// let field = kernel::dma_read!(alloc, [1]?.field); + /// # Ok::<(), Error>(()) } + /// ``` + #[macro_export] + macro_rules! dma_read { +- ($dma:expr, $idx: expr, $($field:tt)*) => {{ +- (|| -> ::core::result::Result<_, $crate::error::Error> { +- let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?; +- // SAFETY: `item_from_index` ensures that `item` is always a valid pointer and can be +- // dereferenced. The compiler also further validates the expression on whether `field` +- // is a member of `item` when expanded by the macro. +- unsafe { +- let ptr_field = ::core::ptr::addr_of!((*item) $($field)*); +- ::core::result::Result::Ok( +- $crate::dma::CoherentAllocation::field_read(&$dma, ptr_field) +- ) +- } +- })() ++ ($dma:expr, $($proj:tt)*) => {{ ++ let dma = &$dma; ++ let ptr = $crate::ptr::project!( ++ $crate::dma::CoherentAllocation::as_ptr(dma), $($proj)* ++ ); ++ // SAFETY: The pointer created by the projection is within the DMA region. ++ unsafe { $crate::dma::CoherentAllocation::field_read(dma, ptr) } + }}; +- ($dma:ident [ $idx:expr ] $($field:tt)* ) => { +- $crate::dma_read!($dma, $idx, $($field)*) +- }; +- ($($dma:ident).* [ $idx:expr ] $($field:tt)* ) => { +- $crate::dma_read!($($dma).*, $idx, $($field)*) +- }; + } + + /// Writes to a field of an item from an allocated region of structs. + /// ++/// The syntax is of the form `kernel::dma_write!(dma, proj, val)` where `dma` is an expression ++/// evaluating to a [`CoherentAllocation`], `proj` is a ++/// [projection specification](kernel::ptr::project!), and `val` is the value to be written to the ++/// projected location. ++/// + /// # Examples + /// + /// ``` +@@ -711,37 +703,31 @@ macro_rules! dma_read { + /// unsafe impl kernel::transmute::AsBytes for MyStruct{}; + /// + /// # fn test(alloc: &kernel::dma::CoherentAllocation) -> Result { +-/// kernel::dma_write!(alloc[2].member = 0xf); +-/// kernel::dma_write!(alloc[1] = MyStruct { member: 0xf }); ++/// kernel::dma_write!(alloc, [2]?.member, 0xf); ++/// kernel::dma_write!(alloc, [1]?, MyStruct { member: 0xf }); + /// # Ok::<(), Error>(()) } + /// ``` + #[macro_export] + macro_rules! dma_write { +- ($dma:ident [ $idx:expr ] $($field:tt)*) => {{ +- $crate::dma_write!($dma, $idx, $($field)*) +- }}; +- ($($dma:ident).* [ $idx:expr ] $($field:tt)* ) => {{ +- $crate::dma_write!($($dma).*, $idx, $($field)*) ++ (@parse [$dma:expr] [$($proj:tt)*] [, $val:expr]) => {{ ++ let dma = &$dma; ++ let ptr = $crate::ptr::project!( ++ mut $crate::dma::CoherentAllocation::as_mut_ptr(dma), $($proj)* ++ ); ++ let val = $val; ++ // SAFETY: The pointer created by the projection is within the DMA region. ++ unsafe { $crate::dma::CoherentAllocation::field_write(dma, ptr, val) } + }}; +- ($dma:expr, $idx: expr, = $val:expr) => { +- (|| -> ::core::result::Result<_, $crate::error::Error> { +- let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?; +- // SAFETY: `item_from_index` ensures that `item` is always a valid item. +- unsafe { $crate::dma::CoherentAllocation::field_write(&$dma, item, $val) } +- ::core::result::Result::Ok(()) +- })() ++ (@parse [$dma:expr] [$($proj:tt)*] [.$field:tt $($rest:tt)*]) => { ++ $crate::dma_write!(@parse [$dma] [$($proj)* .$field] [$($rest)*]) ++ }; ++ (@parse [$dma:expr] [$($proj:tt)*] [[$index:expr]? $($rest:tt)*]) => { ++ $crate::dma_write!(@parse [$dma] [$($proj)* [$index]?] [$($rest)*]) ++ }; ++ (@parse [$dma:expr] [$($proj:tt)*] [[$index:expr] $($rest:tt)*]) => { ++ $crate::dma_write!(@parse [$dma] [$($proj)* [$index]] [$($rest)*]) + }; +- ($dma:expr, $idx: expr, $(.$field:ident)* = $val:expr) => { +- (|| -> ::core::result::Result<_, $crate::error::Error> { +- let item = $crate::dma::CoherentAllocation::item_from_index(&$dma, $idx)?; +- // SAFETY: `item_from_index` ensures that `item` is always a valid pointer and can be +- // dereferenced. The compiler also further validates the expression on whether `field` +- // is a member of `item` when expanded by the macro. +- unsafe { +- let ptr_field = ::core::ptr::addr_of_mut!((*item) $(.$field)*); +- $crate::dma::CoherentAllocation::field_write(&$dma, ptr_field, $val) +- } +- ::core::result::Result::Ok(()) +- })() ++ ($dma:expr, $($rest:tt)*) => { ++ $crate::dma_write!(@parse [$dma] [] [$($rest)*]) + }; + } +diff --git a/samples/rust/rust_dma.rs b/samples/rust/rust_dma.rs +index f53bce2a73e3b..bcba1a6e6aaf4 100644 +--- a/samples/rust/rust_dma.rs ++++ b/samples/rust/rust_dma.rs +@@ -68,7 +68,7 @@ impl pci::Driver for DmaSampleDriver { + CoherentAllocation::alloc_coherent(pdev.as_ref(), TEST_VALUES.len(), GFP_KERNEL)?; + + for (i, value) in TEST_VALUES.into_iter().enumerate() { +- kernel::dma_write!(ca[i] = MyStruct::new(value.0, value.1))?; ++ kernel::dma_write!(ca, [i]?, MyStruct::new(value.0, value.1)); + } + + let size = 4 * page::PAGE_SIZE; +@@ -85,6 +85,20 @@ impl pci::Driver for DmaSampleDriver { + } + } + ++impl DmaSampleDriver { ++ fn check_dma(&self) -> Result { ++ for (i, value) in TEST_VALUES.into_iter().enumerate() { ++ let val0 = kernel::dma_read!(self.ca, [i]?.h); ++ let val1 = kernel::dma_read!(self.ca, [i]?.b); ++ ++ assert_eq!(val0, value.0); ++ assert_eq!(val1, value.1); ++ } ++ ++ Ok(()) ++ } ++} ++ + #[pinned_drop] + impl PinnedDrop for DmaSampleDriver { + fn drop(self: Pin<&mut Self>) { +@@ -92,19 +106,7 @@ impl PinnedDrop for DmaSampleDriver { + + dev_info!(dev, "Unload DMA test driver.\n"); + +- for (i, value) in TEST_VALUES.into_iter().enumerate() { +- let val0 = kernel::dma_read!(self.ca[i].h); +- let val1 = kernel::dma_read!(self.ca[i].b); +- assert!(val0.is_ok()); +- assert!(val1.is_ok()); +- +- if let Ok(val0) = val0 { +- assert_eq!(val0, value.0); +- } +- if let Ok(val1) = val1 { +- assert_eq!(val1, value.1); +- } +- } ++ assert!(self.check_dma().is_ok()); + + for (i, entry) in self.sgt.iter().enumerate() { + dev_info!(dev, "Entry[{}]: DMA address: {:#x}", i, entry.dma_address()); +-- +2.51.0 + diff --git a/queue-6.19/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch b/queue-6.19/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch new file mode 100644 index 0000000000..bb8fadbe56 --- /dev/null +++ b/queue-6.19/rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch @@ -0,0 +1,95 @@ +From eb23ca658cc0e665a7d728008dd29e9fb95f88ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 12:31:01 +0000 +Subject: rxrpc, afs: Fix missing error pointer check after + rxrpc_kernel_lookup_peer() + +From: Miaoqian Lin + +[ Upstream commit 4245a79003adf30e67f8e9060915bd05cb31d142 ] + +rxrpc_kernel_lookup_peer() can also return error pointers in addition to +NULL, so just checking for NULL is not sufficient. + +Fix this by: + + (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL + on allocation failure. + + (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the + error code returned. + +Fixes: 72904d7b9bfb ("rxrpc, afs: Allow afs to pin rxrpc_peer objects") +Signed-off-by: Miaoqian Lin +Co-developed-by: David Howells +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +Link: https://patch.msgid.link/368272.1772713861@warthog.procyon.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + fs/afs/addr_list.c | 8 ++++---- + net/rxrpc/af_rxrpc.c | 8 +++++--- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/fs/afs/addr_list.c b/fs/afs/addr_list.c +index e941da5b6dd92..b1704de3d95f5 100644 +--- a/fs/afs/addr_list.c ++++ b/fs/afs/addr_list.c +@@ -298,8 +298,8 @@ int afs_merge_fs_addr4(struct afs_net *net, struct afs_addr_list *alist, + srx.transport.sin.sin_addr.s_addr = xdr; + + peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL); +- if (!peer) +- return -ENOMEM; ++ if (IS_ERR(peer)) ++ return PTR_ERR(peer); + + for (i = 0; i < alist->nr_ipv4; i++) { + if (peer == alist->addrs[i].peer) { +@@ -342,8 +342,8 @@ int afs_merge_fs_addr6(struct afs_net *net, struct afs_addr_list *alist, + memcpy(&srx.transport.sin6.sin6_addr, xdr, 16); + + peer = rxrpc_kernel_lookup_peer(net->socket, &srx, GFP_KERNEL); +- if (!peer) +- return -ENOMEM; ++ if (IS_ERR(peer)) ++ return PTR_ERR(peer); + + for (i = alist->nr_ipv4; i < alist->nr_addrs; i++) { + if (peer == alist->addrs[i].peer) { +diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c +index 0c2c68c4b07e4..0f90272ac254b 100644 +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -267,12 +267,13 @@ static int rxrpc_listen(struct socket *sock, int backlog) + * Lookup or create a remote transport endpoint record for the specified + * address. + * +- * Return: The peer record found with a reference, %NULL if no record is found +- * or a negative error code if the address is invalid or unsupported. ++ * Return: The peer record found with a reference or a negative error code if ++ * the address is invalid or unsupported. + */ + struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock, + struct sockaddr_rxrpc *srx, gfp_t gfp) + { ++ struct rxrpc_peer *peer; + struct rxrpc_sock *rx = rxrpc_sk(sock->sk); + int ret; + +@@ -280,7 +281,8 @@ struct rxrpc_peer *rxrpc_kernel_lookup_peer(struct socket *sock, + if (ret < 0) + return ERR_PTR(ret); + +- return rxrpc_lookup_peer(rx->local, srx, gfp); ++ peer = rxrpc_lookup_peer(rx->local, srx, gfp); ++ return peer ?: ERR_PTR(-ENOMEM); + } + EXPORT_SYMBOL(rxrpc_kernel_lookup_peer); + +-- +2.51.0 + diff --git a/queue-6.19/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-6.19/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..90ee799817 --- /dev/null +++ b/queue-6.19/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From ece265333d58e4a83ed0465c0428df0375c465e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index 65fbb8e807b97..c7876e9e024f9 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -359,16 +359,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index abf8f15d60c9e..69c70d509e1cf 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -221,7 +221,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -239,6 +239,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-6.19/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-6.19/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..0a81024910 --- /dev/null +++ b/queue-6.19/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From d1238bec50b7119ce5c85aa417e1c3f272c9ac7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index b90890030751f..1873d8287bb9b 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -297,6 +297,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -331,6 +332,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = 4096; +@@ -339,6 +341,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-6.19/series b/queue-6.19/series index ab328dba1f..57df1b1198 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -23,3 +23,97 @@ scsi-ufs-core-fix-shift-out-of-bounds-when-maxq-32.patch alsa-usb-audio-avoid-implicit-feedback-mode-on-diyin.patch drm-amdgpu-vcn5-add-smu-dpm-interface-type.patch alsa-usb-audio-check-max-frame-size-for-implicit-fee.patch +nfs-return-eisdir-on-nfs3_proc_create-if-d_alias-is-.patch +drm-msm-dpu-fix-lm-size-on-a-number-of-platforms.patch +drm-msm-dsi-fix-hdisplay-calculation-when-programmin.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +btrfs-hold-space_info-lock-when-clearing-periodic-re.patch +drm-msm-a6xx-fix-the-bogus-protect-error-on-x2-85.patch +workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch +perf-disasm-fix-off-by-one-bug-in-outside-check.patch +drm-msm-a8xx-fix-ubwc-config-related-to-swizzling.patch +dt-bindings-display-msm-qcom-sm8750-mdss-fix-model-t.patch +net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch +drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch +drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch +drm-amd-pm-add-missing-od-setting-pp_od_feature_zero.patch-1062 +drm-amdgpu-fix-kernel-doc-comments-for-some-lut-prop.patch +bonding-do-not-set-usable_slaves-for-broadcast-mode.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch +net-mlx5-fix-crash-when-moving-to-switchdev-mode.patch +net-mlx5-fix-peer-miss-rules-host-disabled-checks.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-str.patch +net-mlx5e-rx-fix-xdp-multi-buf-frag-counting-for-leg.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +rxrpc-afs-fix-missing-error-pointer-check-after-rxrp.patch +net-spacemit-fix-error-handling-in-emac_alloc_rx_des.patch +net-spacemit-fix-error-handling-in-emac_tx_mem_map.patch +gpu-nova-core-gsp-get-rid-of-redundant-result-in-gsp.patch +gpu-nova-core-gsp-move-appropriate-code-into-pin-ini.patch +gpu-nova-core-align-libosmemoryregioninitargument-si.patch +rust-dma-use-pointer-projection-infra-for-dma_-read-.patch +drm-sitronix-st7586-fix-bad-pixel-data-due-to-byte-s.patch +firmware-cs_dsp-fix-fragmentation-regression-in-firm.patch +spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch +spi-rockchip-sfc-fix-double-free-in-remove-callback.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch +net-sfp-improve-huawei-ma5671a-fixup.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +bnxt_en-fix-rss-table-size-check-when-changing-ethto.patch +drm-i915-dp-read-alpm-caps-after-dpcd-init.patch +net-enetc-fix-incorrect-fallback-phy-address-handlin.patch +net-enetc-do-not-skip-setting-labcr-mdio_phyad_prtad.patch +mctp-i2c-fix-skb-memory-leak-in-receive-path.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +bonding-fix-type-confusion-in-bond_setup_by_slave.patch +mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch +amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch +amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch +amd-xgbe-reset-phy-settings-before-starting-phy.patch +net-add-xmit-recursion-limit-to-tunnel-xmit-function.patch +netfilter-nf_tables-fix-for-duplicate-device-in-netd.patch +netfilter-nf_tables-always-walk-all-pending-catchall.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +perf-annotate-fix-hashmap__new-error-checking.patch +regulator-pca9450-correct-interrupt-type.patch +regulator-pca9450-correct-probed-name-for-pca9452.patch +perf-ftrace-fix-hashmap__new-error-checking.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch +drivers-net-ice-fix-devlink-parameters-get-without-i.patch +iavf-fix-ptp-use-after-free-during-reset.patch +iavf-fix-incorrect-reset-handling-in-callbacks.patch +gpu-nova-core-fix-stack-overflow-in-gsp-memory-alloc.patch +accel-amdxdna-fix-runtime-suspend-deadlock-when-ther.patch +asoc-codecs-rt1011-use-component-to-get-the-dapm-con.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +page_pool-store-detach_time-as-ktime_t-to-avoid-fals.patch +net-bcmgenet-fix-broken-eee-by-converting-to-phylib-.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +gpu-nova-core-gsp-fix-ub-in-dmagspmem-pointer-access.patch +asoc-detect-empty-dmi-strings.patch +drm-amdkfd-unreserve-bo-if-queue-update-failed.patch +asoc-amd-acp-mach-common-add-missing-error-check-for.patch +io_uring-fix-physical-sqe-bounds-check-for-sqe_mixed.patch +perf-synthetic-events-fix-stale-build-id-in-module-m.patch +net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch +net-dsa-realtek-fix-led-group-port-bit-for-non-zero-.patch +neighbour-restore-protocol-0-check-in-pneigh-update.patch +net-mana-null-service_wq-on-setup-error-to-prevent-d.patch +net-ethernet-ti-am65-cpsw-nuss-fix-rx_filter-value-f.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +net-prevent-null-deref-in-ip-6-tunnel_xmit.patch +iio-imu-inv-mpu9150-fix-irq-ack-preventing-irq-storm.patch +usb-gadget-f_mass_storage-fix-potential-integer-over.patch diff --git a/queue-6.19/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch b/queue-6.19/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch new file mode 100644 index 0000000000..70a6de25ce --- /dev/null +++ b/queue-6.19/spi-amlogic-spifc-a4-fix-dma-mapping-error-handling.patch @@ -0,0 +1,61 @@ +From ee29611a6ae6da21ca2789a0bb206b3cd5ab9fa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 01:24:32 +0800 +Subject: spi: amlogic: spifc-a4: Fix DMA mapping error handling + +From: Felix Gu + +[ Upstream commit b20b437666e1cb26a7c499d1664e8f2a0ac67000 ] + +Fix three bugs in aml_sfc_dma_buffer_setup() error paths: +1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, + nothing needs cleanup. Use direct return instead of goto. +2. Double-unmap bug: When info DMA mapping failed, the code would + unmap sfc->daddr inline, then fall through to out_map_data which + would unmap it again, causing a double-unmap. +3. Wrong unmap size: The out_map_info label used datalen instead of + infolen when unmapping sfc->iaddr, which could lead to incorrect + DMA sync behavior. + +Fixes: 4670db6f32e9 ("spi: amlogic: add driver for Amlogic SPI Flash Controller") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260306-spifc-a4-v1-1-f22c9965f64a@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-amlogic-spifc-a4.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-amlogic-spifc-a4.c b/drivers/spi/spi-amlogic-spifc-a4.c +index 35a7c4965e113..f324aa39a8976 100644 +--- a/drivers/spi/spi-amlogic-spifc-a4.c ++++ b/drivers/spi/spi-amlogic-spifc-a4.c +@@ -411,7 +411,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + ret = dma_mapping_error(sfc->dev, sfc->daddr); + if (ret) { + dev_err(sfc->dev, "DMA mapping error\n"); +- goto out_map_data; ++ return ret; + } + + cmd = CMD_DATA_ADDRL(sfc->daddr); +@@ -429,7 +429,6 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + ret = dma_mapping_error(sfc->dev, sfc->iaddr); + if (ret) { + dev_err(sfc->dev, "DMA mapping error\n"); +- dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir); + goto out_map_data; + } + +@@ -448,7 +447,7 @@ static int aml_sfc_dma_buffer_setup(struct aml_sfc *sfc, void *databuf, + return 0; + + out_map_info: +- dma_unmap_single(sfc->dev, sfc->iaddr, datalen, dir); ++ dma_unmap_single(sfc->dev, sfc->iaddr, infolen, dir); + out_map_data: + dma_unmap_single(sfc->dev, sfc->daddr, datalen, dir); + +-- +2.51.0 + diff --git a/queue-6.19/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch b/queue-6.19/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch new file mode 100644 index 0000000000..be4e8affc9 --- /dev/null +++ b/queue-6.19/spi-rockchip-sfc-fix-double-free-in-remove-callback.patch @@ -0,0 +1,42 @@ +From f8144b71cb6ed84c548a01ae16de2c92518ee8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 02:01:34 +0800 +Subject: spi: rockchip-sfc: Fix double-free in remove() callback + +From: Felix Gu + +[ Upstream commit 111e2863372c322e836e0c896f6dd9cf4ee08c71 ] + +The driver uses devm_spi_register_controller() for registration, which +automatically unregisters the controller via devm cleanup when the +device is removed. The manual call to spi_unregister_controller() in +the remove() callback can lead to a double-free. + +And to make sure controller is unregistered before DMA buffer is +unmapped, switch to use spi_register_controller() in probe(). + +Fixes: 8011709906d0 ("spi: rockchip-sfc: Support pm ops") +Signed-off-by: Felix Gu +Link: https://patch.msgid.link/20260310-sfc-v2-1-67fab04b097f@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rockchip-sfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-rockchip-sfc.c b/drivers/spi/spi-rockchip-sfc.c +index b3c2b03b11535..8acf955636977 100644 +--- a/drivers/spi/spi-rockchip-sfc.c ++++ b/drivers/spi/spi-rockchip-sfc.c +@@ -712,7 +712,7 @@ static int rockchip_sfc_probe(struct platform_device *pdev) + } + } + +- ret = devm_spi_register_controller(dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto err_register; + +-- +2.51.0 + diff --git a/queue-6.19/usb-gadget-f_mass_storage-fix-potential-integer-over.patch b/queue-6.19/usb-gadget-f_mass_storage-fix-potential-integer-over.patch new file mode 100644 index 0000000000..778c6e775a --- /dev/null +++ b/queue-6.19/usb-gadget-f_mass_storage-fix-potential-integer-over.patch @@ -0,0 +1,72 @@ +From 6fa889e49b72ded6cd0128a383c70ed5842fb5a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 05:43:25 -0500 +Subject: usb: gadget: f_mass_storage: Fix potential integer overflow in + check_command_size_in_blocks() + +From: Seungjin Bae + +[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] + +The `check_command_size_in_blocks()` function calculates the data size +in bytes by left shifting `common->data_size_from_cmnd` by the block +size (`common->curlun->blkbits`). However, it does not validate whether +this shift operation will cause an integer overflow. + +Initially, the block size is set up in `fsg_lun_open()` , and the +`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During +initialization, there is no integer overflow check for the interaction +between two variables. + +So if a malicious USB host sends a SCSI READ or WRITE command +requesting a large amount of data (`common->data_size_from_cmnd`), the +left shift operation can wrap around. This results in a truncated data +size, which can bypass boundary checks and potentially lead to memory +corruption or out-of-bounds accesses. + +Fix this by using the check_shl_overflow() macro to safely perform the +shift and catch any overflows. + +Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") +Signed-off-by: Seungjin Bae +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index 94d478b6bcd3d..6f275c3d11ac5 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -180,6 +180,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, + int cmnd_size, enum data_direction data_dir, + unsigned int mask, int needs_medium, const char *name) + { +- if (common->curlun) +- common->data_size_from_cmnd <<= common->curlun->blkbits; ++ if (common->curlun) { ++ if (check_shl_overflow(common->data_size_from_cmnd, ++ common->curlun->blkbits, ++ &common->data_size_from_cmnd)) { ++ common->phase_error = 1; ++ return -EINVAL; ++ } ++ } ++ + return check_command(common, cmnd_size, data_dir, + mask, needs_medium, name); + } +-- +2.51.0 + diff --git a/queue-6.19/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch b/queue-6.19/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch new file mode 100644 index 0000000000..1427b140f9 --- /dev/null +++ b/queue-6.19/workqueue-use-pool_bh-instead-of-wq_bh-when-checking.patch @@ -0,0 +1,42 @@ +From 19beec148a2785d22e936cbb48f46db85063cdd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 08:15:37 -0800 +Subject: workqueue: Use POOL_BH instead of WQ_BH when checking pool flags + +From: Breno Leitao + +[ Upstream commit f42f9091be9e5ff57567a3945cfcdd498f475348 ] + +pr_cont_worker_id() checks pool->flags against WQ_BH, which is a +workqueue-level flag (defined in workqueue.h). Pool flags use a +separate namespace with POOL_* constants (defined in workqueue.c). +The correct constant is POOL_BH. Both WQ_BH and POOL_BH are defined +as (1 << 0) so this has no behavioral impact, but it is semantically +wrong and inconsistent with every other pool-level BH check in the +file. + +Fixes: 4cb1ef64609f ("workqueue: Implement BH workqueues to eventually replace tasklets") +Signed-off-by: Breno Leitao +Acked-by: Song Liu +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 2909c19540ed1..a4574c1e276aa 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -6254,7 +6254,7 @@ static void pr_cont_worker_id(struct worker *worker) + { + struct worker_pool *pool = worker->pool; + +- if (pool->flags & WQ_BH) ++ if (pool->flags & POOL_BH) + pr_cont("bh%s", + pool->attrs->nice == HIGHPRI_NICE_LEVEL ? "-hi" : ""); + else +-- +2.51.0 + diff --git a/queue-6.19/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-6.19/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..7198d1be32 --- /dev/null +++ b/queue-6.19/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From a0e04756e094e0c0d211079e095707e2fd8a4df4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index 63262ef0c2e3a..8abbd9c4045a4 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1385,7 +1385,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1400,9 +1400,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 + diff --git a/queue-6.6/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch b/queue-6.6/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch new file mode 100644 index 0000000000..8cc8f16473 --- /dev/null +++ b/queue-6.6/acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch @@ -0,0 +1,46 @@ +From 291655c4212d2d95a75dbb19f8c62eb779894bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Mar 2026 10:58:35 +0000 +Subject: ACPI: OSL: fix __iomem type on return from + acpi_os_map_generic_address() + +From: Ben Dooks + +[ Upstream commit 393815f57651101f1590632092986d1d5a3a41bd ] + +The pointer returned from acpi_os_map_generic_address() is +tagged with __iomem, so make the rv it is returned to also +of void __iomem * type. + +Fixes the following sparse warning: + +drivers/acpi/osl.c:1686:20: warning: incorrect type in assignment (different address spaces) +drivers/acpi/osl.c:1686:20: expected void *rv +drivers/acpi/osl.c:1686:20: got void [noderef] __iomem * + +Fixes: 6915564dc5a8 ("ACPI: OSL: Change the type of acpi_os_map_generic_address() return value") +Signed-off-by: Ben Dooks +[ rjw: Subject tweak, added Fixes tag ] +Link: https://patch.msgid.link/20260311105835.463030-1-ben.dooks@codethink.co.uk +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index f725813d0cce6..28527d246fc36 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -1656,7 +1656,7 @@ acpi_status __init acpi_os_initialize(void) + * Use acpi_os_map_generic_address to pre-map the reset + * register if it's in system memory. + */ +- void *rv; ++ void __iomem *rv; + + rv = acpi_os_map_generic_address(&acpi_gbl_FADT.reset_register); + pr_debug("%s: Reset register mapping %s\n", __func__, +-- +2.51.0 + diff --git a/queue-6.6/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch b/queue-6.6/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch new file mode 100644 index 0000000000..ea01ae8a7f --- /dev/null +++ b/queue-6.6/amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch @@ -0,0 +1,63 @@ +From cb91e25466c6b48b37373f43ac79ac4279fb728a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:27 +0530 +Subject: amd-xgbe: fix link status handling in xgbe_rx_adaptation + +From: Raju Rangoju + +[ Upstream commit 6485cb96be5cd0f4bf39554737ba11322cc9b053 ] + +The link status bit is latched low to allow detection of momentary +link drops. If the status indicates that the link is already down, +read it again to obtain the current state. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-2-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 6d2c401bb246e..469b28c159e7d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2050,7 +2050,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + { + struct xgbe_phy_data *phy_data = pdata->phy_data; +- unsigned int reg; ++ int reg; + + /* step 2: force PCS to send RX_ADAPT Req to PHY */ + XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_RX_EQ_CTRL4, +@@ -2072,11 +2072,20 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + + /* Step 4: Check for Block lock */ + +- /* Link status is latched low, so read once to clear +- * and then read again to get current state +- */ +- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); + reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ ++ /* Link status is latched low so that momentary link drops ++ * can be detected. If link was already down read again ++ * to get the latest state. ++ */ ++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) { ++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1); ++ if (reg < 0) ++ goto set_mode; ++ } ++ + if (reg & MDIO_STAT1_LSTATUS) { + /* If the block lock is found, update the helpers + * and declare the link up +-- +2.51.0 + diff --git a/queue-6.6/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch b/queue-6.6/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch new file mode 100644 index 0000000000..e8ff0e1009 --- /dev/null +++ b/queue-6.6/amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch @@ -0,0 +1,168 @@ +From 8b0b4ebb75bc3d6d3c298b1222f65eeefadd729b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 16:46:28 +0530 +Subject: amd-xgbe: prevent CRC errors during RX adaptation with AN disabled + +From: Raju Rangoju + +[ Upstream commit 27a4dd0c702b3b2b9cf2c045d100cc2fe8720b81 ] + +When operating in 10GBASE-KR mode with auto-negotiation disabled and RX +adaptation enabled, CRC errors can occur during the RX adaptation +process. This happens because the driver continues transmitting and +receiving packets while adaptation is in progress. + +Fix this by stopping TX/RX immediately when the link goes down and RX +adaptation needs to be re-triggered, and only re-enabling TX/RX after +adaptation completes and the link is confirmed up. Introduce a flag to +track whether TX/RX was disabled for adaptation so it can be restored +correctly. + +This prevents packets from being transmitted or received during the RX +adaptation window and avoids CRC errors from corrupted frames. + +The flag tracking the data path state is synchronized with hardware +state in xgbe_start() to prevent stale state after device restarts. +This ensures that after a restart cycle (where xgbe_stop disables +TX/RX and xgbe_start re-enables them), the flag correctly reflects +that the data path is active. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20260306111629.1515676-3-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 4 ++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 63 ++++++++++++++++++++- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++ + 3 files changed, 69 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +index 256969ac2cb9e..67e1d8eacdaed 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -1338,6 +1338,10 @@ static int xgbe_start(struct xgbe_prv_data *pdata) + + hw_if->enable_tx(pdata); + hw_if->enable_rx(pdata); ++ /* Synchronize flag with hardware state after enabling TX/RX. ++ * This prevents stale state after device restart cycles. ++ */ ++ pdata->data_path_stopped = false; + + udp_tunnel_nic_reset_ntf(netdev); + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 469b28c159e7d..0a99a21af5815 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2125,6 +2125,48 @@ static void xgbe_phy_rx_adaptation(struct xgbe_prv_data *pdata) + xgbe_rx_adaptation(pdata); + } + ++/* ++ * xgbe_phy_stop_data_path - Stop TX/RX to prevent packet corruption ++ * @pdata: driver private data ++ * ++ * This function stops the data path (TX and RX) to prevent packet ++ * corruption during critical PHY operations like RX adaptation. ++ * Must be called before initiating RX adaptation when link goes down. ++ */ ++static void xgbe_phy_stop_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (pdata->data_path_stopped) ++ return; ++ ++ /* Stop TX/RX to prevent packet corruption during RX adaptation */ ++ pdata->hw_if.disable_tx(pdata); ++ pdata->hw_if.disable_rx(pdata); ++ pdata->data_path_stopped = true; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "stopping data path for RX adaptation\n"); ++} ++ ++/* ++ * xgbe_phy_start_data_path - Re-enable TX/RX after RX adaptation ++ * @pdata: driver private data ++ * ++ * This function re-enables the data path (TX and RX) after RX adaptation ++ * has completed successfully. Only called when link is confirmed up. ++ */ ++static void xgbe_phy_start_data_path(struct xgbe_prv_data *pdata) ++{ ++ if (!pdata->data_path_stopped) ++ return; ++ ++ pdata->hw_if.enable_rx(pdata); ++ pdata->hw_if.enable_tx(pdata); ++ pdata->data_path_stopped = false; ++ ++ netif_dbg(pdata, link, pdata->netdev, ++ "restarting data path after RX adaptation\n"); ++} ++ + static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + { + int reg; +@@ -2918,13 +2960,27 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + if (pdata->en_rx_adap) { + /* if the link is available and adaptation is done, + * declare link up ++ * ++ * Note: When link is up and adaptation is done, we can ++ * safely re-enable the data path if it was stopped ++ * for adaptation. + */ +- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) ++ if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done) { ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + /* If either link is not available or adaptation is not done, + * retrigger the adaptation logic. (if the mode is not set, + * then issue mailbox command first) + */ ++ ++ /* CRITICAL: Stop data path BEFORE triggering RX adaptation ++ * to prevent CRC errors from packets corrupted during ++ * the adaptation process. This is especially important ++ * when AN is OFF in 10G KR mode. ++ */ ++ xgbe_phy_stop_data_path(pdata); ++ + if (pdata->mode_set) { + xgbe_phy_rx_adaptation(pdata); + } else { +@@ -2932,8 +2988,11 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart) + xgbe_phy_set_mode(pdata, phy_data->cur_mode); + } + +- if (pdata->rx_adapt_done) ++ if (pdata->rx_adapt_done) { ++ /* Adaptation complete, safe to re-enable data path */ ++ xgbe_phy_start_data_path(pdata); + return 1; ++ } + } else if (reg & MDIO_STAT1_LSTATUS) + return 1; + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 82a88d0c15e31..ac0f728c5c85d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -1321,6 +1321,10 @@ struct xgbe_prv_data { + bool en_rx_adap; + int rx_adapt_retries; + bool rx_adapt_done; ++ /* Flag to track if data path (TX/RX) was stopped for RX adaptation. ++ * This prevents packet corruption during the adaptation window. ++ */ ++ bool data_path_stopped; + bool mode_set; + }; + +-- +2.51.0 + diff --git a/queue-6.6/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch b/queue-6.6/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch new file mode 100644 index 0000000000..c09603c1d7 --- /dev/null +++ b/queue-6.6/asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch @@ -0,0 +1,50 @@ +From 9f3bd6d35c863e7be3054d1b9daae357323731df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 10:42:46 +0800 +Subject: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock + acquisition + +From: Chen Ni + +[ Upstream commit 53f3a900e9a383d47af7253076e19f510c5708d0 ] + +The acp3x_5682_init() function did not check the return value of +clk_get(), which could lead to dereferencing error pointers in +rt5682_clk_enable(). + +Fix this by: +1. Changing clk_get() to the device-managed devm_clk_get(). +2. Adding proper IS_ERR() checks for both clock acquisitions. + +Fixes: 6b8e4e7db3cd ("ASoC: amd: Add machine driver for Raven based platform") +Signed-off-by: Chen Ni +Link: https://patch.msgid.link/20260310024246.2153827-1-nichen@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp3x-rt5682-max9836.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/amd/acp3x-rt5682-max9836.c b/sound/soc/amd/acp3x-rt5682-max9836.c +index 28ad5f5b9a766..73575f6de1ee3 100644 +--- a/sound/soc/amd/acp3x-rt5682-max9836.c ++++ b/sound/soc/amd/acp3x-rt5682-max9836.c +@@ -94,8 +94,13 @@ static int acp3x_5682_init(struct snd_soc_pcm_runtime *rtd) + return ret; + } + +- rt5682_dai_wclk = clk_get(component->dev, "rt5682-dai-wclk"); +- rt5682_dai_bclk = clk_get(component->dev, "rt5682-dai-bclk"); ++ rt5682_dai_wclk = devm_clk_get(component->dev, "rt5682-dai-wclk"); ++ if (IS_ERR(rt5682_dai_wclk)) ++ return PTR_ERR(rt5682_dai_wclk); ++ ++ rt5682_dai_bclk = devm_clk_get(component->dev, "rt5682-dai-bclk"); ++ if (IS_ERR(rt5682_dai_bclk)) ++ return PTR_ERR(rt5682_dai_bclk); + + ret = snd_soc_card_jack_new_pins(card, "Headset Jack", + SND_JACK_HEADSET | +-- +2.51.0 + diff --git a/queue-6.6/asoc-detect-empty-dmi-strings.patch b/queue-6.6/asoc-detect-empty-dmi-strings.patch new file mode 100644 index 0000000000..870ea3ce34 --- /dev/null +++ b/queue-6.6/asoc-detect-empty-dmi-strings.patch @@ -0,0 +1,47 @@ +From 34005d79ccc821c567514a60e7128d84aefb12eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 18:47:07 +0100 +Subject: ASoC: detect empty DMI strings + +From: Casey Connolly + +[ Upstream commit a9683730e8b1d632674f81844ed03ddfbe4821c0 ] + +Some bootloaders like recent versions of U-Boot may install some DMI +properties with empty values rather than not populate them. This manages +to make its way through the validator and cleanup resulting in a rogue +hyphen being appended to the card longname. + +Fixes: 4e01e5dbba96 ("ASoC: improve the DMI long card code in asoc-core") +Signed-off-by: Casey Connolly +Link: https://patch.msgid.link/20260306174707.283071-2-casey.connolly@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e2a4ff5414099..696f5501a27bc 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1719,12 +1719,15 @@ static void cleanup_dmi_name(char *name) + + /* + * Check if a DMI field is valid, i.e. not containing any string +- * in the black list. ++ * in the black list and not the empty string. + */ + static int is_dmi_valid(const char *field) + { + int i = 0; + ++ if (!field[0]) ++ return 0; ++ + while (dmi_blacklist[i]) { + if (strstr(field, dmi_blacklist[i])) + return 0; +-- +2.51.0 + diff --git a/queue-6.6/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch b/queue-6.6/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch new file mode 100644 index 0000000000..964e586f30 --- /dev/null +++ b/queue-6.6/asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch @@ -0,0 +1,60 @@ +From 65e75dcf76d0b02d8977658dd6c24bc4688285ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 23:21:09 -0500 +Subject: ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays + +From: Sen Wang + +[ Upstream commit 4185b95f8a42d92d68c49289b4644546b51e252b ] + +graph_util_is_ports0() identifies DPCM front-end (ports@0) vs back-end +(ports@1) by calling of_get_child_by_name() to find the first "ports" +child and comparing pointers. This relies on child iteration order +matching DTS source order. + +When the DPCM topology comes from a DT overlay, __of_attach_node() +inserts new children at the head of the sibling list, reversing the +order. of_get_child_by_name() then returns ports@1 instead of ports@0, +causing all front-end links to be classified as back-ends. The card +registers with no PCM devices. + +Fix this by matching the unit address directly from the node name +instead of relying on sibling order. + +Fixes: 92939252458f ("ASoC: simple-card-utils: add asoc_graph_is_ports0()") +Signed-off-by: Sen Wang +Acked-by: Kuninori Morimoto +Link: https://patch.msgid.link/20260309042109.2576612-1-sen@ti.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 9ef3e69683271..86ccd044b93c4 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -997,11 +997,15 @@ int asoc_graph_is_ports0(struct device_node *np) + else + port = np; + +- struct device_node *ports __free(device_node) = of_get_parent(port); +- struct device_node *top __free(device_node) = of_get_parent(ports); +- struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ const char *at = strchr(kbasename(ports->full_name), '@'); + +- return ports0 == ports; ++ /* ++ * Since child iteration order may differ ++ * between a base DT and DT overlays, ++ * string match "ports" or "ports@0" in the node name instead. ++ */ ++ return !at || !strcmp(at, "@0"); + } + EXPORT_SYMBOL_GPL(asoc_graph_is_ports0); + +-- +2.51.0 + diff --git a/queue-6.6/asoc-simple-card-utils-use-__free-device_node-for-de.patch b/queue-6.6/asoc-simple-card-utils-use-__free-device_node-for-de.patch new file mode 100644 index 0000000000..85ad80a1fd --- /dev/null +++ b/queue-6.6/asoc-simple-card-utils-use-__free-device_node-for-de.patch @@ -0,0 +1,129 @@ +From 71e4485cd78617f152a86735d10360a3d6706660 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 02:10:23 +0000 +Subject: ASoC: simple-card-utils: use __free(device_node) for device node + +From: Kuninori Morimoto + +[ Upstream commit 419d1918105e5d9926ab02f1f834bb416dc76f65 ] + +simple-card-utils handles many type of device_node, thus need to +use of_node_put() in many place. Let's use __free(device_node) +and avoid it. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87r06pfre8.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Stable-dep-of: 4185b95f8a42 ("ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays") +Signed-off-by: Sasha Levin +--- + sound/soc/generic/simple-card-utils.c | 44 +++++++++------------------ + 1 file changed, 14 insertions(+), 30 deletions(-) + +diff --git a/sound/soc/generic/simple-card-utils.c b/sound/soc/generic/simple-card-utils.c +index 598b0000df244..9ef3e69683271 100644 +--- a/sound/soc/generic/simple-card-utils.c ++++ b/sound/soc/generic/simple-card-utils.c +@@ -988,35 +988,27 @@ EXPORT_SYMBOL_GPL(asoc_graph_card_probe); + + int asoc_graph_is_ports0(struct device_node *np) + { +- struct device_node *port, *ports, *ports0, *top; +- int ret; ++ struct device_node *parent __free(device_node) = of_get_parent(np); ++ struct device_node *port; + + /* np is "endpoint" or "port" */ +- if (of_node_name_eq(np, "endpoint")) { +- port = of_get_parent(np); +- } else { ++ if (of_node_name_eq(np, "endpoint")) ++ port = parent; ++ else + port = np; +- of_node_get(port); +- } +- +- ports = of_get_parent(port); +- top = of_get_parent(ports); +- ports0 = of_get_child_by_name(top, "ports"); +- +- ret = ports0 == ports; + +- of_node_put(port); +- of_node_put(ports); +- of_node_put(ports0); +- of_node_put(top); ++ struct device_node *ports __free(device_node) = of_get_parent(port); ++ struct device_node *top __free(device_node) = of_get_parent(ports); ++ struct device_node *ports0 __free(device_node) = of_get_child_by_name(top, "ports"); + +- return ret; ++ return ports0 == ports; + } + EXPORT_SYMBOL_GPL(asoc_graph_is_ports0); + + static int graph_get_dai_id(struct device_node *ep) + { +- struct device_node *node; ++ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep); ++ struct device_node *port __free(device_node) = of_get_parent(ep); + struct device_node *endpoint; + struct of_endpoint info; + int i, id; +@@ -1039,13 +1031,10 @@ static int graph_get_dai_id(struct device_node *ep) + if (of_property_present(ep, "reg")) + return info.id; + +- node = of_get_parent(ep); +- ret = of_property_present(node, "reg"); +- of_node_put(node); ++ ret = of_property_present(port, "reg"); + if (ret) + return info.port; + } +- node = of_graph_get_port_parent(ep); + + /* + * Non HDMI sound case, counting port/endpoint on its DT +@@ -1059,8 +1048,6 @@ static int graph_get_dai_id(struct device_node *ep) + i++; + } + +- of_node_put(node); +- + if (id < 0) + return -ENODEV; + +@@ -1070,7 +1057,6 @@ static int graph_get_dai_id(struct device_node *ep) + int asoc_graph_parse_dai(struct device *dev, struct device_node *ep, + struct snd_soc_dai_link_component *dlc, int *is_single_link) + { +- struct device_node *node; + struct of_phandle_args args = {}; + struct snd_soc_dai *dai; + int ret; +@@ -1078,7 +1064,7 @@ int asoc_graph_parse_dai(struct device *dev, struct device_node *ep, + if (!ep) + return 0; + +- node = of_graph_get_port_parent(ep); ++ struct device_node *node __free(device_node) = of_graph_get_port_parent(ep); + + /* + * Try to find from DAI node +@@ -1120,10 +1106,8 @@ int asoc_graph_parse_dai(struct device *dev, struct device_node *ep, + * if he unbinded CPU or Codec. + */ + ret = snd_soc_get_dlc(&args, dlc); +- if (ret < 0) { +- of_node_put(node); ++ if (ret < 0) + return ret; +- } + + parse_dai_end: + if (is_single_link) +-- +2.51.0 + diff --git a/queue-6.6/asoc-soc-core-drop-delayed_work_pending-check-before.patch b/queue-6.6/asoc-soc-core-drop-delayed_work_pending-check-before.patch new file mode 100644 index 0000000000..ae7886b783 --- /dev/null +++ b/queue-6.6/asoc-soc-core-drop-delayed_work_pending-check-before.patch @@ -0,0 +1,45 @@ +From 359ab0ab7722e475a4329ebb2f0181db284131a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:11 +0100 +Subject: ASoC: soc-core: drop delayed_work_pending() check before flush + +From: matteo.cotifava + +[ Upstream commit 3c99c9f0ed60582c1c9852b685d78d5d3a50de63 ] + +The delayed_work_pending() check before flush_delayed_work() in +soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() +is safe to call unconditionally - it is a no-op when no work is +pending. Remove the check. + +The original check was added by commit 9c9b65203492 ("ASoC: core: +only flush inited work during free") but delayed_work_pending() +followed by flush_delayed_work() has a time-of-check/time-of-use +window where work can become pending between the two calls. + +Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-2-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index dc95b6f415558..39570e0e92bbc 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -456,8 +456,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_runtime *rtd) + + list_del(&rtd->list); + +- if (delayed_work_pending(&rtd->delayed_work)) +- flush_delayed_work(&rtd->delayed_work); ++ flush_delayed_work(&rtd->delayed_work); + snd_soc_pcm_component_free(rtd); + + /* +-- +2.51.0 + diff --git a/queue-6.6/asoc-soc-core-flush-delayed-work-before-removing-dai.patch b/queue-6.6/asoc-soc-core-flush-delayed-work-before-removing-dai.patch new file mode 100644 index 0000000000..491b0a122d --- /dev/null +++ b/queue-6.6/asoc-soc-core-flush-delayed-work-before-removing-dai.patch @@ -0,0 +1,57 @@ +From 369391ca3cbf015792e922725182337f3e5d7b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 22:54:12 +0100 +Subject: ASoC: soc-core: flush delayed work before removing DAIs and widgets + +From: matteo.cotifava + +[ Upstream commit 95bc5c225513fc3c4ce169563fb5e3929fbb938b ] + +When a sound card is unbound while a PCM stream is open, a +use-after-free can occur in snd_soc_dapm_stream_event(), called from +the close_delayed_work workqueue handler. + +During unbind, snd_soc_unbind_card() flushes delayed work and then +calls soc_cleanup_card_resources(). Inside cleanup, +snd_card_disconnect_sync() releases all PCM file descriptors, and +the resulting PCM close path can call snd_soc_dapm_stream_stop() +which schedules new delayed work with a pmdown_time timer delay. +Since this happens after the flush in snd_soc_unbind_card(), the +new work is not caught. soc_remove_link_components() then frees +DAPM widgets before this work fires, leading to the use-after-free. + +The existing flush in soc_free_pcm_runtime() also cannot help as it +runs after soc_remove_link_components() has already freed the widgets. + +Add a flush in soc_cleanup_card_resources() after +snd_card_disconnect_sync() (after which no new PCM closes can +schedule further delayed work) and before soc_remove_link_dais() +and soc_remove_link_components() (which tear down the structures the +delayed work accesses). + +Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind") +Signed-off-by: Matteo Cotifava +Link: https://patch.msgid.link/20260309215412.545628-3-cotifavamatteo@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index 39570e0e92bbc..e2a4ff5414099 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -1996,6 +1996,9 @@ static void soc_cleanup_card_resources(struct snd_soc_card *card) + for_each_card_rtds(card, rtd) + if (rtd->initialized) + snd_soc_link_exit(rtd); ++ /* flush delayed work before removing DAIs and DAPM widgets */ ++ snd_soc_flush_all_delayed_work(card); ++ + /* remove and free each DAI */ + soc_remove_link_dais(card); + soc_remove_link_components(card); +-- +2.51.0 + diff --git a/queue-6.6/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch b/queue-6.6/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch new file mode 100644 index 0000000000..7dd83e925c --- /dev/null +++ b/queue-6.6/bonding-handle-bond_link_fail-bond_link_back-as-vali.patch @@ -0,0 +1,60 @@ +From fb705126d0663342fc8b883305fbcc1535e5fe0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 15:13:54 +0800 +Subject: bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states + +From: Hangbin Liu + +[ Upstream commit 3348be7978f450ede0c308a4e8416ac716cf1015 ] + +Before the fixed commit, we check slave->new_link during commit +state, which values are only BOND_LINK_{NOCHANGE, UP, DOWN}. After +the commit, we start using slave->link_new_state, which state also could +be BOND_LINK_{FAIL, BACK}. + +For example, when we set updelay/downdelay, after a failover, +the slave->link_new_state could be set to BOND_LINK_{FAIL, BACK} in +bond_miimon_inspect(). And later in bond_miimon_commit(), it will treat +it as invalid and print an error, which would cause confusion for users. + +[ 106.440254] bond0: (slave veth2): link status down for interface, disabling it in 200 ms +[ 106.440265] bond0: (slave veth2): invalid new link 1 on slave +[ 106.648276] bond0: (slave veth2): link status definitely down, disabling slave +[ 107.480271] bond0: (slave veth2): link status up, enabling it in 200 ms +[ 107.480288] bond0: (slave veth2): invalid new link 3 on slave +[ 107.688302] bond0: (slave veth2): link status definitely up, 10000 Mbps full duplex + +Let's handle BOND_LINK_{FAIL, BACK} as valid link states. + +Fixes: 1899bb325149 ("bonding: fix state transition issue in link monitoring") +Signed-off-by: Hangbin Liu +Link: https://patch.msgid.link/20260304-b4-bond_updelay-v1-2-f72eb2e454d0@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index a2bf7bb12ff7c..b36d1781d8463 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2859,8 +2859,14 @@ static void bond_miimon_commit(struct bonding *bond) + + continue; + ++ case BOND_LINK_FAIL: ++ case BOND_LINK_BACK: ++ slave_dbg(bond->dev, slave->dev, "link_new_state %d on slave\n", ++ slave->link_new_state); ++ continue; ++ + default: +- slave_err(bond->dev, slave->dev, "invalid new link %d on slave\n", ++ slave_err(bond->dev, slave->dev, "invalid link_new_state %d on slave\n", + slave->link_new_state); + bond_propose_link_state(slave, BOND_LINK_NOCHANGE); + +-- +2.51.0 + diff --git a/queue-6.6/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch b/queue-6.6/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch new file mode 100644 index 0000000000..bde22856b1 --- /dev/null +++ b/queue-6.6/can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch @@ -0,0 +1,52 @@ +From 1828eee564668993c30ed4f18003e6f3fee98036 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 13:08:44 +0800 +Subject: can: hi311x: hi3110_open(): add check for hi3110_power_enable() + return value + +From: Wenyuan Li <2063309626@qq.com> + +[ Upstream commit 47bba09b14fa21712398febf36cb14fd4fc3bded ] + +In hi3110_open(), the return value of hi3110_power_enable() is not checked. +If power enable fails, the device may not function correctly, while the +driver still returns success. + +Add a check for the return value and propagate the error accordingly. + +Signed-off-by: Wenyuan Li <2063309626@qq.com> +Link: https://patch.msgid.link/tencent_B5E2E7528BB28AA8A2A56E16C49BD58B8B07@qq.com +Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver") +[mkl: adjust subject, commit message and jump label] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/hi311x.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c +index 1acd4fc7adc8b..2038b864832c9 100644 +--- a/drivers/net/can/spi/hi311x.c ++++ b/drivers/net/can/spi/hi311x.c +@@ -756,7 +756,9 @@ static int hi3110_open(struct net_device *net) + return ret; + + mutex_lock(&priv->hi3110_lock); +- hi3110_power_enable(priv->transceiver, 1); ++ ret = hi3110_power_enable(priv->transceiver, 1); ++ if (ret) ++ goto out_close_candev; + + priv->force_quit = 0; + priv->tx_skb = NULL; +@@ -791,6 +793,7 @@ static int hi3110_open(struct net_device *net) + hi3110_hw_sleep(spi); + out_close: + hi3110_power_enable(priv->transceiver, 0); ++ out_close_candev: + close_candev(net); + mutex_unlock(&priv->hi3110_lock); + return ret; +-- +2.51.0 + diff --git a/queue-6.6/drm-msm-dsi-document-dsc-related-pclk_rate-and-hdisp.patch b/queue-6.6/drm-msm-dsi-document-dsc-related-pclk_rate-and-hdisp.patch new file mode 100644 index 0000000000..97e06244be --- /dev/null +++ b/queue-6.6/drm-msm-dsi-document-dsc-related-pclk_rate-and-hdisp.patch @@ -0,0 +1,76 @@ +From d448c8e02885a7077f70e541094bbd9a41b9db62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Feb 2024 17:23:08 +0200 +Subject: drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations + +From: Dmitry Baryshkov + +[ Upstream commit 3b56d27ba1578c3d61f51de4102cf896a9a8617e ] + +Provide actual documentation for the pclk and hdisplay calculations in +the case of DSC compression being used. + +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/577534/ +Link: https://lore.kernel.org/r/20240208-fd_document_dsc_pclk_rate-v4-1-56fe59d0a2e0@linaro.org +Stable-dep-of: e4eb11b34d6c ("drm/msm/dsi: fix pclk rate calculation for bonded dsi") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 33 ++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index f90ccdfbb2fc7..48a39f8727441 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -529,6 +529,25 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + clk_disable_unprepare(msm_host->byte_clk); + } + ++/** ++ * dsi_adjust_pclk_for_compression() - Adjust the pclk rate for compression case ++ * @mode: The selected mode for the DSI output ++ * @dsc: DRM DSC configuration for this DSI output ++ * ++ * Adjust the pclk rate by calculating a new hdisplay proportional to ++ * the compression ratio such that: ++ * new_hdisplay = old_hdisplay * compressed_bpp / uncompressed_bpp ++ * ++ * Porches do not need to be adjusted: ++ * - For VIDEO mode they are not compressed by DSC and are passed as is. ++ * - For CMD mode there are no actual porches. Instead these fields ++ * currently represent the overhead to the image data transfer. As such, they ++ * are calculated for the final mode parameters (after the compression) and ++ * are not to be adjusted too. ++ * ++ * FIXME: Reconsider this if/when CMD mode handling is rewritten to use ++ * transfer time and data overhead as a starting point of the calculations. ++ */ + static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, + const struct drm_dsc_config *dsc) + { +@@ -937,8 +956,18 @@ static void dsi_timing_setup(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + if (ret) + return; + +- /* Divide the display by 3 but keep back/font porch and +- * pulse width same ++ /* ++ * DPU sends 3 bytes per pclk cycle to DSI. If widebus is ++ * enabled, bus width is extended to 6 bytes. ++ * ++ * Calculate the number of pclks needed to transmit one line of ++ * the compressed data. ++ ++ * The back/font porch and pulse width are kept intact. For ++ * VIDEO mode they represent timing parameters rather than ++ * actual data transfer, see the documentation for ++ * dsi_adjust_pclk_for_compression(). For CMD mode they are ++ * unused anyway. + */ + h_total -= hdisplay; + hdisplay = DIV_ROUND_UP(msm_dsc_get_bytes_per_line(msm_host->dsc), 3); +-- +2.51.0 + diff --git a/queue-6.6/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch b/queue-6.6/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch new file mode 100644 index 0000000000..69e9de1c61 --- /dev/null +++ b/queue-6.6/drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch @@ -0,0 +1,85 @@ +From aec2ebe1d4bb32aa250b47b6d939494ced983013 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 00:32:38 +0800 +Subject: drm/msm/dsi: fix pclk rate calculation for bonded dsi + +From: Pengyu Luo + +[ Upstream commit e4eb11b34d6c84f398d8f08d7cb4d6c38e739dd2 ] + +Recently, we round up new_hdisplay once at most, for bonded dsi, we +may need twice, since they are independent links, we should round up +each half separately. This also aligns with the hdisplay we program +later in dsi_timing_setup() + +Example: + full_hdisplay = 1904, dsc_bpp = 8, bpc = 8 + new_full_hdisplay = DIV_ROUND_UP(1904 * 8, 8 * 3) = 635 + +if we use half display + new_half_hdisplay = DIV_ROUND_UP(952 * 8, 8 * 3) = 318 + new_full_display = 636 + +Fixes: 7c9e4a554d4a ("drm/msm/dsi: Reduce pclk rate for compression") +Signed-off-by: Pengyu Luo +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/709716/ +Link: https://lore.kernel.org/r/20260306163255.215456-1-mitltlatltl@gmail.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 48a39f8727441..6077331deba97 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -548,13 +548,30 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + * FIXME: Reconsider this if/when CMD mode handling is rewritten to use + * transfer time and data overhead as a starting point of the calculations. + */ +-static unsigned long dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, +- const struct drm_dsc_config *dsc) ++static unsigned long ++dsi_adjust_pclk_for_compression(const struct drm_display_mode *mode, ++ const struct drm_dsc_config *dsc, ++ bool is_bonded_dsi) + { +- int new_hdisplay = DIV_ROUND_UP(mode->hdisplay * drm_dsc_get_bpp_int(dsc), +- dsc->bits_per_component * 3); ++ int hdisplay, new_hdisplay, new_htotal; + +- int new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; ++ /* ++ * For bonded DSI, split hdisplay across two links and round up each ++ * half separately, passing the full hdisplay would only round up once. ++ * This also aligns with the hdisplay we program later in ++ * dsi_timing_setup() ++ */ ++ hdisplay = mode->hdisplay; ++ if (is_bonded_dsi) ++ hdisplay /= 2; ++ ++ new_hdisplay = DIV_ROUND_UP(hdisplay * drm_dsc_get_bpp_int(dsc), ++ dsc->bits_per_component * 3); ++ ++ if (is_bonded_dsi) ++ new_hdisplay *= 2; ++ ++ new_htotal = mode->htotal - mode->hdisplay + new_hdisplay; + + return mult_frac(mode->clock * 1000u, new_htotal, mode->htotal); + } +@@ -567,7 +584,7 @@ static unsigned long dsi_get_pclk_rate(const struct drm_display_mode *mode, + pclk_rate = mode->clock * 1000u; + + if (dsc) +- pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc); ++ pclk_rate = dsi_adjust_pclk_for_compression(mode, dsc, is_bonded_dsi); + + /* + * For bonded DSI mode, the current DRM mode has the complete width of the +-- +2.51.0 + diff --git a/queue-6.6/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch b/queue-6.6/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch new file mode 100644 index 0000000000..6d65f46be5 --- /dev/null +++ b/queue-6.6/e1000-e1000e-fix-leak-in-dma-error-cleanup.patch @@ -0,0 +1,70 @@ +From 6370e5e3ea7b4d72ad32e0c1b0e99fdb02533d5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Feb 2026 18:28:33 -0500 +Subject: e1000/e1000e: Fix leak in DMA error cleanup + +From: Matt Vollrath + +[ Upstream commit e94eaef11142b01f77bf8ba4d0b59720b7858109 ] + +If an error is encountered while mapping TX buffers, the driver should +unmap any buffers already mapped for that skb. + +Because count is incremented after a successful mapping, it will always +match the correct number of unmappings needed when dma_error is reached. +Decrementing count before the while loop in dma_error causes an +off-by-one error. If any mapping was successful before an unsuccessful +mapping, exactly one DMA mapping would leak. + +In these commits, a faulty while condition caused an infinite loop in +dma_error: +Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e +driver") +Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") + +Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of +unsigned in *_tx_map()") fixed the infinite loop, but introduced the +off-by-one error. + +This issue may still exist in the igbvf driver, but I did not address it +in this patch. + +Fixes: c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") +Assisted-by: Claude:claude-4.6-opus +Signed-off-by: Matt Vollrath +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/e1000/e1000_main.c | 2 -- + drivers/net/ethernet/intel/e1000e/netdev.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c +index d015a0a85f078..8dcb5d7c5a4b3 100644 +--- a/drivers/net/ethernet/intel/e1000/e1000_main.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c +@@ -2951,8 +2951,6 @@ static int e1000_tx_map(struct e1000_adapter *adapter, + dma_error: + dev_err(&pdev->dev, "TX DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c +index 7e4fea0e186b6..9e9138ccac421 100644 +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -5633,8 +5633,6 @@ static int e1000_tx_map(struct e1000_ring *tx_ring, struct sk_buff *skb, + dma_error: + dev_err(&pdev->dev, "Tx DMA map failed\n"); + buffer_info->dma = 0; +- if (count) +- count--; + + while (count--) { + if (i == 0) +-- +2.51.0 + diff --git a/queue-6.6/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch b/queue-6.6/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch new file mode 100644 index 0000000000..b0eb44c2b1 --- /dev/null +++ b/queue-6.6/i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch @@ -0,0 +1,86 @@ +From c77d9abc53945ba1d0483fcb8a3594921060b467 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 11:13:38 -0800 +Subject: i40e: fix src IP mask checks and memcpy argument names in cloud + filter + +From: Alok Tiwari + +[ Upstream commit e809085f492842ce7a519c9ef72d40f4bca89c13 ] + +Fix following issues in the IPv4 and IPv6 cloud filter handling logic in +both the add and delete paths: + +- The source-IP mask check incorrectly compares mask.src_ip[0] against + tcf.dst_ip[0]. Update it to compare against tcf.src_ip[0]. This likely + goes unnoticed because the check is in an "else if" path that only + executes when dst_ip is not set, most cloud filter use cases focus on + destination-IP matching, and the buggy condition can accidentally + evaluate true in some cases. + +- memcpy() for the IPv4 source address incorrectly uses + ARRAY_SIZE(tcf.dst_ip) instead of ARRAY_SIZE(tcf.src_ip), although + both arrays are the same size. + +- The IPv4 memcpy operations used ARRAY_SIZE(tcf.dst_ip) and ARRAY_SIZE + (tcf.src_ip), Update these to use sizeof(cfilter->ip.v4.dst_ip) and + sizeof(cfilter->ip.v4.src_ip) to ensure correct and explicit copy size. + +- In the IPv6 delete path, memcmp() uses sizeof(src_ip6) when comparing + dst_ip6 fields. Replace this with sizeof(dst_ip6) to make the intent + explicit, even though both fields are struct in6_addr. + +Fixes: e284fc280473 ("i40e: Add and delete cloud filter") +Signed-off-by: Alok Tiwari +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 7f5538e2c9de5..a9c492d747b9f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -3825,10 +3825,10 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter.n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter.ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter.ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter.ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter.ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter.n_proto = ETH_P_IPV6; +@@ -3883,7 +3883,7 @@ static int i40e_vc_del_cloud_filter(struct i40e_vf *vf, u8 *msg) + /* for ipv6, mask is set for all sixteen bytes (4 words) */ + if (cfilter.n_proto == ETH_P_IPV6 && mask.dst_ip[3]) + if (memcmp(&cfilter.ip.v6.dst_ip6, &cf->ip.v6.dst_ip6, +- sizeof(cfilter.ip.v6.src_ip6))) ++ sizeof(cfilter.ip.v6.dst_ip6))) + continue; + if (mask.vlan_id) + if (cfilter.vlan_id != cf->vlan_id) +@@ -3971,10 +3971,10 @@ static int i40e_vc_add_cloud_filter(struct i40e_vf *vf, u8 *msg) + cfilter->n_proto = ETH_P_IP; + if (mask.dst_ip[0] & tcf.dst_ip[0]) + memcpy(&cfilter->ip.v4.dst_ip, tcf.dst_ip, +- ARRAY_SIZE(tcf.dst_ip)); +- else if (mask.src_ip[0] & tcf.dst_ip[0]) ++ sizeof(cfilter->ip.v4.dst_ip)); ++ else if (mask.src_ip[0] & tcf.src_ip[0]) + memcpy(&cfilter->ip.v4.src_ip, tcf.src_ip, +- ARRAY_SIZE(tcf.dst_ip)); ++ sizeof(cfilter->ip.v4.src_ip)); + break; + case VIRTCHNL_TCP_V6_FLOW: + cfilter->n_proto = ETH_P_IPV6; +-- +2.51.0 + diff --git a/queue-6.6/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch b/queue-6.6/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch new file mode 100644 index 0000000000..7b12260643 --- /dev/null +++ b/queue-6.6/mctp-i2c-fix-skb-memory-leak-in-receive-path.patch @@ -0,0 +1,36 @@ +From 3b51a219b2299257b5de426a4feee7fcc9adbe66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:32:34 +0800 +Subject: mctp: i2c: fix skb memory leak in receive path + +From: Haiyue Wang + +[ Upstream commit e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 ] + +When 'midev->allow_rx' is false, the newly allocated skb isn't consumed +by netif_rx(), it needs to free the skb directly. + +Fixes: f5b8abf9fc3d ("mctp i2c: MCTP I2C binding driver") +Signed-off-by: Haiyue Wang +Link: https://patch.msgid.link/20260305143240.97592-1-haiyuewa@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mctp/mctp-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/mctp/mctp-i2c.c b/drivers/net/mctp/mctp-i2c.c +index c8c2c5dc46eb7..1a7e7397ba75c 100644 +--- a/drivers/net/mctp/mctp-i2c.c ++++ b/drivers/net/mctp/mctp-i2c.c +@@ -344,6 +344,7 @@ static int mctp_i2c_recv(struct mctp_i2c_dev *midev) + } else { + status = NET_RX_DROP; + spin_unlock_irqrestore(&midev->lock, flags); ++ kfree_skb(skb); + } + + if (status == NET_RX_SUCCESS) { +-- +2.51.0 + diff --git a/queue-6.6/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch b/queue-6.6/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch new file mode 100644 index 0000000000..5afefde953 --- /dev/null +++ b/queue-6.6/mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch @@ -0,0 +1,85 @@ +From 15bcbbd6c029a64dd5d9e4dcdddd18b4f12ee068 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 03:14:02 +0000 +Subject: mctp: route: hold key->lock in mctp_flow_prepare_output() + +From: Chengfeng Ye + +[ Upstream commit 7d86aa41c073c4e7eb75fd2e674f1fd8f289728a ] + +mctp_flow_prepare_output() checks key->dev and may call +mctp_dev_set_key(), but it does not hold key->lock while doing so. + +mctp_dev_set_key() and mctp_dev_release_key() are annotated with +__must_hold(&key->lock), so key->dev access is intended to be +serialized by key->lock. The mctp_sendmsg() transmit path reaches +mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() +without holding key->lock, so the check-and-set sequence is racy. + +Example interleaving: + + CPU0 CPU1 + ---- ---- + mctp_flow_prepare_output(key, devA) + if (!key->dev) // sees NULL + mctp_flow_prepare_output( + key, devB) + if (!key->dev) // still NULL + mctp_dev_set_key(devB, key) + mctp_dev_hold(devB) + key->dev = devB + mctp_dev_set_key(devA, key) + mctp_dev_hold(devA) + key->dev = devA // overwrites devB + +Now both devA and devB references were acquired, but only the final +key->dev value is tracked for release. One reference can be lost, +causing a resource leak as mctp_dev_release_key() would only decrease +the reference on one dev. + +Fix by taking key->lock around the key->dev check and +mctp_dev_set_key() call. + +Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers") +Signed-off-by: Chengfeng Ye +Link: https://patch.msgid.link/20260306031402.857224-1-dg573847474@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/mctp/route.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/net/mctp/route.c b/net/mctp/route.c +index 009ba5edbd525..59fbc54d8e66c 100644 +--- a/net/mctp/route.c ++++ b/net/mctp/route.c +@@ -267,6 +267,7 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + { + struct mctp_sk_key *key; + struct mctp_flow *flow; ++ unsigned long flags; + + flow = skb_ext_find(skb, SKB_EXT_MCTP); + if (!flow) +@@ -274,12 +275,14 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) + + key = flow->key; + +- if (key->dev) { ++ spin_lock_irqsave(&key->lock, flags); ++ ++ if (!key->dev) ++ mctp_dev_set_key(dev, key); ++ else + WARN_ON(key->dev != dev); +- return; +- } + +- mctp_dev_set_key(dev, key); ++ spin_unlock_irqrestore(&key->lock, flags); + } + #else + static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {} +-- +2.51.0 + diff --git a/queue-6.6/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch b/queue-6.6/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch new file mode 100644 index 0000000000..a0d880d954 --- /dev/null +++ b/queue-6.6/net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch @@ -0,0 +1,92 @@ +From 4492f9594ef611c83f8c3826261c6821f25afcfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:50:54 -0300 +Subject: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ricardo B. Marlière + +[ Upstream commit 30021e969d48e5819d5ae56936c2f34c0f7ce997 ] + +When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never +initialized because inet6_init() exits before ndisc_init() is called +which initializes it. If bonding ARP/NS validation is enabled, an IPv6 +NS/NA packet received on a slave can reach bond_validate_na(), which +calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can +crash in __ipv6_chk_addr_and_flags(). + + BUG: kernel NULL pointer dereference, address: 00000000000005d8 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 + Call Trace: + + ipv6_chk_addr+0x1f/0x30 + bond_validate_na+0x12e/0x1d0 [bonding] + ? __pfx_bond_handle_frame+0x10/0x10 [bonding] + bond_rcv_validate+0x1a0/0x450 [bonding] + bond_handle_frame+0x5e/0x290 [bonding] + ? srso_alias_return_thunk+0x5/0xfbef5 + __netif_receive_skb_core.constprop.0+0x3e8/0xe50 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? update_cfs_rq_load_avg+0x1a/0x240 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __enqueue_entity+0x5e/0x240 + __netif_receive_skb_one_core+0x39/0xa0 + process_backlog+0x9c/0x150 + __napi_poll+0x30/0x200 + ? srso_alias_return_thunk+0x5/0xfbef5 + net_rx_action+0x338/0x3b0 + handle_softirqs+0xc9/0x2a0 + do_softirq+0x42/0x60 + + + __local_bh_enable_ip+0x62/0x70 + __dev_queue_xmit+0x2d3/0x1000 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? packet_parse_headers+0x10a/0x1a0 + packet_sendmsg+0x10da/0x1700 + ? kick_pool+0x5f/0x140 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? __queue_work+0x12d/0x4f0 + __sys_sendto+0x1f3/0x220 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x101/0xf80 + ? exc_page_fault+0x6e/0x170 + ? srso_alias_return_thunk+0x5/0xfbef5 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to +bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() +and avoid the path to ipv6_chk_addr(). + +Suggested-by: Fernando Fernandez Mancera +Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets") +Signed-off-by: Ricardo B. Marlière +Reviewed-by: Hangbin Liu +Link: https://patch.msgid.link/20260307-net-nd_tbl_fixes-v4-2-e2677e85628c@suse.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b36d1781d8463..114ebaa284daa 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3447,7 +3447,7 @@ int bond_rcv_validate(const struct sk_buff *skb, struct bonding *bond, + } else if (is_arp) { + return bond_arp_rcv(skb, bond, slave); + #if IS_ENABLED(CONFIG_IPV6) +- } else if (is_ipv6) { ++ } else if (is_ipv6 && likely(ipv6_mod_enabled())) { + return bond_na_rcv(skb, bond, slave); + #endif + } else { +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch b/queue-6.6/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch new file mode 100644 index 0000000000..ae230c591f --- /dev/null +++ b/queue-6.6/net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch @@ -0,0 +1,48 @@ +From 7aff0c0ea505554ab740d477753d3caa2422edd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Mar 2026 17:25:12 -0300 +Subject: net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets + +From: Mieczyslaw Nalewaj + +[ Upstream commit f76a93241d71fbba8425e3967097b498c29264ed ] + +rx_packets should report the number of frames successfully received: +unicast + multicast + broadcast. Subtracting ifOutDiscards (a TX +counter) is incorrect and can undercount RX packets. RX drops are +already reported via rx_dropped (e.g. etherStatsDropEvents), so +there is no need to adjust rx_packets. + +This patch removes the subtraction of ifOutDiscards from rx_packets +in rtl8365mb_stats_update(). + +Link: https://lore.kernel.org/netdev/878777925.105015.1763423928520@mail.yahoo.com/ +Fixes: 4af2950c50c8 ("net: dsa: realtek-smi: add rtl8365mb subdriver for RTL8365MB-VC") +Signed-off-by: Mieczyslaw Nalewaj +Signed-off-by: Luiz Angelo Daros de Luca +Reviewed-by: Simon Horman +Acked-by: Linus Walleij +Link: https://patch.msgid.link/20260303-realtek_namiltd_fix2-v1-1-bfa433d3401e@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/realtek/rtl8365mb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/realtek/rtl8365mb.c b/drivers/net/dsa/realtek/rtl8365mb.c +index 318eced8f0d34..9d59d93807825 100644 +--- a/drivers/net/dsa/realtek/rtl8365mb.c ++++ b/drivers/net/dsa/realtek/rtl8365mb.c +@@ -1482,8 +1482,7 @@ static void rtl8365mb_stats_update(struct realtek_priv *priv, int port) + + stats->rx_packets = cnt[RTL8365MB_MIB_ifInUcastPkts] + + cnt[RTL8365MB_MIB_ifInMulticastPkts] + +- cnt[RTL8365MB_MIB_ifInBroadcastPkts] - +- cnt[RTL8365MB_MIB_ifOutDiscards]; ++ cnt[RTL8365MB_MIB_ifInBroadcastPkts]; + + stats->tx_packets = cnt[RTL8365MB_MIB_ifOutUcastPkts] + + cnt[RTL8365MB_MIB_ifOutMulticastPkts] + +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch b/queue-6.6/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch new file mode 100644 index 0000000000..18800e7cd4 --- /dev/null +++ b/queue-6.6/net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch @@ -0,0 +1,152 @@ +From 3792cba88bc769ac846271075dc02745a9e26f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 10:10:19 +0200 +Subject: net/mlx5: Fix deadlock between devlink lock and esw->wq + +From: Cosmin Ratiu + +[ Upstream commit aed763abf0e905b4b8d747d1ba9e172961572f57 ] + +esw->work_queue executes esw_functions_changed_event_handler -> +esw_vfs_changed_event_handler and acquires the devlink lock. + +.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> +mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> +mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks +when esw_vfs_changed_event_handler executes. + +Fix that by no longer flushing the work to avoid the deadlock, and using +a generation counter to keep track of work relevance. This avoids an old +handler manipulating an esw that has undergone one or more mode changes: +- the counter is incremented in mlx5_eswitch_event_handler_unregister. +- the counter is read and passed to the ephemeral mlx5_host_work struct. +- the work handler takes the devlink lock and bails out if the current + generation is different than the one it was scheduled to operate on. +- mlx5_eswitch_cleanup does the final draining before destroying the wq. + +No longer flushing the workqueue has the side effect of maybe no longer +cancelling pending vport_change_handler work items, but that's ok since +those are disabled elsewhere: +- mlx5_eswitch_disable_locked disables the vport eq notifier. +- mlx5_esw_vport_disable disarms the HW EQ notification and marks + vport->enabled under state_lock to false to prevent pending vport + handler from doing anything. +- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events + are disabled/finished. + +Fixes: f1bc646c9a06 ("net/mlx5: Use devl_ API in mlx5_esw_offloads_devlink_port_register") +Signed-off-by: Cosmin Ratiu +Reviewed-by: Moshe Shemesh +Reviewed-by: Dragos Tatulea +Reviewed-by: Simon Horman +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305081019.1811100-1-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 7 ++++--- + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++ + .../mellanox/mlx5/core/eswitch_offloads.c | 18 +++++++++++++----- + 3 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 79fa78b188250..2559237da49c5 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1068,10 +1068,11 @@ static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + + static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw) + { +- if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) ++ if (esw->mode == MLX5_ESWITCH_OFFLOADS && ++ mlx5_eswitch_is_funcs_handler(esw->dev)) { + mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb); +- +- flush_workqueue(esw->work_queue); ++ atomic_inc(&esw->esw_funcs.generation); ++ } + } + + static void mlx5_eswitch_clear_vf_vports_info(struct mlx5_eswitch *esw) +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 23e612dd329db..48bebc3b8b12c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -311,10 +311,12 @@ struct esw_mc_addr { /* SRIOV only */ + struct mlx5_host_work { + struct work_struct work; + struct mlx5_eswitch *esw; ++ int work_gen; + }; + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ atomic_t generation; + bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +index c218593dc40f4..e69e0f2c33964 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3387,22 +3387,28 @@ static void esw_offloads_steering_cleanup(struct mlx5_eswitch *esw) + } + + static void +-esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) ++esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, int work_gen, ++ const u32 *out) + { + struct devlink *devlink; + bool host_pf_disabled; + u16 new_num_vfs; + ++ devlink = priv_to_devlink(esw->dev); ++ devl_lock(devlink); ++ ++ /* Stale work from one or more mode changes ago. Bail out. */ ++ if (work_gen != atomic_read(&esw->esw_funcs.generation)) ++ goto unlock; ++ + new_num_vfs = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_num_of_vfs); + host_pf_disabled = MLX5_GET(query_esw_functions_out, out, + host_params_context.host_pf_disabled); + + if (new_num_vfs == esw->esw_funcs.num_vfs || host_pf_disabled) +- return; ++ goto unlock; + +- devlink = priv_to_devlink(esw->dev); +- devl_lock(devlink); + /* Number of VFs can only change from "0 to x" or "x to 0". */ + if (esw->esw_funcs.num_vfs > 0) { + mlx5_eswitch_unload_vf_vports(esw, esw->esw_funcs.num_vfs); +@@ -3417,6 +3423,7 @@ esw_vfs_changed_event_handler(struct mlx5_eswitch *esw, const u32 *out) + } + } + esw->esw_funcs.num_vfs = new_num_vfs; ++unlock: + devl_unlock(devlink); + } + +@@ -3433,7 +3440,7 @@ static void esw_functions_changed_event_handler(struct work_struct *work) + if (IS_ERR(out)) + goto out; + +- esw_vfs_changed_event_handler(esw, out); ++ esw_vfs_changed_event_handler(esw, host_work->work_gen, out); + kvfree(out); + out: + kfree(host_work); +@@ -3453,6 +3460,7 @@ int mlx5_esw_funcs_changed_handler(struct notifier_block *nb, unsigned long type + esw = container_of(esw_funcs, struct mlx5_eswitch, esw_funcs); + + host_work->esw = esw; ++ host_work->work_gen = atomic_read(&esw_funcs->generation); + + INIT_WORK(&host_work->work, esw_functions_changed_event_handler); + queue_work(esw->work_queue, &host_work->work); +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-ifc-updates-for-disabled-host-pf.patch b/queue-6.6/net-mlx5-ifc-updates-for-disabled-host-pf.patch new file mode 100644 index 0000000000..52abdfc651 --- /dev/null +++ b/queue-6.6/net-mlx5-ifc-updates-for-disabled-host-pf.patch @@ -0,0 +1,40 @@ +From 1d3b28ced0fcb4c19588f0018721608697d5247e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 15:41:07 +0300 +Subject: net/mlx5: IFC updates for disabled host PF + +From: Daniel Jurgens + +[ Upstream commit cd1746cb6555a2238c4aae9f9d60b637a61bf177 ] + +The port 2 host PF can be disabled, this bit reflects that setting. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1752064867-16874-3-git-send-email-tariqt@nvidia.com +Signed-off-by: Leon Romanovsky +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 4913d364e9774..c59fd31719a13 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -11799,7 +11799,9 @@ struct mlx5_ifc_mtrc_ctrl_bits { + + struct mlx5_ifc_host_params_context_bits { + u8 host_number[0x8]; +- u8 reserved_at_8[0x7]; ++ u8 reserved_at_8[0x5]; ++ u8 host_pf_not_exist[0x1]; ++ u8 reserved_at_14[0x1]; + u8 host_pf_disabled[0x1]; + u8 host_num_of_vfs[0x10]; + +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5-query-to-see-if-host-pf-is-disabled.patch b/queue-6.6/net-mlx5-query-to-see-if-host-pf-is-disabled.patch new file mode 100644 index 0000000000..d99aea9345 --- /dev/null +++ b/queue-6.6/net-mlx5-query-to-see-if-host-pf-is-disabled.patch @@ -0,0 +1,80 @@ +From 48e4c37de488aa50040301111f7993b8988b0c1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 22:19:55 +0300 +Subject: net/mlx5: Query to see if host PF is disabled + +From: Daniel Jurgens + +[ Upstream commit 9e84de72aef9bcf0e751a0bff3ac91b0cf52366f ] + +The host PF can be disabled, query firmware to check if the host PF of +this function exists. + +Signed-off-by: Daniel Jurgens +Reviewed-by: William Tu +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/1755112796-467444-2-git-send-email-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: aed763abf0e9 ("net/mlx5: Fix deadlock between devlink lock and esw->wq") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/mellanox/mlx5/core/eswitch.c | 23 +++++++++++++++++++ + .../net/ethernet/mellanox/mlx5/core/eswitch.h | 1 + + 2 files changed, 24 insertions(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +index 914b380fd3eeb..79fa78b188250 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c +@@ -1038,6 +1038,25 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev) + return ERR_PTR(err); + } + ++static int mlx5_esw_host_functions_enabled_query(struct mlx5_eswitch *esw) ++{ ++ const u32 *query_host_out; ++ ++ if (!mlx5_core_is_ecpf_esw_manager(esw->dev)) ++ return 0; ++ ++ query_host_out = mlx5_esw_query_functions(esw->dev); ++ if (IS_ERR(query_host_out)) ++ return PTR_ERR(query_host_out); ++ ++ esw->esw_funcs.host_funcs_disabled = ++ MLX5_GET(query_esw_functions_out, query_host_out, ++ host_params_context.host_pf_not_exist); ++ ++ kvfree(query_host_out); ++ return 0; ++} ++ + static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw) + { + if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) { +@@ -1870,6 +1889,10 @@ int mlx5_eswitch_init(struct mlx5_core_dev *dev) + goto abort; + } + ++ err = mlx5_esw_host_functions_enabled_query(esw); ++ if (err) ++ goto abort; ++ + err = mlx5_esw_vports_init(esw); + if (err) + goto abort; +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +index 3e58e731b5697..23e612dd329db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h +@@ -315,6 +315,7 @@ struct mlx5_host_work { + + struct mlx5_esw_functions { + struct mlx5_nb nb; ++ bool host_funcs_disabled; + u16 num_vfs; + u16 num_ec_vfs; + }; +-- +2.51.0 + diff --git a/queue-6.6/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch b/queue-6.6/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch new file mode 100644 index 0000000000..14c8b7213f --- /dev/null +++ b/queue-6.6/net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch @@ -0,0 +1,82 @@ +From b4b25aaf0be7aadbab8d02b00bfe37d669a4d5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 16:26:32 +0200 +Subject: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery + +From: Gal Pressman + +[ Upstream commit 1633111d69053512d099658d4a05fc736fab36b0 ] + +In case of a TX error CQE, a recovery flow is triggered, +mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, +desyncing the DMA FIFO producer and consumer. + +After recovery, the producer pushes new DMA entries at the old +dma_fifo_pc, while the consumer reads from position 0. +This causes us to unmap stale DMA addresses from before the recovery. + +The DMA FIFO is a purely software construct with no HW counterpart. +At the point of reset, all WQEs have been flushed so dma_fifo_cc is +already equal to dma_fifo_pc. There is no need to reset either counter, +similar to how skb_fifo pc/cc are untouched. + +Remove the 'dma_fifo_cc = 0' reset. + +This fixes the following WARNING: + WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 + Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] + CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + RIP: 0010:iommu_dma_unmap_page+0x79/0x90 + Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 + Call Trace: + + ? __warn+0x7d/0x110 + ? iommu_dma_unmap_page+0x79/0x90 + ? report_bug+0x16d/0x180 + ? handle_bug+0x4f/0x90 + ? exc_invalid_op+0x14/0x70 + ? asm_exc_invalid_op+0x16/0x20 + ? iommu_dma_unmap_page+0x79/0x90 + ? iommu_dma_unmap_page+0x2e/0x90 + dma_unmap_page_attrs+0x10d/0x1b0 + mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] + mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] + mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] + __napi_poll+0x24/0x190 + net_rx_action+0x32a/0x3b0 + ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] + ? notifier_call_chain+0x35/0xa0 + handle_softirqs+0xc9/0x270 + irq_exit_rcu+0x71/0xd0 + common_interrupt+0x7f/0xa0 + + + asm_common_interrupt+0x22/0x40 + +Fixes: db75373c91b0 ("net/mlx5e: Recover Send Queue (SQ) from error state") +Signed-off-by: Gal Pressman +Reviewed-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://patch.msgid.link/20260305142634.1813208-4-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +index 51a23345caa18..1319e9ee20fc0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c +@@ -46,7 +46,6 @@ static void mlx5e_reset_txqsq_cc_pc(struct mlx5e_txqsq *sq) + "SQ 0x%x: cc (0x%x) != pc (0x%x)\n", + sq->sqn, sq->cc, sq->pc); + sq->cc = 0; +- sq->dma_fifo_cc = 0; + sq->pc = 0; + } + +-- +2.51.0 + diff --git a/queue-6.6/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch b/queue-6.6/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch new file mode 100644 index 0000000000..63816108dc --- /dev/null +++ b/queue-6.6/net-sched-teql-fix-null-pointer-dereference-in-iptun.patch @@ -0,0 +1,80 @@ +From 8340d52da9459edd5280f65e22f0be803a14e814 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2026 12:42:18 +0800 +Subject: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on + TEQL slave xmit + +From: Weiming Shi + +[ Upstream commit 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 ] + +teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit +through slave devices, but does not update skb->dev to the slave device +beforehand. + +When a gretap tunnel is a TEQL slave, the transmit path reaches +iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 +master) and later calls iptunnel_xmit_stats(dev, pkt_len). This +function does: + + get_cpu_ptr(dev->tstats) + +Since teql_master_setup() does not set dev->pcpu_stat_type to +NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats +for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes +NULL + __per_cpu_offset[cpu], resulting in a page fault. + + BUG: unable to handle page fault for address: ffff8880e6659018 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 68bc067 P4D 68bc067 PUD 0 + Oops: Oops: 0002 [#1] SMP KASAN PTI + RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) + Call Trace: + + ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) + __gre_xmit (net/ipv4/ip_gre.c:478) + gre_tap_xmit (net/ipv4/ip_gre.c:779) + teql_master_xmit (net/sched/sch_teql.c:319) + dev_hard_start_xmit (net/core/dev.c:3887) + sch_direct_xmit (net/sched/sch_generic.c:347) + __dev_queue_xmit (net/core/dev.c:4802) + neigh_direct_output (net/core/neighbour.c:1660) + ip_finish_output2 (net/ipv4/ip_output.c:237) + __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) + ip_mc_output (net/ipv4/ip_output.c:369) + ip_send_skb (net/ipv4/ip_output.c:1508) + udp_send_skb (net/ipv4/udp.c:1195) + udp_sendmsg (net/ipv4/udp.c:1485) + inet_sendmsg (net/ipv4/af_inet.c:859) + __sys_sendto (net/socket.c:2206) + +Fix this by setting skb->dev = slave before calling +netdev_start_xmit(), so that tunnel xmit functions see the correct +slave device with properly allocated tstats. + +Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()") +Reported-by: Xiang Mei +Signed-off-by: Weiming Shi +Link: https://patch.msgid.link/20260304044216.3517851-3-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_teql.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c +index 0a7856e14a975..c89cb6eba27da 100644 +--- a/net/sched/sch_teql.c ++++ b/net/sched/sch_teql.c +@@ -315,6 +315,7 @@ static netdev_tx_t teql_master_xmit(struct sk_buff *skb, struct net_device *dev) + if (__netif_tx_trylock(slave_txq)) { + unsigned int length = qdisc_pkt_len(skb); + ++ skb->dev = slave; + if (!netif_xmit_frozen_or_stopped(slave_txq) && + netdev_start_xmit(skb, slave, slave_txq, false) == + NETDEV_TX_OK) { +-- +2.51.0 + diff --git a/queue-6.6/net-sfp-add-quirk-for-potron-sfp-xgspon-onu-stick.patch b/queue-6.6/net-sfp-add-quirk-for-potron-sfp-xgspon-onu-stick.patch new file mode 100644 index 0000000000..edb5eb7581 --- /dev/null +++ b/queue-6.6/net-sfp-add-quirk-for-potron-sfp-xgspon-onu-stick.patch @@ -0,0 +1,77 @@ +From f3788c265eed7249655da230f395badeebe6c64f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 13:03:24 -0500 +Subject: net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick + +From: Chris Morgan + +[ Upstream commit dfec1c14aecee6813f9bafc7b560cc3a31d24079 ] + +Add quirk for Potron SFP+ XGSPON ONU Stick (YV SFP+ONT-XGSPON). + +This device uses pins 2 and 7 for UART communication, so disable +TX_FAULT and LOS. Additionally as it is an embedded system in an +SFP+ form factor provide it enough time to fully boot before we +attempt to use it. + +https://www.potrontec.com/index/index/list/cat_id/2.html#11-83 +https://pon.wiki/xgs-pon/ont/potron-technology/x-onu-sfpp/ + +Signed-off-by: Chris Morgan +Link: https://patch.msgid.link/20250617180324.229487-1-macroalpha82@gmail.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index c47d7232d1c6e..6ef50d1ce2eda 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -359,6 +359,11 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask) ++{ ++ sfp->state_hw_mask &= ~mask; ++} ++ + static void sfp_fixup_nokia(struct sfp *sfp) + { + sfp_fixup_long_startup(sfp); +@@ -392,7 +397,19 @@ static void sfp_fixup_halny_gsfp(struct sfp *sfp) + * these are possibly used for other purposes on this + * module, e.g. a serial port. + */ +- sfp->state_hw_mask &= ~(SFP_F_TX_FAULT | SFP_F_LOS); ++ sfp_fixup_ignore_hw(sfp, SFP_F_TX_FAULT | SFP_F_LOS); ++} ++ ++static void sfp_fixup_potron(struct sfp *sfp) ++{ ++ /* ++ * The TX_FAULT and LOS pins on this device are used for serial ++ * communication, so ignore them. Additionally, provide extra ++ * time for this device to fully start up. ++ */ ++ ++ sfp_fixup_long_startup(sfp); ++ sfp_fixup_ignore_hw(sfp, SFP_F_TX_FAULT | SFP_F_LOS); + } + + static void sfp_fixup_rollball(struct sfp *sfp) +@@ -500,6 +517,8 @@ static const struct sfp_quirk sfp_quirks[] = { + SFP_QUIRK_F("Walsun", "HXSX-ATRC-1", sfp_fixup_fs_10gt), + SFP_QUIRK_F("Walsun", "HXSX-ATRI-1", sfp_fixup_fs_10gt), + ++ SFP_QUIRK_F("YV", "SFP+ONU-XGSPON", sfp_fixup_potron), ++ + // OEM SFP-GE-T is a 1000Base-T module with broken TX_FAULT indicator + SFP_QUIRK_F("OEM", "SFP-GE-T", sfp_fixup_ignore_tx_fault), + +-- +2.51.0 + diff --git a/queue-6.6/net-sfp-improve-huawei-ma5671a-fixup.patch b/queue-6.6/net-sfp-improve-huawei-ma5671a-fixup.patch new file mode 100644 index 0000000000..fe601ad98b --- /dev/null +++ b/queue-6.6/net-sfp-improve-huawei-ma5671a-fixup.patch @@ -0,0 +1,58 @@ +From e603d8bf95b308f07304c91db34330f6dedbe1ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 13:29:55 +0100 +Subject: net: sfp: improve Huawei MA5671a fixup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 87d126852158467ab87d5cbc36ccfd3f15464a6c ] + +With the current sfp_fixup_ignore_tx_fault() fixup we ignore the TX_FAULT +signal, but we also need to apply sfp_fixup_ignore_los() in order to be +able to communicate with the module even if the fiber isn't connected for +configuration purposes. +This is needed for all the MA5671a firmwares, excluding the FS modded +firmware. + +Fixes: 2069624dac19 ("net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT") +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20260306125139.213637-1-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 6ef50d1ce2eda..00bbe20b0b43e 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -359,6 +359,12 @@ static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_ignore_tx_fault_and_los(struct sfp *sfp) ++{ ++ sfp_fixup_ignore_tx_fault(sfp); ++ sfp_fixup_ignore_los(sfp); ++} ++ + static void sfp_fixup_ignore_hw(struct sfp *sfp, unsigned int mask) + { + sfp->state_hw_mask &= ~mask; +@@ -501,7 +507,7 @@ static const struct sfp_quirk sfp_quirks[] = { + // Huawei MA5671A can operate at 2500base-X, but report 1.2GBd NRZ in + // their EEPROM + SFP_QUIRK("HUAWEI", "MA5671A", sfp_quirk_2500basex, +- sfp_fixup_ignore_tx_fault), ++ sfp_fixup_ignore_tx_fault_and_los), + + // FS 2.5G Base-T + SFP_QUIRK_M("FS", "SFP-2.5G-T", sfp_quirk_oem_2_5g), +-- +2.51.0 + diff --git a/queue-6.6/net-sfp-improve-nokia-gpon-sfp-fixup.patch b/queue-6.6/net-sfp-improve-nokia-gpon-sfp-fixup.patch new file mode 100644 index 0000000000..02ac2ed94e --- /dev/null +++ b/queue-6.6/net-sfp-improve-nokia-gpon-sfp-fixup.patch @@ -0,0 +1,68 @@ +From 95c9317842a7441067de6b5ed63a6fc435ceebd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 14:34:29 +0100 +Subject: net: sfp: improve Nokia GPON sfp fixup + +From: Russell King (Oracle) + +[ Upstream commit 5ffe330e40bdfad9c49a615c54d2d89343b2f08a ] + +Improve the Nokia GPON fixup - we need to ignore not only the hardware +LOS signal, but also the software implementation as well. Do this by +using the new state_ignore_mask to indicate that we should ignore not +only the hardware RX_LOS signal, and also clear the LOS bits in the +option field. + +Signed-off-by: Russell King (Oracle) +Tested-by: Christian Marangi +Link: https://lore.kernel.org/r/E1qnfXh-008UDe-F9@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index 5d1456e1449fb..c47d7232d1c6e 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -345,11 +345,26 @@ static void sfp_fixup_long_startup(struct sfp *sfp) + sfp->module_t_start_up = T_START_UP_BAD_GPON; + } + ++static void sfp_fixup_ignore_los(struct sfp *sfp) ++{ ++ /* This forces LOS to zero, so we ignore transitions */ ++ sfp->state_ignore_mask |= SFP_F_LOS; ++ /* Make sure that LOS options are clear */ ++ sfp->id.ext.options &= ~cpu_to_be16(SFP_OPTIONS_LOS_INVERTED | ++ SFP_OPTIONS_LOS_NORMAL); ++} ++ + static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + { + sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + ++static void sfp_fixup_nokia(struct sfp *sfp) ++{ ++ sfp_fixup_long_startup(sfp); ++ sfp_fixup_ignore_los(sfp); ++} ++ + // For 10GBASE-T short-reach modules + static void sfp_fixup_10gbaset_30m(struct sfp *sfp) + { +@@ -449,7 +464,7 @@ static const struct sfp_quirk sfp_quirks[] = { + // Alcatel Lucent G-010S-A can operate at 2500base-X, but report 3.2GBd + // NRZ in their EEPROM + SFP_QUIRK("ALCATELLUCENT", "3FE46541AA", sfp_quirk_2500basex, +- sfp_fixup_long_startup), ++ sfp_fixup_nokia), + + // Fiberstore SFP-10G-T doesn't identify as copper, and uses the + // Rollball protocol to talk to the PHY. +-- +2.51.0 + diff --git a/queue-6.6/net-sfp-re-implement-ignoring-the-hardware-tx_fault-.patch b/queue-6.6/net-sfp-re-implement-ignoring-the-hardware-tx_fault-.patch new file mode 100644 index 0000000000..42220c1efe --- /dev/null +++ b/queue-6.6/net-sfp-re-implement-ignoring-the-hardware-tx_fault-.patch @@ -0,0 +1,96 @@ +From adc4f1a5cabb3df70bafc5f5f88323d989902927 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Oct 2023 14:34:24 +0100 +Subject: net: sfp: re-implement ignoring the hardware TX_FAULT signal + +From: Russell King (Oracle) + +[ Upstream commit e184e8609f8c1cd9fef703f667245b6ebd89c2ed ] + +Re-implement how we ignore the hardware TX_FAULT signal. Rather than +having a separate boolean for this, use a bitmask of the hardware +signals that we wish to ignore. This gives more flexibility in the +future to ignore other signals such as RX_LOS. + +Signed-off-by: Russell King (Oracle) +Tested-by: Christian Marangi +Link: https://lore.kernel.org/r/E1qnfXc-008UDY-91@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Stable-dep-of: 87d126852158 ("net: sfp: improve Huawei MA5671a fixup") +Signed-off-by: Sasha Levin +--- + drivers/net/phy/sfp.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c +index ff438be4c186e..5d1456e1449fb 100644 +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -257,6 +257,7 @@ struct sfp { + unsigned int state_hw_drive; + unsigned int state_hw_mask; + unsigned int state_soft_mask; ++ unsigned int state_ignore_mask; + unsigned int state; + + struct delayed_work poll; +@@ -280,7 +281,6 @@ struct sfp { + unsigned int rs_state_mask; + + bool have_a2; +- bool tx_fault_ignore; + + const struct sfp_quirk *quirk; + +@@ -347,7 +347,7 @@ static void sfp_fixup_long_startup(struct sfp *sfp) + + static void sfp_fixup_ignore_tx_fault(struct sfp *sfp) + { +- sfp->tx_fault_ignore = true; ++ sfp->state_ignore_mask |= SFP_F_TX_FAULT; + } + + // For 10GBASE-T short-reach modules +@@ -800,7 +800,8 @@ static void sfp_soft_start_poll(struct sfp *sfp) + + mutex_lock(&sfp->st_mutex); + // Poll the soft state for hardware pins we want to ignore +- sfp->state_soft_mask = ~sfp->state_hw_mask & mask; ++ sfp->state_soft_mask = ~sfp->state_hw_mask & ~sfp->state_ignore_mask & ++ mask; + + if (sfp->state_soft_mask & (SFP_F_LOS | SFP_F_TX_FAULT) && + !sfp->need_poll) +@@ -2325,7 +2326,7 @@ static int sfp_sm_mod_probe(struct sfp *sfp, bool report) + sfp->module_t_start_up = T_START_UP; + sfp->module_t_wait = T_WAIT; + +- sfp->tx_fault_ignore = false; ++ sfp->state_ignore_mask = 0; + + if (sfp->id.base.extended_cc == SFF8024_ECC_10GBASE_T_SFI || + sfp->id.base.extended_cc == SFF8024_ECC_10GBASE_T_SR || +@@ -2348,6 +2349,8 @@ static int sfp_sm_mod_probe(struct sfp *sfp, bool report) + + if (sfp->quirk && sfp->quirk->fixup) + sfp->quirk->fixup(sfp); ++ ++ sfp->state_hw_mask &= ~sfp->state_ignore_mask; + mutex_unlock(&sfp->st_mutex); + + return 0; +@@ -2848,10 +2851,7 @@ static void sfp_check_state(struct sfp *sfp) + mutex_lock(&sfp->st_mutex); + state = sfp_get_state(sfp); + changed = state ^ sfp->state; +- if (sfp->tx_fault_ignore) +- changed &= SFP_F_PRESENT | SFP_F_LOS; +- else +- changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT; ++ changed &= SFP_F_PRESENT | SFP_F_LOS | SFP_F_TX_FAULT; + + for (i = 0; i < GPIO_MAX; i++) + if (changed & BIT(i)) +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch b/queue-6.6/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch new file mode 100644 index 0000000000..e2791bd99b --- /dev/null +++ b/queue-6.6/netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch @@ -0,0 +1,71 @@ +From 847e4f419f91525611a786b65e506c5822bb11da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:23:34 +0900 +Subject: netfilter: nfnetlink_cthelper: fix OOB read in + nfnl_cthelper_dump_table() + +From: Hyunwoo Kim + +[ Upstream commit 6dcee8496d53165b2d8a5909b3050b62ae71fe89 ] + +nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label +inside the for loop body. When the "last" helper saved in cb->args[1] +is deleted between dump rounds, every entry fails the (cur != last) +check, so cb->args[1] is never cleared. The for loop finishes with +cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back +into the loop body bypassing the bounds check, causing an 8-byte +out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. + +The 'goto restart' block was meant to re-traverse the current bucket +when "last" is no longer found, but it was placed after the for loop +instead of inside it. Move the block into the for loop body so that +the restart only occurs while cb->args[0] is still within bounds. + + BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 + Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 + Call Trace: + nfnl_cthelper_dump_table+0x9f/0x1b0 + netlink_dump+0x333/0x880 + netlink_recvmsg+0x3e2/0x4b0 + sock_recvmsg+0xde/0xf0 + __sys_recvfrom+0x150/0x200 + __x64_sys_recvfrom+0x76/0x90 + do_syscall_64+0xc3/0x6e0 + + Allocated by task 1: + __kvmalloc_node_noprof+0x21b/0x700 + nf_ct_alloc_hashtable+0x65/0xd0 + nf_conntrack_helper_init+0x21/0x60 + nf_conntrack_init_start+0x18d/0x300 + nf_conntrack_standalone_init+0x12/0xc0 + +Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure") +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_cthelper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c +index 97248963a7d3b..71a248cca746a 100644 +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -603,10 +603,10 @@ nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb) + goto out; + } + } +- } +- if (cb->args[1]) { +- cb->args[1] = 0; +- goto restart; ++ if (cb->args[1]) { ++ cb->args[1] = 0; ++ goto restart; ++ } + } + out: + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch b/queue-6.6/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch new file mode 100644 index 0000000000..eb688247bd --- /dev/null +++ b/queue-6.6/netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch @@ -0,0 +1,52 @@ +From 81f13c2ea67ad104d20f50fab7b033d54b63a0e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 02:24:06 +0900 +Subject: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error + path + +From: Hyunwoo Kim + +[ Upstream commit f1ba83755d81c6fc66ac7acd723d238f974091e9 ] + +nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue +entry from the queue data structures, taking ownership of the entry. +For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN +attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN +present but NFQA_VLAN_TCI missing), the function returns immediately +without freeing the dequeued entry or its sk_buff. + +This leaks the nf_queue_entry, its associated sk_buff, and all held +references (net_device refcounts, struct net refcount). Repeated +triggering exhausts kernel memory. + +Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict +on the error path, consistent with other error handling in this file. + +Fixes: 8d45ff22f1b4 ("netfilter: bridge: nf queue verdict to use NFQA_VLAN and NFQA_L2HDR") +Reviewed-by: David Dull +Signed-off-by: Hyunwoo Kim +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 09209b4952ad1..0ac0db71dbc61 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -1283,8 +1283,10 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info, + + if (entry->state.pf == PF_BRIDGE) { + err = nfqa_parse_bridge(entry, nfqa); +- if (err < 0) ++ if (err < 0) { ++ nfqnl_reinject(entry, NF_DROP); + return err; ++ } + } + + if (nfqa[NFQA_PAYLOAD]) { +-- +2.51.0 + diff --git a/queue-6.6/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch b/queue-6.6/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch new file mode 100644 index 0000000000..ce9e564300 --- /dev/null +++ b/queue-6.6/netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch @@ -0,0 +1,65 @@ +From d7284b5ad558fdac43befba564e8a6a3b9f6838e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Mar 2026 19:12:38 +0000 +Subject: netfilter: nft_set_pipapo: fix stack out-of-bounds read in + pipapo_drop() + +From: Jenny Guanni Qu + +[ Upstream commit d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 ] + +pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the +to_offset argument on every iteration, including the last one where +i == m->field_count - 1. This reads one element past the end of the +stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] +with NFT_PIPAPO_MAX_FIELDS == 16). + +Although pipapo_unmap() returns early when is_last is true without +using the to_offset value, the argument is evaluated at the call site +before the function body executes, making this a genuine out-of-bounds +stack read confirmed by KASAN: + + BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] + Read of size 4 at addr ffff8000810e71a4 + + This frame has 1 object: + [32, 160) 'rulemap' + + The buggy address is at offset 164 -- exactly 4 bytes past the end + of the rulemap array. + +Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid +the out-of-bounds read. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Signed-off-by: Jenny Guanni Qu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_set_pipapo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index c3ada6798d4a3..f4d0bb6b377d1 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1570,6 +1570,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + int i; + + nft_pipapo_for_each_field(f, i, m) { ++ bool last = i == m->field_count - 1; + int g; + + for (g = 0; g < f->groups; g++) { +@@ -1589,7 +1590,7 @@ static void pipapo_drop(struct nft_pipapo_match *m, + } + + pipapo_unmap(f->mt, f->rules, rulemap[i].to, rulemap[i].n, +- rulemap[i + 1].n, i == m->field_count - 1); ++ last ? 0 : rulemap[i + 1].n, last); + if (pipapo_resize(f, f->rules, f->rules - rulemap[i].n)) { + /* We can ignore this, a failure to shrink tables down + * doesn't make tables invalid. +-- +2.51.0 + diff --git a/queue-6.6/netfilter-x_tables-guard-option-walkers-against-1-by.patch b/queue-6.6/netfilter-x_tables-guard-option-walkers-against-1-by.patch new file mode 100644 index 0000000000..bb34a306b6 --- /dev/null +++ b/queue-6.6/netfilter-x_tables-guard-option-walkers-against-1-by.patch @@ -0,0 +1,62 @@ +From a1a6497e2863af036ecdc15d496379cd955fd696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 20:26:21 +0200 +Subject: netfilter: x_tables: guard option walkers against 1-byte tail reads + +From: David Dull + +[ Upstream commit cfe770220ac2dbd3e104c6b45094037455da81d4 ] + +When the last byte of options is a non-single-byte option kind, walkers +that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end +of the option area. + +Add an explicit i == optlen - 1 check before dereferencing op[i + 1] +in xt_tcpudp and xt_dccp option walkers. + +Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables") +Signed-off-by: David Dull +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_dccp.c | 4 ++-- + net/netfilter/xt_tcpudp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c +index e5a13ecbe67a0..037ab93e25d0a 100644 +--- a/net/netfilter/xt_dccp.c ++++ b/net/netfilter/xt_dccp.c +@@ -62,10 +62,10 @@ dccp_find_option(u_int8_t option, + return true; + } + +- if (op[i] < 2) ++ if (op[i] < 2 || i == optlen - 1) + i++; + else +- i += op[i+1]?:1; ++ i += op[i + 1] ? : 1; + } + + spin_unlock_bh(&dccp_buflock); +diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c +index e8991130a3de0..f76cf18f1a244 100644 +--- a/net/netfilter/xt_tcpudp.c ++++ b/net/netfilter/xt_tcpudp.c +@@ -59,8 +59,10 @@ tcp_find_option(u_int8_t option, + + for (i = 0; i < optlen; ) { + if (op[i] == option) return !invert; +- if (op[i] < 2) i++; +- else i += op[i+1]?:1; ++ if (op[i] < 2 || i == optlen - 1) ++ i++; ++ else ++ i += op[i + 1] ? : 1; + } + + return invert; +-- +2.51.0 + diff --git a/queue-6.6/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch b/queue-6.6/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch new file mode 100644 index 0000000000..da448da2f9 --- /dev/null +++ b/queue-6.6/netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch @@ -0,0 +1,54 @@ +From 4d06f49c208f2a50057b6364c2ff29c1878ad1bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Mar 2026 03:41:46 -0700 +Subject: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels + +From: Yuan Tan + +[ Upstream commit 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf ] + +IDLETIMER revision 0 rules reuse existing timers by label and always call +mod_timer() on timer->timer. + +If the label was created first by revision 1 with XT_IDLETIMER_ALARM, +the object uses alarm timer semantics and timer->timer is never initialized. +Reusing that object from revision 0 causes mod_timer() on an uninitialized +timer_list, triggering debugobjects warnings and possible panic when +panic_on_warn=1. + +Fix this by rejecting revision 0 rule insertion when an existing timer with +the same label is of ALARM type. + +Fixes: 68983a354a65 ("netfilter: xtables: Add snapshot of hardidletimer target") +Co-developed-by: Yifan Wu +Signed-off-by: Yifan Wu +Co-developed-by: Juefei Pu +Signed-off-by: Juefei Pu +Signed-off-by: Yuan Tan +Signed-off-by: Xin Liu +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_IDLETIMER.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c +index 9869ef3c2ab37..92a8289b1cb35 100644 +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -320,6 +320,12 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par) + + info->timer = __idletimer_tg_find_by_label(info->label); + if (info->timer) { ++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) { ++ pr_debug("Adding/Replacing rule with same label and different timer type is not allowed\n"); ++ mutex_unlock(&list_mutex); ++ return -EINVAL; ++ } ++ + info->timer->refcnt++; + mod_timer(&info->timer->timer, + msecs_to_jiffies(info->timeout * 1000) + jiffies); +-- +2.51.0 + diff --git a/queue-6.6/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch b/queue-6.6/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch new file mode 100644 index 0000000000..fe87636bc5 --- /dev/null +++ b/queue-6.6/nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch @@ -0,0 +1,122 @@ +From b7d63a20ced68304555e8ba932051f02515b3eba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 14:46:36 -0500 +Subject: nvme-pci: Fix race bug in nvme_poll_irqdisable() + +From: Sungwoo Kim + +[ Upstream commit fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e ] + +In the following scenario, pdev can be disabled between (1) and (3) by +(2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will +return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). +This causes IRQ warning because it tries to enable INTx IRQ that has +never been disabled before. + +To fix this, save IRQ number into a local variable and ensure +disable_irq() and enable_irq() operate on the same IRQ number. Even if +pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and +enable_irq() on a stale IRQ number is still valid and safe, and the +depth accounting reamins balanced. + +task 1: +nvme_poll_irqdisable() + disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) + enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) + +task 2: +nvme_reset_work() + nvme_dev_disable() + pdev->msix_enable = 0; ...(2) + +crash log: + +------------[ cut here ]------------ +Unbalanced enable for IRQ 10 +WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 +Modules linked in: +CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: kblockd blk_mq_timeout_work +RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 +Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 +RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 +RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 +RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 +RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 +R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 +R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 +FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 +Call Trace: + + enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 + nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 + nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 + blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] + blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 + bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 + __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] + sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] + bt_for_each block/blk-mq-tag.c:324 [inline] + blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 + blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +irq event stamp: 74478 +hardirqs last enabled at (74477): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] +hardirqs last enabled at (74477): [] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 +hardirqs last disabled at (74478): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] +hardirqs last disabled at (74478): [] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 +softirqs last enabled at (74304): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last enabled at (74304): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last enabled at (74304): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +softirqs last disabled at (74287): [] __do_softirq kernel/softirq.c:656 [inline] +softirqs last disabled at (74287): [] invoke_softirq kernel/softirq.c:496 [inline] +softirqs last disabled at (74287): [] __irq_exit_rcu+0xdc/0x120 kernel/softirq.c:723 +---[ end trace 0000000000000000 ]--- + +Fixes: fa059b856a59 (nvme-pci: Simplify nvme_poll_irqdisable) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Reviewed-by: Christoph Hellwig +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 8dd1e71ee215e..03a2ca3edb9c3 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1103,14 +1103,16 @@ static irqreturn_t nvme_irq_check(int irq, void *data) + static void nvme_poll_irqdisable(struct nvme_queue *nvmeq) + { + struct pci_dev *pdev = to_pci_dev(nvmeq->dev->dev); ++ int irq; + + WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags)); + +- disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ irq = pci_irq_vector(pdev, nvmeq->cq_vector); ++ disable_irq(irq); + spin_lock(&nvmeq->cq_poll_lock); + nvme_poll_cq(nvmeq, NULL); + spin_unlock(&nvmeq->cq_poll_lock); +- enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)); ++ enable_irq(irq); + } + + static int nvme_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob) +-- +2.51.0 + diff --git a/queue-6.6/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch b/queue-6.6/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch new file mode 100644 index 0000000000..af9d4a5bbd --- /dev/null +++ b/queue-6.6/nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch @@ -0,0 +1,130 @@ +From 86225a37492a4b03d167f3e0ce6a99d46a414b7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Mar 2026 14:20:59 -0400 +Subject: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sungwoo Kim + +[ Upstream commit b4e78f1427c7d6859229ae9616df54e1fc05a516 ] + +dev->online_queues is a count incremented in nvme_init_queue. Thus, +valid indices are 0 through dev->online_queues − 1. + +This patch fixes the loop condition to ensure the index stays within the +valid range. Index 0 is excluded because it is the admin queue. + +KASAN splat: + +================================================================== +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] +BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 +Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 + +CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +Workqueue: nvme-reset-wq nvme_reset_work +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xce/0x5d0 mm/kasan/report.c:482 + kasan_report+0xdc/0x110 mm/kasan/report.c:595 + __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 + nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] + nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 + nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + + +Allocated by task 34 on cpu 1 at 4.241550s: + kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 + kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 + kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 + poison_kmalloc_redzone mm/kasan/common.c:398 [inline] + __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 + kasan_kmalloc include/linux/kasan.h:263 [inline] + __do_kmalloc_node mm/slub.c:5657 [inline] + __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 + kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] + nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] + nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 + local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 + pci_call_probe drivers/pci/pci-driver.c:392 [inline] + __pci_device_probe drivers/pci/pci-driver.c:417 [inline] + pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 + call_driver_probe drivers/base/dd.c:583 [inline] + really_probe+0x29b/0xb70 drivers/base/dd.c:661 + __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 + driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 + __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 + async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 + process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 + process_scheduled_works kernel/workqueue.c:3340 [inline] + worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 + kthread+0x41a/0x930 kernel/kthread.c:463 + ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 + +The buggy address belongs to the object at ffff88800592a000 + which belongs to the cache kmalloc-2k of size 2048 +The buggy address is located 244 bytes to the right of + allocated 1152-byte region [ffff88800592a000, ffff88800592a480) + +The buggy address belongs to the physical page: +page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 +head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) +page_type: f5(slab) +raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 +head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 +head: 000fffffc0000003 ffffea0000164a01 00000000ffffffff 00000000ffffffff +head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88800592a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88800592a480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88800592a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff88800592a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88800592a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +================================================================== + +Fixes: 0f0d2c876c96 (nvme: free sq/cq dbbuf pointers when dbbuf set fails) +Acked-by: Chao Shi +Acked-by: Weidong Zhu +Acked-by: Dave Tian +Signed-off-by: Sungwoo Kim +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 8ea38cd6ff30d..8dd1e71ee215e 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -339,7 +339,7 @@ static void nvme_dbbuf_set(struct nvme_dev *dev) + /* Free memory and continue on */ + nvme_dbbuf_dma_free(dev); + +- for (i = 1; i <= dev->online_queues; i++) ++ for (i = 1; i < dev->online_queues; i++) + nvme_dbbuf_free(&dev->queues[i]); + } + } +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch b/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch new file mode 100644 index 0000000000..1679b8d6bb --- /dev/null +++ b/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch @@ -0,0 +1,41 @@ +From df9fe6971dfc86d751dd8caf6c2dd98c0aefc55b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:16 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter recovery condition + +From: Alok Tiwari + +[ Upstream commit dc26ca99b835e21e76a58b1463b84adb0ca34f58 ] + +The NIX RAS health reporter recovery routine checks nix_af_rvu_int to +decide whether to re-enable NIX_AF_RAS interrupts. This is the RVU +interrupt status field and is unrelated to RAS events, so the recovery +flow may incorrectly skip re-enabling NIX_AF_RAS interrupts. + +Check nix_af_rvu_ras instead before writing NIX_AF_RAS_ENA_W1S. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 774d8b034725d..3f86e0c3fa7a8 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -579,7 +579,7 @@ static int rvu_hw_nix_ras_recover(struct devlink_health_reporter *reporter, + if (blkaddr < 0) + return blkaddr; + +- if (nix_event_ctx->nix_af_rvu_int) ++ if (nix_event_ctx->nix_af_rvu_ras) + rvu_write64(rvu, blkaddr, NIX_AF_RAS_ENA_W1S, ~0ULL); + + return 0; +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch b/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch new file mode 100644 index 0000000000..1001371740 --- /dev/null +++ b/queue-6.6/octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch @@ -0,0 +1,45 @@ +From ed3380de77127c418a8005eda80fb7c369ef3486 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 11:48:17 -0700 +Subject: octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt + status + +From: Alok Tiwari + +[ Upstream commit 87f7dff3ec75b91def0024ebaaf732457f47a63b ] + +The NIX RAS health report path uses nix_af_rvu_err when handling the +NIX_AF_RVU_RAS case, so the report prints the ERR interrupt status rather +than the RAS interrupt status. + +Use nix_af_rvu_ras for the NIX_AF_RVU_RAS report. + +Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20260310184824.1183651-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index e8c920c7b8d18..f524ecb4645a9 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -327,10 +327,10 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: +- intr_val = nix_event_context->nix_af_rvu_err; ++ intr_val = nix_event_context->nix_af_rvu_ras; + rvu_report_pair_start(fmsg, "NIX_AF_RAS"); + devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); ++ nix_event_context->nix_af_rvu_ras); + devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); + if (intr_val & BIT_ULL(34)) + devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch b/queue-6.6/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch new file mode 100644 index 0000000000..531560375c --- /dev/null +++ b/queue-6.6/octeontx2-af-devlink-health-use-retained-error-fmsg-.patch @@ -0,0 +1,550 @@ +From 214c77bd9fecdc89bb63048842492c73225048aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Oct 2023 22:26:42 +0200 +Subject: octeontx2-af: devlink health: use retained error fmsg API + +From: Przemek Kitszel + +[ Upstream commit d8cf03fca3411de8a493dae5e9fcf815a4f0977e ] + +Drop unneeded error checking. + +devlink_fmsg_*() family of functions is now retaining errors, +so there is no need to check for them after each call. + +Reviewed-by: Jesse Brandeburg +Reviewed-by: Jiri Pirko +Signed-off-by: Przemek Kitszel +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 87f7dff3ec75 ("octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status") +Signed-off-by: Sasha Levin +--- + .../marvell/octeontx2/af/rvu_devlink.c | 464 +++++------------- + 1 file changed, 133 insertions(+), 331 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +index 3f86e0c3fa7a8..e8c920c7b8d18 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c +@@ -14,26 +14,16 @@ + + #define DRV_NAME "octeontx2-af" + +-static int rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) ++static void rvu_report_pair_start(struct devlink_fmsg *fmsg, const char *name) + { +- int err; +- +- err = devlink_fmsg_pair_nest_start(fmsg, name); +- if (err) +- return err; +- +- return devlink_fmsg_obj_nest_start(fmsg); ++ devlink_fmsg_pair_nest_start(fmsg, name); ++ devlink_fmsg_obj_nest_start(fmsg); + } + +-static int rvu_report_pair_end(struct devlink_fmsg *fmsg) ++static void rvu_report_pair_end(struct devlink_fmsg *fmsg) + { +- int err; +- +- err = devlink_fmsg_obj_nest_end(fmsg); +- if (err) +- return err; +- +- return devlink_fmsg_pair_nest_end(fmsg); ++ devlink_fmsg_obj_nest_end(fmsg); ++ devlink_fmsg_pair_nest_end(fmsg); + } + + static bool rvu_common_request_irq(struct rvu *rvu, int offset, +@@ -284,175 +274,81 @@ static int rvu_nix_report_show(struct devlink_fmsg *fmsg, void *ctx, + { + struct rvu_nix_event_ctx *nix_event_context; + u64 intr_val; +- int err; + + nix_event_context = ctx; + switch (health_reporter) { + case NIX_AF_RVU_INTR: + intr_val = nix_event_context->nix_af_rvu_int; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", +- nix_event_context->nix_af_rvu_int); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RVU Interrupt Reg ", ++ nix_event_context->nix_af_rvu_int); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_GEN: + intr_val = nix_event_context->nix_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", +- nix_event_context->nix_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX General Interrupt Reg ", ++ nix_event_context->nix_af_rvu_gen); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast pkt drop"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx mirror pkt drop"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tSMQ flush done"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_ERR: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- if (intr_val & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(6)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(5)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX Error Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ if (intr_val & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_INST_S read"); ++ if (intr_val & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_AQ_RES_S write"); ++ if (intr_val & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ if (intr_val & BIT_ULL(6)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx on unmapped PF_FUNC"); ++ if (intr_val & BIT_ULL(5)) ++ devlink_fmsg_string_put(fmsg, "\n\tRx multicast replication error"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NIX_RX_MCE_S read"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast WQE read"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror WQE read"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on mirror pkt write"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on multicast pkt write"); ++ rvu_report_pair_end(fmsg); + break; + case NIX_AF_RVU_RAS: + intr_val = nix_event_context->nix_af_rvu_err; +- err = rvu_report_pair_start(fmsg, "NIX_AF_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", +- nix_event_context->nix_af_rvu_err); +- if (err) +- return err; +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); +- if (err) +- return err; +- if (intr_val & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(4)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(3)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); +- +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(2)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(1)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); +- if (err) +- return err; +- } +- if (intr_val & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NIX_AF_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNIX RAS Interrupt Reg ", ++ nix_event_context->nix_af_rvu_err); ++ devlink_fmsg_string_put(fmsg, "\n\tPoison Data on:"); ++ if (intr_val & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_INST_S"); ++ if (intr_val & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_AQ_RES_S"); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tHW ctx"); ++ if (intr_val & BIT_ULL(4)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from mirror buffer"); ++ if (intr_val & BIT_ULL(3)) ++ devlink_fmsg_string_put(fmsg, "\n\tPacket from multicast buffer"); ++ if (intr_val & BIT_ULL(2)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from mirror buffer"); ++ if (intr_val & BIT_ULL(1)) ++ devlink_fmsg_string_put(fmsg, "\n\tWQE read from multicast buffer"); ++ if (intr_val & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX_RX_MCE_S read"); ++ rvu_report_pair_end(fmsg); + break; + default: + return -EINVAL; +@@ -919,181 +815,87 @@ static int rvu_npa_report_show(struct devlink_fmsg *fmsg, void *ctx, + struct rvu_npa_event_ctx *npa_event_context; + unsigned int alloc_dis, free_dis; + u64 intr_val; +- int err; + + npa_event_context = ctx; + switch (health_reporter) { + case NPA_AF_RVU_GEN: + intr_val = npa_event_context->npa_af_rvu_gen; +- err = rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", +- npa_event_context->npa_af_rvu_gen); +- if (err) +- return err; +- if (intr_val & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); +- if (err) +- return err; +- } ++ rvu_report_pair_start(fmsg, "NPA_AF_GENERAL"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA General Interrupt Reg ", ++ npa_event_context->npa_af_rvu_gen); ++ if (intr_val & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap PF Error"); + + free_dis = FIELD_GET(GENMASK(15, 0), intr_val); +- if (free_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); +- if (err) +- return err; +- } +- if (free_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); +- if (err) +- return err; +- } ++ if (free_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: free disabled RX"); ++ if (free_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:free disabled TX"); ++ if (free_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for SSO"); ++ if (free_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for TIM"); ++ if (free_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for DPI"); ++ if (free_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tFree Disabled for AURA"); + + alloc_dis = FIELD_GET(GENMASK(31, 16), intr_val); +- if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_SSO)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_TIM)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_DPI)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); +- if (err) +- return err; +- } +- if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX0_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX0:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_RX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1: alloc disabled RX"); ++ if (alloc_dis & BIT(NPA_INPQ_NIX1_TX)) ++ devlink_fmsg_string_put(fmsg, "\n\tNIX1:alloc disabled TX"); ++ if (alloc_dis & BIT(NPA_INPQ_SSO)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for SSO"); ++ if (alloc_dis & BIT(NPA_INPQ_TIM)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for TIM"); ++ if (alloc_dis & BIT(NPA_INPQ_DPI)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for DPI"); ++ if (alloc_dis & BIT(NPA_INPQ_AURA_OP)) ++ devlink_fmsg_string_put(fmsg, "\n\tAlloc Disabled for AURA"); ++ ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_ERR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_ERR"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", +- npa_event_context->npa_af_rvu_err); +- if (err) +- return err; +- +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_ERR"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA Error Interrupt Reg ", ++ npa_event_context->npa_af_rvu_err); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(14)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_INST_S read"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(13)) ++ devlink_fmsg_string_put(fmsg, "\n\tFault on NPA_AQ_RES_S write"); ++ if (npa_event_context->npa_af_rvu_err & BIT_ULL(12)) ++ devlink_fmsg_string_put(fmsg, "\n\tAQ Doorbell Error"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_RAS: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", +- npa_event_context->npa_af_rvu_ras); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); +- if (err) +- return err; +- } +- if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); +- if (err) +- return err; +- } +- err = rvu_report_pair_end(fmsg); +- if (err) +- return err; ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU_RAS"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RAS Interrupt Reg ", ++ npa_event_context->npa_af_rvu_ras); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(34)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_INST_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(33)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on NPA_AQ_RES_S"); ++ if (npa_event_context->npa_af_rvu_ras & BIT_ULL(32)) ++ devlink_fmsg_string_put(fmsg, "\n\tPoison data on HW context"); ++ rvu_report_pair_end(fmsg); + break; + case NPA_AF_RVU_INTR: +- err = rvu_report_pair_start(fmsg, "NPA_AF_RVU"); +- if (err) +- return err; +- err = devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", +- npa_event_context->npa_af_rvu_int); +- if (err) +- return err; +- if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) { +- err = devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); +- if (err) +- return err; +- } +- return rvu_report_pair_end(fmsg); ++ rvu_report_pair_start(fmsg, "NPA_AF_RVU"); ++ devlink_fmsg_u64_pair_put(fmsg, "\tNPA RVU Interrupt Reg ", ++ npa_event_context->npa_af_rvu_int); ++ if (npa_event_context->npa_af_rvu_int & BIT_ULL(0)) ++ devlink_fmsg_string_put(fmsg, "\n\tUnmap Slot Error"); ++ rvu_report_pair_end(fmsg); ++ break; + default: + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.6/regulator-pca9450-correct-interrupt-type.patch b/queue-6.6/regulator-pca9450-correct-interrupt-type.patch new file mode 100644 index 0000000000..13d588a2bc --- /dev/null +++ b/queue-6.6/regulator-pca9450-correct-interrupt-type.patch @@ -0,0 +1,44 @@ +From 3e84ee5eb4651a0bc629ece1c16fb4b6b7e8e73e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Mar 2026 12:25:52 +0800 +Subject: regulator: pca9450: Correct interrupt type + +From: Peng Fan + +[ Upstream commit 5d0efaf47ee90ac60efae790acee3a3ed99ebf80 ] + +Kernel warning on i.MX8MP-EVK when doing module test: +irq: type mismatch, failed to map hwirq-3 for gpio@30200000! + +Per PCA945[X] specification: The IRQ_B pin is pulled low when any unmasked +interrupt bit status is changed and it is released high once application +processor read INT1 register. + +So the interrupt should be configured as IRQF_TRIGGER_LOW, not +IRQF_TRIGGER_FALLING. + +Fixes: 0935ff5f1f0a4 ("regulator: pca9450: add pca9450 pmic driver") +Signed-off-by: Peng Fan +Link: https://patch.msgid.link/20260310-pca9450-irq-v1-1-36adf52c2c55@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index b8f7b13b0cb08..8f09f7f15a119 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -780,7 +780,7 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + if (pca9450->irq) { + ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, + pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ (IRQF_TRIGGER_LOW | IRQF_ONESHOT), + "pca9450-irq", pca9450); + if (ret != 0) { + dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +-- +2.51.0 + diff --git a/queue-6.6/regulator-pca9450-make-irq-optional.patch b/queue-6.6/regulator-pca9450-make-irq-optional.patch new file mode 100644 index 0000000000..88da40e6c0 --- /dev/null +++ b/queue-6.6/regulator-pca9450-make-irq-optional.patch @@ -0,0 +1,83 @@ +From 46d9d9b46102b683c87a024fcc747f59e20b60b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jul 2024 10:40:34 +0200 +Subject: regulator: pca9450: Make IRQ optional + +From: Frieder Schrempf + +[ Upstream commit 83808c54064eef620ad8645dfdcaffe125551532 ] + +The IRQ line might not be connected on some boards. Allow the driver +to be probed without it. + +Signed-off-by: Frieder Schrempf +Link: https://patch.msgid.link/20240708084107.38986-5-frieder@fris.de +Signed-off-by: Mark Brown +Stable-dep-of: 5d0efaf47ee9 ("regulator: pca9450: Correct interrupt type") +Signed-off-by: Sasha Levin +--- + drivers/regulator/pca9450-regulator.c | 41 +++++++++++++-------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/drivers/regulator/pca9450-regulator.c b/drivers/regulator/pca9450-regulator.c +index 2ab365d2749f9..b8f7b13b0cb08 100644 +--- a/drivers/regulator/pca9450-regulator.c ++++ b/drivers/regulator/pca9450-regulator.c +@@ -711,11 +711,6 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + unsigned int reset_ctrl; + int ret; + +- if (!i2c->irq) { +- dev_err(&i2c->dev, "No IRQ configured?\n"); +- return -EINVAL; +- } +- + pca9450 = devm_kzalloc(&i2c->dev, sizeof(struct pca9450), GFP_KERNEL); + if (!pca9450) + return -ENOMEM; +@@ -782,23 +777,25 @@ static int pca9450_i2c_probe(struct i2c_client *i2c) + } + } + +- ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, +- pca9450_irq_handler, +- (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), +- "pca9450-irq", pca9450); +- if (ret != 0) { +- dev_err(pca9450->dev, "Failed to request IRQ: %d\n", +- pca9450->irq); +- return ret; +- } +- /* Unmask all interrupt except PWRON/WDOG/RSVD */ +- ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, +- IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | +- IRQ_THERM_105 | IRQ_THERM_125, +- IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); +- if (ret) { +- dev_err(&i2c->dev, "Unmask irq error\n"); +- return ret; ++ if (pca9450->irq) { ++ ret = devm_request_threaded_irq(pca9450->dev, pca9450->irq, NULL, ++ pca9450_irq_handler, ++ (IRQF_TRIGGER_FALLING | IRQF_ONESHOT), ++ "pca9450-irq", pca9450); ++ if (ret != 0) { ++ dev_err(pca9450->dev, "Failed to request IRQ: %d\n", ++ pca9450->irq); ++ return ret; ++ } ++ /* Unmask all interrupt except PWRON/WDOG/RSVD */ ++ ret = regmap_update_bits(pca9450->regmap, PCA9450_REG_INT1_MSK, ++ IRQ_VR_FLT1 | IRQ_VR_FLT2 | IRQ_LOWVSYS | ++ IRQ_THERM_105 | IRQ_THERM_125, ++ IRQ_PWRON | IRQ_WDOGB | IRQ_RSVD); ++ if (ret) { ++ dev_err(&i2c->dev, "Unmask irq error\n"); ++ return ret; ++ } + } + + /* Clear PRESET_EN bit in BUCK123_DVS to use DVS registers */ +-- +2.51.0 + diff --git a/queue-6.6/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch b/queue-6.6/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch new file mode 100644 index 0000000000..253be56d74 --- /dev/null +++ b/queue-6.6/revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch @@ -0,0 +1,32 @@ +From 75b9a9d827e4ddbca190f6e0547fd14535def2c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Mar 2026 03:16:50 -0400 +Subject: Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as + boot-on" + +This reverts commit dc62cf0814fa62177bb4ba944c72d9f122568cdc. + +The backport applied regulator-boot-on to vreg_l12a_1p8 (ldo12) instead +of vreg_l14a_1p88 (ldo14) due to identical surrounding context lines. + +Reported-by: Marco Mattiolo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +index e028b58a30f31..c50d335e0761f 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi +@@ -245,7 +245,6 @@ vreg_l12a_1p8: ldo12 { + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-boot-on; + }; + + vreg_l14a_1p88: ldo14 { +-- +2.51.0 + diff --git a/queue-6.6/sched-idle-make-skipping-governor-callbacks-more-con.patch b/queue-6.6/sched-idle-make-skipping-governor-callbacks-more-con.patch new file mode 100644 index 0000000000..eeb5c2d881 --- /dev/null +++ b/queue-6.6/sched-idle-make-skipping-governor-callbacks-more-con.patch @@ -0,0 +1,79 @@ +From 30d8a7503afe60d91218ec63f0c3448275b50558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Mar 2026 17:12:05 +0100 +Subject: sched: idle: Make skipping governor callbacks more consistent + +From: Rafael J. Wysocki + +[ Upstream commit d557640e4ce589a24dca5ca7ce3b9680f471325f ] + +If the cpuidle governor .select() callback is skipped because there +is only one idle state in the cpuidle driver, the .reflect() callback +should be skipped as well, at least for consistency (if not for +correctness), so do it. + +Fixes: e5c9ffc6ae1b ("cpuidle: Skip governor when only one idle state is available") +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Christian Loehle +Reviewed-by: Aboorva Devarajan +Reviewed-by: Frederic Weisbecker +Link: https://patch.msgid.link/12857700.O9o76ZdvQC@rafael.j.wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle.c | 10 ---------- + kernel/sched/idle.c | 11 ++++++++++- + 2 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/drivers/cpuidle/cpuidle.c b/drivers/cpuidle/cpuidle.c +index aa117f2967fdf..6704d610573ad 100644 +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -356,16 +356,6 @@ noinstr int cpuidle_enter_state(struct cpuidle_device *dev, + int cpuidle_select(struct cpuidle_driver *drv, struct cpuidle_device *dev, + bool *stop_tick) + { +- /* +- * If there is only a single idle state (or none), there is nothing +- * meaningful for the governor to choose. Skip the governor and +- * always use state 0 with the tick running. +- */ +- if (drv->state_count <= 1) { +- *stop_tick = false; +- return 0; +- } +- + return cpuidle_curr_governor->select(drv, dev, stop_tick); + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 565f8374ddbbf..2ba2f21a1c0f2 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -199,7 +199,7 @@ static void cpuidle_idle_call(void) + + next_state = cpuidle_find_deepest_state(drv, dev, max_latency_ns); + call_cpuidle(drv, dev, next_state); +- } else { ++ } else if (drv->state_count > 1) { + bool stop_tick = true; + + /* +@@ -217,6 +217,15 @@ static void cpuidle_idle_call(void) + * Give the governor an opportunity to reflect on the outcome + */ + cpuidle_reflect(dev, entered_state); ++ } else { ++ tick_nohz_idle_retain_tick(); ++ ++ /* ++ * If there is only a single idle state (or none), there is ++ * nothing meaningful for the governor to choose. Skip the ++ * governor and always use state 0. ++ */ ++ call_cpuidle(drv, dev, 0); + } + + exit_idle: +-- +2.51.0 + diff --git a/queue-6.6/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch b/queue-6.6/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch new file mode 100644 index 0000000000..3350703b31 --- /dev/null +++ b/queue-6.6/serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch @@ -0,0 +1,63 @@ +From a93faae0334fd009acba687a8396aff342956323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Mar 2026 22:40:06 -0500 +Subject: serial: caif: hold tty->link reference in ldisc_open and ser_release + +From: Shuangpeng Bai + +[ Upstream commit 288598d80a068a0e9281de35bcb4ce495f189e2a ] + +A reproducer triggers a KASAN slab-use-after-free in pty_write_room() +when caif_serial's TX path calls tty_write_room(). The faulting access +is on tty->link->port. + +Hold an extra kref on tty->link for the lifetime of the caif_serial line +discipline: get it in ldisc_open() and drop it in ser_release(), and +also drop it on the ldisc_open() error path. + +With this change applied, the reproducer no longer triggers the UAF in +my testing. + +Link: https://gist.github.com/shuangpengbai/c898debad6bdf170a84be7e6b3d8707f +Link: https://lore.kernel.org/netdev/20260301220525.1546355-1-shuangpeng.kernel@gmail.com +Fixes: e31d5a05948e ("caif: tty's are kref objects so take a reference") +Signed-off-by: Shuangpeng Bai +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260306034006.3395740-1-shuangpeng.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/caif/caif_serial.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c +index 699ed0ff461e8..6799dbf80f484 100644 +--- a/drivers/net/caif/caif_serial.c ++++ b/drivers/net/caif/caif_serial.c +@@ -311,6 +311,7 @@ static void ser_release(struct work_struct *work) + dev_close(ser->dev); + unregister_netdevice(ser->dev); + debugfs_deinit(ser); ++ tty_kref_put(tty->link); + tty_kref_put(tty); + } + rtnl_unlock(); +@@ -345,6 +346,7 @@ static int ldisc_open(struct tty_struct *tty) + + ser = netdev_priv(dev); + ser->tty = tty_kref_get(tty); ++ tty_kref_get(tty->link); + ser->dev = dev; + debugfs_init(ser, tty); + tty->receive_room = N_TTY_BUF_SIZE; +@@ -353,6 +355,7 @@ static int ldisc_open(struct tty_struct *tty) + rtnl_lock(); + result = register_netdevice(dev); + if (result) { ++ tty_kref_put(tty->link); + tty_kref_put(tty); + rtnl_unlock(); + free_netdev(dev); +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index c32dd73135..6641d2b54c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -213,3 +213,48 @@ remoteproc-sysmon-correct-subsys_name_len-type-in-qm.patch remoteproc-mediatek-unprepare-scp-clock-during-syste.patch powerpc-83xx-km83xx-fix-keymile-vendor-prefix.patch smb-server-fix-another-refcount-leak-in-smb2_open.patch +xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch +net-dsa-realtek-rtl8365mb-remove-ifoutdiscards-from-.patch +drm-msm-dsi-document-dsc-related-pclk_rate-and-hdisp.patch +drm-msm-dsi-fix-pclk-rate-calculation-for-bonded-dsi.patch +bonding-handle-bond_link_fail-bond_link_back-as-vali.patch +net-mlx5-ifc-updates-for-disabled-host-pf.patch +net-mlx5-query-to-see-if-host-pf-is-disabled.patch +net-mlx5-fix-deadlock-between-devlink-lock-and-esw-w.patch +net-mlx5e-fix-dma-fifo-desync-on-error-cqe-sq-recove.patch +net-sched-teql-fix-null-pointer-dereference-in-iptun.patch +asoc-soc-core-drop-delayed_work_pending-check-before.patch +asoc-soc-core-flush-delayed-work-before-removing-dai.patch +asoc-simple-card-utils-use-__free-device_node-for-de.patch +asoc-simple-card-utils-fix-graph_util_is_ports0-for-.patch +net-sfp-re-implement-ignoring-the-hardware-tx_fault-.patch +net-sfp-improve-nokia-gpon-sfp-fixup.patch +net-sfp-add-quirk-for-potron-sfp-xgspon-onu-stick.patch +net-sfp-improve-huawei-ma5671a-fixup.patch +serial-caif-hold-tty-link-reference-in-ldisc_open-an.patch +mctp-i2c-fix-skb-memory-leak-in-receive-path.patch +can-hi311x-hi3110_open-add-check-for-hi3110_power_en.patch +mctp-route-hold-key-lock-in-mctp_flow_prepare_output.patch +amd-xgbe-fix-link-status-handling-in-xgbe_rx_adaptat.patch +amd-xgbe-prevent-crc-errors-during-rx-adaptation-wit.patch +netfilter-nft_set_pipapo-fix-stack-out-of-bounds-rea.patch +netfilter-x_tables-guard-option-walkers-against-1-by.patch +netfilter-nfnetlink_queue-fix-entry-leak-in-bridge-v.patch +netfilter-nfnetlink_cthelper-fix-oob-read-in-nfnl_ct.patch +netfilter-xt_idletimer-reject-rev0-reuse-of-alarm-ti.patch +regulator-pca9450-make-irq-optional.patch +regulator-pca9450-correct-interrupt-type.patch +sched-idle-make-skipping-governor-callbacks-more-con.patch +nvme-pci-fix-slab-out-of-bounds-in-nvme_dbbuf_set.patch +nvme-pci-fix-race-bug-in-nvme_poll_irqdisable.patch +i40e-fix-src-ip-mask-checks-and-memcpy-argument-name.patch +e1000-e1000e-fix-leak-in-dma-error-cleanup.patch +acpi-osl-fix-__iomem-type-on-return-from-acpi_os_map.patch +asoc-amd-acp3x-rt5682-max9836-add-missing-error-chec.patch +asoc-detect-empty-dmi-strings.patch +net-bonding-fix-nd_tbl-null-dereference-when-ipv6-is.patch +octeontx2-af-devlink-fix-nix-ras-reporter-recovery-c.patch +octeontx2-af-devlink-health-use-retained-error-fmsg-.patch +octeontx2-af-devlink-fix-nix-ras-reporter-to-use-ras.patch +usb-gadget-f_mass_storage-fix-potential-integer-over.patch +revert-arm64-dts-qcom-sdm845-oneplus-mark-l14a-regul.patch diff --git a/queue-6.6/usb-gadget-f_mass_storage-fix-potential-integer-over.patch b/queue-6.6/usb-gadget-f_mass_storage-fix-potential-integer-over.patch new file mode 100644 index 0000000000..bd3e097488 --- /dev/null +++ b/queue-6.6/usb-gadget-f_mass_storage-fix-potential-integer-over.patch @@ -0,0 +1,72 @@ +From bbd681b82c654e592e4f25def0f0d136e8901682 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Feb 2026 05:43:25 -0500 +Subject: usb: gadget: f_mass_storage: Fix potential integer overflow in + check_command_size_in_blocks() + +From: Seungjin Bae + +[ Upstream commit 8479891d1f04a8ce55366fe4ca361ccdb96f02e1 ] + +The `check_command_size_in_blocks()` function calculates the data size +in bytes by left shifting `common->data_size_from_cmnd` by the block +size (`common->curlun->blkbits`). However, it does not validate whether +this shift operation will cause an integer overflow. + +Initially, the block size is set up in `fsg_lun_open()` , and the +`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During +initialization, there is no integer overflow check for the interaction +between two variables. + +So if a malicious USB host sends a SCSI READ or WRITE command +requesting a large amount of data (`common->data_size_from_cmnd`), the +left shift operation can wrap around. This results in a truncated data +size, which can bypass boundary checks and potentially lead to memory +corruption or out-of-bounds accesses. + +Fix this by using the check_shl_overflow() macro to safely perform the +shift and catch any overflows. + +Fixes: 144974e7f9e3 ("usb: gadget: mass_storage: support multi-luns with different logic block size") +Signed-off-by: Seungjin Bae +Reviewed-by: Alan Stern +Link: https://patch.msgid.link/20260228104324.1696455-2-eeodqql09@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_mass_storage.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c +index c265a1f62fc14..e01d57a5327c6 100644 +--- a/drivers/usb/gadget/function/f_mass_storage.c ++++ b/drivers/usb/gadget/function/f_mass_storage.c +@@ -180,6 +180,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1853,8 +1854,15 @@ static int check_command_size_in_blocks(struct fsg_common *common, + int cmnd_size, enum data_direction data_dir, + unsigned int mask, int needs_medium, const char *name) + { +- if (common->curlun) +- common->data_size_from_cmnd <<= common->curlun->blkbits; ++ if (common->curlun) { ++ if (check_shl_overflow(common->data_size_from_cmnd, ++ common->curlun->blkbits, ++ &common->data_size_from_cmnd)) { ++ common->phase_error = 1; ++ return -EINVAL; ++ } ++ } ++ + return check_command(common, cmnd_size, data_dir, + mask, needs_medium, name); + } +-- +2.51.0 + diff --git a/queue-6.6/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch b/queue-6.6/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch new file mode 100644 index 0000000000..1159f978a0 --- /dev/null +++ b/queue-6.6/xprtrdma-decrement-re_receiving-on-the-early-exit-pa.patch @@ -0,0 +1,90 @@ +From 43e2b242477cfcddabe4ff07b637b540a033be27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Feb 2026 10:28:55 -0800 +Subject: xprtrdma: Decrement re_receiving on the early exit paths + +From: Eric Badger + +[ Upstream commit 7b6275c80a0c81c5f8943272292dfe67730ce849 ] + +In the event that rpcrdma_post_recvs() fails to create a work request +(due to memory allocation failure, say) or otherwise exits early, we +should decrement ep->re_receiving before returning. Otherwise we will +hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and +the completion will never be triggered. + +On a system with high memory pressure, this can appear as the following +hung task: + + INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. + Tainted: G S E 6.19.0 #3 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 + Workqueue: xprtiod xprt_autoclose [sunrpc] + Call Trace: + + __schedule+0x48b/0x18b0 + ? ib_post_send_mad+0x247/0xae0 [ib_core] + schedule+0x27/0xf0 + schedule_timeout+0x104/0x110 + __wait_for_common+0x98/0x180 + ? __pfx_schedule_timeout+0x10/0x10 + wait_for_completion+0x24/0x40 + rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] + xprt_rdma_close+0x12/0x40 [rpcrdma] + xprt_autoclose+0x5f/0x120 [sunrpc] + process_one_work+0x191/0x3e0 + worker_thread+0x2e3/0x420 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x230 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x273/0x2b0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Fixes: 15788d1d1077 ("xprtrdma: Do not refresh Receive Queue while it is draining") +Signed-off-by: Eric Badger +Reviewed-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtrdma/verbs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c +index cb909329a5039..4132a505d742a 100644 +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1362,7 +1362,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + needed += RPCRDMA_MAX_RECV_BATCH; + + if (atomic_inc_return(&ep->re_receiving) > 1) +- goto out; ++ goto out_dec; + + /* fast path: all needed reps can be found on the free list */ + wr = NULL; +@@ -1389,7 +1389,7 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + ++count; + } + if (!wr) +- goto out; ++ goto out_dec; + + rc = ib_post_recv(ep->re_id->qp, wr, + (const struct ib_recv_wr **)&bad_wr); +@@ -1404,9 +1404,10 @@ void rpcrdma_post_recvs(struct rpcrdma_xprt *r_xprt, int needed, bool temp) + --count; + } + } ++ ++out_dec: + if (atomic_dec_return(&ep->re_receiving) > 0) + complete(&ep->re_done); +- + out: + trace_xprtrdma_post_recvs(r_xprt, count); + ep->re_receive_count += count; +-- +2.51.0 +