From: Sasha Levin Date: Sun, 4 Jan 2026 17:50:20 +0000 (-0500) Subject: Fixes for all trees X-Git-Tag: v6.12.64~48^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8444f1ad17e8257b90ee944229115f8919aaa0f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..5befb9bd1f --- /dev/null +++ b/queue-5.10/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From 8a8229002d012a9d54369454018e352379730756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index b1bcfe537daf..562ab102226a 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..7ddb0d9f9f --- /dev/null +++ b/queue-5.10/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From baab5f791c8b8cda8e97ceefda990a8a62d024c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch b/queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 0000000000..fab83cf9db --- /dev/null +++ b/queue-5.10/firewire-nosy-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,222 @@ +From d67958d90ce5b61290947e29a4916db180c39470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Jun 2021 15:27:43 +0200 +Subject: firewire: nosy: switch from 'pci_' to 'dma_' API + +From: Christophe JAILLET + +[ Upstream commit 01d12a6656f7fa239cddbd713656be83cdbdc9b3 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below and has been +hand modified to replace GFP_ with a correct flag. +It has been compile tested. + +When memory is allocated in 'add_card()', GFP_KERNEL can be used because +this flag is already used a few lines above and no lock is taken in the +between. + +While at it, also remove some useless casting. + +@@ @@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ @@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ @@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ @@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/e1d7fa558f31abf294659a9d4edcc1e4fc065fab.1623590706.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: c48c0fd0e196 ("firewire: nosy: Fix dma_free_coherent() size") +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 43 +++++++++++++++++++++++------------------ + 1 file changed, 24 insertions(+), 19 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index 42d9f25efc5c..ea31ac7ac1ca 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -513,12 +513,12 @@ remove_card(struct pci_dev *dev) + wake_up_interruptible(&client->buffer.wait); + spin_unlock_irq(&lynx->client_list_lock); + +- pci_free_consistent(lynx->pci_device, sizeof(struct pcl), +- lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); +- pci_free_consistent(lynx->pci_device, sizeof(struct pcl), +- lynx->rcv_pcl, lynx->rcv_pcl_bus); +- pci_free_consistent(lynx->pci_device, PAGE_SIZE, +- lynx->rcv_buffer, lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), ++ lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); ++ dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), ++ lynx->rcv_pcl, lynx->rcv_pcl_bus); ++ dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, ++ lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); +@@ -534,7 +534,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + u32 p, end; + int ret, i; + +- if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) { ++ if (dma_set_mask(&dev->dev, DMA_BIT_MASK(32))) { + dev_err(&dev->dev, + "DMA address limits not supported for PCILynx hardware\n"); + return -ENXIO; +@@ -566,12 +566,16 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + goto fail_deallocate_lynx; + } + +- lynx->rcv_start_pcl = pci_alloc_consistent(lynx->pci_device, +- sizeof(struct pcl), &lynx->rcv_start_pcl_bus); +- lynx->rcv_pcl = pci_alloc_consistent(lynx->pci_device, +- sizeof(struct pcl), &lynx->rcv_pcl_bus); +- lynx->rcv_buffer = pci_alloc_consistent(lynx->pci_device, +- RCV_BUFFER_SIZE, &lynx->rcv_buffer_bus); ++ lynx->rcv_start_pcl = dma_alloc_coherent(&lynx->pci_device->dev, ++ sizeof(struct pcl), ++ &lynx->rcv_start_pcl_bus, ++ GFP_KERNEL); ++ lynx->rcv_pcl = dma_alloc_coherent(&lynx->pci_device->dev, ++ sizeof(struct pcl), ++ &lynx->rcv_pcl_bus, GFP_KERNEL); ++ lynx->rcv_buffer = dma_alloc_coherent(&lynx->pci_device->dev, ++ RCV_BUFFER_SIZE, ++ &lynx->rcv_buffer_bus, GFP_KERNEL); + if (lynx->rcv_start_pcl == NULL || + lynx->rcv_pcl == NULL || + lynx->rcv_buffer == NULL) { +@@ -669,14 +673,15 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + + fail_deallocate_buffers: + if (lynx->rcv_start_pcl) +- pci_free_consistent(lynx->pci_device, sizeof(struct pcl), +- lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); ++ dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), ++ lynx->rcv_start_pcl, ++ lynx->rcv_start_pcl_bus); + if (lynx->rcv_pcl) +- pci_free_consistent(lynx->pci_device, sizeof(struct pcl), +- lynx->rcv_pcl, lynx->rcv_pcl_bus); ++ dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), ++ lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- pci_free_consistent(lynx->pci_device, PAGE_SIZE, +- lynx->rcv_buffer, lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + + fail_deallocate_lynx: +-- +2.51.0 + diff --git a/queue-5.10/genalloc.h-fix-htmldocs-warning.patch b/queue-5.10/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..d9a21aa40b --- /dev/null +++ b/queue-5.10/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From 4fe5fdcd8ed909ba152320ce7f130705e42b1d5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..80a0e4ebf6 --- /dev/null +++ b/queue-5.10/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From d46452342fb33b6665430a4fae9bc38e7f1d1700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index f11cb3176cab..f11d6166186f 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2101,6 +2101,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..8b3ab044ca --- /dev/null +++ b/queue-5.10/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 74028295b4c16c67921a4d93d95295a66d096991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 65259722a572..4ed93c7f81d2 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1262,11 +1262,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-5.10/ip6_gre-make-ip6gre_header-robust.patch b/queue-5.10/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..eda2c4d2bc --- /dev/null +++ b/queue-5.10/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From a67c61d8e2f6f79bbb5e7cc25a897661b3fec2af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 13ac0ccdc8d7..1a5b4b176e18 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1382,9 +1382,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..c58608b964 --- /dev/null +++ b/queue-5.10/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From f8ea0b1151f302d31305cca78bae2ded0984003f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 6c53381fa36f..671178ed41d0 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2005,10 +2005,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..fd586f0d88 --- /dev/null +++ b/queue-5.10/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From 7e7f2a9fbdbcf1bd724d8ca3b2bc18f758464367 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 59997e5d1343..c2e716601ed3 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..01a109cec2 --- /dev/null +++ b/queue-5.10/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From e9fb89f684856e41a881bc76ac9bca58eaecb3bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 259b43b435a9..19d77a8721fa 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -158,6 +158,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..a212f998be --- /dev/null +++ b/queue-5.10/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From ddae8dcc049192e9a48755cd75509a9827382298 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 416ed1ca1d52..b80e4216f98c 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1761,6 +1761,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..81ebab4352 --- /dev/null +++ b/queue-5.10/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From db60b0c77f6e75093ff88902d72235ffbce26536 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index f22be2f069e9..a929399a10d1 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -57,6 +57,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch b/queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch new file mode 100644 index 0000000000..88b76d6b43 --- /dev/null +++ b/queue-5.10/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch @@ -0,0 +1,138 @@ +From b4b4c2bc4bd118e1d009204d197272bb68c976e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 09:17:36 +0800 +Subject: net: mdio: aspeed: move reg accessing part into separate functions + +From: Potin Lai + +[ Upstream commit 737ca352569e744bf753b4522a6f91b120a734f1 ] + +Add aspeed_mdio_op() and aseed_mdio_get_data() for register accessing. + +aspeed_mdio_op() handles operations, write command to control register, +then check and wait operations is finished (bit 31 is cleared). + +aseed_mdio_get_data() fetchs the result value of operation from data +register. + +Signed-off-by: Potin Lai +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Stable-dep-of: d1a1a4bade4b ("net: mdio: aspeed: add dummy read to avoid read-after-write issue") +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 70 ++++++++++++++++++---------------- + 1 file changed, 38 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index e2273588c75b..f22be2f069e9 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -39,34 +39,35 @@ struct aspeed_mdio { + void __iomem *base; + }; + +-static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) ++static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, ++ u16 data) + { + struct aspeed_mdio *ctx = bus->priv; + u32 ctrl; +- u32 data; +- int rc; + +- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr, +- regnum); +- +- /* Just clause 22 for the moment */ +- if (regnum & MII_ADDR_C45) +- return -EOPNOTSUPP; ++ dev_dbg(&bus->dev, "%s: st: %u op: %u, phyad: %u, regad: %u, data: %u\n", ++ __func__, st, op, phyad, regad, data); + + ctrl = ASPEED_MDIO_CTRL_FIRE +- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22) +- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_READ) +- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr) +- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum); ++ | FIELD_PREP(ASPEED_MDIO_CTRL_ST, st) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_OP, op) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, phyad) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regad) ++ | FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data); + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + +- rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, ++ return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, + ASPEED_MDIO_TIMEOUT_US); +- if (rc < 0) +- return rc; ++} ++ ++static int aspeed_mdio_get_data(struct mii_bus *bus) ++{ ++ struct aspeed_mdio *ctx = bus->priv; ++ int rc; ++ u32 data; + + rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data, + data & ASPEED_MDIO_DATA_IDLE, +@@ -78,31 +79,36 @@ static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) + return FIELD_GET(ASPEED_MDIO_DATA_MIIRDATA, data); + } + +-static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val) ++static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) + { +- struct aspeed_mdio *ctx = bus->priv; +- u32 ctrl; ++ int rc; + +- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n", +- __func__, addr, regnum, val); ++ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr, ++ regnum); + + /* Just clause 22 for the moment */ + if (regnum & MII_ADDR_C45) + return -EOPNOTSUPP; + +- ctrl = ASPEED_MDIO_CTRL_FIRE +- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22) +- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_WRITE) +- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr) +- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum) +- | FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val); ++ rc = aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_READ, ++ addr, regnum, 0); ++ if (rc < 0) ++ return rc; + +- iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); ++ return aspeed_mdio_get_data(bus); ++} + +- return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, +- !(ctrl & ASPEED_MDIO_CTRL_FIRE), +- ASPEED_MDIO_INTERVAL_US, +- ASPEED_MDIO_TIMEOUT_US); ++static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val) ++{ ++ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n", ++ __func__, addr, regnum, val); ++ ++ /* Just clause 22 for the moment */ ++ if (regnum & MII_ADDR_C45) ++ return -EOPNOTSUPP; ++ ++ return aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_WRITE, ++ addr, regnum, val); + } + + static int aspeed_mdio_probe(struct platform_device *pdev) +-- +2.51.0 + diff --git a/queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..e03a84bd0c --- /dev/null +++ b/queue-5.10/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From d852d291240adb3343d079914f55a4c43ede5395 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 57d6436e6f6a..72cf13bbf3dd 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -155,10 +155,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..98c082714f --- /dev/null +++ b/queue-5.10/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From cf6b0dca63fa846cd008ef074ec34049762cf509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index f8cd085c4234..04173c85d92b 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -204,7 +204,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..9dc6a6ddc6 --- /dev/null +++ b/queue-5.10/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From 1cef05868650b749e976eaa08cb18cfc26d57aab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index eb4f3f8a1906..185b8c8b19ba 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..e7ecbbaf8e --- /dev/null +++ b/queue-5.10/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From 0caea13a5961bcc803f61e46103d7fda68d2a260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 9b6938dde267..6e547e177511 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -382,6 +382,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..c211c5a6e3 --- /dev/null +++ b/queue-5.10/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From a4396ee9238d7ca4c0297221940a6779e7aba0cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 5fc665f7d9b3..10cab7bdfe15 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..6a93b0e667 --- /dev/null +++ b/queue-5.10/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From 9d9e876914f213caf9c0bd864d0f55d1fc056058 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index dfb4af759aa7..fd6b3383ac4f 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1146,6 +1146,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..5cee1703cf --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From 2ddc1d50b8b202cdd7f192adfb7ad3b94c4854ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 64e88104165e..8547a8512541 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..0cc7c84358 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From 2f8d35eb4a4cd7c0bb1672a2967a3d95e6760293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 089d7de829a0..5d0c1241b948 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2647,14 +2647,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..5ab9c0768b --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From 6e756d9ce9634770bf4c420a0943da4a216d650d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 0d61a1563f48..f9b56744d674 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -775,7 +775,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..8e06e29625 --- /dev/null +++ b/queue-5.10/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From 624935066cb1e0caec9467dd086b2da8f0172a3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index be98b23488b4..64e88104165e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -242,7 +242,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -250,7 +250,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..f754d2415a --- /dev/null +++ b/queue-5.10/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From 83d1bc47688f08b85943c1e382ede2eb8f3c72d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 4fcabe5a84be..4a28f30c39f1 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-5.10/rdma-efa-remove-possible-negative-shift.patch b/queue-5.10/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..b3ccd3cd5d --- /dev/null +++ b/queue-5.10/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 12962d353c82d3ca9d18f31d44262f2b6a998b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 9cf051818725..d7fccffeeb58 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1145,13 +1145,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..1280d8cee0 --- /dev/null +++ b/queue-5.10/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From 4c5d1b0e9b01e242e77e9980a04418a263bfc328 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 4c5f750964..442959fe71 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -268,3 +268,30 @@ rpmsg-glink-fix-rpmsg-device-leak.patch i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch +i40e-fix-scheduling-in-set_rx_mode.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +net-mdio-aspeed-move-reg-accessing-part-into-separat.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-switch-from-pci_-to-dma_-api.patch +firewire-nosy-fix-dma_free_coherent-size.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..607e813fbe --- /dev/null +++ b/queue-5.10/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From 951243649dec1e4ff75a3123f8e0cde7c02ca11e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index c05a60f23677..03cc3da8c3c1 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -872,7 +872,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch new file mode 100644 index 0000000000..682936bcf9 --- /dev/null +++ b/queue-5.15/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch @@ -0,0 +1,89 @@ +From e2f061c621e7917438904d2105de2bd552a33445 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 11:02:28 -0500 +Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ] + +This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in +btusb.c file"). + +In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This +ties the lifetime of all the btusb data to the binding of a driver to +one interface, INTF. In a driver that binds to other interfaces, ISOC +and DIAG, this is an accident waiting to happen. + +The issue is revealed in btusb_disconnect(), where calling +usb_driver_release_interface(&btusb_driver, data->intf) will have devm +free the data that is also being used by the other interfaces of the +driver that may not be released yet. + +To fix this, revert the use of devm and go back to freeing memory +explicitly. + +Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 95483a8d7b1e..c447e2e9417b 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3788,7 +3788,7 @@ static int btusb_probe(struct usb_interface *intf, + return -ENODEV; + } + +- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -3811,8 +3811,10 @@ static int btusb_probe(struct usb_interface *intf, + } + } + +- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) ++ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) { ++ kfree(data); + return -ENODEV; ++ } + + if (id->driver_info & BTUSB_AMP) { + data->cmdreq_type = USB_TYPE_CLASS | 0x01; +@@ -3855,8 +3857,10 @@ static int btusb_probe(struct usb_interface *intf, + data->recv_acl = hci_recv_frame; + + hdev = hci_alloc_dev_priv(priv_size); +- if (!hdev) ++ if (!hdev) { ++ kfree(data); + return -ENOMEM; ++ } + + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); +@@ -4104,6 +4108,7 @@ static int btusb_probe(struct usb_interface *intf, + if (data->reset_gpio) + gpiod_put(data->reset_gpio); + hci_free_dev(hdev); ++ kfree(data); + return err; + } + +@@ -4149,6 +4154,7 @@ static void btusb_disconnect(struct usb_interface *intf) + } + + hci_free_dev(hdev); ++ kfree(data); + } + + #ifdef CONFIG_PM +-- +2.51.0 + diff --git a/queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..9a733c0eee --- /dev/null +++ b/queue-5.15/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From ec3773f4515eae2e85f828468299e4cadd3f6fc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index b1bcfe537daf..562ab102226a 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..075d41b2ef --- /dev/null +++ b/queue-5.15/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From cba3cb789d9e02e9cd6d46905d54a2845bf758fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-5.15/genalloc.h-fix-htmldocs-warning.patch b/queue-5.15/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..4b640546c8 --- /dev/null +++ b/queue-5.15/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From 3f48a063e74e7c7d5551c7cf76f519b2eb6da96e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..1c23549d9f --- /dev/null +++ b/queue-5.15/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From 2247c2ba02e48f01f6b913082362daee474d05c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 4c50e18707c7..8f9cbbfec63e 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2216,6 +2216,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch b/queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch new file mode 100644 index 0000000000..d7c7457ed3 --- /dev/null +++ b/queue-5.15/i40e-refactor-argument-of-i40e_detect_recover_hung.patch @@ -0,0 +1,81 @@ +From 1ca5d84cebe4f1a5df0f83e3077287588854425d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 09:26:04 +0200 +Subject: i40e: Refactor argument of i40e_detect_recover_hung() + +From: Ivan Vecera + +[ Upstream commit 7033ada04e33048c8b33294fecbb0d73f3cd1088 ] + +Commit 07d44190a389 ("i40e/i40evf: Detect and recover hung queue +scenario") changes i40e_detect_recover_hung() argument type from +i40e_pf* to i40e_vsi* to be shareable by both i40e and i40evf. +Because the i40evf does not exist anymore and the function is +exclusively used by i40e we can revert this change. + +Reviewed-by: Michal Schmidt +Tested-by: Pucha Himasekhar Reddy +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 ++++++---- + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 9671058cda40..b2e185357ab2 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11275,7 +11275,7 @@ static void i40e_service_task(struct work_struct *work) + return; + + if (!test_bit(__I40E_RECOVERY_MODE, pf->state)) { +- i40e_detect_recover_hung(pf->vsi[pf->lan_vsi]); ++ i40e_detect_recover_hung(pf); + i40e_sync_filters_subtask(pf); + i40e_reset_subtask(pf); + i40e_handle_mdd_event(pf); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index b94d67729283..dabeeffd06fc 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -867,13 +867,15 @@ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw) + + /** + * i40e_detect_recover_hung - Function to detect and recover hung_queues +- * @vsi: pointer to vsi struct with tx queues ++ * @pf: pointer to PF struct + * +- * VSI has netdev and netdev has TX queues. This function is to check each of +- * those TX queues if they are hung, trigger recovery by issuing SW interrupt. ++ * LAN VSI has netdev and netdev has TX queues. This function is to check ++ * each of those TX queues if they are hung, trigger recovery by issuing ++ * SW interrupt. + **/ +-void i40e_detect_recover_hung(struct i40e_vsi *vsi) ++void i40e_detect_recover_hung(struct i40e_pf *pf) + { ++ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; + struct i40e_ring *tx_ring = NULL; + struct net_device *netdev; + unsigned int i; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index 054b7d1632e1..2ea4138099be 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -462,7 +462,7 @@ void i40e_free_rx_resources(struct i40e_ring *rx_ring); + int i40e_napi_poll(struct napi_struct *napi, int budget); + void i40e_force_wb(struct i40e_vsi *vsi, struct i40e_q_vector *q_vector); + u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw); +-void i40e_detect_recover_hung(struct i40e_vsi *vsi); ++void i40e_detect_recover_hung(struct i40e_pf *pf); + int __i40e_maybe_stop_tx(struct i40e_ring *tx_ring, int size); + bool __i40e_chk_linearize(struct sk_buff *skb); + int i40e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, +-- +2.51.0 + diff --git a/queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch b/queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch new file mode 100644 index 0000000000..aeb6a45b40 --- /dev/null +++ b/queue-5.15/i40e-refactor-argument-of-several-client-notificatio.patch @@ -0,0 +1,158 @@ +From 06c9de36253d438fb4d7a07bef8bd8ebb34cb151 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 09:26:03 +0200 +Subject: i40e: Refactor argument of several client notification functions + +From: Ivan Vecera + +[ Upstream commit 54c4664e48eea52f2b296c73ddb8f5629b958678 ] + +Commit 0ef2d5afb12d ("i40e: KISS the client interface") simplified +the client interface so in practice it supports only one client +per i40e netdev. But we have still 2 notification functions that +uses as parameter a pointer to VSI of netdevice associated with +the client. After the mentioned commit only possible and used +VSI is the main (LAN) VSI. +So refactor these functions so they are called with PF pointer argument +and the associated VSI (LAN) is taken inside them. + +Reviewed-by: Michal Schmidt +Tested-by: Pucha Himasekhar Reddy +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +++++++++---------- + drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +++++------ + 3 files changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index e031906f23a4..bbd95b3d7326 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1198,8 +1198,8 @@ static inline void i40e_dbg_exit(void) {} + int i40e_lan_add_device(struct i40e_pf *pf); + int i40e_lan_del_device(struct i40e_pf *pf); + void i40e_client_subtask(struct i40e_pf *pf); +-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi); +-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset); ++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf); ++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset); + void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs); + void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id); + void i40e_client_update_msix_info(struct i40e_pf *pf); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 4af2a4c59106..126223d28152 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -102,25 +102,26 @@ i40e_notify_client_of_vf_msg(struct i40e_vsi *vsi, u32 vf_id, u8 *msg, u16 len) + + /** + * i40e_notify_client_of_l2_param_changes - call the client notify callback +- * @vsi: the VSI with l2 param changes ++ * @pf: PF device pointer + * +- * If there is a client to this VSI, call the client ++ * If there is a client, call its callback + **/ +-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi) ++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf) + { +- struct i40e_pf *pf = vsi->back; + struct i40e_client_instance *cdev = pf->cinst; ++ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; + struct i40e_params params; + + if (!cdev || !cdev->client) + return; + if (!cdev->client->ops || !cdev->client->ops->l2_param_change) { +- dev_dbg(&vsi->back->pdev->dev, ++ dev_dbg(&pf->pdev->dev, + "Cannot locate client instance l2_param_change routine\n"); + return; + } + if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) { +- dev_dbg(&vsi->back->pdev->dev, "Client is not open, abort l2 param change\n"); ++ dev_dbg(&pf->pdev->dev, ++ "Client is not open, abort l2 param change\n"); + return; + } + memset(¶ms, 0, sizeof(params)); +@@ -160,20 +161,19 @@ static void i40e_client_release_qvlist(struct i40e_info *ldev) + + /** + * i40e_notify_client_of_netdev_close - call the client close callback +- * @vsi: the VSI with netdev closed ++ * @pf: PF device pointer + * @reset: true when close called due to a reset pending + * + * If there is a client to this netdev, call the client with close + **/ +-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset) ++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset) + { +- struct i40e_pf *pf = vsi->back; + struct i40e_client_instance *cdev = pf->cinst; + + if (!cdev || !cdev->client) + return; + if (!cdev->client->ops || !cdev->client->ops->close) { +- dev_dbg(&vsi->back->pdev->dev, ++ dev_dbg(&pf->pdev->dev, + "Cannot locate client instance close routine\n"); + return; + } +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 8f9cbbfec63e..9671058cda40 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11284,14 +11284,12 @@ static void i40e_service_task(struct work_struct *work) + i40e_fdir_reinit_subtask(pf); + if (test_and_clear_bit(__I40E_CLIENT_RESET, pf->state)) { + /* Client subtask will reopen next time through. */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], +- true); ++ i40e_notify_client_of_netdev_close(pf, true); + } else { + i40e_client_subtask(pf); + if (test_and_clear_bit(__I40E_CLIENT_L2_CHANGE, + pf->state)) +- i40e_notify_client_of_l2_param_changes( +- pf->vsi[pf->lan_vsi]); ++ i40e_notify_client_of_l2_param_changes(pf); + } + i40e_sync_filters_subtask(pf); + } else { +@@ -16263,7 +16261,7 @@ static void i40e_remove(struct pci_dev *pdev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + i40e_fdir_teardown(pf); + +@@ -16529,7 +16527,7 @@ static void i40e_shutdown(struct pci_dev *pdev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); +@@ -16582,7 +16580,7 @@ static int __maybe_unused i40e_suspend(struct device *dev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); +-- +2.51.0 + diff --git a/queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch new file mode 100644 index 0000000000..979afd01d0 --- /dev/null +++ b/queue-5.15/i40e-validate-ring_len-parameter-against-hardware-sp.patch @@ -0,0 +1,100 @@ +From 7aaedc102596f558944e543ce62b731f880c87d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 22:06:43 +0100 +Subject: i40e: validate ring_len parameter against hardware-specific values + +From: Gregory Herrero + +[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ] + +The maximum number of descriptors supported by the hardware is +hardware-dependent and can be retrieved using +i40e_get_max_num_descriptors(). Move this function to a shared header +and use it when checking for valid ring_len parameter rather than using +hardcoded value. + +By fixing an over-acceptance issue, behavior change could be seen where +ring_len could now be rejected while configuring rx and tx queues if its +size is larger than the hardware-dependent maximum number of +descriptors. + +Fixes: 55d225670def ("i40e: add validation for ring_len param") +Signed-off-by: Gregory Herrero +Tested-by: Rafal Romanowski +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++ + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++-- + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index bbd95b3d7326..022bf6e86164 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1305,4 +1305,15 @@ static inline u32 i40e_is_tc_mqprio_enabled(struct i40e_pf *pf) + return pf->flags & I40E_FLAG_TC_MQPRIO; + } + ++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf) ++{ ++ const struct i40e_hw *hw = &pf->hw; ++ ++ switch (hw->mac.type) { ++ case I40E_MAC_XL710: ++ return I40E_MAX_NUM_DESCRIPTORS_XL710; ++ default: ++ return I40E_MAX_NUM_DESCRIPTORS; ++ } ++} + #endif /* _I40E_H_ */ +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 74a18b8df11f..04d304eef379 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -1918,18 +1918,6 @@ static void i40e_get_drvinfo(struct net_device *netdev, + drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN; + } + +-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf) +-{ +- struct i40e_hw *hw = &pf->hw; +- +- switch (hw->mac.type) { +- case I40E_MAC_XL710: +- return I40E_MAX_NUM_DESCRIPTORS_XL710; +- default: +- return I40E_MAX_NUM_DESCRIPTORS; +- } +-} +- + static void i40e_get_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring) + { +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 5cd7a2bc40fd..907727604c70 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 8 */ + if (!IS_ALIGNED(info->ring_len, 8) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_context; + } +@@ -728,7 +728,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 32 */ + if (!IS_ALIGNED(info->ring_len, 32) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_param; + } +-- +2.51.0 + diff --git a/queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..42c15030e6 --- /dev/null +++ b/queue-5.15/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 0b48b4365d2e0024e21ab7b41e8f90b37b6bf849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 6073dcc414d6..10970001db56 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1393,11 +1393,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-5.15/ip6_gre-make-ip6gre_header-robust.patch b/queue-5.15/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..0387a0fad2 --- /dev/null +++ b/queue-5.15/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From d8e63307b013243dc1443fb8b243053fcb5110b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 501630e3f1b6..84ba9ad00135 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1383,9 +1383,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..a4c7063deb --- /dev/null +++ b/queue-5.15/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From 8df46ce77ad2bd2336ba0430f4cd240e4725d6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 8ab6ad65d0b8..2cec18cb5c48 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2049,10 +2049,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..0e10cbca74 --- /dev/null +++ b/queue-5.15/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From 3cf619db7e1f5c12ef9124a70fca0d42c2c13470 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 24666291c54a..72079ef2959b 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..166d3e4bd5 --- /dev/null +++ b/queue-5.15/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From fd885a075b798f09eee41ad590107d5cd87cb5d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 8acb427ae6de..0fd8dad7eca4 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -221,6 +221,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..600bb75865 --- /dev/null +++ b/queue-5.15/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From 704ced4d4be2fa73e09d04723d0f55bfd7521335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index d5ed733c0c97..a43cbb481529 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1832,6 +1832,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..b66def883c --- /dev/null +++ b/queue-5.15/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From 9eee2d86d642f1d8069abc1f42d814a2d52437b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index f22be2f069e9..a929399a10d1 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -57,6 +57,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch b/queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch new file mode 100644 index 0000000000..3a1688db31 --- /dev/null +++ b/queue-5.15/net-mdio-aspeed-move-reg-accessing-part-into-separat.patch @@ -0,0 +1,138 @@ +From b30c033fd6d54eadcd7fbe9b504986ad44a39f80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 09:17:36 +0800 +Subject: net: mdio: aspeed: move reg accessing part into separate functions + +From: Potin Lai + +[ Upstream commit 737ca352569e744bf753b4522a6f91b120a734f1 ] + +Add aspeed_mdio_op() and aseed_mdio_get_data() for register accessing. + +aspeed_mdio_op() handles operations, write command to control register, +then check and wait operations is finished (bit 31 is cleared). + +aseed_mdio_get_data() fetchs the result value of operation from data +register. + +Signed-off-by: Potin Lai +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Stable-dep-of: d1a1a4bade4b ("net: mdio: aspeed: add dummy read to avoid read-after-write issue") +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 70 ++++++++++++++++++---------------- + 1 file changed, 38 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index e2273588c75b..f22be2f069e9 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -39,34 +39,35 @@ struct aspeed_mdio { + void __iomem *base; + }; + +-static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) ++static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, ++ u16 data) + { + struct aspeed_mdio *ctx = bus->priv; + u32 ctrl; +- u32 data; +- int rc; + +- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr, +- regnum); +- +- /* Just clause 22 for the moment */ +- if (regnum & MII_ADDR_C45) +- return -EOPNOTSUPP; ++ dev_dbg(&bus->dev, "%s: st: %u op: %u, phyad: %u, regad: %u, data: %u\n", ++ __func__, st, op, phyad, regad, data); + + ctrl = ASPEED_MDIO_CTRL_FIRE +- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22) +- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_READ) +- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr) +- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum); ++ | FIELD_PREP(ASPEED_MDIO_CTRL_ST, st) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_OP, op) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, phyad) ++ | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regad) ++ | FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data); + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + +- rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, ++ return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, + ASPEED_MDIO_TIMEOUT_US); +- if (rc < 0) +- return rc; ++} ++ ++static int aspeed_mdio_get_data(struct mii_bus *bus) ++{ ++ struct aspeed_mdio *ctx = bus->priv; ++ int rc; ++ u32 data; + + rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data, + data & ASPEED_MDIO_DATA_IDLE, +@@ -78,31 +79,36 @@ static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) + return FIELD_GET(ASPEED_MDIO_DATA_MIIRDATA, data); + } + +-static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val) ++static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum) + { +- struct aspeed_mdio *ctx = bus->priv; +- u32 ctrl; ++ int rc; + +- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n", +- __func__, addr, regnum, val); ++ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr, ++ regnum); + + /* Just clause 22 for the moment */ + if (regnum & MII_ADDR_C45) + return -EOPNOTSUPP; + +- ctrl = ASPEED_MDIO_CTRL_FIRE +- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22) +- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_WRITE) +- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr) +- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum) +- | FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val); ++ rc = aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_READ, ++ addr, regnum, 0); ++ if (rc < 0) ++ return rc; + +- iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); ++ return aspeed_mdio_get_data(bus); ++} + +- return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, +- !(ctrl & ASPEED_MDIO_CTRL_FIRE), +- ASPEED_MDIO_INTERVAL_US, +- ASPEED_MDIO_TIMEOUT_US); ++static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val) ++{ ++ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n", ++ __func__, addr, regnum, val); ++ ++ /* Just clause 22 for the moment */ ++ if (regnum & MII_ADDR_C45) ++ return -EOPNOTSUPP; ++ ++ return aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_WRITE, ++ addr, regnum, val); + } + + static int aspeed_mdio_probe(struct platform_device *pdev) +-- +2.51.0 + diff --git a/queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..55bd7ada01 --- /dev/null +++ b/queue-5.15/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From 7be5f46094369da34ed6c4077d722386bcda44d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 8e1a88f13622..3beec619283a 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -154,10 +154,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..1c17ae65d6 --- /dev/null +++ b/queue-5.15/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From fa978d07ce1975ecce4279a8cd6c4367a9784433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index f8cd085c4234..04173c85d92b 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -204,7 +204,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-5.15/net-usb-asix-validate-phy-address-before-use.patch b/queue-5.15/net-usb-asix-validate-phy-address-before-use.patch new file mode 100644 index 0000000000..0d6a1c39ad --- /dev/null +++ b/queue-5.15/net-usb-asix-validate-phy-address-before-use.patch @@ -0,0 +1,53 @@ +From 77bd69b3e70d45c15314a1289c070d1e21f244d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 06:41:56 +0530 +Subject: net: usb: asix: validate PHY address before use + +From: Deepanshu Kartikey + +[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ] + +The ASIX driver reads the PHY address from the USB device via +asix_read_phy_addr(). A malicious or faulty device can return an +invalid address (>= PHY_MAX_ADDR), which causes a warning in +mdiobus_get_phy(): + + addr 207 out of range + WARNING: drivers/net/phy/mdio_bus.c:76 + +Validate the PHY address in asix_read_phy_addr() and remove the +now-redundant check in ax88172a.c. + +Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232 +Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return") +Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1] +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 00c23f1d1c94..8c613e3ea05a 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -333,6 +333,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal) + offset = (internal ? 1 : 0); + ret = buf[offset]; + ++ if (ret >= PHY_MAX_ADDR) { ++ netdev_err(dev->net, "invalid PHY address: %d\n", ret); ++ return -ENODEV; ++ } ++ + netdev_dbg(dev->net, "%s PHY address 0x%x\n", + internal ? "internal" : "external", ret); + +-- +2.51.0 + diff --git a/queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..d1f02cb045 --- /dev/null +++ b/queue-5.15/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From 73ef097b4e37d8108e2009c6c3010d4de62ede12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 011cf3a35378..fa69d59a309a 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..67b1553505 --- /dev/null +++ b/queue-5.15/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From 877bac9d15a958a80b7b526fc99c6214bc94c4e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index db4a9fc399f3..e0c108d48d2e 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -391,6 +391,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..2cb7a35251 --- /dev/null +++ b/queue-5.15/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From 701efa5f3ad608838f9193a3480072fcaec28bd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 5fc665f7d9b3..10cab7bdfe15 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..f023edfb97 --- /dev/null +++ b/queue-5.15/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From 37b729a74c418e06539f9a88339fc8e2baf7e2af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index dfb4af759aa7..fd6b3383ac4f 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1146,6 +1146,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..4d4c277741 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From b8444d7d4e9c0cae8f9dcf2170644c9840304ec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 76fbe52a957c..2bdb428fd273 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..aeb484368c --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From d2fa48087bdbeff299061bdf372b762080048f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index cb733fc497c8..83bc013c8f79 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2644,14 +2644,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..4e0b0010b6 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From de71e644296413e6238a3964fb9866cc1e1c235f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 2394dcc0338c..67c12e604e9b 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -779,7 +779,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..75aec745da --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From 5d71004b2be4803704a2f804895e96cb24b30509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 7585d5a55db2..76fbe52a957c 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -242,7 +242,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -250,7 +250,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..0819ad74f1 --- /dev/null +++ b/queue-5.15/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From d2ed79376f68ec11edb3e3be765b4b082ec2dcfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index bdc9564f0ff8..53552559917c 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -740,7 +740,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-5.15/rdma-efa-remove-possible-negative-shift.patch b/queue-5.15/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..97da3a7d2d --- /dev/null +++ b/queue-5.15/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 6fe742fa7a20cf70207da4978c8585ba72d27394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 1aab6c3e9f53..6fca145f1e8a 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1151,13 +1151,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch new file mode 100644 index 0000000000..d679e47b2f --- /dev/null +++ b/queue-5.15/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch @@ -0,0 +1,83 @@ +From 76caba48c3285084fc6bfed0acaa27752dfc8630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:31:50 +0100 +Subject: RDMA/irdma: avoid invalid read in irdma_net_event + +From: Michal Schmidt + +[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ] + +irdma_net_event() should not dereference anything from "neigh" (alias +"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. +Other events come with different structures pointed to by "ptr" and they +may be smaller than struct neighbour. + +Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. + +The bug is mostly harmless, but it triggers KASAN on debug kernels: + + BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] + Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 + + CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 + Hardware name: [...] + Workqueue: events rt6_probe_deferred + Call Trace: + + dump_stack_lvl+0x60/0xb0 + print_address_description.constprop.0+0x2c/0x3f0 + print_report+0xb4/0x270 + kasan_report+0x92/0xc0 + irdma_net_event+0x32e/0x3b0 [irdma] + notifier_call_chain+0x9e/0x180 + atomic_notifier_call_chain+0x5c/0x110 + rt6_do_redirect+0xb91/0x1080 + tcp_v6_err+0xe9b/0x13e0 + icmpv6_notify+0x2b2/0x630 + ndisc_redirect_rcv+0x328/0x530 + icmpv6_rcv+0xc16/0x1360 + ip6_protocol_deliver_rcu+0xb84/0x12e0 + ip6_input_finish+0x117/0x240 + ip6_input+0xc4/0x370 + ipv6_rcv+0x420/0x7d0 + __netif_receive_skb_one_core+0x118/0x1b0 + process_backlog+0xd1/0x5d0 + __napi_poll.constprop.0+0xa3/0x440 + net_rx_action+0x78a/0xba0 + handle_softirqs+0x2d4/0x9c0 + do_softirq+0xad/0xe0 + + +Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") +Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com +Signed-off-by: Michal Schmidt +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index a47eedb6df82..235515e8bf9b 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + void *ptr) + { + struct neighbour *neigh = ptr; +- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev; ++ struct net_device *real_dev, *netdev; + struct irdma_device *iwdev; + struct ib_device *ibdev; + __be32 *p; +@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + + switch (event) { + case NETEVENT_NEIGH_UPDATE: ++ netdev = neigh->dev; + real_dev = rdma_vlan_dev_real_dev(netdev); + if (!real_dev) + real_dev = netdev; +-- +2.51.0 + diff --git a/queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch new file mode 100644 index 0000000000..ed1c7f30b1 --- /dev/null +++ b/queue-5.15/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch @@ -0,0 +1,40 @@ +From cdf11822c2f269849fa475ae77dd412462d37649 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:56:17 +0800 +Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation + +From: Honggang LI + +[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ] + +If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift] +are zero, the `min3` function will set clt_path::max_pages_per_mr to +zero. + +`alloc_path_reqs` will pass zero, which is invalid, as the third parameter +to `ib_alloc_mr`. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Honggang LI +Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index e8f5a1f104cf..cda7849e2133 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1469,6 +1469,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path) + mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1); + max_pages_per_mr = ib_dev->attrs.max_mr_size; + do_div(max_pages_per_mr, (1ull << mr_page_shift)); ++ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX); + clt_path->max_pages_per_mr = + min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr, + ib_dev->attrs.max_fast_reg_page_list_len); +-- +2.51.0 + diff --git a/queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..b8c17a9b11 --- /dev/null +++ b/queue-5.15/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From 103d92c051a699818738f8506f7345830d66f4bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index a2faba1fb8..a63cb4f237 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -332,3 +332,37 @@ i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch +i40e-fix-scheduling-in-set_rx_mode.patch +i40e-refactor-argument-of-several-client-notificatio.patch +i40e-refactor-argument-of-i40e_detect_recover_hung.patch +i40e-validate-ring_len-parameter-against-hardware-sp.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch +net-mdio-aspeed-move-reg-accessing-part-into-separat.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +smc91x-fix-broken-irq-context-in-preempt_rt.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-fix-dma_free_coherent-size.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +net-usb-asix-validate-phy-address-before-use.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch new file mode 100644 index 0000000000..a4bd93a04a --- /dev/null +++ b/queue-5.15/smc91x-fix-broken-irq-context-in-preempt_rt.patch @@ -0,0 +1,72 @@ +From e02b217e50afbdf2cc80eef6a58cf2fcff25d71a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 08:51:15 +0000 +Subject: smc91x: fix broken irq-context in PREEMPT_RT + +From: Yeoreum Yun + +[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ] + +When smc91x.c is built with PREEMPT_RT, the following splat occurs +in FVP_RevC: + +[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] +[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work +[ 13.062266] C +** replaying previous printk message ** +[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} +[ 13.062353] Hardware name: , BIOS +[ 13.062382] Workqueue: mld mld_ifc_work +[ 13.062469] Call trace: +[ 13.062494] show_stack+0x24/0x40 (C) +[ 13.062602] __dump_stack+0x28/0x48 +[ 13.062710] dump_stack_lvl+0x7c/0xb0 +[ 13.062818] dump_stack+0x18/0x34 +[ 13.062926] process_scheduled_works+0x294/0x450 +[ 13.063043] worker_thread+0x260/0x3d8 +[ 13.063124] kthread+0x1c4/0x228 +[ 13.063235] ret_from_fork+0x10/0x20 + +This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, +but smc_special_unlock() does not restore IRQs on PREEMPT_RT. +The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), +and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke +rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. + +To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). + +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Yeoreum Yun +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc91x.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c +index 813ea941b91a..c63783516202 100644 +--- a/drivers/net/ethernet/smsc/smc91x.c ++++ b/drivers/net/ethernet/smsc/smc91x.c +@@ -515,15 +515,7 @@ static inline void smc_rcv(struct net_device *dev) + * any other concurrent access and C would always interrupt B. But life + * isn't that easy in a SMP world... + */ +-#define smc_special_trylock(lock, flags) \ +-({ \ +- int __ret; \ +- local_irq_save(flags); \ +- __ret = spin_trylock(lock); \ +- if (!__ret) \ +- local_irq_restore(flags); \ +- __ret; \ +-}) ++#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags) + #define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags) + #define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags) + #else +-- +2.51.0 + diff --git a/queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..e11d5ae6cf --- /dev/null +++ b/queue-5.15/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From d930a0ed202de97cfb828418f69aa975b86a5817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 1e0adeb5e177..f866f7a4be31 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -873,7 +873,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch b/queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch new file mode 100644 index 0000000000..462785db6e --- /dev/null +++ b/queue-6.1/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch @@ -0,0 +1,158 @@ +From e9ec1f61cbb463f40c3137429c8a7b62c07fe062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 10:12:44 +0800 +Subject: blk-mq: don't schedule block kworker on isolated CPUs + +From: Ming Lei + +[ Upstream commit a46c27026da10a126dd870f7b65380010bd20db5 ] + +Kernel parameter of `isolcpus=` or 'nohz_full=' are used to isolate CPUs +for specific task, and it isn't expected to let block IO disturb these CPUs. +blk-mq kworker shouldn't be scheduled on isolated CPUs. Also if isolated +CPUs is run for blk-mq kworker, long block IO latency can be caused. + +Kernel workqueue only respects CPU isolation for WQ_UNBOUND, for bound +WQ, the responsibility is on user because CPU is specified as WQ API +parameter, such as mod_delayed_work_on(cpu), queue_delayed_work_on(cpu) +and queue_work_on(cpu). + +So not run blk-mq kworker on isolated CPUs by removing isolated CPUs +from hctx->cpumask. Meantime use queue map to check if all CPUs in this +hw queue are offline instead of hctx->cpumask, this way can avoid any +cost in fast IO code path, and is safe since hctx->cpumask are only +used in the two cases. + +Cc: Tim Chen +Cc: Juri Lelli +Cc: Andrew Theurer +Cc: Joe Mario +Cc: Sebastian Jug +Cc: Frederic Weisbecker +Cc: Bart Van Assche +Cc: Tejun Heo +Tesed-by: Joe Mario +Signed-off-by: Ming Lei +Reviewed-by: Ewan D. Milne +Link: https://lore.kernel.org/r/20240322021244.1056223-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx") +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 57 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 10 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index d3ced0cff916..6cfbbe0d7792 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + +@@ -2216,6 +2217,15 @@ static inline int blk_mq_first_mapped_cpu(struct blk_mq_hw_ctx *hctx) + return cpu; + } + ++/* ++ * ->next_cpu is always calculated from hctx->cpumask, so simply use ++ * it for speeding up the check ++ */ ++static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx) ++{ ++ return hctx->next_cpu >= nr_cpu_ids; ++} ++ + /* + * It'd be great if the workqueue API had a way to pass + * in a mask and had some smarts for more clever placement. +@@ -2227,7 +2237,8 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx) + bool tried = false; + int next_cpu = hctx->next_cpu; + +- if (hctx->queue->nr_hw_queues == 1) ++ /* Switch to unbound if no allowable CPUs in this hctx */ ++ if (hctx->queue->nr_hw_queues == 1 || blk_mq_hctx_empty_cpumask(hctx)) + return WORK_CPU_UNBOUND; + + if (--hctx->next_cpu_batch <= 0) { +@@ -3497,14 +3508,30 @@ static bool blk_mq_hctx_has_requests(struct blk_mq_hw_ctx *hctx) + return data.has_rq; + } + +-static inline bool blk_mq_last_cpu_in_hctx(unsigned int cpu, +- struct blk_mq_hw_ctx *hctx) ++static bool blk_mq_hctx_has_online_cpu(struct blk_mq_hw_ctx *hctx, ++ unsigned int this_cpu) + { +- if (cpumask_first_and(hctx->cpumask, cpu_online_mask) != cpu) +- return false; +- if (cpumask_next_and(cpu, hctx->cpumask, cpu_online_mask) < nr_cpu_ids) +- return false; +- return true; ++ enum hctx_type type = hctx->type; ++ int cpu; ++ ++ /* ++ * hctx->cpumask has to rule out isolated CPUs, but userspace still ++ * might submit IOs on these isolated CPUs, so use the queue map to ++ * check if all CPUs mapped to this hctx are offline ++ */ ++ for_each_online_cpu(cpu) { ++ struct blk_mq_hw_ctx *h = blk_mq_map_queue_type(hctx->queue, ++ type, cpu); ++ ++ if (h != hctx) ++ continue; ++ ++ /* this hctx has at least one online CPU */ ++ if (this_cpu != cpu) ++ return true; ++ } ++ ++ return false; + } + + static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) +@@ -3513,8 +3540,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (!cpumask_test_cpu(cpu, hctx->cpumask) || +- !blk_mq_last_cpu_in_hctx(cpu, hctx)) ++ if (blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +@@ -3933,6 +3959,8 @@ static void blk_mq_map_swqueue(struct request_queue *q) + } + + queue_for_each_hw_ctx(q, hctx, i) { ++ int cpu; ++ + /* + * If no software queues are mapped to this hardware queue, + * disable it and free the request entries. +@@ -3959,6 +3987,15 @@ static void blk_mq_map_swqueue(struct request_queue *q) + */ + sbitmap_resize(&hctx->ctx_map, hctx->nr_ctx); + ++ /* ++ * Rule out isolated CPUs from hctx->cpumask to avoid ++ * running block kworker on isolated CPUs ++ */ ++ for_each_cpu(cpu, hctx->cpumask) { ++ if (cpu_is_isolated(cpu)) ++ cpumask_clear_cpu(cpu, hctx->cpumask); ++ } ++ + /* + * Initialize batch roundrobin counts + */ +-- +2.51.0 + diff --git a/queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch new file mode 100644 index 0000000000..c331d156b0 --- /dev/null +++ b/queue-6.1/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch @@ -0,0 +1,39 @@ +From f43ac1f920c754ad4adfb41a710a912422d1a67a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 17:17:05 +0800 +Subject: blk-mq: skip CPU offline notify on unmapped hctx + +From: Cong Zhang + +[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ] + +If an hctx has no software ctx mapped, blk_mq_map_swqueue() never +allocates tags and leaves hctx->tags NULL. The CPU hotplug offline +notifier can still run for that hctx, return early since hctx cannot +hold any requests. + +Signed-off-by: Cong Zhang +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 6cfbbe0d7792..2edad54b1788 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3540,7 +3540,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (blk_mq_hctx_has_online_cpu(hctx, cpu)) ++ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +-- +2.51.0 + diff --git a/queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch new file mode 100644 index 0000000000..311bb0e3d1 --- /dev/null +++ b/queue-6.1/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch @@ -0,0 +1,89 @@ +From c07d6c88ade52b5f5cc8a88568f87925ffb8cf15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 11:02:28 -0500 +Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ] + +This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in +btusb.c file"). + +In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This +ties the lifetime of all the btusb data to the binding of a driver to +one interface, INTF. In a driver that binds to other interfaces, ISOC +and DIAG, this is an accident waiting to happen. + +The issue is revealed in btusb_disconnect(), where calling +usb_driver_release_interface(&btusb_driver, data->intf) will have devm +free the data that is also being used by the other interfaces of the +driver that may not be released yet. + +To fix this, revert the use of devm and go back to freeing memory +explicitly. + +Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 983794632927..c6ac351209c0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3849,7 +3849,7 @@ static int btusb_probe(struct usb_interface *intf, + return -ENODEV; + } + +- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -3872,8 +3872,10 @@ static int btusb_probe(struct usb_interface *intf, + } + } + +- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) ++ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) { ++ kfree(data); + return -ENODEV; ++ } + + if (id->driver_info & BTUSB_AMP) { + data->cmdreq_type = USB_TYPE_CLASS | 0x01; +@@ -3920,8 +3922,10 @@ static int btusb_probe(struct usb_interface *intf, + data->recv_acl = hci_recv_frame; + + hdev = hci_alloc_dev_priv(priv_size); +- if (!hdev) ++ if (!hdev) { ++ kfree(data); + return -ENOMEM; ++ } + + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); +@@ -4182,6 +4186,7 @@ static int btusb_probe(struct usb_interface *intf, + if (data->reset_gpio) + gpiod_put(data->reset_gpio); + hci_free_dev(hdev); ++ kfree(data); + return err; + } + +@@ -4227,6 +4232,7 @@ static void btusb_disconnect(struct usb_interface *intf) + } + + hci_free_dev(hdev); ++ kfree(data); + } + + #ifdef CONFIG_PM +-- +2.51.0 + diff --git a/queue-6.1/cfg80211-support-rnr-for-ema-ap.patch b/queue-6.1/cfg80211-support-rnr-for-ema-ap.patch new file mode 100644 index 0000000000..bf4d3948fb --- /dev/null +++ b/queue-6.1/cfg80211-support-rnr-for-ema-ap.patch @@ -0,0 +1,303 @@ +From a8a49e3c4429aefa3290d473384bf99eeb138695 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Mar 2023 04:38:00 -0700 +Subject: cfg80211: support RNR for EMA AP + +From: Aloka Dixit + +[ Upstream commit dbbb27e183b1568d5a907ace1cd144b0709ea52a ] + +As per IEEE Std 802.11ax-2021, 11.1.3.8.3 Discovery of a nontransmitted +BSSID profile, an EMA AP that transmits a Beacon frame carrying a partial +list of nontransmitted BSSID profiles should include in the frame +a Reduced Neighbor Report element carrying information for at least the +nontransmitted BSSIDs that are not present in the Multiple BSSID element +carried in that frame. +Add new nested attribute NL80211_ATTR_EMA_RNR_ELEMS to support the above. +Number of RNR elements must be more than or equal to the number of +MBSSID elements. This attribute can be used only when EMA is enabled. +Userspace is responsible for splitting the RNR into multiple elements such +that each element excludes the non-transmitting profiles already included +in the MBSSID element (%NL80211_ATTR_MBSSID_ELEMS) at the same index. +Each EMA beacon will be generated by adding MBSSID and RNR elements +at the same index. If the userspace provides more RNR elements than the +number of MBSSID elements then these will be added in every EMA beacon. + +Signed-off-by: Aloka Dixit +Link: https://lore.kernel.org/r/20230323113801.6903-2-quic_alokad@quicinc.com +[Johannes: validate elements] +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 19 +++++++++ + include/uapi/linux/nl80211.h | 13 ++++++ + net/wireless/nl80211.c | 79 ++++++++++++++++++++++++++++++++---- + 3 files changed, 104 insertions(+), 7 deletions(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 34709bd733ed..f39a60475c24 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -1187,6 +1187,23 @@ struct cfg80211_mbssid_elems { + } elem[]; + }; + ++/** ++ * struct cfg80211_rnr_elems - Reduced neighbor report (RNR) elements ++ * ++ * @cnt: Number of elements in array %elems. ++ * ++ * @elem: Array of RNR element(s) to be added into Beacon frames. ++ * @elem.data: Data for RNR elements. ++ * @elem.len: Length of data. ++ */ ++struct cfg80211_rnr_elems { ++ u8 cnt; ++ struct { ++ const u8 *data; ++ size_t len; ++ } elem[]; ++}; ++ + /** + * struct cfg80211_beacon_data - beacon data + * @link_id: the link ID for the AP MLD link sending this beacon +@@ -1207,6 +1224,7 @@ struct cfg80211_mbssid_elems { + * @probe_resp_len: length of probe response template (@probe_resp) + * @probe_resp: probe response template (AP mode only) + * @mbssid_ies: multiple BSSID elements ++ * @rnr_ies: reduced neighbor report elements + * @ftm_responder: enable FTM responder functionality; -1 for no change + * (which also implies no change in LCI/civic location data) + * @lci: Measurement Report element content, starting with Measurement Token +@@ -1230,6 +1248,7 @@ struct cfg80211_beacon_data { + const u8 *lci; + const u8 *civicloc; + struct cfg80211_mbssid_elems *mbssid_ies; ++ struct cfg80211_rnr_elems *rnr_ies; + s8 ftm_responder; + + size_t head_len, tail_len; +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index 274d1b34c954..63d7241edd49 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2776,6 +2776,17 @@ enum nl80211_commands { + * @NL80211_ATTR_HW_TIMESTAMP_ENABLED: Indicates whether HW timestamping should + * be enabled or not (flag attribute). + * ++ * @NL80211_ATTR_EMA_RNR_ELEMS: Optional nested attribute for ++ * reduced neighbor report (RNR) elements. This attribute can be used ++ * only when NL80211_MBSSID_CONFIG_ATTR_EMA is enabled. ++ * Userspace is responsible for splitting the RNR into multiple ++ * elements such that each element excludes the non-transmitting ++ * profiles already included in the MBSSID element ++ * (%NL80211_ATTR_MBSSID_ELEMS) at the same index. Each EMA beacon ++ * will be generated by adding MBSSID and RNR elements at the same ++ * index. If the userspace includes more RNR elements than number of ++ * MBSSID elements then these will be added in every EMA beacon. ++ * + * @NUM_NL80211_ATTR: total number of nl80211_attrs available + * @NL80211_ATTR_MAX: highest attribute number currently defined + * @__NL80211_ATTR_AFTER_LAST: internal use +@@ -3310,6 +3321,8 @@ enum nl80211_attrs { + NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS, + NL80211_ATTR_HW_TIMESTAMP_ENABLED, + ++ NL80211_ATTR_EMA_RNR_ELEMS, ++ + /* add attributes here, update the policy in nl80211.c */ + + __NL80211_ATTR_AFTER_LAST, +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 5e2b676f5ce0..7a976bd1641f 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -814,6 +814,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + + [NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 }, + [NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG }, ++ [NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED }, + }; + + /* policy for the key attributes */ +@@ -5455,6 +5456,38 @@ nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs) + return elems; + } + ++static struct cfg80211_rnr_elems * ++nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs, ++ struct netlink_ext_ack *extack) ++{ ++ struct nlattr *nl_elems; ++ struct cfg80211_rnr_elems *elems; ++ int rem_elems; ++ u8 i = 0, num_elems = 0; ++ ++ nla_for_each_nested(nl_elems, attrs, rem_elems) { ++ int ret; ++ ++ ret = validate_ie_attr(nl_elems, extack); ++ if (ret) ++ return ERR_PTR(ret); ++ ++ num_elems++; ++ } ++ ++ elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL); ++ if (!elems) ++ return ERR_PTR(-ENOMEM); ++ ++ nla_for_each_nested(nl_elems, attrs, rem_elems) { ++ elems->elem[i].data = nla_data(nl_elems); ++ elems->elem[i].len = nla_len(nl_elems); ++ i++; ++ } ++ elems->cnt = num_elems; ++ return elems; ++} ++ + static int nl80211_parse_he_bss_color(struct nlattr *attrs, + struct cfg80211_he_bss_color *he_bss_color) + { +@@ -5481,7 +5514,8 @@ static int nl80211_parse_he_bss_color(struct nlattr *attrs, + + static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev, + struct nlattr *attrs[], +- struct cfg80211_beacon_data *bcn) ++ struct cfg80211_beacon_data *bcn, ++ struct netlink_ext_ack *extack) + { + bool haveinfo = false; + int err; +@@ -5578,6 +5612,21 @@ static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev, + return PTR_ERR(mbssid); + + bcn->mbssid_ies = mbssid; ++ ++ if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) { ++ struct cfg80211_rnr_elems *rnr = ++ nl80211_parse_rnr_elems(&rdev->wiphy, ++ attrs[NL80211_ATTR_EMA_RNR_ELEMS], ++ extack); ++ ++ if (IS_ERR(rnr)) ++ return PTR_ERR(rnr); ++ ++ if (rnr && rnr->cnt < bcn->mbssid_ies->cnt) ++ return -EINVAL; ++ ++ bcn->rnr_ies = rnr; ++ } + } + + return 0; +@@ -5860,7 +5909,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + if (!params) + return -ENOMEM; + +- err = nl80211_parse_beacon(rdev, info->attrs, ¶ms->beacon); ++ err = nl80211_parse_beacon(rdev, info->attrs, ¶ms->beacon, ++ info->extack); + if (err) + goto out; + +@@ -6090,6 +6140,11 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + goto out_unlock; + } + ++ if (!params->mbssid_config.ema && params->beacon.rnr_ies) { ++ err = -EINVAL; ++ goto out_unlock; ++ } ++ + err = nl80211_calculate_ap_params(params); + if (err) + goto out_unlock; +@@ -6129,6 +6184,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + params->mbssid_config.tx_wdev->netdev && + params->mbssid_config.tx_wdev->netdev != dev) + dev_put(params->mbssid_config.tx_wdev->netdev); ++ kfree(params->beacon.rnr_ies); + kfree(params); + + return err; +@@ -6153,7 +6209,7 @@ static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info) + if (!wdev->links[link_id].ap.beacon_interval) + return -EINVAL; + +- err = nl80211_parse_beacon(rdev, info->attrs, ¶ms); ++ err = nl80211_parse_beacon(rdev, info->attrs, ¶ms, info->extack); + if (err) + goto out; + +@@ -6163,6 +6219,7 @@ static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info) + + out: + kfree(params.mbssid_ies); ++ kfree(params.rnr_ies); + return err; + } + +@@ -10017,7 +10074,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) + if (!need_new_beacon) + goto skip_beacons; + +- err = nl80211_parse_beacon(rdev, info->attrs, ¶ms.beacon_after); ++ err = nl80211_parse_beacon(rdev, info->attrs, ¶ms.beacon_after, ++ info->extack); + if (err) + goto free; + +@@ -10034,7 +10092,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) + if (err) + goto free; + +- err = nl80211_parse_beacon(rdev, csa_attrs, ¶ms.beacon_csa); ++ err = nl80211_parse_beacon(rdev, csa_attrs, ¶ms.beacon_csa, ++ info->extack); + if (err) + goto free; + +@@ -10154,6 +10213,8 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) + free: + kfree(params.beacon_after.mbssid_ies); + kfree(params.beacon_csa.mbssid_ies); ++ kfree(params.beacon_after.rnr_ies); ++ kfree(params.beacon_csa.rnr_ies); + kfree(csa_attrs); + return err; + } +@@ -15880,7 +15941,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info) + params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]); + params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]); + +- err = nl80211_parse_beacon(rdev, info->attrs, ¶ms.beacon_next); ++ err = nl80211_parse_beacon(rdev, info->attrs, ¶ms.beacon_next, ++ info->extack); + if (err) + return err; + +@@ -15894,7 +15956,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info) + if (err) + goto out; + +- err = nl80211_parse_beacon(rdev, tb, ¶ms.beacon_color_change); ++ err = nl80211_parse_beacon(rdev, tb, ¶ms.beacon_color_change, ++ info->extack); + if (err) + goto out; + +@@ -15950,6 +16013,8 @@ static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info) + out: + kfree(params.beacon_next.mbssid_ies); + kfree(params.beacon_color_change.mbssid_ies); ++ kfree(params.beacon_next.rnr_ies); ++ kfree(params.beacon_color_change.rnr_ies); + kfree(tb); + return err; + } +-- +2.51.0 + diff --git a/queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch b/queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch new file mode 100644 index 0000000000..e31e799b14 --- /dev/null +++ b/queue-6.1/cfg80211-update-transition-disable-policy-during-por.patch @@ -0,0 +1,213 @@ +From d101d504399ad0d3acbb2b70e3f04c6466e1400a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 18:14:48 +0530 +Subject: cfg80211: Update Transition Disable policy during port authorization + +From: Vinayak Yadawad + +[ Upstream commit 0ff57171d6d225558c81a69439d5323e35b40549 ] + +In case of 4way handshake offload, transition disable policy +updated by the AP during EAPOL 3/4 is not updated to the upper layer. +This results in mismatch between transition disable policy +between the upper layer and the driver. This patch addresses this +issue by updating transition disable policy as part of port +authorization indication. + +Signed-off-by: Vinayak Yadawad +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- + include/net/cfg80211.h | 4 +++- + include/uapi/linux/nl80211.h | 3 +++ + net/wireless/core.h | 5 ++++- + net/wireless/nl80211.c | 8 +++++++- + net/wireless/nl80211.h | 3 ++- + net/wireless/sme.c | 12 ++++++++---- + net/wireless/util.c | 4 +++- + 8 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +index 7eec5eb62371..6e7de5dce49e 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6009,7 +6009,7 @@ brcmf_bss_roaming_done(struct brcmf_cfg80211_info *cfg, + brcmf_dbg(CONN, "Report roaming result\n"); + + if (profile->use_fwsup == BRCMF_PROFILE_FWSUP_1X && profile->is_ft) { +- cfg80211_port_authorized(ndev, profile->bssid, GFP_KERNEL); ++ cfg80211_port_authorized(ndev, profile->bssid, NULL, 0, GFP_KERNEL); + brcmf_dbg(CONN, "Report port authorized\n"); + } + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index e35bc5c35732..d15033420ca3 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -7825,6 +7825,8 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info, + * + * @dev: network device + * @bssid: the BSSID of the AP ++ * @td_bitmap: transition disable policy ++ * @td_bitmap_len: Length of transition disable policy + * @gfp: allocation flags + * + * This function should be called by a driver that supports 4 way handshake +@@ -7835,7 +7837,7 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info, + * indicate the 802.11 association. + */ + void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid, +- gfp_t gfp); ++ const u8* td_bitmap, u8 td_bitmap_len, gfp_t gfp); + + /** + * cfg80211_disconnected - notify cfg80211 that connection was dropped +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index c32e7616a366..c14a91bbca7c 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2749,6 +2749,8 @@ enum nl80211_commands { + * When used with %NL80211_CMD_FRAME_TX_STATUS, indicates the ack RX + * timestamp. When used with %NL80211_CMD_FRAME RX notification, indicates + * the incoming frame RX timestamp. ++ * @NL80211_ATTR_TD_BITMAP: Transition Disable bitmap, for subsequent ++ * (re)associations. + * @NUM_NL80211_ATTR: total number of nl80211_attrs available + * @NL80211_ATTR_MAX: highest attribute number currently defined + * @__NL80211_ATTR_AFTER_LAST: internal use +@@ -3276,6 +3278,7 @@ enum nl80211_attrs { + + NL80211_ATTR_TX_HW_TIMESTAMP, + NL80211_ATTR_RX_HW_TIMESTAMP, ++ NL80211_ATTR_TD_BITMAP, + + /* add attributes here, update the policy in nl80211.c */ + +diff --git a/net/wireless/core.h b/net/wireless/core.h +index ee980965a7cf..17dfdf9fe749 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -277,6 +277,8 @@ struct cfg80211_event { + } ij; + struct { + u8 bssid[ETH_ALEN]; ++ const u8 *td_bitmap; ++ u8 td_bitmap_len; + } pa; + }; + }; +@@ -421,7 +423,8 @@ int cfg80211_disconnect(struct cfg80211_registered_device *rdev, + bool wextev); + void __cfg80211_roamed(struct wireless_dev *wdev, + struct cfg80211_roam_info *info); +-void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid); ++void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid, ++ const u8 *td_bitmap, u8 td_bitmap_len); + int cfg80211_mgd_wext_connect(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev); + void cfg80211_autodisconnect_wk(struct work_struct *work); +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 3ff2fe98a974..1ab60967d6cd 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -18016,7 +18016,8 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, + } + + void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev, +- struct net_device *netdev, const u8 *bssid) ++ struct net_device *netdev, const u8 *bssid, ++ const u8 *td_bitmap, u8 td_bitmap_len) + { + struct sk_buff *msg; + void *hdr; +@@ -18036,6 +18037,11 @@ void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev, + nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid)) + goto nla_put_failure; + ++ if ((td_bitmap_len > 0) && td_bitmap) ++ if (nla_put(msg, NL80211_ATTR_TD_BITMAP, ++ td_bitmap_len, td_bitmap)) ++ goto nla_put_failure; ++ + genlmsg_end(msg, hdr); + + genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0, +diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h +index 855d540ddfb9..ba9457e94c43 100644 +--- a/net/wireless/nl80211.h ++++ b/net/wireless/nl80211.h +@@ -83,7 +83,8 @@ void nl80211_send_roamed(struct cfg80211_registered_device *rdev, + struct net_device *netdev, + struct cfg80211_roam_info *info, gfp_t gfp); + void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev, +- struct net_device *netdev, const u8 *bssid); ++ struct net_device *netdev, const u8 *bssid, ++ const u8 *td_bitmap, u8 td_bitmap_len); + void nl80211_send_disconnected(struct cfg80211_registered_device *rdev, + struct net_device *netdev, u16 reason, + const u8 *ie, size_t ie_len, bool from_ap); +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 26106802b17b..5adf3912f585 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -1270,7 +1270,8 @@ void cfg80211_roamed(struct net_device *dev, struct cfg80211_roam_info *info, + } + EXPORT_SYMBOL(cfg80211_roamed); + +-void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid) ++void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid, ++ const u8 *td_bitmap, u8 td_bitmap_len) + { + ASSERT_WDEV_LOCK(wdev); + +@@ -1283,11 +1284,11 @@ void __cfg80211_port_authorized(struct wireless_dev *wdev, const u8 *bssid) + return; + + nl80211_send_port_authorized(wiphy_to_rdev(wdev->wiphy), wdev->netdev, +- bssid); ++ bssid, td_bitmap, td_bitmap_len); + } + + void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid, +- gfp_t gfp) ++ const u8 *td_bitmap, u8 td_bitmap_len, gfp_t gfp) + { + struct wireless_dev *wdev = dev->ieee80211_ptr; + struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); +@@ -1297,12 +1298,15 @@ void cfg80211_port_authorized(struct net_device *dev, const u8 *bssid, + if (WARN_ON(!bssid)) + return; + +- ev = kzalloc(sizeof(*ev), gfp); ++ ev = kzalloc(sizeof(*ev) + td_bitmap_len, gfp); + if (!ev) + return; + + ev->type = EVENT_PORT_AUTHORIZED; + memcpy(ev->pa.bssid, bssid, ETH_ALEN); ++ ev->pa.td_bitmap = ((u8 *)ev) + sizeof(*ev); ++ ev->pa.td_bitmap_len = td_bitmap_len; ++ memcpy((void *)ev->pa.td_bitmap, td_bitmap, td_bitmap_len); + + /* + * Use the wdev event list so that if there are pending +diff --git a/net/wireless/util.c b/net/wireless/util.c +index 00c1530e1979..b513e24572a3 100644 +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1113,7 +1113,9 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev) + __cfg80211_leave(wiphy_to_rdev(wdev->wiphy), wdev); + break; + case EVENT_PORT_AUTHORIZED: +- __cfg80211_port_authorized(wdev, ev->pa.bssid); ++ __cfg80211_port_authorized(wdev, ev->pa.bssid, ++ ev->pa.td_bitmap, ++ ev->pa.td_bitmap_len); + break; + } + wdev_unlock(wdev); +-- +2.51.0 + diff --git a/queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..5536b1716a --- /dev/null +++ b/queue-6.1/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From bdf4273d250621adabbbecdd64f062e8f73300d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index b1bcfe537daf..562ab102226a 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..7f11819e09 --- /dev/null +++ b/queue-6.1/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From ffc028d346a5c6c4cd4fdd75de67f414fc615d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-6.1/genalloc.h-fix-htmldocs-warning.patch b/queue-6.1/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..ff249ca174 --- /dev/null +++ b/queue-6.1/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From 10160131344a950f6eb7180e9bba548c80a9ad22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..eedfe3dea5 --- /dev/null +++ b/queue-6.1/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From 6d89e49eb5b80e9d956f7083c8e58dd043029269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 522267314160..5823229ae598 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2252,6 +2252,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch b/queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch new file mode 100644 index 0000000000..cbb9b1b97e --- /dev/null +++ b/queue-6.1/i40e-refactor-argument-of-i40e_detect_recover_hung.patch @@ -0,0 +1,81 @@ +From 36ae0923964da83750856854f869c6389494bf07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 09:26:04 +0200 +Subject: i40e: Refactor argument of i40e_detect_recover_hung() + +From: Ivan Vecera + +[ Upstream commit 7033ada04e33048c8b33294fecbb0d73f3cd1088 ] + +Commit 07d44190a389 ("i40e/i40evf: Detect and recover hung queue +scenario") changes i40e_detect_recover_hung() argument type from +i40e_pf* to i40e_vsi* to be shareable by both i40e and i40evf. +Because the i40evf does not exist anymore and the function is +exclusively used by i40e we can revert this change. + +Reviewed-by: Michal Schmidt +Tested-by: Pucha Himasekhar Reddy +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- + drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 ++++++---- + drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 +- + 3 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index fb0dd6f33090..f64ef96ed4f7 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11304,7 +11304,7 @@ static void i40e_service_task(struct work_struct *work) + return; + + if (!test_bit(__I40E_RECOVERY_MODE, pf->state)) { +- i40e_detect_recover_hung(pf->vsi[pf->lan_vsi]); ++ i40e_detect_recover_hung(pf); + i40e_sync_filters_subtask(pf); + i40e_reset_subtask(pf); + i40e_handle_mdd_event(pf); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +index 2ede35ba3919..d6fe9e3a8482 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c +@@ -867,13 +867,15 @@ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw) + + /** + * i40e_detect_recover_hung - Function to detect and recover hung_queues +- * @vsi: pointer to vsi struct with tx queues ++ * @pf: pointer to PF struct + * +- * VSI has netdev and netdev has TX queues. This function is to check each of +- * those TX queues if they are hung, trigger recovery by issuing SW interrupt. ++ * LAN VSI has netdev and netdev has TX queues. This function is to check ++ * each of those TX queues if they are hung, trigger recovery by issuing ++ * SW interrupt. + **/ +-void i40e_detect_recover_hung(struct i40e_vsi *vsi) ++void i40e_detect_recover_hung(struct i40e_pf *pf) + { ++ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; + struct i40e_ring *tx_ring = NULL; + struct net_device *netdev; + unsigned int i; +diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +index 6e567d343e03..8188ec7e3ef2 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h +@@ -465,7 +465,7 @@ void i40e_free_rx_resources(struct i40e_ring *rx_ring); + int i40e_napi_poll(struct napi_struct *napi, int budget); + void i40e_force_wb(struct i40e_vsi *vsi, struct i40e_q_vector *q_vector); + u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw); +-void i40e_detect_recover_hung(struct i40e_vsi *vsi); ++void i40e_detect_recover_hung(struct i40e_pf *pf); + int __i40e_maybe_stop_tx(struct i40e_ring *tx_ring, int size); + bool __i40e_chk_linearize(struct sk_buff *skb); + int i40e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, +-- +2.51.0 + diff --git a/queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch b/queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch new file mode 100644 index 0000000000..c544ddc1ec --- /dev/null +++ b/queue-6.1/i40e-refactor-argument-of-several-client-notificatio.patch @@ -0,0 +1,158 @@ +From 5fe3cbbf504f59ec2be7763a4b4a674aa8589e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Apr 2024 09:26:03 +0200 +Subject: i40e: Refactor argument of several client notification functions + +From: Ivan Vecera + +[ Upstream commit 54c4664e48eea52f2b296c73ddb8f5629b958678 ] + +Commit 0ef2d5afb12d ("i40e: KISS the client interface") simplified +the client interface so in practice it supports only one client +per i40e netdev. But we have still 2 notification functions that +uses as parameter a pointer to VSI of netdevice associated with +the client. After the mentioned commit only possible and used +VSI is the main (LAN) VSI. +So refactor these functions so they are called with PF pointer argument +and the associated VSI (LAN) is taken inside them. + +Reviewed-by: Michal Schmidt +Tested-by: Pucha Himasekhar Reddy +Signed-off-by: Ivan Vecera +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 4 ++-- + drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +++++++++---------- + drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +++++------ + 3 files changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index 3c9ac53da331..bc2ccb77dbe0 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1217,8 +1217,8 @@ static inline void i40e_dbg_exit(void) {} + int i40e_lan_add_device(struct i40e_pf *pf); + int i40e_lan_del_device(struct i40e_pf *pf); + void i40e_client_subtask(struct i40e_pf *pf); +-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi); +-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset); ++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf); ++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset); + void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs); + void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id); + void i40e_client_update_msix_info(struct i40e_pf *pf); +diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c +index 86fd82412e9e..406cfb9c5ac9 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_client.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c +@@ -102,25 +102,26 @@ i40e_notify_client_of_vf_msg(struct i40e_vsi *vsi, u32 vf_id, u8 *msg, u16 len) + + /** + * i40e_notify_client_of_l2_param_changes - call the client notify callback +- * @vsi: the VSI with l2 param changes ++ * @pf: PF device pointer + * +- * If there is a client to this VSI, call the client ++ * If there is a client, call its callback + **/ +-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi) ++void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf) + { +- struct i40e_pf *pf = vsi->back; + struct i40e_client_instance *cdev = pf->cinst; ++ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi]; + struct i40e_params params; + + if (!cdev || !cdev->client) + return; + if (!cdev->client->ops || !cdev->client->ops->l2_param_change) { +- dev_dbg(&vsi->back->pdev->dev, ++ dev_dbg(&pf->pdev->dev, + "Cannot locate client instance l2_param_change routine\n"); + return; + } + if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) { +- dev_dbg(&vsi->back->pdev->dev, "Client is not open, abort l2 param change\n"); ++ dev_dbg(&pf->pdev->dev, ++ "Client is not open, abort l2 param change\n"); + return; + } + memset(¶ms, 0, sizeof(params)); +@@ -160,20 +161,19 @@ static void i40e_client_release_qvlist(struct i40e_info *ldev) + + /** + * i40e_notify_client_of_netdev_close - call the client close callback +- * @vsi: the VSI with netdev closed ++ * @pf: PF device pointer + * @reset: true when close called due to a reset pending + * + * If there is a client to this netdev, call the client with close + **/ +-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset) ++void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset) + { +- struct i40e_pf *pf = vsi->back; + struct i40e_client_instance *cdev = pf->cinst; + + if (!cdev || !cdev->client) + return; + if (!cdev->client->ops || !cdev->client->ops->close) { +- dev_dbg(&vsi->back->pdev->dev, ++ dev_dbg(&pf->pdev->dev, + "Cannot locate client instance close routine\n"); + return; + } +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 5823229ae598..fb0dd6f33090 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11313,14 +11313,12 @@ static void i40e_service_task(struct work_struct *work) + i40e_fdir_reinit_subtask(pf); + if (test_and_clear_bit(__I40E_CLIENT_RESET, pf->state)) { + /* Client subtask will reopen next time through. */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], +- true); ++ i40e_notify_client_of_netdev_close(pf, true); + } else { + i40e_client_subtask(pf); + if (test_and_clear_bit(__I40E_CLIENT_L2_CHANGE, + pf->state)) +- i40e_notify_client_of_l2_param_changes( +- pf->vsi[pf->lan_vsi]); ++ i40e_notify_client_of_l2_param_changes(pf); + } + i40e_sync_filters_subtask(pf); + } else { +@@ -16307,7 +16305,7 @@ static void i40e_remove(struct pci_dev *pdev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + i40e_fdir_teardown(pf); + +@@ -16573,7 +16571,7 @@ static void i40e_shutdown(struct pci_dev *pdev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); +@@ -16626,7 +16624,7 @@ static int __maybe_unused i40e_suspend(struct device *dev) + /* Client close must be called explicitly here because the timer + * has been stopped. + */ +- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false); ++ i40e_notify_client_of_netdev_close(pf, false); + + if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE)) + i40e_enable_mc_magic_wake(pf); +-- +2.51.0 + diff --git a/queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch new file mode 100644 index 0000000000..94b3e43138 --- /dev/null +++ b/queue-6.1/i40e-validate-ring_len-parameter-against-hardware-sp.patch @@ -0,0 +1,100 @@ +From 8fe01eea9bf50118183bf344235ef9b0ceaefc8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 22:06:43 +0100 +Subject: i40e: validate ring_len parameter against hardware-specific values + +From: Gregory Herrero + +[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ] + +The maximum number of descriptors supported by the hardware is +hardware-dependent and can be retrieved using +i40e_get_max_num_descriptors(). Move this function to a shared header +and use it when checking for valid ring_len parameter rather than using +hardcoded value. + +By fixing an over-acceptance issue, behavior change could be seen where +ring_len could now be rejected while configuring rx and tx queues if its +size is larger than the hardware-dependent maximum number of +descriptors. + +Fixes: 55d225670def ("i40e: add validation for ring_len param") +Signed-off-by: Gregory Herrero +Tested-by: Rafal Romanowski +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++ + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++-- + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index bc2ccb77dbe0..af60be8626aa 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1325,4 +1325,15 @@ static inline u32 i40e_is_tc_mqprio_enabled(struct i40e_pf *pf) + return pf->flags & I40E_FLAG_TC_MQPRIO; + } + ++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf) ++{ ++ const struct i40e_hw *hw = &pf->hw; ++ ++ switch (hw->mac.type) { ++ case I40E_MAC_XL710: ++ return I40E_MAX_NUM_DESCRIPTORS_XL710; ++ default: ++ return I40E_MAX_NUM_DESCRIPTORS; ++ } ++} + #endif /* _I40E_H_ */ +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index c3378106946c..1aed31bc2e8a 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -2012,18 +2012,6 @@ static void i40e_get_drvinfo(struct net_device *netdev, + drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN; + } + +-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf) +-{ +- struct i40e_hw *hw = &pf->hw; +- +- switch (hw->mac.type) { +- case I40E_MAC_XL710: +- return I40E_MAX_NUM_DESCRIPTORS_XL710; +- default: +- return I40E_MAX_NUM_DESCRIPTORS; +- } +-} +- + static void i40e_get_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring, + struct kernel_ethtool_ringparam *kernel_ring, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 2b2f9bb755b6..1bba77347efb 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 8 */ + if (!IS_ALIGNED(info->ring_len, 8) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_context; + } +@@ -728,7 +728,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 32 */ + if (!IS_ALIGNED(info->ring_len, 32) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_param; + } +-- +2.51.0 + diff --git a/queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..223914428a --- /dev/null +++ b/queue-6.1/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 50080a7f2c01a698e133d33f7230de1cd9fb515c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 7119bce4c091..467ad433a47b 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1783,11 +1783,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-6.1/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.1/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..e64b098a14 --- /dev/null +++ b/queue-6.1/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From 20472c953ef355e2bca2995b8b6f9179a82ab9ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 718fcad69cf1..249c613a9280 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1405,9 +1405,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..e5bc5da806 --- /dev/null +++ b/queue-6.1/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From 10866d25db0e5fdc8142a2168e2a87d9d54d7ebc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index fa54b36b241a..4d148d089232 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..5fa4f42db6 --- /dev/null +++ b/queue-6.1/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From aac1d74d4677db37f88a1acba20996d2411732e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 24666291c54a..72079ef2959b 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-6.1/mac80211-support-rnr-for-ema-ap.patch b/queue-6.1/mac80211-support-rnr-for-ema-ap.patch new file mode 100644 index 0000000000..443349a300 --- /dev/null +++ b/queue-6.1/mac80211-support-rnr-for-ema-ap.patch @@ -0,0 +1,241 @@ +From 102b24b9027d944f1c162075791843948c3d0b3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Mar 2023 04:38:01 -0700 +Subject: mac80211: support RNR for EMA AP + +From: Aloka Dixit + +[ Upstream commit 68b9bea267bfc1259e195dcac1bf69db0c0c28da ] + +Generate EMA beacons, each including MBSSID and RNR elements at a given +index. If number of stored RNR elements is more than the number of +MBSSID elements then add those in every EMA beacon. + +Signed-off-by: Aloka Dixit +Link: https://lore.kernel.org/r/20230323113801.6903-3-quic_alokad@quicinc.com +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 63 +++++++++++++++++++++++++++++++++++--- + net/mac80211/ieee80211_i.h | 21 +++++++++++-- + net/mac80211/tx.c | 10 ++++++ + 3 files changed, 86 insertions(+), 8 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 72dd534492bf..a25d647c1c4b 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1087,6 +1087,23 @@ ieee80211_copy_mbssid_beacon(u8 *pos, struct cfg80211_mbssid_elems *dst, + return offset; + } + ++static int ++ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst, ++ struct cfg80211_rnr_elems *src) ++{ ++ int i, offset = 0; ++ ++ for (i = 0; i < src->cnt; i++) { ++ memcpy(pos + offset, src->elem[i].data, src->elem[i].len); ++ dst->elem[i].len = src->elem[i].len; ++ dst->elem[i].data = pos + offset; ++ offset += dst->elem[i].len; ++ } ++ dst->cnt = src->cnt; ++ ++ return offset; ++} ++ + static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + struct ieee80211_link_data *link, + struct cfg80211_beacon_data *params, +@@ -1094,6 +1111,7 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + const struct ieee80211_color_change_settings *cca) + { + struct cfg80211_mbssid_elems *mbssid = NULL; ++ struct cfg80211_rnr_elems *rnr = NULL; + struct beacon_data *new, *old; + int new_head_len, new_tail_len; + int size, err; +@@ -1125,11 +1143,21 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt); ++ if (params->rnr_ies) { ++ rnr = params->rnr_ies; ++ size += struct_size(new->rnr_ies, elem, rnr->cnt); ++ } ++ size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, ++ mbssid->cnt); + } else if (old && old->mbssid_ies) { + mbssid = old->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt); ++ if (old && old->rnr_ies) { ++ rnr = old->rnr_ies; ++ size += struct_size(new->rnr_ies, elem, rnr->cnt); ++ } ++ size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, ++ mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +@@ -1140,7 +1168,7 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + /* + * pointers go into the block we allocated, +- * memory is | beacon_data | head | tail | mbssid_ies ++ * memory is | beacon_data | head | tail | mbssid_ies | rnr_ies + */ + new->head = ((u8 *) new) + sizeof(*new); + new->tail = new->head + new_head_len; +@@ -1152,7 +1180,13 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + new->mbssid_ies = (void *)pos; + pos += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- ieee80211_copy_mbssid_beacon(pos, new->mbssid_ies, mbssid); ++ pos += ieee80211_copy_mbssid_beacon(pos, new->mbssid_ies, ++ mbssid); ++ if (rnr) { ++ new->rnr_ies = (void *)pos; ++ pos += struct_size(new->rnr_ies, elem, rnr->cnt); ++ ieee80211_copy_rnr_beacon(pos, new->rnr_ies, rnr); ++ } + /* update bssid_indicator */ + link_conf->bssid_indicator = + ilog2(__roundup_pow_of_two(mbssid->cnt + 1)); +@@ -1448,6 +1482,7 @@ static void ieee80211_free_next_beacon(struct ieee80211_link_data *link) + return; + + kfree(link->u.ap.next_beacon->mbssid_ies); ++ kfree(link->u.ap.next_beacon->rnr_ies); + kfree(link->u.ap.next_beacon); + link->u.ap.next_beacon = NULL; + } +@@ -3360,6 +3395,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) + + if (beacon->mbssid_ies) + len += ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies, ++ beacon->rnr_ies, + beacon->mbssid_ies->cnt); + + new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL); +@@ -3375,6 +3411,18 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) + kfree(new_beacon); + return NULL; + } ++ ++ if (beacon->rnr_ies && beacon->rnr_ies->cnt) { ++ new_beacon->rnr_ies = ++ kzalloc(struct_size(new_beacon->rnr_ies, ++ elem, beacon->rnr_ies->cnt), ++ GFP_KERNEL); ++ if (!new_beacon->rnr_ies) { ++ kfree(new_beacon->mbssid_ies); ++ kfree(new_beacon); ++ return NULL; ++ } ++ } + } + + pos = (u8 *)(new_beacon + 1); +@@ -3414,10 +3462,15 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) + memcpy(pos, beacon->probe_resp, beacon->probe_resp_len); + pos += beacon->probe_resp_len; + } +- if (beacon->mbssid_ies && beacon->mbssid_ies->cnt) ++ if (beacon->mbssid_ies && beacon->mbssid_ies->cnt) { + pos += ieee80211_copy_mbssid_beacon(pos, + new_beacon->mbssid_ies, + beacon->mbssid_ies); ++ if (beacon->rnr_ies && beacon->rnr_ies->cnt) ++ pos += ieee80211_copy_rnr_beacon(pos, ++ new_beacon->rnr_ies, ++ beacon->rnr_ies); ++ } + + /* might copy -1, meaning no changes requested */ + new_beacon->ftm_responder = beacon->ftm_responder; +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index d08aa09002df..64f8d8f2b799 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -269,6 +269,7 @@ struct beacon_data { + u16 cntdwn_counter_offsets[IEEE80211_MAX_CNTDWN_COUNTERS_NUM]; + u8 cntdwn_current_counter; + struct cfg80211_mbssid_elems *mbssid_ies; ++ struct cfg80211_rnr_elems *rnr_ies; + struct rcu_head rcu_head; + }; + +@@ -1165,20 +1166,34 @@ ieee80211_vif_get_shift(struct ieee80211_vif *vif) + } + + static inline int +-ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems, u8 i) ++ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems, ++ struct cfg80211_rnr_elems *rnr_elems, ++ u8 i) + { + int len = 0; + + if (!elems || !elems->cnt || i > elems->cnt) + return 0; + +- if (i < elems->cnt) +- return elems->elem[i].len; ++ if (i < elems->cnt) { ++ len = elems->elem[i].len; ++ if (rnr_elems) { ++ len += rnr_elems->elem[i].len; ++ for (i = elems->cnt; i < rnr_elems->cnt; i++) ++ len += rnr_elems->elem[i].len; ++ } ++ return len; ++ } + + /* i == elems->cnt, calculate total length of all MBSSID elements */ + for (i = 0; i < elems->cnt; i++) + len += elems->elem[i].len; + ++ if (rnr_elems) { ++ for (i = 0; i < rnr_elems->cnt; i++) ++ len += rnr_elems->elem[i].len; ++ } ++ + return len; + } + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index 854bad6fbe19..5b7587cda883 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -5149,6 +5149,15 @@ ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon, + if (i < beacon->mbssid_ies->cnt) { + skb_put_data(skb, beacon->mbssid_ies->elem[i].data, + beacon->mbssid_ies->elem[i].len); ++ ++ if (beacon->rnr_ies && beacon->rnr_ies->cnt) { ++ skb_put_data(skb, beacon->rnr_ies->elem[i].data, ++ beacon->rnr_ies->elem[i].len); ++ ++ for (i = beacon->mbssid_ies->cnt; i < beacon->rnr_ies->cnt; i++) ++ skb_put_data(skb, beacon->rnr_ies->elem[i].data, ++ beacon->rnr_ies->elem[i].len); ++ } + return; + } + +@@ -5186,6 +5195,7 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw, + * tail length, maximum TIM length and multiple BSSID length + */ + mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies, ++ beacon->rnr_ies, + ema_index); + + skb = dev_alloc_skb(local->tx_headroom + beacon->head_len + +-- +2.51.0 + diff --git a/queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..440ecf0dae --- /dev/null +++ b/queue-6.1/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From 75cdcb842aa5ed915fe8a6fd01eb96d8057c0c82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 901b9f609b0c..9f3f636587f3 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -224,6 +224,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..f1fae27594 --- /dev/null +++ b/queue-6.1/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From 0d7aa1312bcc7cd937c1161f53d1a3f3c36d2e97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index bdbb873fe6eb..49fb610db484 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1815,6 +1815,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..87ab9b789d --- /dev/null +++ b/queue-6.1/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From bfd71b99988d4bf258438d964b857e4003f30793 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index 944d005d2bd1..77fccb903718 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..146085b74f --- /dev/null +++ b/queue-6.1/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From 903e54de2ea262b391be606981f1910b6ca34c69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 2f61d5bdce1a..7126ff104550 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -153,10 +153,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..1537cd594f --- /dev/null +++ b/queue-6.1/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From d6a27d72b1172494697f4070f1e4e343c81cebfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 5a0bf022a84b..d13ec76a1fec 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch b/queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch new file mode 100644 index 0000000000..609b2affce --- /dev/null +++ b/queue-6.1/net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch @@ -0,0 +1,926 @@ +From ec0e6e10d2fc2ffb27a2c6fcc0987f0be554c0a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 15:04:06 -0500 +Subject: net: stmmac: dwmac4: Allow platforms to specify some DMA/MTL offsets + +From: Andrew Halaney + +[ Upstream commit 33719b57f52e5b761234373f98f55f4e036d61c9 ] + +Some platforms have dwmac4 implementations that have a different +address space layout than the default, resulting in the need to define +their own DMA/MTL offsets. + +Extend the functions to allow a platform driver to indicate what its +addresses are, overriding the defaults. + +Signed-off-by: Andrew Halaney +Reviewed-by: Jesse Brandeburg +Tested-by: Brian Masney +Signed-off-by: Paolo Abeni +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4.h | 101 +++++++++-- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 36 ++-- + .../net/ethernet/stmicro/stmmac/dwmac4_dma.c | 157 ++++++++++-------- + .../net/ethernet/stmicro/stmmac/dwmac4_dma.h | 54 +++--- + .../net/ethernet/stmicro/stmmac/dwmac4_lib.c | 67 +++++--- + include/linux/stmmac.h | 19 +++ + 6 files changed, 293 insertions(+), 141 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h +index 12c0e60809f4..9c16265e527f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h +@@ -339,14 +339,25 @@ enum power_event { + + #define MTL_CHAN_BASE_ADDR 0x00000d00 + #define MTL_CHAN_BASE_OFFSET 0x40 +-#define MTL_CHANX_BASE_ADDR(x) (MTL_CHAN_BASE_ADDR + \ +- (x * MTL_CHAN_BASE_OFFSET)) + +-#define MTL_CHAN_TX_OP_MODE(x) MTL_CHANX_BASE_ADDR(x) +-#define MTL_CHAN_TX_DEBUG(x) (MTL_CHANX_BASE_ADDR(x) + 0x8) +-#define MTL_CHAN_INT_CTRL(x) (MTL_CHANX_BASE_ADDR(x) + 0x2c) +-#define MTL_CHAN_RX_OP_MODE(x) (MTL_CHANX_BASE_ADDR(x) + 0x30) +-#define MTL_CHAN_RX_DEBUG(x) (MTL_CHANX_BASE_ADDR(x) + 0x38) ++static inline u32 mtl_chanx_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_chan + (x * addrs->mtl_chan_offset); ++ else ++ addr = MTL_CHAN_BASE_ADDR + (x * MTL_CHAN_BASE_OFFSET); ++ ++ return addr; ++} ++ ++#define MTL_CHAN_TX_OP_MODE(addrs, x) mtl_chanx_base_addr(addrs, x) ++#define MTL_CHAN_TX_DEBUG(addrs, x) (mtl_chanx_base_addr(addrs, x) + 0x8) ++#define MTL_CHAN_INT_CTRL(addrs, x) (mtl_chanx_base_addr(addrs, x) + 0x2c) ++#define MTL_CHAN_RX_OP_MODE(addrs, x) (mtl_chanx_base_addr(addrs, x) + 0x30) ++#define MTL_CHAN_RX_DEBUG(addrs, x) (mtl_chanx_base_addr(addrs, x) + 0x38) + + #define MTL_OP_MODE_RSF BIT(5) + #define MTL_OP_MODE_TXQEN_MASK GENMASK(3, 2) +@@ -391,8 +402,19 @@ enum power_event { + /* MTL ETS Control register */ + #define MTL_ETS_CTRL_BASE_ADDR 0x00000d10 + #define MTL_ETS_CTRL_BASE_OFFSET 0x40 +-#define MTL_ETSX_CTRL_BASE_ADDR(x) (MTL_ETS_CTRL_BASE_ADDR + \ +- ((x) * MTL_ETS_CTRL_BASE_OFFSET)) ++ ++static inline u32 mtl_etsx_ctrl_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_ets_ctrl + (x * addrs->mtl_ets_ctrl_offset); ++ else ++ addr = MTL_ETS_CTRL_BASE_ADDR + (x * MTL_ETS_CTRL_BASE_OFFSET); ++ ++ return addr; ++} + + #define MTL_ETS_CTRL_CC BIT(3) + #define MTL_ETS_CTRL_AVALG BIT(2) +@@ -400,31 +422,76 @@ enum power_event { + /* MTL Queue Quantum Weight */ + #define MTL_TXQ_WEIGHT_BASE_ADDR 0x00000d18 + #define MTL_TXQ_WEIGHT_BASE_OFFSET 0x40 +-#define MTL_TXQX_WEIGHT_BASE_ADDR(x) (MTL_TXQ_WEIGHT_BASE_ADDR + \ +- ((x) * MTL_TXQ_WEIGHT_BASE_OFFSET)) ++ ++static inline u32 mtl_txqx_weight_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_txq_weight + (x * addrs->mtl_txq_weight_offset); ++ else ++ addr = MTL_TXQ_WEIGHT_BASE_ADDR + (x * MTL_TXQ_WEIGHT_BASE_OFFSET); ++ ++ return addr; ++} ++ + #define MTL_TXQ_WEIGHT_ISCQW_MASK GENMASK(20, 0) + + /* MTL sendSlopeCredit register */ + #define MTL_SEND_SLP_CRED_BASE_ADDR 0x00000d1c + #define MTL_SEND_SLP_CRED_OFFSET 0x40 +-#define MTL_SEND_SLP_CREDX_BASE_ADDR(x) (MTL_SEND_SLP_CRED_BASE_ADDR + \ +- ((x) * MTL_SEND_SLP_CRED_OFFSET)) ++ ++static inline u32 mtl_send_slp_credx_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_send_slp_cred + (x * addrs->mtl_send_slp_cred_offset); ++ else ++ addr = MTL_SEND_SLP_CRED_BASE_ADDR + (x * MTL_SEND_SLP_CRED_OFFSET); ++ ++ return addr; ++} + + #define MTL_SEND_SLP_CRED_SSC_MASK GENMASK(13, 0) + + /* MTL hiCredit register */ + #define MTL_HIGH_CRED_BASE_ADDR 0x00000d20 + #define MTL_HIGH_CRED_OFFSET 0x40 +-#define MTL_HIGH_CREDX_BASE_ADDR(x) (MTL_HIGH_CRED_BASE_ADDR + \ +- ((x) * MTL_HIGH_CRED_OFFSET)) ++ ++static inline u32 mtl_high_credx_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_high_cred + (x * addrs->mtl_high_cred_offset); ++ else ++ addr = MTL_HIGH_CRED_BASE_ADDR + (x * MTL_HIGH_CRED_OFFSET); ++ ++ return addr; ++} + + #define MTL_HIGH_CRED_HC_MASK GENMASK(28, 0) + + /* MTL loCredit register */ + #define MTL_LOW_CRED_BASE_ADDR 0x00000d24 + #define MTL_LOW_CRED_OFFSET 0x40 +-#define MTL_LOW_CREDX_BASE_ADDR(x) (MTL_LOW_CRED_BASE_ADDR + \ +- ((x) * MTL_LOW_CRED_OFFSET)) ++ ++static inline u32 mtl_low_credx_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->mtl_low_cred + (x * addrs->mtl_low_cred_offset); ++ else ++ addr = MTL_LOW_CRED_BASE_ADDR + (x * MTL_LOW_CRED_OFFSET); ++ ++ return addr; ++} + + #define MTL_HIGH_CRED_LC_MASK GENMASK(28, 0) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index 279977d0d565..e7c1e150e2e9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -230,12 +230,14 @@ static void dwmac4_set_mtl_tx_queue_weight(struct stmmac_priv *priv, + struct mac_device_info *hw, + u32 weight, u32 queue) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + void __iomem *ioaddr = hw->pcsr; +- u32 value = readl(ioaddr + MTL_TXQX_WEIGHT_BASE_ADDR(queue)); ++ u32 value = readl(ioaddr + mtl_txqx_weight_base_addr(dwmac4_addrs, ++ queue)); + + value &= ~MTL_TXQ_WEIGHT_ISCQW_MASK; + value |= weight & MTL_TXQ_WEIGHT_ISCQW_MASK; +- writel(value, ioaddr + MTL_TXQX_WEIGHT_BASE_ADDR(queue)); ++ writel(value, ioaddr + mtl_txqx_weight_base_addr(dwmac4_addrs, queue)); + } + + static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan) +@@ -270,6 +272,7 @@ static void dwmac4_config_cbs(struct stmmac_priv *priv, + u32 send_slope, u32 idle_slope, + u32 high_credit, u32 low_credit, u32 queue) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + void __iomem *ioaddr = hw->pcsr; + u32 value; + +@@ -280,31 +283,33 @@ static void dwmac4_config_cbs(struct stmmac_priv *priv, + pr_debug("\tlow_credit: 0x%08x\n", low_credit); + + /* enable AV algorithm */ +- value = readl(ioaddr + MTL_ETSX_CTRL_BASE_ADDR(queue)); ++ value = readl(ioaddr + mtl_etsx_ctrl_base_addr(dwmac4_addrs, queue)); + value |= MTL_ETS_CTRL_AVALG; + value |= MTL_ETS_CTRL_CC; +- writel(value, ioaddr + MTL_ETSX_CTRL_BASE_ADDR(queue)); ++ writel(value, ioaddr + mtl_etsx_ctrl_base_addr(dwmac4_addrs, queue)); + + /* configure send slope */ +- value = readl(ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue)); ++ value = readl(ioaddr + mtl_send_slp_credx_base_addr(dwmac4_addrs, ++ queue)); + value &= ~MTL_SEND_SLP_CRED_SSC_MASK; + value |= send_slope & MTL_SEND_SLP_CRED_SSC_MASK; +- writel(value, ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue)); ++ writel(value, ioaddr + mtl_send_slp_credx_base_addr(dwmac4_addrs, ++ queue)); + + /* configure idle slope (same register as tx weight) */ + dwmac4_set_mtl_tx_queue_weight(priv, hw, idle_slope, queue); + + /* configure high credit */ +- value = readl(ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue)); ++ value = readl(ioaddr + mtl_high_credx_base_addr(dwmac4_addrs, queue)); + value &= ~MTL_HIGH_CRED_HC_MASK; + value |= high_credit & MTL_HIGH_CRED_HC_MASK; +- writel(value, ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue)); ++ writel(value, ioaddr + mtl_high_credx_base_addr(dwmac4_addrs, queue)); + + /* configure high credit */ +- value = readl(ioaddr + MTL_LOW_CREDX_BASE_ADDR(queue)); ++ value = readl(ioaddr + mtl_low_credx_base_addr(dwmac4_addrs, queue)); + value &= ~MTL_HIGH_CRED_LC_MASK; + value |= low_credit & MTL_HIGH_CRED_LC_MASK; +- writel(value, ioaddr + MTL_LOW_CREDX_BASE_ADDR(queue)); ++ writel(value, ioaddr + mtl_low_credx_base_addr(dwmac4_addrs, queue)); + } + + static void dwmac4_dump_regs(struct mac_device_info *hw, u32 *reg_space) +@@ -800,6 +805,7 @@ static void dwmac4_phystatus(void __iomem *ioaddr, struct stmmac_extra_stats *x) + static int dwmac4_irq_mtl_status(struct stmmac_priv *priv, + struct mac_device_info *hw, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + void __iomem *ioaddr = hw->pcsr; + u32 mtl_int_qx_status; + int ret = 0; +@@ -809,12 +815,13 @@ static int dwmac4_irq_mtl_status(struct stmmac_priv *priv, + /* Check MTL Interrupt */ + if (mtl_int_qx_status & MTL_INT_QX(chan)) { + /* read Queue x Interrupt status */ +- u32 status = readl(ioaddr + MTL_CHAN_INT_CTRL(chan)); ++ u32 status = readl(ioaddr + MTL_CHAN_INT_CTRL(dwmac4_addrs, ++ chan)); + + if (status & MTL_RX_OVERFLOW_INT) { + /* clear Interrupt */ + writel(status | MTL_RX_OVERFLOW_INT, +- ioaddr + MTL_CHAN_INT_CTRL(chan)); ++ ioaddr + MTL_CHAN_INT_CTRL(dwmac4_addrs, chan)); + ret = CORE_IRQ_MTL_RX_OVERFLOW; + } + } +@@ -876,11 +883,12 @@ static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, + u32 rx_queues, u32 tx_queues) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + u32 queue; + + for (queue = 0; queue < tx_queues; queue++) { +- value = readl(ioaddr + MTL_CHAN_TX_DEBUG(queue)); ++ value = readl(ioaddr + MTL_CHAN_TX_DEBUG(dwmac4_addrs, queue)); + + if (value & MTL_DEBUG_TXSTSFSTS) + x->mtl_tx_status_fifo_full++; +@@ -905,7 +913,7 @@ static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr, + } + + for (queue = 0; queue < rx_queues; queue++) { +- value = readl(ioaddr + MTL_CHAN_RX_DEBUG(queue)); ++ value = readl(ioaddr + MTL_CHAN_RX_DEBUG(dwmac4_addrs, queue)); + + if (value & MTL_DEBUG_RXFSTS_MASK) { + u32 rxfsts = (value & MTL_DEBUG_RXFSTS_MASK) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +index 6f255d12f60f..84d3a8551b03 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +@@ -13,6 +13,7 @@ + #include + #include "dwmac4.h" + #include "dwmac4_dma.h" ++#include "stmmac.h" + + static void dwmac4_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi) + { +@@ -73,18 +74,20 @@ static void dwmac4_dma_init_rx_chan(struct stmmac_priv *priv, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_rx_phy, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + u32 rxpbl = dma_cfg->rxpbl ?: dma_cfg->pbl; + +- value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + value = value | (rxpbl << DMA_BUS_MODE_RPBL_SHIFT); +- writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + + if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && likely(dma_cfg->eame)) + writel(upper_32_bits(dma_rx_phy), +- ioaddr + DMA_CHAN_RX_BASE_ADDR_HI(chan)); ++ ioaddr + DMA_CHAN_RX_BASE_ADDR_HI(dwmac4_addrs, chan)); + +- writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_CHAN_RX_BASE_ADDR(chan)); ++ writel(lower_32_bits(dma_rx_phy), ++ ioaddr + DMA_CHAN_RX_BASE_ADDR(dwmac4_addrs, chan)); + } + + static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv, +@@ -92,57 +95,61 @@ static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_tx_phy, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + u32 txpbl = dma_cfg->txpbl ?: dma_cfg->pbl; + +- value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + value = value | (txpbl << DMA_BUS_MODE_PBL_SHIFT); + + /* Enable OSP to get best performance */ + value |= DMA_CONTROL_OSP; + +- writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + + if (IS_ENABLED(CONFIG_ARCH_DMA_ADDR_T_64BIT) && likely(dma_cfg->eame)) + writel(upper_32_bits(dma_tx_phy), +- ioaddr + DMA_CHAN_TX_BASE_ADDR_HI(chan)); ++ ioaddr + DMA_CHAN_TX_BASE_ADDR_HI(dwmac4_addrs, chan)); + +- writel(lower_32_bits(dma_tx_phy), ioaddr + DMA_CHAN_TX_BASE_ADDR(chan)); ++ writel(lower_32_bits(dma_tx_phy), ++ ioaddr + DMA_CHAN_TX_BASE_ADDR(dwmac4_addrs, chan)); + } + + static void dwmac4_dma_init_channel(struct stmmac_priv *priv, + void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + + /* common channel control register config */ +- value = readl(ioaddr + DMA_CHAN_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + if (dma_cfg->pblx8) + value = value | DMA_BUS_MODE_PBL; +- writel(value, ioaddr + DMA_CHAN_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + + /* Mask interrupts by writing to CSR7 */ + writel(DMA_CHAN_INTR_DEFAULT_MASK, +- ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + static void dwmac410_dma_init_channel(struct stmmac_priv *priv, + void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + + /* common channel control register config */ +- value = readl(ioaddr + DMA_CHAN_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + if (dma_cfg->pblx8) + value = value | DMA_BUS_MODE_PBL; + +- writel(value, ioaddr + DMA_CHAN_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + + /* Mask interrupts by writing to CSR7 */ + writel(DMA_CHAN_INTR_DEFAULT_MASK_4_10, +- ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + static void dwmac4_dma_init(void __iomem *ioaddr, +@@ -184,40 +191,46 @@ static void _dwmac4_dump_dma_regs(struct stmmac_priv *priv, + void __iomem *ioaddr, u32 channel, + u32 *reg_space) + { +- reg_space[DMA_CHAN_CONTROL(channel) / 4] = +- readl(ioaddr + DMA_CHAN_CONTROL(channel)); +- reg_space[DMA_CHAN_TX_CONTROL(channel) / 4] = +- readl(ioaddr + DMA_CHAN_TX_CONTROL(channel)); +- reg_space[DMA_CHAN_RX_CONTROL(channel) / 4] = +- readl(ioaddr + DMA_CHAN_RX_CONTROL(channel)); +- reg_space[DMA_CHAN_TX_BASE_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_TX_BASE_ADDR(channel)); +- reg_space[DMA_CHAN_RX_BASE_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_RX_BASE_ADDR(channel)); +- reg_space[DMA_CHAN_TX_END_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_TX_END_ADDR(channel)); +- reg_space[DMA_CHAN_RX_END_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_RX_END_ADDR(channel)); +- reg_space[DMA_CHAN_TX_RING_LEN(channel) / 4] = +- readl(ioaddr + DMA_CHAN_TX_RING_LEN(channel)); +- reg_space[DMA_CHAN_RX_RING_LEN(channel) / 4] = +- readl(ioaddr + DMA_CHAN_RX_RING_LEN(channel)); +- reg_space[DMA_CHAN_INTR_ENA(channel) / 4] = +- readl(ioaddr + DMA_CHAN_INTR_ENA(channel)); +- reg_space[DMA_CHAN_RX_WATCHDOG(channel) / 4] = +- readl(ioaddr + DMA_CHAN_RX_WATCHDOG(channel)); +- reg_space[DMA_CHAN_SLOT_CTRL_STATUS(channel) / 4] = +- readl(ioaddr + DMA_CHAN_SLOT_CTRL_STATUS(channel)); +- reg_space[DMA_CHAN_CUR_TX_DESC(channel) / 4] = +- readl(ioaddr + DMA_CHAN_CUR_TX_DESC(channel)); +- reg_space[DMA_CHAN_CUR_RX_DESC(channel) / 4] = +- readl(ioaddr + DMA_CHAN_CUR_RX_DESC(channel)); +- reg_space[DMA_CHAN_CUR_TX_BUF_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_CUR_TX_BUF_ADDR(channel)); +- reg_space[DMA_CHAN_CUR_RX_BUF_ADDR(channel) / 4] = +- readl(ioaddr + DMA_CHAN_CUR_RX_BUF_ADDR(channel)); +- reg_space[DMA_CHAN_STATUS(channel) / 4] = +- readl(ioaddr + DMA_CHAN_STATUS(channel)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ const struct dwmac4_addrs *default_addrs = NULL; ++ ++ /* Purposely save the registers in the "normal" layout, regardless of ++ * platform modifications, to keep reg_space size constant ++ */ ++ reg_space[DMA_CHAN_CONTROL(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_TX_CONTROL(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_RX_CONTROL(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_TX_BASE_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_TX_BASE_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_RX_BASE_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_RX_BASE_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_TX_END_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_TX_END_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_RX_END_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_RX_END_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_TX_RING_LEN(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_TX_RING_LEN(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_RX_RING_LEN(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_RX_RING_LEN(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_INTR_ENA(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_RX_WATCHDOG(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_RX_WATCHDOG(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_SLOT_CTRL_STATUS(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_SLOT_CTRL_STATUS(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_CUR_TX_DESC(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_CUR_TX_DESC(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_CUR_RX_DESC(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_CUR_RX_DESC(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_CUR_TX_BUF_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_CUR_TX_BUF_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_CUR_RX_BUF_ADDR(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_CUR_RX_BUF_ADDR(dwmac4_addrs, channel)); ++ reg_space[DMA_CHAN_STATUS(default_addrs, channel) / 4] = ++ readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, channel)); + } + + static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr, +@@ -232,17 +245,20 @@ static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr, + static void dwmac4_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 riwt, u32 queue) + { +- writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(queue)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(dwmac4_addrs, queue)); + } + + static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv, + void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + unsigned int rqs = fifosz / 256 - 1; + u32 mtl_rx_op; + +- mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(channel)); ++ mtl_rx_op = readl(ioaddr + MTL_CHAN_RX_OP_MODE(dwmac4_addrs, channel)); + + if (mode == SF_DMA_MODE) { + pr_debug("GMAC: enable RX store and forward mode\n"); +@@ -300,14 +316,16 @@ static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv, + mtl_rx_op |= rfa << MTL_OP_MODE_RFA_SHIFT; + } + +- writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel)); ++ writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(dwmac4_addrs, channel)); + } + + static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv, + void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { +- u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs, ++ channel)); + unsigned int tqs = fifosz / 256 - 1; + + if (mode == SF_DMA_MODE) { +@@ -353,7 +371,7 @@ static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv, + mtl_tx_op &= ~MTL_OP_MODE_TQS_MASK; + mtl_tx_op |= tqs << MTL_OP_MODE_TQS_SHIFT; + +- writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(channel)); ++ writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs, channel)); + } + + static int dwmac4_get_hw_feature(void __iomem *ioaddr, +@@ -454,25 +472,28 @@ static int dwmac4_get_hw_feature(void __iomem *ioaddr, + static void dwmac4_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr, + bool en, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value; + + if (en) { + /* enable TSO */ +- value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + writel(value | DMA_CONTROL_TSE, +- ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + } else { + /* enable TSO */ +- value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + writel(value & ~DMA_CONTROL_TSE, +- ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + } + } + + static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 channel, u8 qmode) + { +- u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs, ++ channel)); + + mtl_tx_op &= ~MTL_OP_MODE_TXQEN_MASK; + if (qmode != MTL_QUEUE_AVB) +@@ -480,50 +501,54 @@ static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr, + else + mtl_tx_op |= MTL_OP_MODE_TXQEN_AV; + +- writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(channel)); ++ writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(dwmac4_addrs, channel)); + } + + static void dwmac4_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr, + int bfsize, u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + + value &= ~DMA_RBSZ_MASK; + value |= (bfsize << DMA_RBSZ_SHIFT) & DMA_RBSZ_MASK; + +- writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + } + + static void dwmac4_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr, + bool en, u32 chan) + { ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 value = readl(ioaddr + GMAC_EXT_CONFIG); + + value &= ~GMAC_CONFIG_HDSMS; + value |= GMAC_CONFIG_HDSMS_256; /* Segment max 256 bytes */ + writel(value, ioaddr + GMAC_EXT_CONFIG); + +- value = readl(ioaddr + DMA_CHAN_CONTROL(chan)); ++ value = readl(ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + if (en) + value |= DMA_CONTROL_SPH; + else + value &= ~DMA_CONTROL_SPH; +- writel(value, ioaddr + DMA_CHAN_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_CONTROL(dwmac4_addrs, chan)); + } + + static int dwmac4_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr, + bool en, u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + + if (en) + value |= DMA_CONTROL_EDSE; + else + value &= ~DMA_CONTROL_EDSE; + +- writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + +- value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)) & DMA_CONTROL_EDSE; ++ value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, ++ chan)) & DMA_CONTROL_EDSE; + if (en && !value) + return -EIO; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h +index 740c3bc8d9a0..358e7dcb6a9a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h +@@ -95,29 +95,41 @@ + /* Following DMA defines are chanels oriented */ + #define DMA_CHAN_BASE_ADDR 0x00001100 + #define DMA_CHAN_BASE_OFFSET 0x80 +-#define DMA_CHANX_BASE_ADDR(x) (DMA_CHAN_BASE_ADDR + \ +- (x * DMA_CHAN_BASE_OFFSET)) ++ ++static inline u32 dma_chanx_base_addr(const struct dwmac4_addrs *addrs, ++ const u32 x) ++{ ++ u32 addr; ++ ++ if (addrs) ++ addr = addrs->dma_chan + (x * addrs->dma_chan_offset); ++ else ++ addr = DMA_CHAN_BASE_ADDR + (x * DMA_CHAN_BASE_OFFSET); ++ ++ return addr; ++} ++ + #define DMA_CHAN_REG_NUMBER 17 + +-#define DMA_CHAN_CONTROL(x) DMA_CHANX_BASE_ADDR(x) +-#define DMA_CHAN_TX_CONTROL(x) (DMA_CHANX_BASE_ADDR(x) + 0x4) +-#define DMA_CHAN_RX_CONTROL(x) (DMA_CHANX_BASE_ADDR(x) + 0x8) +-#define DMA_CHAN_TX_BASE_ADDR_HI(x) (DMA_CHANX_BASE_ADDR(x) + 0x10) +-#define DMA_CHAN_TX_BASE_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x14) +-#define DMA_CHAN_RX_BASE_ADDR_HI(x) (DMA_CHANX_BASE_ADDR(x) + 0x18) +-#define DMA_CHAN_RX_BASE_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x1c) +-#define DMA_CHAN_TX_END_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x20) +-#define DMA_CHAN_RX_END_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x28) +-#define DMA_CHAN_TX_RING_LEN(x) (DMA_CHANX_BASE_ADDR(x) + 0x2c) +-#define DMA_CHAN_RX_RING_LEN(x) (DMA_CHANX_BASE_ADDR(x) + 0x30) +-#define DMA_CHAN_INTR_ENA(x) (DMA_CHANX_BASE_ADDR(x) + 0x34) +-#define DMA_CHAN_RX_WATCHDOG(x) (DMA_CHANX_BASE_ADDR(x) + 0x38) +-#define DMA_CHAN_SLOT_CTRL_STATUS(x) (DMA_CHANX_BASE_ADDR(x) + 0x3c) +-#define DMA_CHAN_CUR_TX_DESC(x) (DMA_CHANX_BASE_ADDR(x) + 0x44) +-#define DMA_CHAN_CUR_RX_DESC(x) (DMA_CHANX_BASE_ADDR(x) + 0x4c) +-#define DMA_CHAN_CUR_TX_BUF_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x54) +-#define DMA_CHAN_CUR_RX_BUF_ADDR(x) (DMA_CHANX_BASE_ADDR(x) + 0x5c) +-#define DMA_CHAN_STATUS(x) (DMA_CHANX_BASE_ADDR(x) + 0x60) ++#define DMA_CHAN_CONTROL(addrs, x) dma_chanx_base_addr(addrs, x) ++#define DMA_CHAN_TX_CONTROL(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x4) ++#define DMA_CHAN_RX_CONTROL(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x8) ++#define DMA_CHAN_TX_BASE_ADDR_HI(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x10) ++#define DMA_CHAN_TX_BASE_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x14) ++#define DMA_CHAN_RX_BASE_ADDR_HI(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x18) ++#define DMA_CHAN_RX_BASE_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x1c) ++#define DMA_CHAN_TX_END_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x20) ++#define DMA_CHAN_RX_END_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x28) ++#define DMA_CHAN_TX_RING_LEN(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x2c) ++#define DMA_CHAN_RX_RING_LEN(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x30) ++#define DMA_CHAN_INTR_ENA(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x34) ++#define DMA_CHAN_RX_WATCHDOG(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x38) ++#define DMA_CHAN_SLOT_CTRL_STATUS(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x3c) ++#define DMA_CHAN_CUR_TX_DESC(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x44) ++#define DMA_CHAN_CUR_RX_DESC(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x4c) ++#define DMA_CHAN_CUR_TX_BUF_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x54) ++#define DMA_CHAN_CUR_RX_BUF_ADDR(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x5c) ++#define DMA_CHAN_STATUS(addrs, x) (dma_chanx_base_addr(addrs, x) + 0x60) + + /* DMA Control X */ + #define DMA_CONTROL_SPH BIT(24) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +index 57328f010ab9..03ceb6a94073 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +@@ -11,6 +11,7 @@ + #include "common.h" + #include "dwmac4_dma.h" + #include "dwmac4.h" ++#include "stmmac.h" + + int dwmac4_dma_reset(void __iomem *ioaddr) + { +@@ -28,22 +29,27 @@ int dwmac4_dma_reset(void __iomem *ioaddr) + void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 tail_ptr, u32 chan) + { +- writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(dwmac4_addrs, chan)); + } + + void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 tail_ptr, u32 chan) + { +- writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(dwmac4_addrs, chan)); + } + + void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + + value |= DMA_CONTROL_ST; +- writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + + value = readl(ioaddr + GMAC_CONFIG); + value |= GMAC_CONFIG_TE; +@@ -53,20 +59,24 @@ void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, + void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + + value &= ~DMA_CONTROL_ST; +- writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_TX_CONTROL(dwmac4_addrs, chan)); + } + + void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + + value |= DMA_CONTROL_SR; + +- writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + + value = readl(ioaddr + GMAC_CONFIG); + value |= GMAC_CONFIG_RE; +@@ -76,81 +86,91 @@ void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, + void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan) + { +- u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + + value &= ~DMA_CONTROL_SR; +- writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); ++ writel(value, ioaddr + DMA_CHAN_RX_CONTROL(dwmac4_addrs, chan)); + } + + void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 len, u32 chan) + { +- writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(dwmac4_addrs, chan)); + } + + void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 len, u32 chan) + { +- writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ ++ writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(dwmac4_addrs, chan)); + } + + void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan, bool rx, bool tx) + { +- u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + + if (rx) + value |= DMA_CHAN_INTR_DEFAULT_RX; + if (tx) + value |= DMA_CHAN_INTR_DEFAULT_TX; + +- writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan, bool rx, bool tx) + { +- u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + + if (rx) + value |= DMA_CHAN_INTR_DEFAULT_RX_4_10; + if (tx) + value |= DMA_CHAN_INTR_DEFAULT_TX_4_10; + +- writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan, bool rx, bool tx) + { +- u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + + if (rx) + value &= ~DMA_CHAN_INTR_DEFAULT_RX; + if (tx) + value &= ~DMA_CHAN_INTR_DEFAULT_TX; + +- writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, + u32 chan, bool rx, bool tx) + { +- u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + + if (rx) + value &= ~DMA_CHAN_INTR_DEFAULT_RX_4_10; + if (tx) + value &= ~DMA_CHAN_INTR_DEFAULT_TX_4_10; + +- writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ writel(value, ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + } + + int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, u32 dir) + { +- u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(chan)); +- u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); ++ const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; ++ u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan)); ++ u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); + int ret = 0; + + if (dir == DMA_DIR_RX) +@@ -195,7 +215,8 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + if (unlikely(intr_status & DMA_CHAN_STATUS_ERI)) + x->rx_early_irq++; + +- writel(intr_status & intr_en, ioaddr + DMA_CHAN_STATUS(chan)); ++ writel(intr_status & intr_en, ++ ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan)); + return ret; + } + +diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h +index c97df9464f90..7c7553efa698 100644 +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -187,6 +187,24 @@ struct stmmac_safety_feature_cfg { + u32 tmouten; + }; + ++/* Addresses that may be customized by a platform */ ++struct dwmac4_addrs { ++ u32 dma_chan; ++ u32 dma_chan_offset; ++ u32 mtl_chan; ++ u32 mtl_chan_offset; ++ u32 mtl_ets_ctrl; ++ u32 mtl_ets_ctrl_offset; ++ u32 mtl_txq_weight; ++ u32 mtl_txq_weight_offset; ++ u32 mtl_send_slp_cred; ++ u32 mtl_send_slp_cred_offset; ++ u32 mtl_high_cred; ++ u32 mtl_high_cred_offset; ++ u32 mtl_low_cred; ++ u32 mtl_low_cred_offset; ++}; ++ + struct plat_stmmacenet_data { + int bus_id; + int phy_addr; +@@ -274,5 +292,6 @@ struct plat_stmmacenet_data { + bool use_phy_wol; + bool sph_disable; + bool serdes_up_after_phy_linkup; ++ const struct dwmac4_addrs *dwmac4_addrs; + }; + #endif +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch new file mode 100644 index 0000000000..ad6a59d21f --- /dev/null +++ b/queue-6.1/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch @@ -0,0 +1,96 @@ +From 3eb5fda5511625e96c03ede4b6366c2e2bc11ae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 15:13:32 +0800 +Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action + +From: Wei Fang + +[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ] + +There is a crash issue when running zero copy XDP_TX action, the crash +log is shown below. + +[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 +[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP +[ 216.301694] Call trace: +[ 216.304130] dcache_clean_poc+0x20/0x38 (P) +[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 +[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 +[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 +[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 +[ 216.326576] __napi_poll+0x40/0x218 +[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt + +For XDP_TX action, the xdp_buff is converted to xdp_frame by +xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame +depends on the memory type of the xdp_buff. For page pool based xdp_buff +it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy +XSK pool based xdp_buff it produces xdp_frame with memory type +MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the +memory type and always uses the page pool type, this leads to invalid +mappings and causes the crash. Therefore, check the xdp_buff memory type +in stmmac_xdp_xmit_back() to fix this issue. + +Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy") +Signed-off-by: Wei Fang +Reviewed-by: Hariprasad Kelam +Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index b2362e107f20..438d0b7da345 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -86,6 +86,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address"); + #define STMMAC_XDP_CONSUMED BIT(0) + #define STMMAC_XDP_TX BIT(1) + #define STMMAC_XDP_REDIRECT BIT(2) ++#define STMMAC_XSK_CONSUMED BIT(3) + + static int flow_ctrl = FLOW_AUTO; + module_param(flow_ctrl, int, 0644); +@@ -4839,6 +4840,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv, + static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + struct xdp_buff *xdp) + { ++ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL); + struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp); + int cpu = smp_processor_id(); + struct netdev_queue *nq; +@@ -4855,9 +4857,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + /* Avoids TX time-out as we are sharing with slow path */ + txq_trans_cond_update(nq); + +- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false); +- if (res == STMMAC_XDP_TX) ++ /* For zero copy XDP_TX action, dma_map is true */ ++ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc); ++ if (res == STMMAC_XDP_TX) { + stmmac_flush_tx_descriptors(priv, queue); ++ } else if (res == STMMAC_XDP_CONSUMED && zc) { ++ /* xdp has been freed by xdp_convert_buff_to_frame(), ++ * no need to call xsk_buff_free() again, so return ++ * STMMAC_XSK_CONSUMED. ++ */ ++ res = STMMAC_XSK_CONSUMED; ++ xdp_return_frame(xdpf); ++ } + + __netif_tx_unlock(nq); + +@@ -5188,6 +5199,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + case STMMAC_XDP_CONSUMED: + xsk_buff_free(buf->xdp); ++ fallthrough; ++ case STMMAC_XSK_CONSUMED: + rx_dropped++; + break; + case STMMAC_XDP_TX: +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch b/queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch new file mode 100644 index 0000000000..108317a753 --- /dev/null +++ b/queue-6.1/net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch @@ -0,0 +1,104 @@ +From 4bce10d4d5ed783831842d4a2d0a1149e48f7fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Apr 2023 14:45:01 +0800 +Subject: net: stmmac: introduce wrapper for struct xdp_buff + +From: Song Yoong Siang + +[ Upstream commit 5b24324a907c996faf47ea3969499e04beea9c4f ] + +Introduce struct stmmac_xdp_buff as a preparation to support XDP Rx +metadata via kfuncs. + +Signed-off-by: Song Yoong Siang +Reviewed-by: Jacob Keller +Acked-by: Jesper Dangaard Brouer +Signed-off-by: Jakub Kicinski +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 4 ++++ + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 18 +++++++++--------- + 2 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +index 46944c02b45e..b9b41dd18cde 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -92,6 +92,10 @@ struct stmmac_rx_buffer { + dma_addr_t sec_addr; + }; + ++struct stmmac_xdp_buff { ++ struct xdp_buff xdp; ++}; ++ + struct stmmac_rx_queue { + u32 rx_count_frames; + u32 queue_index; +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 0483e8c2f1de..4aeacb5fe81e 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -5217,7 +5217,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + enum dma_data_direction dma_dir; + unsigned int desc_size; + struct sk_buff *skb = NULL; +- struct xdp_buff xdp; ++ struct stmmac_xdp_buff ctx; + int xdp_status = 0; + int buf_sz; + +@@ -5339,17 +5339,17 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + dma_sync_single_for_cpu(priv->device, buf->addr, + buf1_len, dma_dir); + +- xdp_init_buff(&xdp, buf_sz, &rx_q->xdp_rxq); +- xdp_prepare_buff(&xdp, page_address(buf->page), ++ xdp_init_buff(&ctx.xdp, buf_sz, &rx_q->xdp_rxq); ++ xdp_prepare_buff(&ctx.xdp, page_address(buf->page), + buf->page_offset, buf1_len, false); + +- pre_len = xdp.data_end - xdp.data_hard_start - ++ pre_len = ctx.xdp.data_end - ctx.xdp.data_hard_start - + buf->page_offset; +- skb = stmmac_xdp_run_prog(priv, &xdp); ++ skb = stmmac_xdp_run_prog(priv, &ctx.xdp); + /* Due xdp_adjust_tail: DMA sync for_device + * cover max len CPU touch + */ +- sync_len = xdp.data_end - xdp.data_hard_start - ++ sync_len = ctx.xdp.data_end - ctx.xdp.data_hard_start - + buf->page_offset; + sync_len = max(sync_len, pre_len); + +@@ -5359,7 +5359,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + + if (xdp_res & STMMAC_XDP_CONSUMED) { + page_pool_put_page(rx_q->page_pool, +- virt_to_head_page(xdp.data), ++ virt_to_head_page(ctx.xdp.data), + sync_len, true); + buf->page = NULL; + priv->dev->stats.rx_dropped++; +@@ -5387,7 +5387,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + + if (!skb) { + /* XDP program may expand or reduce tail */ +- buf1_len = xdp.data_end - xdp.data; ++ buf1_len = ctx.xdp.data_end - ctx.xdp.data; + + skb = napi_alloc_skb(&ch->rx_napi, buf1_len); + if (!skb) { +@@ -5397,7 +5397,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + } + + /* XDP program may adjust header */ +- skb_copy_to_linear_data(skb, xdp.data, buf1_len); ++ skb_copy_to_linear_data(skb, ctx.xdp.data, buf1_len); + skb_put(skb, buf1_len); + + /* Data payload copied into SKB, page ready for recycle */ +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch b/queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch new file mode 100644 index 0000000000..51a4bce04e --- /dev/null +++ b/queue-6.1/net-stmmac-pass-stmmac_priv-in-some-callbacks.patch @@ -0,0 +1,1279 @@ +From e86e71dbabb8d186122ce545090895639cc8be5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 15:04:05 -0500 +Subject: net: stmmac: Pass stmmac_priv in some callbacks + +From: Andrew Halaney + +[ Upstream commit 1d84b487bc2d9061bd00203f571e5cb99fe0a312 ] + +Passing stmmac_priv to some of the callbacks allows hwif implementations +to grab some data that platforms can customize. Adjust the callbacks +accordingly in preparation of such a platform customization. + +Signed-off-by: Andrew Halaney +Reviewed-by: Jesse Brandeburg +Tested-by: Brian Masney +Signed-off-by: Paolo Abeni +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 36 +++-- + .../ethernet/stmicro/stmmac/dwmac1000_core.c | 3 +- + .../ethernet/stmicro/stmmac/dwmac1000_dma.c | 19 ++- + .../ethernet/stmicro/stmmac/dwmac100_dma.c | 10 +- + .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 14 +- + .../net/ethernet/stmicro/stmmac/dwmac4_dma.c | 44 ++++-- + .../net/ethernet/stmicro/stmmac/dwmac4_dma.h | 38 +++-- + .../net/ethernet/stmicro/stmmac/dwmac4_lib.c | 38 +++-- + .../net/ethernet/stmicro/stmmac/dwmac_dma.h | 22 ++- + .../net/ethernet/stmicro/stmmac/dwmac_lib.c | 18 ++- + .../ethernet/stmicro/stmmac/dwxgmac2_core.c | 9 +- + .../ethernet/stmicro/stmmac/dwxgmac2_dma.c | 71 ++++++--- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 146 ++++++++++-------- + 13 files changed, 291 insertions(+), 177 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +index 0921b78c6244..b44e76a25965 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -304,7 +304,8 @@ static void sun8i_dwmac_dma_init(void __iomem *ioaddr, + writel(0x1FFFFFF, ioaddr + EMAC_INT_STA); + } + +-static void sun8i_dwmac_dma_init_rx(void __iomem *ioaddr, ++static void sun8i_dwmac_dma_init_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_rx_phy, u32 chan) + { +@@ -312,7 +313,8 @@ static void sun8i_dwmac_dma_init_rx(void __iomem *ioaddr, + writel(lower_32_bits(dma_rx_phy), ioaddr + EMAC_RX_DESC_LIST); + } + +-static void sun8i_dwmac_dma_init_tx(void __iomem *ioaddr, ++static void sun8i_dwmac_dma_init_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_tx_phy, u32 chan) + { +@@ -324,7 +326,8 @@ static void sun8i_dwmac_dma_init_tx(void __iomem *ioaddr, + * Called from stmmac_dma_ops->dump_regs + * Used for ethtool + */ +-static void sun8i_dwmac_dump_regs(void __iomem *ioaddr, u32 *reg_space) ++static void sun8i_dwmac_dump_regs(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 *reg_space) + { + int i; + +@@ -352,7 +355,8 @@ static void sun8i_dwmac_dump_mac_regs(struct mac_device_info *hw, + } + } + +-static void sun8i_dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, ++static void sun8i_dwmac_enable_dma_irq(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan, + bool rx, bool tx) + { + u32 value = readl(ioaddr + EMAC_INT_EN); +@@ -365,7 +369,8 @@ static void sun8i_dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, + writel(value, ioaddr + EMAC_INT_EN); + } + +-static void sun8i_dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, ++static void sun8i_dwmac_disable_dma_irq(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan, + bool rx, bool tx) + { + u32 value = readl(ioaddr + EMAC_INT_EN); +@@ -378,7 +383,8 @@ static void sun8i_dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, + writel(value, ioaddr + EMAC_INT_EN); + } + +-static void sun8i_dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan) ++static void sun8i_dwmac_dma_start_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 v; + +@@ -398,7 +404,8 @@ static void sun8i_dwmac_enable_dma_transmission(void __iomem *ioaddr) + writel(v, ioaddr + EMAC_TX_CTL1); + } + +-static void sun8i_dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan) ++static void sun8i_dwmac_dma_stop_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 v; + +@@ -407,7 +414,8 @@ static void sun8i_dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan) + writel(v, ioaddr + EMAC_TX_CTL1); + } + +-static void sun8i_dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan) ++static void sun8i_dwmac_dma_start_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 v; + +@@ -417,7 +425,8 @@ static void sun8i_dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan) + writel(v, ioaddr + EMAC_RX_CTL1); + } + +-static void sun8i_dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan) ++static void sun8i_dwmac_dma_stop_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 v; + +@@ -426,7 +435,8 @@ static void sun8i_dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan) + writel(v, ioaddr + EMAC_RX_CTL1); + } + +-static int sun8i_dwmac_dma_interrupt(void __iomem *ioaddr, ++static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, + u32 dir) + { +@@ -492,7 +502,8 @@ static int sun8i_dwmac_dma_interrupt(void __iomem *ioaddr, + return ret; + } + +-static void sun8i_dwmac_dma_operation_mode_rx(void __iomem *ioaddr, int mode, ++static void sun8i_dwmac_dma_operation_mode_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 v; +@@ -515,7 +526,8 @@ static void sun8i_dwmac_dma_operation_mode_rx(void __iomem *ioaddr, int mode, + writel(v, ioaddr + EMAC_RX_CTL1); + } + +-static void sun8i_dwmac_dma_operation_mode_tx(void __iomem *ioaddr, int mode, ++static void sun8i_dwmac_dma_operation_mode_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 v; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +index 0e00dd83d027..3927609abc44 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c +@@ -414,7 +414,8 @@ static void dwmac1000_get_adv_lp(void __iomem *ioaddr, struct rgmii_adv *adv) + dwmac_get_adv_lp(ioaddr, GMAC_PCS_BASE, adv); + } + +-static void dwmac1000_debug(void __iomem *ioaddr, struct stmmac_extra_stats *x, ++static void dwmac1000_debug(struct stmmac_priv *priv, void __iomem *ioaddr, ++ struct stmmac_extra_stats *x, + u32 rx_queues, u32 tx_queues) + { + u32 value = readl(ioaddr + GMAC_DEBUG); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c +index f5581db0ba9b..daf79cdbd3ec 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_dma.c +@@ -110,7 +110,8 @@ static void dwmac1000_dma_init(void __iomem *ioaddr, + writel(DMA_INTR_DEFAULT_MASK, ioaddr + DMA_INTR_ENA); + } + +-static void dwmac1000_dma_init_rx(void __iomem *ioaddr, ++static void dwmac1000_dma_init_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_rx_phy, u32 chan) + { +@@ -118,7 +119,8 @@ static void dwmac1000_dma_init_rx(void __iomem *ioaddr, + writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_RCV_BASE_ADDR); + } + +-static void dwmac1000_dma_init_tx(void __iomem *ioaddr, ++static void dwmac1000_dma_init_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_tx_phy, u32 chan) + { +@@ -147,7 +149,8 @@ static u32 dwmac1000_configure_fc(u32 csr6, int rxfifosz) + return csr6; + } + +-static void dwmac1000_dma_operation_mode_rx(void __iomem *ioaddr, int mode, ++static void dwmac1000_dma_operation_mode_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 csr6 = readl(ioaddr + DMA_CONTROL); +@@ -175,7 +178,8 @@ static void dwmac1000_dma_operation_mode_rx(void __iomem *ioaddr, int mode, + writel(csr6, ioaddr + DMA_CONTROL); + } + +-static void dwmac1000_dma_operation_mode_tx(void __iomem *ioaddr, int mode, ++static void dwmac1000_dma_operation_mode_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 csr6 = readl(ioaddr + DMA_CONTROL); +@@ -208,7 +212,8 @@ static void dwmac1000_dma_operation_mode_tx(void __iomem *ioaddr, int mode, + writel(csr6, ioaddr + DMA_CONTROL); + } + +-static void dwmac1000_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space) ++static void dwmac1000_dump_dma_regs(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 *reg_space) + { + int i; + +@@ -263,8 +268,8 @@ static int dwmac1000_get_hw_feature(void __iomem *ioaddr, + return 0; + } + +-static void dwmac1000_rx_watchdog(void __iomem *ioaddr, u32 riwt, +- u32 queue) ++static void dwmac1000_rx_watchdog(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 riwt, u32 queue) + { + writel(riwt, ioaddr + DMA_RX_WATCHDOG); + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +index f6abc7bfd29d..1c32b1788f02 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +@@ -29,7 +29,7 @@ static void dwmac100_dma_init(void __iomem *ioaddr, + writel(DMA_INTR_DEFAULT_MASK, ioaddr + DMA_INTR_ENA); + } + +-static void dwmac100_dma_init_rx(void __iomem *ioaddr, ++static void dwmac100_dma_init_rx(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_rx_phy, u32 chan) + { +@@ -37,7 +37,7 @@ static void dwmac100_dma_init_rx(void __iomem *ioaddr, + writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_RCV_BASE_ADDR); + } + +-static void dwmac100_dma_init_tx(void __iomem *ioaddr, ++static void dwmac100_dma_init_tx(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_tx_phy, u32 chan) + { +@@ -50,7 +50,8 @@ static void dwmac100_dma_init_tx(void __iomem *ioaddr, + * The transmit threshold can be programmed by setting the TTC bits in the DMA + * control register. + */ +-static void dwmac100_dma_operation_mode_tx(void __iomem *ioaddr, int mode, ++static void dwmac100_dma_operation_mode_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 csr6 = readl(ioaddr + DMA_CONTROL); +@@ -65,7 +66,8 @@ static void dwmac100_dma_operation_mode_tx(void __iomem *ioaddr, int mode, + writel(csr6, ioaddr + DMA_CONTROL); + } + +-static void dwmac100_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space) ++static void dwmac100_dump_dma_regs(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 *reg_space) + { + int i; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +index c75868f3ceae..279977d0d565 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -226,7 +226,8 @@ static void dwmac4_prog_mtl_tx_algorithms(struct mac_device_info *hw, + writel(value, ioaddr + MTL_OPERATION_MODE); + } + +-static void dwmac4_set_mtl_tx_queue_weight(struct mac_device_info *hw, ++static void dwmac4_set_mtl_tx_queue_weight(struct stmmac_priv *priv, ++ struct mac_device_info *hw, + u32 weight, u32 queue) + { + void __iomem *ioaddr = hw->pcsr; +@@ -264,7 +265,8 @@ static void dwmac4_map_mtl_dma(struct mac_device_info *hw, u32 queue, u32 chan) + writel(value, ioaddr + MTL_RXQ_DMA_MAP1); + } + +-static void dwmac4_config_cbs(struct mac_device_info *hw, ++static void dwmac4_config_cbs(struct stmmac_priv *priv, ++ struct mac_device_info *hw, + u32 send_slope, u32 idle_slope, + u32 high_credit, u32 low_credit, u32 queue) + { +@@ -290,7 +292,7 @@ static void dwmac4_config_cbs(struct mac_device_info *hw, + writel(value, ioaddr + MTL_SEND_SLP_CREDX_BASE_ADDR(queue)); + + /* configure idle slope (same register as tx weight) */ +- dwmac4_set_mtl_tx_queue_weight(hw, idle_slope, queue); ++ dwmac4_set_mtl_tx_queue_weight(priv, hw, idle_slope, queue); + + /* configure high credit */ + value = readl(ioaddr + MTL_HIGH_CREDX_BASE_ADDR(queue)); +@@ -795,7 +797,8 @@ static void dwmac4_phystatus(void __iomem *ioaddr, struct stmmac_extra_stats *x) + } + } + +-static int dwmac4_irq_mtl_status(struct mac_device_info *hw, u32 chan) ++static int dwmac4_irq_mtl_status(struct stmmac_priv *priv, ++ struct mac_device_info *hw, u32 chan) + { + void __iomem *ioaddr = hw->pcsr; + u32 mtl_int_qx_status; +@@ -869,7 +872,8 @@ static int dwmac4_irq_status(struct mac_device_info *hw, + return ret; + } + +-static void dwmac4_debug(void __iomem *ioaddr, struct stmmac_extra_stats *x, ++static void dwmac4_debug(struct stmmac_priv *priv, void __iomem *ioaddr, ++ struct stmmac_extra_stats *x, + u32 rx_queues, u32 tx_queues) + { + u32 value; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +index d99fa028c646..6f255d12f60f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.c +@@ -68,7 +68,8 @@ static void dwmac4_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi) + writel(value, ioaddr + DMA_SYS_BUS_MODE); + } + +-static void dwmac4_dma_init_rx_chan(void __iomem *ioaddr, ++static void dwmac4_dma_init_rx_chan(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_rx_phy, u32 chan) + { +@@ -86,7 +87,8 @@ static void dwmac4_dma_init_rx_chan(void __iomem *ioaddr, + writel(lower_32_bits(dma_rx_phy), ioaddr + DMA_CHAN_RX_BASE_ADDR(chan)); + } + +-static void dwmac4_dma_init_tx_chan(void __iomem *ioaddr, ++static void dwmac4_dma_init_tx_chan(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t dma_tx_phy, u32 chan) + { +@@ -108,7 +110,8 @@ static void dwmac4_dma_init_tx_chan(void __iomem *ioaddr, + writel(lower_32_bits(dma_tx_phy), ioaddr + DMA_CHAN_TX_BASE_ADDR(chan)); + } + +-static void dwmac4_dma_init_channel(void __iomem *ioaddr, ++static void dwmac4_dma_init_channel(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan) + { + u32 value; +@@ -124,7 +127,8 @@ static void dwmac4_dma_init_channel(void __iomem *ioaddr, + ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + +-static void dwmac410_dma_init_channel(void __iomem *ioaddr, ++static void dwmac410_dma_init_channel(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan) + { + u32 value; +@@ -176,7 +180,8 @@ static void dwmac4_dma_init(void __iomem *ioaddr, + + } + +-static void _dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 channel, ++static void _dwmac4_dump_dma_regs(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 channel, + u32 *reg_space) + { + reg_space[DMA_CHAN_CONTROL(channel) / 4] = +@@ -215,20 +220,23 @@ static void _dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 channel, + readl(ioaddr + DMA_CHAN_STATUS(channel)); + } + +-static void dwmac4_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space) ++static void dwmac4_dump_dma_regs(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 *reg_space) + { + int i; + + for (i = 0; i < DMA_CHANNEL_NB_MAX; i++) +- _dwmac4_dump_dma_regs(ioaddr, i, reg_space); ++ _dwmac4_dump_dma_regs(priv, ioaddr, i, reg_space); + } + +-static void dwmac4_rx_watchdog(void __iomem *ioaddr, u32 riwt, u32 queue) ++static void dwmac4_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 riwt, u32 queue) + { + writel(riwt, ioaddr + DMA_CHAN_RX_WATCHDOG(queue)); + } + +-static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode, ++static void dwmac4_dma_rx_chan_op_mode(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + unsigned int rqs = fifosz / 256 - 1; +@@ -295,7 +303,8 @@ static void dwmac4_dma_rx_chan_op_mode(void __iomem *ioaddr, int mode, + writel(mtl_rx_op, ioaddr + MTL_CHAN_RX_OP_MODE(channel)); + } + +-static void dwmac4_dma_tx_chan_op_mode(void __iomem *ioaddr, int mode, ++static void dwmac4_dma_tx_chan_op_mode(struct stmmac_priv *priv, ++ void __iomem *ioaddr, int mode, + u32 channel, int fifosz, u8 qmode) + { + u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel)); +@@ -442,7 +451,8 @@ static int dwmac4_get_hw_feature(void __iomem *ioaddr, + } + + /* Enable/disable TSO feature and set MSS */ +-static void dwmac4_enable_tso(void __iomem *ioaddr, bool en, u32 chan) ++static void dwmac4_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value; + +@@ -459,7 +469,8 @@ static void dwmac4_enable_tso(void __iomem *ioaddr, bool en, u32 chan) + } + } + +-static void dwmac4_qmode(void __iomem *ioaddr, u32 channel, u8 qmode) ++static void dwmac4_qmode(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 channel, u8 qmode) + { + u32 mtl_tx_op = readl(ioaddr + MTL_CHAN_TX_OP_MODE(channel)); + +@@ -472,7 +483,8 @@ static void dwmac4_qmode(void __iomem *ioaddr, u32 channel, u8 qmode) + writel(mtl_tx_op, ioaddr + MTL_CHAN_TX_OP_MODE(channel)); + } + +-static void dwmac4_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan) ++static void dwmac4_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int bfsize, u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); + +@@ -482,7 +494,8 @@ static void dwmac4_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan) + writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); + } + +-static void dwmac4_enable_sph(void __iomem *ioaddr, bool en, u32 chan) ++static void dwmac4_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value = readl(ioaddr + GMAC_EXT_CONFIG); + +@@ -498,7 +511,8 @@ static void dwmac4_enable_sph(void __iomem *ioaddr, bool en, u32 chan) + writel(value, ioaddr + DMA_CHAN_CONTROL(chan)); + } + +-static int dwmac4_enable_tbs(void __iomem *ioaddr, bool en, u32 chan) ++static int dwmac4_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h +index 9321879b599c..740c3bc8d9a0 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_dma.h +@@ -220,19 +220,31 @@ + #define DMA_CHAN0_DBG_STAT_RPS_SHIFT 8 + + int dwmac4_dma_reset(void __iomem *ioaddr); +-void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan); +-void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan); +-void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan); +-void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan); +-int dwmac4_dma_interrupt(void __iomem *ioaddr, ++void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, u32 dir); +-void dwmac4_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan); +-void dwmac4_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan); +-void dwmac4_set_rx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan); +-void dwmac4_set_tx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan); ++void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan); ++void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan); ++void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan); ++void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan); + + #endif /* __DWMAC4_DMA_H__ */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +index 7c26394f665e..57328f010ab9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +@@ -25,17 +25,20 @@ int dwmac4_dma_reset(void __iomem *ioaddr) + 10000, 1000000); + } + +-void dwmac4_set_rx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan) ++void dwmac4_set_rx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan) + { + writel(tail_ptr, ioaddr + DMA_CHAN_RX_END_ADDR(chan)); + } + +-void dwmac4_set_tx_tail_ptr(void __iomem *ioaddr, u32 tail_ptr, u32 chan) ++void dwmac4_set_tx_tail_ptr(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan) + { + writel(tail_ptr, ioaddr + DMA_CHAN_TX_END_ADDR(chan)); + } + +-void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan) ++void dwmac4_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); + +@@ -47,7 +50,8 @@ void dwmac4_dma_start_tx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + GMAC_CONFIG); + } + +-void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan) ++void dwmac4_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_TX_CONTROL(chan)); + +@@ -55,7 +59,8 @@ void dwmac4_dma_stop_tx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + DMA_CHAN_TX_CONTROL(chan)); + } + +-void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan) ++void dwmac4_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); + +@@ -68,7 +73,8 @@ void dwmac4_dma_start_rx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + GMAC_CONFIG); + } + +-void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan) ++void dwmac4_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CHAN_RX_CONTROL(chan)); + +@@ -76,17 +82,20 @@ void dwmac4_dma_stop_rx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + DMA_CHAN_RX_CONTROL(chan)); + } + +-void dwmac4_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan) ++void dwmac4_set_tx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan) + { + writel(len, ioaddr + DMA_CHAN_TX_RING_LEN(chan)); + } + +-void dwmac4_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan) ++void dwmac4_set_rx_ring_len(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan) + { + writel(len, ioaddr + DMA_CHAN_RX_RING_LEN(chan)); + } + +-void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac4_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); + +@@ -98,7 +107,8 @@ void dwmac4_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + +-void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac410_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); + +@@ -110,7 +120,8 @@ void dwmac410_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + +-void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac4_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); + +@@ -122,7 +133,8 @@ void dwmac4_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + +-void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac410_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_CHAN_INTR_ENA(chan)); + +@@ -134,7 +146,7 @@ void dwmac410_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_CHAN_INTR_ENA(chan)); + } + +-int dwmac4_dma_interrupt(void __iomem *ioaddr, ++int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, u32 dir) + { + u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(chan)); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h b/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h +index acd70b9a3173..72672391675f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_dma.h +@@ -153,14 +153,20 @@ + #define NUM_DWMAC4_DMA_REGS 27 + + void dwmac_enable_dma_transmission(void __iomem *ioaddr); +-void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx); +-void dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan); +-void dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan); +-void dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan); +-void dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan); +-int dwmac_dma_interrupt(void __iomem *ioaddr, struct stmmac_extra_stats *x, +- u32 chan, u32 dir); ++void dwmac_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++void dwmac_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++void dwmac_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, ++ struct stmmac_extra_stats *x, u32 chan, u32 dir); + int dwmac_dma_reset(void __iomem *ioaddr); + + #endif /* __DWMAC_DMA_H__ */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +index 9b6138b11776..0b6f999a8305 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +@@ -32,7 +32,8 @@ void dwmac_enable_dma_transmission(void __iomem *ioaddr) + writel(1, ioaddr + DMA_XMT_POLL_DEMAND); + } + +-void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac_enable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_INTR_ENA); + +@@ -44,7 +45,8 @@ void dwmac_enable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_INTR_ENA); + } + +-void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) ++void dwmac_disable_dma_irq(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx) + { + u32 value = readl(ioaddr + DMA_INTR_ENA); + +@@ -56,28 +58,30 @@ void dwmac_disable_dma_irq(void __iomem *ioaddr, u32 chan, bool rx, bool tx) + writel(value, ioaddr + DMA_INTR_ENA); + } + +-void dwmac_dma_start_tx(void __iomem *ioaddr, u32 chan) ++void dwmac_dma_start_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CONTROL); + value |= DMA_CONTROL_ST; + writel(value, ioaddr + DMA_CONTROL); + } + +-void dwmac_dma_stop_tx(void __iomem *ioaddr, u32 chan) ++void dwmac_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, u32 chan) + { + u32 value = readl(ioaddr + DMA_CONTROL); + value &= ~DMA_CONTROL_ST; + writel(value, ioaddr + DMA_CONTROL); + } + +-void dwmac_dma_start_rx(void __iomem *ioaddr, u32 chan) ++void dwmac_dma_start_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value = readl(ioaddr + DMA_CONTROL); + value |= DMA_CONTROL_SR; + writel(value, ioaddr + DMA_CONTROL); + } + +-void dwmac_dma_stop_rx(void __iomem *ioaddr, u32 chan) ++void dwmac_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, u32 chan) + { + u32 value = readl(ioaddr + DMA_CONTROL); + value &= ~DMA_CONTROL_SR; +@@ -154,7 +158,7 @@ static void show_rx_process_state(unsigned int status) + } + #endif + +-int dwmac_dma_interrupt(void __iomem *ioaddr, ++int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, u32 dir) + { + int ret = 0; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +index 813327d04c56..d0e2748a0ed2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -211,7 +211,8 @@ static void dwxgmac2_prog_mtl_tx_algorithms(struct mac_device_info *hw, + } + } + +-static void dwxgmac2_set_mtl_tx_queue_weight(struct mac_device_info *hw, ++static void dwxgmac2_set_mtl_tx_queue_weight(struct stmmac_priv *priv, ++ struct mac_device_info *hw, + u32 weight, u32 queue) + { + void __iomem *ioaddr = hw->pcsr; +@@ -236,7 +237,8 @@ static void dwxgmac2_map_mtl_to_dma(struct mac_device_info *hw, u32 queue, + writel(value, ioaddr + reg); + } + +-static void dwxgmac2_config_cbs(struct mac_device_info *hw, ++static void dwxgmac2_config_cbs(struct stmmac_priv *priv, ++ struct mac_device_info *hw, + u32 send_slope, u32 idle_slope, + u32 high_credit, u32 low_credit, u32 queue) + { +@@ -300,7 +302,8 @@ static int dwxgmac2_host_irq_status(struct mac_device_info *hw, + return ret; + } + +-static int dwxgmac2_host_mtl_irq_status(struct mac_device_info *hw, u32 chan) ++static int dwxgmac2_host_mtl_irq_status(struct stmmac_priv *priv, ++ struct mac_device_info *hw, u32 chan) + { + void __iomem *ioaddr = hw->pcsr; + int ret = 0; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +index 3e4318d5dcdf..e92c29199e77 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +@@ -33,7 +33,8 @@ static void dwxgmac2_dma_init(void __iomem *ioaddr, + writel(value, ioaddr + XGMAC_DMA_SYSBUS_MODE); + } + +-static void dwxgmac2_dma_init_chan(void __iomem *ioaddr, ++static void dwxgmac2_dma_init_chan(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan) + { + u32 value = readl(ioaddr + XGMAC_DMA_CH_CONTROL(chan)); +@@ -45,7 +46,8 @@ static void dwxgmac2_dma_init_chan(void __iomem *ioaddr, + writel(XGMAC_DMA_INT_DEFAULT_EN, ioaddr + XGMAC_DMA_CH_INT_EN(chan)); + } + +-static void dwxgmac2_dma_init_rx_chan(void __iomem *ioaddr, ++static void dwxgmac2_dma_init_rx_chan(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t phy, u32 chan) + { +@@ -61,7 +63,8 @@ static void dwxgmac2_dma_init_rx_chan(void __iomem *ioaddr, + writel(lower_32_bits(phy), ioaddr + XGMAC_DMA_CH_RxDESC_LADDR(chan)); + } + +-static void dwxgmac2_dma_init_tx_chan(void __iomem *ioaddr, ++static void dwxgmac2_dma_init_tx_chan(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t phy, u32 chan) + { +@@ -131,7 +134,8 @@ static void dwxgmac2_dma_axi(void __iomem *ioaddr, struct stmmac_axi *axi) + writel(XGMAC_RDPS, ioaddr + XGMAC_RX_EDMA_CTRL); + } + +-static void dwxgmac2_dma_dump_regs(void __iomem *ioaddr, u32 *reg_space) ++static void dwxgmac2_dma_dump_regs(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 *reg_space) + { + int i; + +@@ -139,8 +143,8 @@ static void dwxgmac2_dma_dump_regs(void __iomem *ioaddr, u32 *reg_space) + reg_space[i] = readl(ioaddr + i * 4); + } + +-static void dwxgmac2_dma_rx_mode(void __iomem *ioaddr, int mode, +- u32 channel, int fifosz, u8 qmode) ++static void dwxgmac2_dma_rx_mode(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int mode, u32 channel, int fifosz, u8 qmode) + { + u32 value = readl(ioaddr + XGMAC_MTL_RXQ_OPMODE(channel)); + unsigned int rqs = fifosz / 256 - 1; +@@ -201,8 +205,8 @@ static void dwxgmac2_dma_rx_mode(void __iomem *ioaddr, int mode, + writel(value, ioaddr + XGMAC_MTL_RXQ_OPMODE(channel)); + } + +-static void dwxgmac2_dma_tx_mode(void __iomem *ioaddr, int mode, +- u32 channel, int fifosz, u8 qmode) ++static void dwxgmac2_dma_tx_mode(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int mode, u32 channel, int fifosz, u8 qmode) + { + u32 value = readl(ioaddr + XGMAC_MTL_TXQ_OPMODE(channel)); + unsigned int tqs = fifosz / 256 - 1; +@@ -244,7 +248,8 @@ static void dwxgmac2_dma_tx_mode(void __iomem *ioaddr, int mode, + writel(value, ioaddr + XGMAC_MTL_TXQ_OPMODE(channel)); + } + +-static void dwxgmac2_enable_dma_irq(void __iomem *ioaddr, u32 chan, ++static void dwxgmac2_enable_dma_irq(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan, + bool rx, bool tx) + { + u32 value = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan)); +@@ -257,7 +262,8 @@ static void dwxgmac2_enable_dma_irq(void __iomem *ioaddr, u32 chan, + writel(value, ioaddr + XGMAC_DMA_CH_INT_EN(chan)); + } + +-static void dwxgmac2_disable_dma_irq(void __iomem *ioaddr, u32 chan, ++static void dwxgmac2_disable_dma_irq(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan, + bool rx, bool tx) + { + u32 value = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan)); +@@ -270,7 +276,8 @@ static void dwxgmac2_disable_dma_irq(void __iomem *ioaddr, u32 chan, + writel(value, ioaddr + XGMAC_DMA_CH_INT_EN(chan)); + } + +-static void dwxgmac2_dma_start_tx(void __iomem *ioaddr, u32 chan) ++static void dwxgmac2_dma_start_tx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 value; + +@@ -283,7 +290,8 @@ static void dwxgmac2_dma_start_tx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + XGMAC_TX_CONFIG); + } + +-static void dwxgmac2_dma_stop_tx(void __iomem *ioaddr, u32 chan) ++static void dwxgmac2_dma_stop_tx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value; + +@@ -296,7 +304,8 @@ static void dwxgmac2_dma_stop_tx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + XGMAC_TX_CONFIG); + } + +-static void dwxgmac2_dma_start_rx(void __iomem *ioaddr, u32 chan) ++static void dwxgmac2_dma_start_rx(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 chan) + { + u32 value; + +@@ -309,7 +318,8 @@ static void dwxgmac2_dma_start_rx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + XGMAC_RX_CONFIG); + } + +-static void dwxgmac2_dma_stop_rx(void __iomem *ioaddr, u32 chan) ++static void dwxgmac2_dma_stop_rx(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan) + { + u32 value; + +@@ -318,7 +328,8 @@ static void dwxgmac2_dma_stop_rx(void __iomem *ioaddr, u32 chan) + writel(value, ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan)); + } + +-static int dwxgmac2_dma_interrupt(void __iomem *ioaddr, ++static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv, ++ void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, + u32 dir) + { +@@ -445,32 +456,38 @@ static int dwxgmac2_get_hw_feature(void __iomem *ioaddr, + return 0; + } + +-static void dwxgmac2_rx_watchdog(void __iomem *ioaddr, u32 riwt, u32 queue) ++static void dwxgmac2_rx_watchdog(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 riwt, u32 queue) + { + writel(riwt & XGMAC_RWT, ioaddr + XGMAC_DMA_CH_Rx_WATCHDOG(queue)); + } + +-static void dwxgmac2_set_rx_ring_len(void __iomem *ioaddr, u32 len, u32 chan) ++static void dwxgmac2_set_rx_ring_len(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 len, u32 chan) + { + writel(len, ioaddr + XGMAC_DMA_CH_RxDESC_RING_LEN(chan)); + } + +-static void dwxgmac2_set_tx_ring_len(void __iomem *ioaddr, u32 len, u32 chan) ++static void dwxgmac2_set_tx_ring_len(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 len, u32 chan) + { + writel(len, ioaddr + XGMAC_DMA_CH_TxDESC_RING_LEN(chan)); + } + +-static void dwxgmac2_set_rx_tail_ptr(void __iomem *ioaddr, u32 ptr, u32 chan) ++static void dwxgmac2_set_rx_tail_ptr(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 ptr, u32 chan) + { + writel(ptr, ioaddr + XGMAC_DMA_CH_RxDESC_TAIL_LPTR(chan)); + } + +-static void dwxgmac2_set_tx_tail_ptr(void __iomem *ioaddr, u32 ptr, u32 chan) ++static void dwxgmac2_set_tx_tail_ptr(struct stmmac_priv *priv, ++ void __iomem *ioaddr, u32 ptr, u32 chan) + { + writel(ptr, ioaddr + XGMAC_DMA_CH_TxDESC_TAIL_LPTR(chan)); + } + +-static void dwxgmac2_enable_tso(void __iomem *ioaddr, bool en, u32 chan) ++static void dwxgmac2_enable_tso(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value = readl(ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan)); + +@@ -482,7 +499,8 @@ static void dwxgmac2_enable_tso(void __iomem *ioaddr, bool en, u32 chan) + writel(value, ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan)); + } + +-static void dwxgmac2_qmode(void __iomem *ioaddr, u32 channel, u8 qmode) ++static void dwxgmac2_qmode(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 channel, u8 qmode) + { + u32 value = readl(ioaddr + XGMAC_MTL_TXQ_OPMODE(channel)); + u32 flow = readl(ioaddr + XGMAC_RX_FLOW_CTRL); +@@ -499,7 +517,8 @@ static void dwxgmac2_qmode(void __iomem *ioaddr, u32 channel, u8 qmode) + writel(value, ioaddr + XGMAC_MTL_TXQ_OPMODE(channel)); + } + +-static void dwxgmac2_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan) ++static void dwxgmac2_set_bfsize(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int bfsize, u32 chan) + { + u32 value; + +@@ -509,7 +528,8 @@ static void dwxgmac2_set_bfsize(void __iomem *ioaddr, int bfsize, u32 chan) + writel(value, ioaddr + XGMAC_DMA_CH_RX_CONTROL(chan)); + } + +-static void dwxgmac2_enable_sph(void __iomem *ioaddr, bool en, u32 chan) ++static void dwxgmac2_enable_sph(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value = readl(ioaddr + XGMAC_RX_CONFIG); + +@@ -525,7 +545,8 @@ static void dwxgmac2_enable_sph(void __iomem *ioaddr, bool en, u32 chan) + writel(value, ioaddr + XGMAC_DMA_CH_CONTROL(chan)); + } + +-static int dwxgmac2_enable_tbs(void __iomem *ioaddr, bool en, u32 chan) ++static int dwxgmac2_enable_tbs(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan) + { + u32 value = readl(ioaddr + XGMAC_DMA_CH_TX_CONTROL(chan)); + +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 17ea6216a78f..87161c85b1a1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -26,6 +26,7 @@ + }) + + struct stmmac_extra_stats; ++struct stmmac_priv; + struct stmmac_safety_stats; + struct dma_desc; + struct dma_extended_desc; +@@ -171,51 +172,67 @@ struct stmmac_dma_ops { + int (*reset)(void __iomem *ioaddr); + void (*init)(void __iomem *ioaddr, struct stmmac_dma_cfg *dma_cfg, + int atds); +- void (*init_chan)(void __iomem *ioaddr, ++ void (*init_chan)(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, u32 chan); +- void (*init_rx_chan)(void __iomem *ioaddr, ++ void (*init_rx_chan)(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t phy, u32 chan); +- void (*init_tx_chan)(void __iomem *ioaddr, ++ void (*init_tx_chan)(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_dma_cfg *dma_cfg, + dma_addr_t phy, u32 chan); + /* Configure the AXI Bus Mode Register */ + void (*axi)(void __iomem *ioaddr, struct stmmac_axi *axi); + /* Dump DMA registers */ +- void (*dump_regs)(void __iomem *ioaddr, u32 *reg_space); +- void (*dma_rx_mode)(void __iomem *ioaddr, int mode, u32 channel, +- int fifosz, u8 qmode); +- void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel, ++ void (*dump_regs)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 *reg_space); ++ void (*dma_rx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int mode, u32 channel, + int fifosz, u8 qmode); ++ void (*dma_tx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int mode, u32 channel, int fifosz, u8 qmode); + /* To track extra statistic (if supported) */ + void (*dma_diagnostic_fr)(struct net_device_stats *stats, + struct stmmac_extra_stats *x, + void __iomem *ioaddr); + void (*enable_dma_transmission) (void __iomem *ioaddr); +- void (*enable_dma_irq)(void __iomem *ioaddr, u32 chan, +- bool rx, bool tx); +- void (*disable_dma_irq)(void __iomem *ioaddr, u32 chan, +- bool rx, bool tx); +- void (*start_tx)(void __iomem *ioaddr, u32 chan); +- void (*stop_tx)(void __iomem *ioaddr, u32 chan); +- void (*start_rx)(void __iomem *ioaddr, u32 chan); +- void (*stop_rx)(void __iomem *ioaddr, u32 chan); +- int (*dma_interrupt) (void __iomem *ioaddr, +- struct stmmac_extra_stats *x, u32 chan, u32 dir); ++ void (*enable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++ void (*disable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan, bool rx, bool tx); ++ void (*start_tx)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++ void (*stop_tx)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++ void (*start_rx)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++ void (*stop_rx)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 chan); ++ int (*dma_interrupt)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ struct stmmac_extra_stats *x, u32 chan, u32 dir); + /* If supported then get the optional core features */ + int (*get_hw_feature)(void __iomem *ioaddr, + struct dma_features *dma_cap); + /* Program the HW RX Watchdog */ +- void (*rx_watchdog)(void __iomem *ioaddr, u32 riwt, u32 queue); +- void (*set_tx_ring_len)(void __iomem *ioaddr, u32 len, u32 chan); +- void (*set_rx_ring_len)(void __iomem *ioaddr, u32 len, u32 chan); +- void (*set_rx_tail_ptr)(void __iomem *ioaddr, u32 tail_ptr, u32 chan); +- void (*set_tx_tail_ptr)(void __iomem *ioaddr, u32 tail_ptr, u32 chan); +- void (*enable_tso)(void __iomem *ioaddr, bool en, u32 chan); +- void (*qmode)(void __iomem *ioaddr, u32 channel, u8 qmode); +- void (*set_bfsize)(void __iomem *ioaddr, int bfsize, u32 chan); +- void (*enable_sph)(void __iomem *ioaddr, bool en, u32 chan); +- int (*enable_tbs)(void __iomem *ioaddr, bool en, u32 chan); ++ void (*rx_watchdog)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 riwt, u32 queue); ++ void (*set_tx_ring_len)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan); ++ void (*set_rx_ring_len)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 len, u32 chan); ++ void (*set_rx_tail_ptr)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan); ++ void (*set_tx_tail_ptr)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 tail_ptr, u32 chan); ++ void (*enable_tso)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan); ++ void (*qmode)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ u32 channel, u8 qmode); ++ void (*set_bfsize)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ int bfsize, u32 chan); ++ void (*enable_sph)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan); ++ int (*enable_tbs)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ bool en, u32 chan); + }; + + #define stmmac_reset(__priv, __args...) \ +@@ -223,59 +240,59 @@ struct stmmac_dma_ops { + #define stmmac_dma_init(__priv, __args...) \ + stmmac_do_void_callback(__priv, dma, init, __args) + #define stmmac_init_chan(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, init_chan, __args) ++ stmmac_do_void_callback(__priv, dma, init_chan, __priv, __args) + #define stmmac_init_rx_chan(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, init_rx_chan, __args) ++ stmmac_do_void_callback(__priv, dma, init_rx_chan, __priv, __args) + #define stmmac_init_tx_chan(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, init_tx_chan, __args) ++ stmmac_do_void_callback(__priv, dma, init_tx_chan, __priv, __args) + #define stmmac_axi(__priv, __args...) \ + stmmac_do_void_callback(__priv, dma, axi, __args) + #define stmmac_dump_dma_regs(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, dump_regs, __args) ++ stmmac_do_void_callback(__priv, dma, dump_regs, __priv, __args) + #define stmmac_dma_rx_mode(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, dma_rx_mode, __args) ++ stmmac_do_void_callback(__priv, dma, dma_rx_mode, __priv, __args) + #define stmmac_dma_tx_mode(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, dma_tx_mode, __args) ++ stmmac_do_void_callback(__priv, dma, dma_tx_mode, __priv, __args) + #define stmmac_dma_diagnostic_fr(__priv, __args...) \ + stmmac_do_void_callback(__priv, dma, dma_diagnostic_fr, __args) + #define stmmac_enable_dma_transmission(__priv, __args...) \ + stmmac_do_void_callback(__priv, dma, enable_dma_transmission, __args) + #define stmmac_enable_dma_irq(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, enable_dma_irq, __args) ++ stmmac_do_void_callback(__priv, dma, enable_dma_irq, __priv, __args) + #define stmmac_disable_dma_irq(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, disable_dma_irq, __args) ++ stmmac_do_void_callback(__priv, dma, disable_dma_irq, __priv, __args) + #define stmmac_start_tx(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, start_tx, __args) ++ stmmac_do_void_callback(__priv, dma, start_tx, __priv, __args) + #define stmmac_stop_tx(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, stop_tx, __args) ++ stmmac_do_void_callback(__priv, dma, stop_tx, __priv, __args) + #define stmmac_start_rx(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, start_rx, __args) ++ stmmac_do_void_callback(__priv, dma, start_rx, __priv, __args) + #define stmmac_stop_rx(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, stop_rx, __args) ++ stmmac_do_void_callback(__priv, dma, stop_rx, __priv, __args) + #define stmmac_dma_interrupt_status(__priv, __args...) \ +- stmmac_do_callback(__priv, dma, dma_interrupt, __args) ++ stmmac_do_callback(__priv, dma, dma_interrupt, __priv, __args) + #define stmmac_get_hw_feature(__priv, __args...) \ + stmmac_do_callback(__priv, dma, get_hw_feature, __args) + #define stmmac_rx_watchdog(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, rx_watchdog, __args) ++ stmmac_do_void_callback(__priv, dma, rx_watchdog, __priv, __args) + #define stmmac_set_tx_ring_len(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, set_tx_ring_len, __args) ++ stmmac_do_void_callback(__priv, dma, set_tx_ring_len, __priv, __args) + #define stmmac_set_rx_ring_len(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, set_rx_ring_len, __args) ++ stmmac_do_void_callback(__priv, dma, set_rx_ring_len, __priv, __args) + #define stmmac_set_rx_tail_ptr(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, set_rx_tail_ptr, __args) ++ stmmac_do_void_callback(__priv, dma, set_rx_tail_ptr, __priv, __args) + #define stmmac_set_tx_tail_ptr(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, set_tx_tail_ptr, __args) ++ stmmac_do_void_callback(__priv, dma, set_tx_tail_ptr, __priv, __args) + #define stmmac_enable_tso(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, enable_tso, __args) ++ stmmac_do_void_callback(__priv, dma, enable_tso, __priv, __args) + #define stmmac_dma_qmode(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, qmode, __args) ++ stmmac_do_void_callback(__priv, dma, qmode, __priv, __args) + #define stmmac_set_dma_bfsize(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, set_bfsize, __args) ++ stmmac_do_void_callback(__priv, dma, set_bfsize, __priv, __args) + #define stmmac_enable_sph(__priv, __args...) \ +- stmmac_do_void_callback(__priv, dma, enable_sph, __args) ++ stmmac_do_void_callback(__priv, dma, enable_sph, __priv, __args) + #define stmmac_enable_tbs(__priv, __args...) \ +- stmmac_do_callback(__priv, dma, enable_tbs, __args) ++ stmmac_do_callback(__priv, dma, enable_tbs, __priv, __args) + + struct mac_device_info; + struct net_device; +@@ -307,21 +324,23 @@ struct stmmac_ops { + /* Program TX Algorithms */ + void (*prog_mtl_tx_algorithms)(struct mac_device_info *hw, u32 tx_alg); + /* Set MTL TX queues weight */ +- void (*set_mtl_tx_queue_weight)(struct mac_device_info *hw, ++ void (*set_mtl_tx_queue_weight)(struct stmmac_priv *priv, ++ struct mac_device_info *hw, + u32 weight, u32 queue); + /* RX MTL queue to RX dma mapping */ + void (*map_mtl_to_dma)(struct mac_device_info *hw, u32 queue, u32 chan); + /* Configure AV Algorithm */ +- void (*config_cbs)(struct mac_device_info *hw, u32 send_slope, +- u32 idle_slope, u32 high_credit, u32 low_credit, +- u32 queue); ++ void (*config_cbs)(struct stmmac_priv *priv, struct mac_device_info *hw, ++ u32 send_slope, u32 idle_slope, u32 high_credit, ++ u32 low_credit, u32 queue); + /* Dump MAC registers */ + void (*dump_regs)(struct mac_device_info *hw, u32 *reg_space); + /* Handle extra events on specific interrupts hw dependent */ + int (*host_irq_status)(struct mac_device_info *hw, + struct stmmac_extra_stats *x); + /* Handle MTL interrupts */ +- int (*host_mtl_irq_status)(struct mac_device_info *hw, u32 chan); ++ int (*host_mtl_irq_status)(struct stmmac_priv *priv, ++ struct mac_device_info *hw, u32 chan); + /* Multicast filter setting */ + void (*set_filter)(struct mac_device_info *hw, struct net_device *dev); + /* Flow control setting */ +@@ -341,8 +360,9 @@ struct stmmac_ops { + void (*set_eee_lpi_entry_timer)(struct mac_device_info *hw, int et); + void (*set_eee_timer)(struct mac_device_info *hw, int ls, int tw); + void (*set_eee_pls)(struct mac_device_info *hw, int link); +- void (*debug)(void __iomem *ioaddr, struct stmmac_extra_stats *x, +- u32 rx_queues, u32 tx_queues); ++ void (*debug)(struct stmmac_priv *priv, void __iomem *ioaddr, ++ struct stmmac_extra_stats *x, u32 rx_queues, ++ u32 tx_queues); + /* PCS calls */ + void (*pcs_ctrl_ane)(void __iomem *ioaddr, bool ane, bool srgmi_ral, + bool loopback); +@@ -424,17 +444,17 @@ struct stmmac_ops { + #define stmmac_prog_mtl_tx_algorithms(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, prog_mtl_tx_algorithms, __args) + #define stmmac_set_mtl_tx_queue_weight(__priv, __args...) \ +- stmmac_do_void_callback(__priv, mac, set_mtl_tx_queue_weight, __args) ++ stmmac_do_void_callback(__priv, mac, set_mtl_tx_queue_weight, __priv, __args) + #define stmmac_map_mtl_to_dma(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, map_mtl_to_dma, __args) + #define stmmac_config_cbs(__priv, __args...) \ +- stmmac_do_void_callback(__priv, mac, config_cbs, __args) ++ stmmac_do_void_callback(__priv, mac, config_cbs, __priv, __args) + #define stmmac_dump_mac_regs(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, dump_regs, __args) + #define stmmac_host_irq_status(__priv, __args...) \ + stmmac_do_callback(__priv, mac, host_irq_status, __args) + #define stmmac_host_mtl_irq_status(__priv, __args...) \ +- stmmac_do_callback(__priv, mac, host_mtl_irq_status, __args) ++ stmmac_do_callback(__priv, mac, host_mtl_irq_status, __priv, __args) + #define stmmac_set_filter(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, set_filter, __args) + #define stmmac_flow_ctrl(__priv, __args...) \ +@@ -456,11 +476,11 @@ struct stmmac_ops { + #define stmmac_set_eee_pls(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, set_eee_pls, __args) + #define stmmac_mac_debug(__priv, __args...) \ +- stmmac_do_void_callback(__priv, mac, debug, __args) ++ stmmac_do_void_callback(__priv, mac, debug, __priv, __args) + #define stmmac_pcs_ctrl_ane(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, pcs_ctrl_ane, __args) + #define stmmac_pcs_rane(__priv, __args...) \ +- stmmac_do_void_callback(__priv, mac, pcs_rane, __args) ++ stmmac_do_void_callback(__priv, mac, pcs_rane, __priv, __args) + #define stmmac_pcs_get_adv_lp(__priv, __args...) \ + stmmac_do_void_callback(__priv, mac, pcs_get_adv_lp, __args) + #define stmmac_safety_feat_config(__priv, __args...) \ +@@ -508,8 +528,6 @@ struct stmmac_ops { + #define stmmac_fpe_irq_status(__priv, __args...) \ + stmmac_do_callback(__priv, mac, fpe_irq_status, __args) + +-struct stmmac_priv; +- + /* PTP and HW Timer helpers */ + struct stmmac_hwtimestamp { + void (*config_hw_tstamping) (void __iomem *ioaddr, u32 data); +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch b/queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch new file mode 100644 index 0000000000..73ddb3cd53 --- /dev/null +++ b/queue-6.1/net-stmmac-power-up-serdes-after-the-phy-link.patch @@ -0,0 +1,70 @@ +From cd43909740d459cd2cf70a08af1088d824b53a2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 15:58:43 +0000 +Subject: net: stmmac: Power up SERDES after the PHY link + +From: Revanth Kumar Uppala + +[ Upstream commit a46e9010124256f5bf5fc2c241a45cf1944b768e ] + +The Tegra MGBE ethernet controller requires that the SERDES link is +powered-up after the PHY link is up, otherwise the link fails to +become ready following a resume from suspend. Add a variable to indicate +that the SERDES link must be powered-up after the PHY link. + +Signed-off-by: Revanth Kumar Uppala +Signed-off-by: Jon Hunter +Signed-off-by: David S. Miller +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 +++++-- + include/linux/stmmac.h | 1 + + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 202c43d73a2b..0483e8c2f1de 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -994,6 +994,9 @@ static void stmmac_mac_link_up(struct phylink_config *config, + struct stmmac_priv *priv = netdev_priv(to_net_dev(config->dev)); + u32 old_ctrl, ctrl; + ++ if (priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup) ++ priv->plat->serdes_powerup(priv->dev, priv->plat->bsp_priv); ++ + old_ctrl = readl(priv->ioaddr + MAC_CTRL_REG); + ctrl = old_ctrl & ~priv->hw->link.speed_mask; + +@@ -3839,7 +3842,7 @@ static int __stmmac_open(struct net_device *dev, + + stmmac_reset_queues_param(priv); + +- if (priv->plat->serdes_powerup) { ++ if (!priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup) { + ret = priv->plat->serdes_powerup(dev, priv->plat->bsp_priv); + if (ret < 0) { + netdev_err(priv->dev, "%s: Serdes powerup failed\n", +@@ -7563,7 +7566,7 @@ int stmmac_resume(struct device *dev) + stmmac_mdio_reset(priv->mii); + } + +- if (priv->plat->serdes_powerup) { ++ if (!priv->plat->serdes_up_after_phy_linkup && priv->plat->serdes_powerup) { + ret = priv->plat->serdes_powerup(ndev, + priv->plat->bsp_priv); + +diff --git a/include/linux/stmmac.h b/include/linux/stmmac.h +index 9f4a4f70270d..c97df9464f90 100644 +--- a/include/linux/stmmac.h ++++ b/include/linux/stmmac.h +@@ -273,5 +273,6 @@ struct plat_stmmacenet_data { + int msi_tx_base_vec; + bool use_phy_wol; + bool sph_disable; ++ bool serdes_up_after_phy_linkup; + }; + #endif +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch b/queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch new file mode 100644 index 0000000000..fb93bd1887 --- /dev/null +++ b/queue-6.1/net-stmmac-remove-some-unnecessary-void-pointers.patch @@ -0,0 +1,324 @@ +From 5b684b4248bf1c59f0981e493c3b955e037fa6d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Apr 2023 15:04:04 -0500 +Subject: net: stmmac: Remove some unnecessary void pointers + +From: Andrew Halaney + +[ Upstream commit 0c3f3c4f4b15a2c105e1ca882d100048074a2865 ] + +There's a few spots in the hardware interface where a void pointer is +used, but what's passed in and later cast out is always the same type. + +Just use the proper type directly. + +Reviewed-by: Simon Horman +Signed-off-by: Andrew Halaney +Reviewed-by: Jesse Brandeburg +Tested-by: Brian Masney +Signed-off-by: Paolo Abeni +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/chain_mode.c | 10 +++---- + .../ethernet/stmicro/stmmac/dwmac100_dma.c | 4 +-- + .../ethernet/stmicro/stmmac/dwmac4_descs.c | 8 ++--- + .../ethernet/stmicro/stmmac/dwxgmac2_descs.c | 6 ++-- + .../net/ethernet/stmicro/stmmac/enh_desc.c | 11 +++---- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 30 ++++++++++++------- + .../net/ethernet/stmicro/stmmac/norm_desc.c | 8 ++--- + .../net/ethernet/stmicro/stmmac/ring_mode.c | 10 +++---- + 8 files changed, 47 insertions(+), 40 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c +index 2e8744ac6b91..fb55efd52240 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/chain_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/chain_mode.c +@@ -14,9 +14,9 @@ + + #include "stmmac.h" + +-static int jumbo_frm(void *p, struct sk_buff *skb, int csum) ++static int jumbo_frm(struct stmmac_tx_queue *tx_q, struct sk_buff *skb, ++ int csum) + { +- struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)p; + unsigned int nopaged_len = skb_headlen(skb); + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->cur_tx; +@@ -125,9 +125,8 @@ static void init_dma_chain(void *des, dma_addr_t phy_addr, + } + } + +-static void refill_desc3(void *priv_ptr, struct dma_desc *p) ++static void refill_desc3(struct stmmac_rx_queue *rx_q, struct dma_desc *p) + { +- struct stmmac_rx_queue *rx_q = (struct stmmac_rx_queue *)priv_ptr; + struct stmmac_priv *priv = rx_q->priv_data; + + if (priv->hwts_rx_en && !priv->extend_desc) +@@ -141,9 +140,8 @@ static void refill_desc3(void *priv_ptr, struct dma_desc *p) + sizeof(struct dma_desc))); + } + +-static void clean_desc3(void *priv_ptr, struct dma_desc *p) ++static void clean_desc3(struct stmmac_tx_queue *tx_q, struct dma_desc *p) + { +- struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)priv_ptr; + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->dirty_tx; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +index 8f0d9bc7cab5..f6abc7bfd29d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +@@ -80,10 +80,10 @@ static void dwmac100_dump_dma_regs(void __iomem *ioaddr, u32 *reg_space) + } + + /* DMA controller has two counters to track the number of the missed frames. */ +-static void dwmac100_dma_diagnostic_fr(void *data, struct stmmac_extra_stats *x, ++static void dwmac100_dma_diagnostic_fr(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + void __iomem *ioaddr) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + u32 csr8 = readl(ioaddr + DMA_MISSED_FRAME_CTR); + + if (unlikely(csr8)) { +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +index 8cc80b1db4cb..6a011d8633e8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +@@ -13,11 +13,11 @@ + #include "dwmac4.h" + #include "dwmac4_descs.h" + +-static int dwmac4_wrback_get_tx_status(void *data, struct stmmac_extra_stats *x, ++static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p, + void __iomem *ioaddr) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + unsigned int tdes3; + int ret = tx_done; + +@@ -73,10 +73,10 @@ static int dwmac4_wrback_get_tx_status(void *data, struct stmmac_extra_stats *x, + return ret; + } + +-static int dwmac4_wrback_get_rx_status(void *data, struct stmmac_extra_stats *x, ++static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + unsigned int rdes1 = le32_to_cpu(p->des1); + unsigned int rdes2 = le32_to_cpu(p->des2); + unsigned int rdes3 = le32_to_cpu(p->des3); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +index b1f0c3984a09..13c347ee8be9 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +@@ -8,7 +8,8 @@ + #include "common.h" + #include "dwxgmac2.h" + +-static int dwxgmac2_get_tx_status(void *data, struct stmmac_extra_stats *x, ++static int dwxgmac2_get_tx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { + unsigned int tdes3 = le32_to_cpu(p->des3); +@@ -22,7 +23,8 @@ static int dwxgmac2_get_tx_status(void *data, struct stmmac_extra_stats *x, + return ret; + } + +-static int dwxgmac2_get_rx_status(void *data, struct stmmac_extra_stats *x, ++static int dwxgmac2_get_rx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p) + { + unsigned int rdes3 = le32_to_cpu(p->des3); +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index 1bcbbd724fb5..a91d8f13a931 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -12,10 +12,10 @@ + #include "common.h" + #include "descs_com.h" + +-static int enh_desc_get_tx_status(void *data, struct stmmac_extra_stats *x, ++static int enh_desc_get_tx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + unsigned int tdes0 = le32_to_cpu(p->des0); + int ret = tx_done; + +@@ -117,7 +117,8 @@ static int enh_desc_coe_rdes0(int ipc_err, int type, int payload_err) + return ret; + } + +-static void enh_desc_get_ext_status(void *data, struct stmmac_extra_stats *x, ++static void enh_desc_get_ext_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_extended_desc *p) + { + unsigned int rdes0 = le32_to_cpu(p->basic.des0); +@@ -181,10 +182,10 @@ static void enh_desc_get_ext_status(void *data, struct stmmac_extra_stats *x, + } + } + +-static int enh_desc_get_rx_status(void *data, struct stmmac_extra_stats *x, ++static int enh_desc_get_rx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + unsigned int rdes0 = le32_to_cpu(p->des0); + int ret = good_frame; + +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 820e2251b7c8..17ea6216a78f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -56,8 +56,9 @@ struct stmmac_desc_ops { + /* Last tx segment reports the transmit status */ + int (*get_tx_ls)(struct dma_desc *p); + /* Return the transmit status looking at the TDES1 */ +- int (*tx_status)(void *data, struct stmmac_extra_stats *x, +- struct dma_desc *p, void __iomem *ioaddr); ++ int (*tx_status)(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, ++ struct dma_desc *p, void __iomem *ioaddr); + /* Get the buffer size from the descriptor */ + int (*get_tx_len)(struct dma_desc *p); + /* Handle extra events on specific interrupts hw dependent */ +@@ -65,10 +66,12 @@ struct stmmac_desc_ops { + /* Get the receive frame size */ + int (*get_rx_frame_len)(struct dma_desc *p, int rx_coe_type); + /* Return the reception status looking at the RDES1 */ +- int (*rx_status)(void *data, struct stmmac_extra_stats *x, +- struct dma_desc *p); +- void (*rx_extended_status)(void *data, struct stmmac_extra_stats *x, +- struct dma_extended_desc *p); ++ int (*rx_status)(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, ++ struct dma_desc *p); ++ void (*rx_extended_status)(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, ++ struct dma_extended_desc *p); + /* Set tx timestamp enable bit */ + void (*enable_tx_timestamp) (struct dma_desc *p); + /* get tx timestamp status */ +@@ -185,8 +188,9 @@ struct stmmac_dma_ops { + void (*dma_tx_mode)(void __iomem *ioaddr, int mode, u32 channel, + int fifosz, u8 qmode); + /* To track extra statistic (if supported) */ +- void (*dma_diagnostic_fr) (void *data, struct stmmac_extra_stats *x, +- void __iomem *ioaddr); ++ void (*dma_diagnostic_fr)(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, ++ void __iomem *ioaddr); + void (*enable_dma_transmission) (void __iomem *ioaddr); + void (*enable_dma_irq)(void __iomem *ioaddr, u32 chan, + bool rx, bool tx); +@@ -537,16 +541,20 @@ struct stmmac_hwtimestamp { + #define stmmac_timestamp_interrupt(__priv, __args...) \ + stmmac_do_void_callback(__priv, ptp, timestamp_interrupt, __args) + ++struct stmmac_tx_queue; ++struct stmmac_rx_queue; ++ + /* Helpers to manage the descriptors for chain and ring modes */ + struct stmmac_mode_ops { + void (*init) (void *des, dma_addr_t phy_addr, unsigned int size, + unsigned int extend_desc); + unsigned int (*is_jumbo_frm) (int len, int ehn_desc); +- int (*jumbo_frm)(void *priv, struct sk_buff *skb, int csum); ++ int (*jumbo_frm)(struct stmmac_tx_queue *tx_q, struct sk_buff *skb, ++ int csum); + int (*set_16kib_bfsize)(int mtu); + void (*init_desc3)(struct dma_desc *p); +- void (*refill_desc3) (void *priv, struct dma_desc *p); +- void (*clean_desc3) (void *priv, struct dma_desc *p); ++ void (*refill_desc3)(struct stmmac_rx_queue *rx_q, struct dma_desc *p); ++ void (*clean_desc3)(struct stmmac_tx_queue *tx_q, struct dma_desc *p); + }; + + #define stmmac_mode_init(__priv, __args...) \ +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +index e3da4da242ee..350e6670a576 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +@@ -12,10 +12,10 @@ + #include "common.h" + #include "descs_com.h" + +-static int ndesc_get_tx_status(void *data, struct stmmac_extra_stats *x, ++static int ndesc_get_tx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { +- struct net_device_stats *stats = (struct net_device_stats *)data; + unsigned int tdes0 = le32_to_cpu(p->des0); + unsigned int tdes1 = le32_to_cpu(p->des1); + int ret = tx_done; +@@ -70,12 +70,12 @@ static int ndesc_get_tx_len(struct dma_desc *p) + * and, if required, updates the multicast statistics. + * In case of success, it returns good_frame because the GMAC device + * is supposed to be able to compute the csum in HW. */ +-static int ndesc_get_rx_status(void *data, struct stmmac_extra_stats *x, ++static int ndesc_get_rx_status(struct net_device_stats *stats, ++ struct stmmac_extra_stats *x, + struct dma_desc *p) + { + int ret = good_frame; + unsigned int rdes0 = le32_to_cpu(p->des0); +- struct net_device_stats *stats = (struct net_device_stats *)data; + + if (unlikely(rdes0 & RDES0_OWN)) + return dma_own; +diff --git a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +index 2b5b17d8b8a0..d218412ca832 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/ring_mode.c ++++ b/drivers/net/ethernet/stmicro/stmmac/ring_mode.c +@@ -14,9 +14,9 @@ + + #include "stmmac.h" + +-static int jumbo_frm(void *p, struct sk_buff *skb, int csum) ++static int jumbo_frm(struct stmmac_tx_queue *tx_q, struct sk_buff *skb, ++ int csum) + { +- struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)p; + unsigned int nopaged_len = skb_headlen(skb); + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->cur_tx; +@@ -101,9 +101,8 @@ static unsigned int is_jumbo_frm(int len, int enh_desc) + return ret; + } + +-static void refill_desc3(void *priv_ptr, struct dma_desc *p) ++static void refill_desc3(struct stmmac_rx_queue *rx_q, struct dma_desc *p) + { +- struct stmmac_rx_queue *rx_q = priv_ptr; + struct stmmac_priv *priv = rx_q->priv_data; + + /* Fill DES3 in case of RING mode */ +@@ -117,9 +116,8 @@ static void init_desc3(struct dma_desc *p) + p->des3 = cpu_to_le32(le32_to_cpu(p->des2) + BUF_SIZE_8KiB); + } + +-static void clean_desc3(void *priv_ptr, struct dma_desc *p) ++static void clean_desc3(struct stmmac_tx_queue *tx_q, struct dma_desc *p) + { +- struct stmmac_tx_queue *tx_q = (struct stmmac_tx_queue *)priv_ptr; + struct stmmac_priv *priv = tx_q->priv_data; + unsigned int entry = tx_q->dirty_tx; + +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch b/queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch new file mode 100644 index 0000000000..f649d13815 --- /dev/null +++ b/queue-6.1/net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch @@ -0,0 +1,1334 @@ +From 0f6cf4967feccc8a6db4b865e3b5483d5b8392c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jul 2023 00:06:30 +0800 +Subject: net: stmmac: use per-queue 64 bit statistics where necessary + +From: Jisheng Zhang + +[ Upstream commit 133466c3bbe171f826294161db203f7670bb30c8 ] + +Currently, there are two major issues with stmmac driver statistics +First of all, statistics in stmmac_extra_stats, stmmac_rxq_stats +and stmmac_txq_stats are 32 bit variables on 32 bit platforms. This +can cause some stats to overflow after several minutes of +high traffic, for example rx_pkt_n, tx_pkt_n and so on. + +Secondly, if HW supports multiqueues, there are frequent cacheline +ping pongs on some driver statistic vars, for example, normal_irq_n, +tx_pkt_n and so on. What's more, frequent cacheline ping pongs on +normal_irq_n happens in ISR, this makes the situation worse. + +To improve the driver, we convert those statistics to 64 bit, implement +ndo_get_stats64 and update .get_ethtool_stats implementation +accordingly. We also use per-queue statistics where necessary to remove +the cacheline ping pongs as much as possible to make multiqueue +operations faster. Those statistics which are not possible to overflow +and not frequently updated are kept as is. + +Signed-off-by: Jisheng Zhang +Link: https://lore.kernel.org/r/20230717160630.1892-3-jszhang@kernel.org +Signed-off-by: Jakub Kicinski +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/common.h | 39 ++-- + .../net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 12 +- + .../ethernet/stmicro/stmmac/dwmac100_dma.c | 7 +- + .../ethernet/stmicro/stmmac/dwmac4_descs.c | 16 +- + .../net/ethernet/stmicro/stmmac/dwmac4_lib.c | 15 +- + .../net/ethernet/stmicro/stmmac/dwmac_lib.c | 12 +- + .../ethernet/stmicro/stmmac/dwxgmac2_descs.c | 6 +- + .../ethernet/stmicro/stmmac/dwxgmac2_dma.c | 14 +- + .../net/ethernet/stmicro/stmmac/enh_desc.c | 20 +- + drivers/net/ethernet/stmicro/stmmac/hwif.h | 12 +- + .../net/ethernet/stmicro/stmmac/norm_desc.c | 15 +- + drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 + + .../ethernet/stmicro/stmmac/stmmac_ethtool.c | 123 ++++++++--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 200 ++++++++++++++---- + 14 files changed, 335 insertions(+), 158 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/common.h b/drivers/net/ethernet/stmicro/stmmac/common.h +index c11d62685624..471729c0bd70 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/common.h ++++ b/drivers/net/ethernet/stmicro/stmmac/common.h +@@ -59,13 +59,25 @@ + /* #define FRAME_FILTER_DEBUG */ + + struct stmmac_txq_stats { +- unsigned long tx_pkt_n; +- unsigned long tx_normal_irq_n; ++ u64 tx_bytes; ++ u64 tx_packets; ++ u64 tx_pkt_n; ++ u64 tx_normal_irq_n; ++ u64 napi_poll; ++ u64 tx_clean; ++ u64 tx_set_ic_bit; ++ u64 tx_tso_frames; ++ u64 tx_tso_nfrags; ++ struct u64_stats_sync syncp; + }; + + struct stmmac_rxq_stats { +- unsigned long rx_pkt_n; +- unsigned long rx_normal_irq_n; ++ u64 rx_bytes; ++ u64 rx_packets; ++ u64 rx_pkt_n; ++ u64 rx_normal_irq_n; ++ u64 napi_poll; ++ struct u64_stats_sync syncp; + }; + + /* Extra statistic and debug information exposed by ethtool */ +@@ -81,6 +93,7 @@ struct stmmac_extra_stats { + unsigned long tx_frame_flushed; + unsigned long tx_payload_error; + unsigned long tx_ip_header_error; ++ unsigned long tx_collision; + /* Receive errors */ + unsigned long rx_desc; + unsigned long sa_filter_fail; +@@ -113,14 +126,6 @@ struct stmmac_extra_stats { + /* Tx/Rx IRQ Events */ + unsigned long rx_early_irq; + unsigned long threshold; +- unsigned long tx_pkt_n; +- unsigned long rx_pkt_n; +- unsigned long normal_irq_n; +- unsigned long rx_normal_irq_n; +- unsigned long napi_poll; +- unsigned long tx_normal_irq_n; +- unsigned long tx_clean; +- unsigned long tx_set_ic_bit; + unsigned long irq_receive_pmt_irq_n; + /* MMC info */ + unsigned long mmc_tx_irq_n; +@@ -190,18 +195,16 @@ struct stmmac_extra_stats { + unsigned long mtl_rx_fifo_ctrl_active; + unsigned long mac_rx_frame_ctrl_fifo; + unsigned long mac_gmii_rx_proto_engine; +- /* TSO */ +- unsigned long tx_tso_frames; +- unsigned long tx_tso_nfrags; + /* EST */ + unsigned long mtl_est_cgce; + unsigned long mtl_est_hlbs; + unsigned long mtl_est_hlbf; + unsigned long mtl_est_btre; + unsigned long mtl_est_btrlm; +- /* per queue statistics */ +- struct stmmac_txq_stats txq_stats[MTL_MAX_TX_QUEUES]; +- struct stmmac_rxq_stats rxq_stats[MTL_MAX_RX_QUEUES]; ++ unsigned long rx_dropped; ++ unsigned long rx_errors; ++ unsigned long tx_dropped; ++ unsigned long tx_errors; + }; + + /* Safety Feature statistics exposed by ethtool */ +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +index b44e76a25965..87f0e65bfaa8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c +@@ -440,8 +440,10 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv, + struct stmmac_extra_stats *x, u32 chan, + u32 dir) + { +- u32 v; ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan]; ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan]; + int ret = 0; ++ u32 v; + + v = readl(ioaddr + EMAC_INT_STA); + +@@ -452,7 +454,9 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv, + + if (v & EMAC_TX_INT) { + ret |= handle_tx; +- x->tx_normal_irq_n++; ++ u64_stats_update_begin(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_normal_irq_n++; ++ u64_stats_update_end(&tx_q->txq_stats.syncp); + } + + if (v & EMAC_TX_DMA_STOP_INT) +@@ -474,7 +478,9 @@ static int sun8i_dwmac_dma_interrupt(struct stmmac_priv *priv, + + if (v & EMAC_RX_INT) { + ret |= handle_rx; +- x->rx_normal_irq_n++; ++ u64_stats_update_begin(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_normal_irq_n++; ++ u64_stats_update_end(&rx_q->rxq_stats.syncp); + } + + if (v & EMAC_RX_BUF_UA_INT) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +index 1c32b1788f02..dea270f60cc3 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac100_dma.c +@@ -82,29 +82,24 @@ static void dwmac100_dump_dma_regs(struct stmmac_priv *priv, + } + + /* DMA controller has two counters to track the number of the missed frames. */ +-static void dwmac100_dma_diagnostic_fr(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static void dwmac100_dma_diagnostic_fr(struct stmmac_extra_stats *x, + void __iomem *ioaddr) + { + u32 csr8 = readl(ioaddr + DMA_MISSED_FRAME_CTR); + + if (unlikely(csr8)) { + if (csr8 & DMA_MISSED_FRAME_OVE) { +- stats->rx_over_errors += 0x800; + x->rx_overflow_cntr += 0x800; + } else { + unsigned int ove_cntr; + ove_cntr = ((csr8 & DMA_MISSED_FRAME_OVE_CNTR) >> 17); +- stats->rx_over_errors += ove_cntr; + x->rx_overflow_cntr += ove_cntr; + } + + if (csr8 & DMA_MISSED_FRAME_OVE_M) { +- stats->rx_missed_errors += 0xffff; + x->rx_missed_cntr += 0xffff; + } else { + unsigned int miss_f = (csr8 & DMA_MISSED_FRAME_M_CNTR); +- stats->rx_missed_errors += miss_f; + x->rx_missed_cntr += miss_f; + } + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +index 6a011d8633e8..89a14084c611 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c +@@ -13,8 +13,7 @@ + #include "dwmac4.h" + #include "dwmac4_descs.h" + +-static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int dwmac4_wrback_get_tx_status(struct stmmac_extra_stats *x, + struct dma_desc *p, + void __iomem *ioaddr) + { +@@ -40,15 +39,13 @@ static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats, + x->tx_frame_flushed++; + if (unlikely(tdes3 & TDES3_LOSS_CARRIER)) { + x->tx_losscarrier++; +- stats->tx_carrier_errors++; + } + if (unlikely(tdes3 & TDES3_NO_CARRIER)) { + x->tx_carrier++; +- stats->tx_carrier_errors++; + } + if (unlikely((tdes3 & TDES3_LATE_COLLISION) || + (tdes3 & TDES3_EXCESSIVE_COLLISION))) +- stats->collisions += ++ x->tx_collision += + (tdes3 & TDES3_COLLISION_COUNT_MASK) + >> TDES3_COLLISION_COUNT_SHIFT; + +@@ -73,8 +70,7 @@ static int dwmac4_wrback_get_tx_status(struct net_device_stats *stats, + return ret; + } + +-static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int dwmac4_wrback_get_rx_status(struct stmmac_extra_stats *x, + struct dma_desc *p) + { + unsigned int rdes1 = le32_to_cpu(p->des1); +@@ -93,7 +89,7 @@ static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats, + + if (unlikely(rdes3 & RDES3_ERROR_SUMMARY)) { + if (unlikely(rdes3 & RDES3_GIANT_PACKET)) +- stats->rx_length_errors++; ++ x->rx_length++; + if (unlikely(rdes3 & RDES3_OVERFLOW_ERROR)) + x->rx_gmac_overflow++; + +@@ -103,10 +99,8 @@ static int dwmac4_wrback_get_rx_status(struct net_device_stats *stats, + if (unlikely(rdes3 & RDES3_RECEIVE_ERROR)) + x->rx_mii++; + +- if (unlikely(rdes3 & RDES3_CRC_ERROR)) { ++ if (unlikely(rdes3 & RDES3_CRC_ERROR)) + x->rx_crc_errors++; +- stats->rx_crc_errors++; +- } + + if (unlikely(rdes3 & RDES3_DRIBBLE_ERROR)) + x->dribbling_bit++; +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +index 03ceb6a94073..980e5f8a37ec 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_lib.c +@@ -171,6 +171,8 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + const struct dwmac4_addrs *dwmac4_addrs = priv->plat->dwmac4_addrs; + u32 intr_status = readl(ioaddr + DMA_CHAN_STATUS(dwmac4_addrs, chan)); + u32 intr_en = readl(ioaddr + DMA_CHAN_INTR_ENA(dwmac4_addrs, chan)); ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan]; ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan]; + int ret = 0; + + if (dir == DMA_DIR_RX) +@@ -198,18 +200,19 @@ int dwmac4_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + } + } + /* TX/RX NORMAL interrupts */ +- if (likely(intr_status & DMA_CHAN_STATUS_NIS)) +- x->normal_irq_n++; + if (likely(intr_status & DMA_CHAN_STATUS_RI)) { +- x->rx_normal_irq_n++; +- x->rxq_stats[chan].rx_normal_irq_n++; ++ u64_stats_update_begin(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_normal_irq_n++; ++ u64_stats_update_end(&rx_q->rxq_stats.syncp); + ret |= handle_rx; + } + if (likely(intr_status & DMA_CHAN_STATUS_TI)) { +- x->tx_normal_irq_n++; +- x->txq_stats[chan].tx_normal_irq_n++; ++ u64_stats_update_begin(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_normal_irq_n++; ++ u64_stats_update_end(&tx_q->txq_stats.syncp); + ret |= handle_tx; + } ++ + if (unlikely(intr_status & DMA_CHAN_STATUS_TBU)) + ret |= handle_tx; + if (unlikely(intr_status & DMA_CHAN_STATUS_ERI)) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +index 0b6f999a8305..aaa09b16b016 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac_lib.c +@@ -10,6 +10,7 @@ + #include + #include "common.h" + #include "dwmac_dma.h" ++#include "stmmac.h" + + #define GMAC_HI_REG_AE 0x80000000 + +@@ -161,6 +162,8 @@ static void show_rx_process_state(unsigned int status) + int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + struct stmmac_extra_stats *x, u32 chan, u32 dir) + { ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan]; ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan]; + int ret = 0; + /* read the status register (CSR5) */ + u32 intr_status = readl(ioaddr + DMA_STATUS); +@@ -208,17 +211,20 @@ int dwmac_dma_interrupt(struct stmmac_priv *priv, void __iomem *ioaddr, + } + /* TX/RX NORMAL interrupts */ + if (likely(intr_status & DMA_STATUS_NIS)) { +- x->normal_irq_n++; + if (likely(intr_status & DMA_STATUS_RI)) { + u32 value = readl(ioaddr + DMA_INTR_ENA); + /* to schedule NAPI on real RIE event. */ + if (likely(value & DMA_INTR_ENA_RIE)) { +- x->rx_normal_irq_n++; ++ u64_stats_update_begin(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_normal_irq_n++; ++ u64_stats_update_end(&rx_q->rxq_stats.syncp); + ret |= handle_rx; + } + } + if (likely(intr_status & DMA_STATUS_TI)) { +- x->tx_normal_irq_n++; ++ u64_stats_update_begin(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_normal_irq_n++; ++ u64_stats_update_end(&tx_q->txq_stats.syncp); + ret |= handle_tx; + } + if (unlikely(intr_status & DMA_STATUS_ERI)) +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +index 13c347ee8be9..fc82862a612c 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_descs.c +@@ -8,8 +8,7 @@ + #include "common.h" + #include "dwxgmac2.h" + +-static int dwxgmac2_get_tx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int dwxgmac2_get_tx_status(struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { + unsigned int tdes3 = le32_to_cpu(p->des3); +@@ -23,8 +22,7 @@ static int dwxgmac2_get_tx_status(struct net_device_stats *stats, + return ret; + } + +-static int dwxgmac2_get_rx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int dwxgmac2_get_rx_status(struct stmmac_extra_stats *x, + struct dma_desc *p) + { + unsigned int rdes3 = le32_to_cpu(p->des3); +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +index 5187c5da709a..136ef20d827f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +@@ -333,6 +333,8 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv, + struct stmmac_extra_stats *x, u32 chan, + u32 dir) + { ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[chan]; ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[chan]; + u32 intr_status = readl(ioaddr + XGMAC_DMA_CH_STATUS(chan)); + u32 intr_en = readl(ioaddr + XGMAC_DMA_CH_INT_EN(chan)); + int ret = 0; +@@ -360,16 +362,16 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv, + + /* TX/RX NORMAL interrupts */ + if (likely(intr_status & XGMAC_NIS)) { +- x->normal_irq_n++; +- + if (likely(intr_status & XGMAC_RI)) { +- x->rx_normal_irq_n++; +- x->rxq_stats[chan].rx_normal_irq_n++; ++ u64_stats_update_begin(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_normal_irq_n++; ++ u64_stats_update_end(&rx_q->rxq_stats.syncp); + ret |= handle_rx; + } + if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { +- x->tx_normal_irq_n++; +- x->txq_stats[chan].tx_normal_irq_n++; ++ u64_stats_update_begin(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_normal_irq_n++; ++ u64_stats_update_end(&tx_q->txq_stats.syncp); + ret |= handle_tx; + } + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +index a91d8f13a931..937b7a0466fc 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/enh_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/enh_desc.c +@@ -12,8 +12,7 @@ + #include "common.h" + #include "descs_com.h" + +-static int enh_desc_get_tx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int enh_desc_get_tx_status(struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { + unsigned int tdes0 = le32_to_cpu(p->des0); +@@ -38,15 +37,13 @@ static int enh_desc_get_tx_status(struct net_device_stats *stats, + + if (unlikely(tdes0 & ETDES0_LOSS_CARRIER)) { + x->tx_losscarrier++; +- stats->tx_carrier_errors++; + } + if (unlikely(tdes0 & ETDES0_NO_CARRIER)) { + x->tx_carrier++; +- stats->tx_carrier_errors++; + } + if (unlikely((tdes0 & ETDES0_LATE_COLLISION) || + (tdes0 & ETDES0_EXCESSIVE_COLLISIONS))) +- stats->collisions += ++ x->tx_collision += + (tdes0 & ETDES0_COLLISION_COUNT_MASK) >> 3; + + if (unlikely(tdes0 & ETDES0_EXCESSIVE_DEFERRAL)) +@@ -117,8 +114,7 @@ static int enh_desc_coe_rdes0(int ipc_err, int type, int payload_err) + return ret; + } + +-static void enh_desc_get_ext_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static void enh_desc_get_ext_status(struct stmmac_extra_stats *x, + struct dma_extended_desc *p) + { + unsigned int rdes0 = le32_to_cpu(p->basic.des0); +@@ -182,8 +178,7 @@ static void enh_desc_get_ext_status(struct net_device_stats *stats, + } + } + +-static int enh_desc_get_rx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int enh_desc_get_rx_status(struct stmmac_extra_stats *x, + struct dma_desc *p) + { + unsigned int rdes0 = le32_to_cpu(p->des0); +@@ -193,14 +188,14 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats, + return dma_own; + + if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { +- stats->rx_length_errors++; ++ x->rx_length++; + return discard_frame; + } + + if (unlikely(rdes0 & RDES0_ERROR_SUMMARY)) { + if (unlikely(rdes0 & RDES0_DESCRIPTOR_ERROR)) { + x->rx_desc++; +- stats->rx_length_errors++; ++ x->rx_length++; + } + if (unlikely(rdes0 & RDES0_OVERFLOW_ERROR)) + x->rx_gmac_overflow++; +@@ -209,7 +204,7 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats, + pr_err("\tIPC Csum Error/Giant frame\n"); + + if (unlikely(rdes0 & RDES0_COLLISION)) +- stats->collisions++; ++ x->rx_collision++; + if (unlikely(rdes0 & RDES0_RECEIVE_WATCHDOG)) + x->rx_watchdog++; + +@@ -218,7 +213,6 @@ static int enh_desc_get_rx_status(struct net_device_stats *stats, + + if (unlikely(rdes0 & RDES0_CRC_ERROR)) { + x->rx_crc_errors++; +- stats->rx_crc_errors++; + } + ret = discard_frame; + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/hwif.h b/drivers/net/ethernet/stmicro/stmmac/hwif.h +index 87161c85b1a1..19424af936d2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/hwif.h ++++ b/drivers/net/ethernet/stmicro/stmmac/hwif.h +@@ -57,8 +57,7 @@ struct stmmac_desc_ops { + /* Last tx segment reports the transmit status */ + int (*get_tx_ls)(struct dma_desc *p); + /* Return the transmit status looking at the TDES1 */ +- int (*tx_status)(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++ int (*tx_status)(struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr); + /* Get the buffer size from the descriptor */ + int (*get_tx_len)(struct dma_desc *p); +@@ -67,11 +66,9 @@ struct stmmac_desc_ops { + /* Get the receive frame size */ + int (*get_rx_frame_len)(struct dma_desc *p, int rx_coe_type); + /* Return the reception status looking at the RDES1 */ +- int (*rx_status)(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++ int (*rx_status)(struct stmmac_extra_stats *x, + struct dma_desc *p); +- void (*rx_extended_status)(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++ void (*rx_extended_status)(struct stmmac_extra_stats *x, + struct dma_extended_desc *p); + /* Set tx timestamp enable bit */ + void (*enable_tx_timestamp) (struct dma_desc *p); +@@ -191,8 +188,7 @@ struct stmmac_dma_ops { + void (*dma_tx_mode)(struct stmmac_priv *priv, void __iomem *ioaddr, + int mode, u32 channel, int fifosz, u8 qmode); + /* To track extra statistic (if supported) */ +- void (*dma_diagnostic_fr)(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++ void (*dma_diagnostic_fr)(struct stmmac_extra_stats *x, + void __iomem *ioaddr); + void (*enable_dma_transmission) (void __iomem *ioaddr); + void (*enable_dma_irq)(struct stmmac_priv *priv, void __iomem *ioaddr, +diff --git a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +index 350e6670a576..68a7cfcb1d8f 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/norm_desc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/norm_desc.c +@@ -12,8 +12,7 @@ + #include "common.h" + #include "descs_com.h" + +-static int ndesc_get_tx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int ndesc_get_tx_status(struct stmmac_extra_stats *x, + struct dma_desc *p, void __iomem *ioaddr) + { + unsigned int tdes0 = le32_to_cpu(p->des0); +@@ -31,15 +30,12 @@ static int ndesc_get_tx_status(struct net_device_stats *stats, + if (unlikely(tdes0 & TDES0_ERROR_SUMMARY)) { + if (unlikely(tdes0 & TDES0_UNDERFLOW_ERROR)) { + x->tx_underflow++; +- stats->tx_fifo_errors++; + } + if (unlikely(tdes0 & TDES0_NO_CARRIER)) { + x->tx_carrier++; +- stats->tx_carrier_errors++; + } + if (unlikely(tdes0 & TDES0_LOSS_CARRIER)) { + x->tx_losscarrier++; +- stats->tx_carrier_errors++; + } + if (unlikely((tdes0 & TDES0_EXCESSIVE_DEFERRAL) || + (tdes0 & TDES0_EXCESSIVE_COLLISIONS) || +@@ -47,7 +43,7 @@ static int ndesc_get_tx_status(struct net_device_stats *stats, + unsigned int collisions; + + collisions = (tdes0 & TDES0_COLLISION_COUNT_MASK) >> 3; +- stats->collisions += collisions; ++ x->tx_collision += collisions; + } + ret = tx_err; + } +@@ -70,8 +66,7 @@ static int ndesc_get_tx_len(struct dma_desc *p) + * and, if required, updates the multicast statistics. + * In case of success, it returns good_frame because the GMAC device + * is supposed to be able to compute the csum in HW. */ +-static int ndesc_get_rx_status(struct net_device_stats *stats, +- struct stmmac_extra_stats *x, ++static int ndesc_get_rx_status(struct stmmac_extra_stats *x, + struct dma_desc *p) + { + int ret = good_frame; +@@ -81,7 +76,7 @@ static int ndesc_get_rx_status(struct net_device_stats *stats, + return dma_own; + + if (unlikely(!(rdes0 & RDES0_LAST_DESCRIPTOR))) { +- stats->rx_length_errors++; ++ x->rx_length++; + return discard_frame; + } + +@@ -96,11 +91,9 @@ static int ndesc_get_rx_status(struct net_device_stats *stats, + x->ipc_csum_error++; + if (unlikely(rdes0 & RDES0_COLLISION)) { + x->rx_collision++; +- stats->collisions++; + } + if (unlikely(rdes0 & RDES0_CRC_ERROR)) { + x->rx_crc_errors++; +- stats->rx_crc_errors++; + } + ret = discard_frame; + } +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +index b9b41dd18cde..b3f9e318f6e2 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h +@@ -77,6 +77,7 @@ struct stmmac_tx_queue { + dma_addr_t dma_tx_phy; + dma_addr_t tx_tail_addr; + u32 mss; ++ struct stmmac_txq_stats txq_stats; + }; + + struct stmmac_rx_buffer { +@@ -118,6 +119,7 @@ struct stmmac_rx_queue { + unsigned int len; + unsigned int error; + } state; ++ struct stmmac_rxq_stats rxq_stats; + }; + + struct stmmac_channel { +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +index f03aa8a0b895..a808a32e52d1 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c +@@ -89,14 +89,6 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = { + /* Tx/Rx IRQ Events */ + STMMAC_STAT(rx_early_irq), + STMMAC_STAT(threshold), +- STMMAC_STAT(tx_pkt_n), +- STMMAC_STAT(rx_pkt_n), +- STMMAC_STAT(normal_irq_n), +- STMMAC_STAT(rx_normal_irq_n), +- STMMAC_STAT(napi_poll), +- STMMAC_STAT(tx_normal_irq_n), +- STMMAC_STAT(tx_clean), +- STMMAC_STAT(tx_set_ic_bit), + STMMAC_STAT(irq_receive_pmt_irq_n), + /* MMC info */ + STMMAC_STAT(mmc_tx_irq_n), +@@ -163,9 +155,6 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = { + STMMAC_STAT(mtl_rx_fifo_ctrl_active), + STMMAC_STAT(mac_rx_frame_ctrl_fifo), + STMMAC_STAT(mac_gmii_rx_proto_engine), +- /* TSO */ +- STMMAC_STAT(tx_tso_frames), +- STMMAC_STAT(tx_tso_nfrags), + /* EST */ + STMMAC_STAT(mtl_est_cgce), + STMMAC_STAT(mtl_est_hlbs), +@@ -175,6 +164,23 @@ static const struct stmmac_stats stmmac_gstrings_stats[] = { + }; + #define STMMAC_STATS_LEN ARRAY_SIZE(stmmac_gstrings_stats) + ++/* statistics collected in queue which will be summed up for all TX or RX ++ * queues, or summed up for both TX and RX queues(napi_poll, normal_irq_n). ++ */ ++static const char stmmac_qstats_string[][ETH_GSTRING_LEN] = { ++ "rx_pkt_n", ++ "rx_normal_irq_n", ++ "tx_pkt_n", ++ "tx_normal_irq_n", ++ "tx_clean", ++ "tx_set_ic_bit", ++ "tx_tso_frames", ++ "tx_tso_nfrags", ++ "normal_irq_n", ++ "napi_poll", ++}; ++#define STMMAC_QSTATS ARRAY_SIZE(stmmac_qstats_string) ++ + /* HW MAC Management counters (if supported) */ + #define STMMAC_MMC_STAT(m) \ + { #m, sizeof_field(struct stmmac_counters, m), \ +@@ -544,23 +550,44 @@ static void stmmac_get_per_qstats(struct stmmac_priv *priv, u64 *data) + { + u32 tx_cnt = priv->plat->tx_queues_to_use; + u32 rx_cnt = priv->plat->rx_queues_to_use; ++ unsigned int start; + int q, stat; ++ u64 *pos; + char *p; + ++ pos = data; + for (q = 0; q < tx_cnt; q++) { +- p = (char *)priv + offsetof(struct stmmac_priv, +- xstats.txq_stats[q].tx_pkt_n); ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[q]; ++ struct stmmac_txq_stats snapshot; ++ ++ data = pos; ++ do { ++ start = u64_stats_fetch_begin(&tx_q->txq_stats.syncp); ++ snapshot = tx_q->txq_stats; ++ } while (u64_stats_fetch_retry(&tx_q->txq_stats.syncp, start)); ++ ++ p = (char *)&snapshot + offsetof(struct stmmac_txq_stats, tx_pkt_n); + for (stat = 0; stat < STMMAC_TXQ_STATS; stat++) { +- *data++ = (*(unsigned long *)p); +- p += sizeof(unsigned long); ++ *data++ += (*(u64 *)p); ++ p += sizeof(u64); + } + } ++ ++ pos = data; + for (q = 0; q < rx_cnt; q++) { +- p = (char *)priv + offsetof(struct stmmac_priv, +- xstats.rxq_stats[q].rx_pkt_n); ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[q]; ++ struct stmmac_rxq_stats snapshot; ++ ++ data = pos; ++ do { ++ start = u64_stats_fetch_begin(&rx_q->rxq_stats.syncp); ++ snapshot = rx_q->rxq_stats; ++ } while (u64_stats_fetch_retry(&rx_q->rxq_stats.syncp, start)); ++ ++ p = (char *)&snapshot + offsetof(struct stmmac_rxq_stats, rx_pkt_n); + for (stat = 0; stat < STMMAC_RXQ_STATS; stat++) { +- *data++ = (*(unsigned long *)p); +- p += sizeof(unsigned long); ++ *data++ += (*(u64 *)p); ++ p += sizeof(u64); + } + } + } +@@ -571,8 +598,10 @@ static void stmmac_get_ethtool_stats(struct net_device *dev, + struct stmmac_priv *priv = netdev_priv(dev); + u32 rx_queues_count = priv->plat->rx_queues_to_use; + u32 tx_queues_count = priv->plat->tx_queues_to_use; ++ u64 napi_poll = 0, normal_irq_n = 0; ++ int i, j = 0, pos, ret; + unsigned long count; +- int i, j = 0, ret; ++ unsigned int start; + + if (priv->dma_cap.asp) { + for (i = 0; i < STMMAC_SAFETY_FEAT_SIZE; i++) { +@@ -583,8 +612,7 @@ static void stmmac_get_ethtool_stats(struct net_device *dev, + } + + /* Update the DMA HW counters for dwmac10/100 */ +- ret = stmmac_dma_diagnostic_fr(priv, &dev->stats, (void *) &priv->xstats, +- priv->ioaddr); ++ ret = stmmac_dma_diagnostic_fr(priv, &priv->xstats, priv->ioaddr); + if (ret) { + /* If supported, for new GMAC chips expose the MMC counters */ + if (priv->dma_cap.rmon) { +@@ -615,6 +643,48 @@ static void stmmac_get_ethtool_stats(struct net_device *dev, + data[j++] = (stmmac_gstrings_stats[i].sizeof_stat == + sizeof(u64)) ? (*(u64 *)p) : (*(u32 *)p); + } ++ ++ pos = j; ++ for (i = 0; i < rx_queues_count; i++) { ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[i]; ++ struct stmmac_rxq_stats snapshot; ++ ++ j = pos; ++ do { ++ start = u64_stats_fetch_begin(&rx_q->rxq_stats.syncp); ++ snapshot = rx_q->rxq_stats; ++ } while (u64_stats_fetch_retry(&rx_q->rxq_stats.syncp, start)); ++ ++ data[j++] += snapshot.rx_pkt_n; ++ data[j++] += snapshot.rx_normal_irq_n; ++ normal_irq_n += snapshot.rx_normal_irq_n; ++ napi_poll += snapshot.napi_poll; ++ } ++ ++ pos = j; ++ for (i = 0; i < tx_queues_count; i++) { ++ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[i]; ++ struct stmmac_txq_stats snapshot; ++ ++ j = pos; ++ do { ++ start = u64_stats_fetch_begin(&tx_q->txq_stats.syncp); ++ snapshot = tx_q->txq_stats; ++ } while (u64_stats_fetch_retry(&tx_q->txq_stats.syncp, start)); ++ ++ data[j++] += snapshot.tx_pkt_n; ++ data[j++] += snapshot.tx_normal_irq_n; ++ normal_irq_n += snapshot.tx_normal_irq_n; ++ data[j++] += snapshot.tx_clean; ++ data[j++] += snapshot.tx_set_ic_bit; ++ data[j++] += snapshot.tx_tso_frames; ++ data[j++] += snapshot.tx_tso_nfrags; ++ napi_poll += snapshot.napi_poll; ++ } ++ normal_irq_n += priv->xstats.rx_early_irq; ++ data[j++] = normal_irq_n; ++ data[j++] = napi_poll; ++ + stmmac_get_per_qstats(priv, &data[j]); + } + +@@ -627,7 +697,7 @@ static int stmmac_get_sset_count(struct net_device *netdev, int sset) + + switch (sset) { + case ETH_SS_STATS: +- len = STMMAC_STATS_LEN + ++ len = STMMAC_STATS_LEN + STMMAC_QSTATS + + STMMAC_TXQ_STATS * tx_cnt + + STMMAC_RXQ_STATS * rx_cnt; + +@@ -700,8 +770,11 @@ static void stmmac_get_strings(struct net_device *dev, u32 stringset, u8 *data) + p += ETH_GSTRING_LEN; + } + for (i = 0; i < STMMAC_STATS_LEN; i++) { +- memcpy(p, stmmac_gstrings_stats[i].stat_string, +- ETH_GSTRING_LEN); ++ memcpy(p, stmmac_gstrings_stats[i].stat_string, ETH_GSTRING_LEN); ++ p += ETH_GSTRING_LEN; ++ } ++ for (i = 0; i < STMMAC_QSTATS; i++) { ++ memcpy(p, stmmac_qstats_string[i], ETH_GSTRING_LEN); + p += ETH_GSTRING_LEN; + } + stmmac_get_qstats_string(priv, p); +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 4aeacb5fe81e..b2362e107f20 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2430,6 +2430,8 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget) + struct dma_desc *tx_desc = NULL; + struct xdp_desc xdp_desc; + bool work_done = true; ++ u32 tx_set_ic_bit = 0; ++ unsigned long flags; + + /* Avoids TX time-out as we are sharing with slow path */ + txq_trans_cond_update(nq); +@@ -2490,7 +2492,7 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget) + if (set_ic) { + tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, tx_desc); +- priv->xstats.tx_set_ic_bit++; ++ tx_set_ic_bit++; + } + + stmmac_prepare_tx_desc(priv, tx_desc, 1, xdp_desc.len, +@@ -2502,6 +2504,9 @@ static bool stmmac_xdp_xmit_zc(struct stmmac_priv *priv, u32 queue, u32 budget) + tx_q->cur_tx = STMMAC_GET_ENTRY(tx_q->cur_tx, priv->dma_conf.dma_tx_size); + entry = tx_q->cur_tx; + } ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_set_ic_bit += tx_set_ic_bit; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + + if (tx_desc) { + stmmac_flush_tx_descriptors(priv, queue); +@@ -2543,11 +2548,11 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[queue]; + unsigned int bytes_compl = 0, pkts_compl = 0; + unsigned int entry, xmits = 0, count = 0; ++ u32 tx_packets = 0, tx_errors = 0; ++ unsigned long flags; + + __netif_tx_lock_bh(netdev_get_tx_queue(priv->dev, queue)); + +- priv->xstats.tx_clean++; +- + tx_q->xsk_frames_done = 0; + + entry = tx_q->dirty_tx; +@@ -2578,8 +2583,7 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + else + p = tx_q->dma_tx + entry; + +- status = stmmac_tx_status(priv, &priv->dev->stats, +- &priv->xstats, p, priv->ioaddr); ++ status = stmmac_tx_status(priv, &priv->xstats, p, priv->ioaddr); + /* Check if the descriptor is owned by the DMA */ + if (unlikely(status & tx_dma_own)) + break; +@@ -2595,13 +2599,11 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + if (likely(!(status & tx_not_ls))) { + /* ... verify the status error condition */ + if (unlikely(status & tx_err)) { +- priv->dev->stats.tx_errors++; ++ tx_errors++; + if (unlikely(status & tx_err_bump_tc)) + stmmac_bump_dma_threshold(priv, queue); + } else { +- priv->dev->stats.tx_packets++; +- priv->xstats.tx_pkt_n++; +- priv->xstats.txq_stats[queue].tx_pkt_n++; ++ tx_packets++; + } + if (skb) + stmmac_get_tx_hwtstamp(priv, p, skb); +@@ -2703,6 +2705,14 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue) + if (tx_q->dirty_tx != tx_q->cur_tx) + stmmac_tx_timer_arm(priv, queue); + ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_packets += tx_packets; ++ tx_q->txq_stats.tx_pkt_n += tx_packets; ++ tx_q->txq_stats.tx_clean++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); ++ ++ priv->xstats.tx_errors += tx_errors; ++ + __netif_tx_unlock_bh(netdev_get_tx_queue(priv->dev, queue)); + + /* Combine decisions from TX clean and XSK TX */ +@@ -2730,7 +2740,7 @@ static void stmmac_tx_err(struct stmmac_priv *priv, u32 chan) + tx_q->dma_tx_phy, chan); + stmmac_start_tx_dma(priv, chan); + +- priv->dev->stats.tx_errors++; ++ priv->xstats.tx_errors++; + netif_tx_wake_queue(netdev_get_tx_queue(priv->dev, chan)); + } + +@@ -4116,6 +4126,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev) + struct stmmac_tx_queue *tx_q; + bool has_vlan, set_ic; + u8 proto_hdr_len, hdr; ++ unsigned long flags; + u32 pay_len, mss; + dma_addr_t des; + int i; +@@ -4276,7 +4287,6 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev) + + tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, desc); +- priv->xstats.tx_set_ic_bit++; + } + + /* We've used all descriptors we need for this skb, however, +@@ -4292,9 +4302,13 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev) + netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue)); + } + +- dev->stats.tx_bytes += skb->len; +- priv->xstats.tx_tso_frames++; +- priv->xstats.tx_tso_nfrags += nfrags; ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_bytes += skb->len; ++ tx_q->txq_stats.tx_tso_frames++; ++ tx_q->txq_stats.tx_tso_nfrags += nfrags; ++ if (set_ic) ++ tx_q->txq_stats.tx_set_ic_bit++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + + if (priv->sarc_type) + stmmac_set_desc_sarc(priv, first, priv->sarc_type); +@@ -4344,7 +4358,7 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev) + dma_map_err: + dev_err(priv->device, "Tx dma map failed\n"); + dev_kfree_skb(skb); +- priv->dev->stats.tx_dropped++; ++ priv->xstats.tx_dropped++; + return NETDEV_TX_OK; + } + +@@ -4370,6 +4384,7 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + struct stmmac_tx_queue *tx_q; + bool has_vlan, set_ic; + int entry, first_tx; ++ unsigned long flags; + dma_addr_t des; + + tx_q = &priv->dma_conf.tx_queue[queue]; +@@ -4498,7 +4513,6 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + + tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, desc); +- priv->xstats.tx_set_ic_bit++; + } + + /* We've used all descriptors we need for this skb, however, +@@ -4525,7 +4539,11 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + netif_tx_stop_queue(netdev_get_tx_queue(priv->dev, queue)); + } + +- dev->stats.tx_bytes += skb->len; ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_bytes += skb->len; ++ if (set_ic) ++ tx_q->txq_stats.tx_set_ic_bit++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + + if (priv->sarc_type) + stmmac_set_desc_sarc(priv, first, priv->sarc_type); +@@ -4587,7 +4605,7 @@ static netdev_tx_t stmmac_xmit(struct sk_buff *skb, struct net_device *dev) + dma_map_err: + netdev_err(priv->dev, "Tx DMA map failed\n"); + dev_kfree_skb(skb); +- priv->dev->stats.tx_dropped++; ++ priv->xstats.tx_dropped++; + return NETDEV_TX_OK; + } + +@@ -4788,9 +4806,12 @@ static int stmmac_xdp_xmit_xdpf(struct stmmac_priv *priv, int queue, + set_ic = false; + + if (set_ic) { ++ unsigned long flags; + tx_q->tx_count_frames = 0; + stmmac_set_tx_ic(priv, tx_desc); +- priv->xstats.tx_set_ic_bit++; ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.tx_set_ic_bit++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + } + + stmmac_enable_dma_transmission(priv, priv->ioaddr); +@@ -4935,16 +4956,18 @@ static void stmmac_dispatch_skb_zc(struct stmmac_priv *priv, u32 queue, + struct dma_desc *p, struct dma_desc *np, + struct xdp_buff *xdp) + { ++ struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[queue]; + struct stmmac_channel *ch = &priv->channel[queue]; + unsigned int len = xdp->data_end - xdp->data; + enum pkt_hash_types hash_type; + int coe = priv->hw->rx_csum; ++ unsigned long flags; + struct sk_buff *skb; + u32 hash; + + skb = stmmac_construct_skb_zc(ch, xdp); + if (!skb) { +- priv->dev->stats.rx_dropped++; ++ priv->xstats.rx_dropped++; + return; + } + +@@ -4963,8 +4986,10 @@ static void stmmac_dispatch_skb_zc(struct stmmac_priv *priv, u32 queue, + skb_record_rx_queue(skb, queue); + napi_gro_receive(&ch->rxtx_napi, skb); + +- priv->dev->stats.rx_packets++; +- priv->dev->stats.rx_bytes += len; ++ flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_pkt_n++; ++ rx_q->rxq_stats.rx_bytes += len; ++ u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags); + } + + static bool stmmac_rx_refill_zc(struct stmmac_priv *priv, u32 queue, u32 budget) +@@ -5031,9 +5056,11 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + unsigned int count = 0, error = 0, len = 0; + int dirty = stmmac_rx_dirty(priv, queue); + unsigned int next_entry = rx_q->cur_rx; ++ u32 rx_errors = 0, rx_dropped = 0; + unsigned int desc_size; + struct bpf_prog *prog; + bool failure = false; ++ unsigned long flags; + int xdp_status = 0; + int status = 0; + +@@ -5088,8 +5115,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + p = rx_q->dma_rx + entry; + + /* read the status of the incoming frame */ +- status = stmmac_rx_status(priv, &priv->dev->stats, +- &priv->xstats, p); ++ status = stmmac_rx_status(priv, &priv->xstats, p); + /* check if managed by the DMA otherwise go ahead */ + if (unlikely(status & dma_own)) + break; +@@ -5111,8 +5137,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + + if (priv->extend_desc) +- stmmac_rx_extended_status(priv, &priv->dev->stats, +- &priv->xstats, ++ stmmac_rx_extended_status(priv, &priv->xstats, + rx_q->dma_erx + entry); + if (unlikely(status == discard_frame)) { + xsk_buff_free(buf->xdp); +@@ -5120,7 +5145,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + dirty++; + error = 1; + if (!priv->hwts_rx_en) +- priv->dev->stats.rx_errors++; ++ rx_errors++; + } + + if (unlikely(error && (status & rx_not_ls))) +@@ -5163,7 +5188,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + case STMMAC_XDP_CONSUMED: + xsk_buff_free(buf->xdp); +- priv->dev->stats.rx_dropped++; ++ rx_dropped++; + break; + case STMMAC_XDP_TX: + case STMMAC_XDP_REDIRECT: +@@ -5184,8 +5209,12 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + + stmmac_finalize_xdp_rx(priv, xdp_status); + +- priv->xstats.rx_pkt_n += count; +- priv->xstats.rxq_stats[queue].rx_pkt_n += count; ++ flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_pkt_n += count; ++ u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags); ++ ++ priv->xstats.rx_dropped += rx_dropped; ++ priv->xstats.rx_errors += rx_errors; + + if (xsk_uses_need_wakeup(rx_q->xsk_pool)) { + if (failure || stmmac_rx_dirty(priv, queue) > 0) +@@ -5209,6 +5238,7 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + */ + static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + { ++ u32 rx_errors = 0, rx_dropped = 0, rx_bytes = 0, rx_packets = 0; + struct stmmac_rx_queue *rx_q = &priv->dma_conf.rx_queue[queue]; + struct stmmac_channel *ch = &priv->channel[queue]; + unsigned int count = 0, error = 0, len = 0; +@@ -5218,6 +5248,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + unsigned int desc_size; + struct sk_buff *skb = NULL; + struct stmmac_xdp_buff ctx; ++ unsigned long flags; + int xdp_status = 0; + int buf_sz; + +@@ -5274,8 +5305,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + p = rx_q->dma_rx + entry; + + /* read the status of the incoming frame */ +- status = stmmac_rx_status(priv, &priv->dev->stats, +- &priv->xstats, p); ++ status = stmmac_rx_status(priv, &priv->xstats, p); + /* check if managed by the DMA otherwise go ahead */ + if (unlikely(status & dma_own)) + break; +@@ -5292,14 +5322,13 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + prefetch(np); + + if (priv->extend_desc) +- stmmac_rx_extended_status(priv, &priv->dev->stats, +- &priv->xstats, rx_q->dma_erx + entry); ++ stmmac_rx_extended_status(priv, &priv->xstats, rx_q->dma_erx + entry); + if (unlikely(status == discard_frame)) { + page_pool_recycle_direct(rx_q->page_pool, buf->page); + buf->page = NULL; + error = 1; + if (!priv->hwts_rx_en) +- priv->dev->stats.rx_errors++; ++ rx_errors++; + } + + if (unlikely(error && (status & rx_not_ls))) +@@ -5362,7 +5391,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + virt_to_head_page(ctx.xdp.data), + sync_len, true); + buf->page = NULL; +- priv->dev->stats.rx_dropped++; ++ rx_dropped++; + + /* Clear skb as it was set as + * status by XDP program. +@@ -5391,7 +5420,7 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + + skb = napi_alloc_skb(&ch->rx_napi, buf1_len); + if (!skb) { +- priv->dev->stats.rx_dropped++; ++ rx_dropped++; + count++; + goto drain_data; + } +@@ -5451,8 +5480,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + napi_gro_receive(&ch->rx_napi, skb); + skb = NULL; + +- priv->dev->stats.rx_packets++; +- priv->dev->stats.rx_bytes += len; ++ rx_packets++; ++ rx_bytes += len; + count++; + } + +@@ -5467,8 +5496,14 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue) + + stmmac_rx_refill(priv, queue); + +- priv->xstats.rx_pkt_n += count; +- priv->xstats.rxq_stats[queue].rx_pkt_n += count; ++ flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.rx_packets += rx_packets; ++ rx_q->rxq_stats.rx_bytes += rx_bytes; ++ rx_q->rxq_stats.rx_pkt_n += count; ++ u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags); ++ ++ priv->xstats.rx_dropped += rx_dropped; ++ priv->xstats.rx_errors += rx_errors; + + return count; + } +@@ -5478,10 +5513,15 @@ static int stmmac_napi_poll_rx(struct napi_struct *napi, int budget) + struct stmmac_channel *ch = + container_of(napi, struct stmmac_channel, rx_napi); + struct stmmac_priv *priv = ch->priv_data; ++ struct stmmac_rx_queue *rx_q; + u32 chan = ch->index; ++ unsigned long flags; + int work_done; + +- priv->xstats.napi_poll++; ++ rx_q = &priv->dma_conf.rx_queue[chan]; ++ flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.napi_poll++; ++ u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags); + + work_done = stmmac_rx(priv, budget, chan); + if (work_done < budget && napi_complete_done(napi, work_done)) { +@@ -5500,10 +5540,15 @@ static int stmmac_napi_poll_tx(struct napi_struct *napi, int budget) + struct stmmac_channel *ch = + container_of(napi, struct stmmac_channel, tx_napi); + struct stmmac_priv *priv = ch->priv_data; ++ struct stmmac_tx_queue *tx_q; + u32 chan = ch->index; ++ unsigned long flags; + int work_done; + +- priv->xstats.napi_poll++; ++ tx_q = &priv->dma_conf.tx_queue[chan]; ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.napi_poll++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + + work_done = stmmac_tx_clean(priv, budget, chan); + work_done = min(work_done, budget); +@@ -5525,9 +5570,20 @@ static int stmmac_napi_poll_rxtx(struct napi_struct *napi, int budget) + container_of(napi, struct stmmac_channel, rxtx_napi); + struct stmmac_priv *priv = ch->priv_data; + int rx_done, tx_done, rxtx_done; ++ struct stmmac_rx_queue *rx_q; ++ struct stmmac_tx_queue *tx_q; + u32 chan = ch->index; ++ unsigned long flags; ++ ++ rx_q = &priv->dma_conf.rx_queue[chan]; ++ flags = u64_stats_update_begin_irqsave(&rx_q->rxq_stats.syncp); ++ rx_q->rxq_stats.napi_poll++; ++ u64_stats_update_end_irqrestore(&rx_q->rxq_stats.syncp, flags); + +- priv->xstats.napi_poll++; ++ tx_q = &priv->dma_conf.tx_queue[chan]; ++ flags = u64_stats_update_begin_irqsave(&tx_q->txq_stats.syncp); ++ tx_q->txq_stats.napi_poll++; ++ u64_stats_update_end_irqrestore(&tx_q->txq_stats.syncp, flags); + + tx_done = stmmac_tx_clean(priv, budget, chan); + tx_done = min(tx_done, budget); +@@ -6765,6 +6821,56 @@ int stmmac_xsk_wakeup(struct net_device *dev, u32 queue, u32 flags) + return 0; + } + ++static void stmmac_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats) ++{ ++ struct stmmac_priv *priv = netdev_priv(dev); ++ u32 tx_cnt = priv->plat->tx_queues_to_use; ++ u32 rx_cnt = priv->plat->rx_queues_to_use; ++ unsigned int start; ++ int q; ++ ++ for (q = 0; q < tx_cnt; q++) { ++ struct stmmac_txq_stats *txq_stats = &priv->dma_conf.tx_queue[q].txq_stats; ++ u64 tx_packets; ++ u64 tx_bytes; ++ ++ do { ++ start = u64_stats_fetch_begin(&txq_stats->syncp); ++ tx_packets = txq_stats->tx_packets; ++ tx_bytes = txq_stats->tx_bytes; ++ } while (u64_stats_fetch_retry(&txq_stats->syncp, start)); ++ ++ stats->tx_packets += tx_packets; ++ stats->tx_bytes += tx_bytes; ++ } ++ ++ for (q = 0; q < rx_cnt; q++) { ++ struct stmmac_rxq_stats *rxq_stats = &priv->dma_conf.rx_queue[q].rxq_stats; ++ u64 rx_packets; ++ u64 rx_bytes; ++ ++ do { ++ start = u64_stats_fetch_begin(&rxq_stats->syncp); ++ rx_packets = rxq_stats->rx_packets; ++ rx_bytes = rxq_stats->rx_bytes; ++ } while (u64_stats_fetch_retry(&rxq_stats->syncp, start)); ++ ++ stats->rx_packets += rx_packets; ++ stats->rx_bytes += rx_bytes; ++ } ++ ++ stats->rx_dropped = priv->xstats.rx_dropped; ++ stats->rx_errors = priv->xstats.rx_errors; ++ stats->tx_dropped = priv->xstats.tx_dropped; ++ stats->tx_errors = priv->xstats.tx_errors; ++ stats->tx_carrier_errors = priv->xstats.tx_losscarrier + priv->xstats.tx_carrier; ++ stats->collisions = priv->xstats.tx_collision + priv->xstats.rx_collision; ++ stats->rx_length_errors = priv->xstats.rx_length; ++ stats->rx_crc_errors = priv->xstats.rx_crc_errors; ++ stats->rx_over_errors = priv->xstats.rx_overflow_cntr; ++ stats->rx_missed_errors = priv->xstats.rx_missed_cntr; ++} ++ + static const struct net_device_ops stmmac_netdev_ops = { + .ndo_open = stmmac_open, + .ndo_start_xmit = stmmac_xmit, +@@ -6775,6 +6881,7 @@ static const struct net_device_ops stmmac_netdev_ops = { + .ndo_set_rx_mode = stmmac_set_rx_mode, + .ndo_tx_timeout = stmmac_tx_timeout, + .ndo_eth_ioctl = stmmac_ioctl, ++ .ndo_get_stats64 = stmmac_get_stats64, + .ndo_setup_tc = stmmac_setup_tc, + .ndo_select_queue = stmmac_select_queue, + #ifdef CONFIG_NET_POLL_CONTROLLER +@@ -7109,6 +7216,11 @@ int stmmac_dvr_probe(struct device *device, + priv->device = device; + priv->dev = ndev; + ++ for (i = 0; i < MTL_MAX_RX_QUEUES; i++) ++ u64_stats_init(&priv->dma_conf.rx_queue[i].rxq_stats.syncp); ++ for (i = 0; i < MTL_MAX_TX_QUEUES; i++) ++ u64_stats_init(&priv->dma_conf.tx_queue[i].txq_stats.syncp); ++ + stmmac_set_ethtool_ops(ndev); + priv->pause = pause; + priv->plat = plat_dat; +-- +2.51.0 + diff --git a/queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch b/queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch new file mode 100644 index 0000000000..ad2d386722 --- /dev/null +++ b/queue-6.1/net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch @@ -0,0 +1,44 @@ +From a31cfd15fdc0acb4acf585d391447312bf7e8c97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 May 2023 22:43:40 +0800 +Subject: net: stmmac: xgmac: add ethtool per-queue irq statistic support + +From: Teoh Ji Sheng + +[ Upstream commit af8eacf2b42e0a736a7a2a1379fb6c0b7fd66da4 ] + +Commit af9bf70154eb ("net: stmmac: add ethtool per-queue irq statistic +support") introduced ethtool per-queue statistics support to display +number of interrupts generated by DMA tx and DMA rx for DWMAC4 core. +This patch extend the support to XGMAC core. + +Signed-off-by: Teoh Ji Sheng +Reviewed-by: Simon Horman +Link: https://lore.kernel.org/r/20230508144339.3014402-1-ji.sheng.teoh@intel.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: a48e23221000 ("net: stmmac: fix the crash issue for zero copy XDP_TX action") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +index e92c29199e77..5187c5da709a 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c +@@ -364,10 +364,12 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv, + + if (likely(intr_status & XGMAC_RI)) { + x->rx_normal_irq_n++; ++ x->rxq_stats[chan].rx_normal_irq_n++; + ret |= handle_rx; + } + if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) { + x->tx_normal_irq_n++; ++ x->txq_stats[chan].tx_normal_irq_n++; + ret |= handle_tx; + } + } +-- +2.51.0 + diff --git a/queue-6.1/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.1/net-usb-asix-validate-phy-address-before-use.patch new file mode 100644 index 0000000000..322d18b1be --- /dev/null +++ b/queue-6.1/net-usb-asix-validate-phy-address-before-use.patch @@ -0,0 +1,53 @@ +From 6dbe1d2db9ac4e7415cf671d1d8d93a60b53e265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 06:41:56 +0530 +Subject: net: usb: asix: validate PHY address before use + +From: Deepanshu Kartikey + +[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ] + +The ASIX driver reads the PHY address from the USB device via +asix_read_phy_addr(). A malicious or faulty device can return an +invalid address (>= PHY_MAX_ADDR), which causes a warning in +mdiobus_get_phy(): + + addr 207 out of range + WARNING: drivers/net/phy/mdio_bus.c:76 + +Validate the PHY address in asix_read_phy_addr() and remove the +now-redundant check in ax88172a.c. + +Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232 +Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return") +Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1] +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 72ffc89b477a..9d6eb88083b6 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal) + offset = (internal ? 1 : 0); + ret = buf[offset]; + ++ if (ret >= PHY_MAX_ADDR) { ++ netdev_err(dev->net, "invalid PHY address: %d\n", ret); ++ return -ENODEV; ++ } ++ + netdev_dbg(dev->net, "%s PHY address 0x%x\n", + internal ? "internal" : "external", ret); + +-- +2.51.0 + diff --git a/queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..a17743cbc7 --- /dev/null +++ b/queue-6.1/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From f51e0249e167c6ed09400a1e00a3c4c7c09fe297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 278e6cb6f4d9..e40b0669d9f4 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..8d9c146c17 --- /dev/null +++ b/queue-6.1/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From 1e7f08ac528e8e7cfa202effabffbc32bf336f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 2d6f6edb1510..835e85f0667a 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -422,6 +422,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..bee8af82e0 --- /dev/null +++ b/queue-6.1/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From 0e20f0b754f619c00194690fcb3673a8c78f6b3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 5fc665f7d9b3..10cab7bdfe15 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..99ec0f452b --- /dev/null +++ b/queue-6.1/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From cd1942939880ba0c0ada410553647e12a5d93b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index f4c6c36e05a5..2a8839135492 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..3b9d88f721 --- /dev/null +++ b/queue-6.1/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From 731f18bde9fcd4de97b7aee93d7d43528b7a2c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 5edad6a5a112..6d811f67934e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..d545dbb48b --- /dev/null +++ b/queue-6.1/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From 51e5b3b22d912bc21be72c972eb87bff97b3b72d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 94c34ba103ea..edd1457a99b2 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2650,14 +2650,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..c9d41aafd5 --- /dev/null +++ b/queue-6.1/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From 7efc35b3e84696297b046a10a42c04327521b040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index c03475b9fa28..69eb6408ce86 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -777,7 +777,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..c9e71f8455 --- /dev/null +++ b/queue-6.1/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From 88a945f53d28a0c610eb1d6b0ebbbf7a8f5851ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 4962d68bf217..5edad6a5a112 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..6ddbe4e679 --- /dev/null +++ b/queue-6.1/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From df136f01d73226b3de870fc03664da9079aaa6fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 97a116960f31..d0c8ad45f3c2 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -732,7 +732,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-6.1/rdma-efa-remove-possible-negative-shift.patch b/queue-6.1/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..3971179e24 --- /dev/null +++ b/queue-6.1/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 7d4979950db216d4deef88415e7d7a8f21ae461a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 90d5f1a96f3e..a22ddb2088f6 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1214,13 +1214,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch new file mode 100644 index 0000000000..b714d404ee --- /dev/null +++ b/queue-6.1/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch @@ -0,0 +1,83 @@ +From eced0ef7173df1b639930dab23b5a2e518d00ee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:31:50 +0100 +Subject: RDMA/irdma: avoid invalid read in irdma_net_event + +From: Michal Schmidt + +[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ] + +irdma_net_event() should not dereference anything from "neigh" (alias +"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. +Other events come with different structures pointed to by "ptr" and they +may be smaller than struct neighbour. + +Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. + +The bug is mostly harmless, but it triggers KASAN on debug kernels: + + BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] + Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 + + CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 + Hardware name: [...] + Workqueue: events rt6_probe_deferred + Call Trace: + + dump_stack_lvl+0x60/0xb0 + print_address_description.constprop.0+0x2c/0x3f0 + print_report+0xb4/0x270 + kasan_report+0x92/0xc0 + irdma_net_event+0x32e/0x3b0 [irdma] + notifier_call_chain+0x9e/0x180 + atomic_notifier_call_chain+0x5c/0x110 + rt6_do_redirect+0xb91/0x1080 + tcp_v6_err+0xe9b/0x13e0 + icmpv6_notify+0x2b2/0x630 + ndisc_redirect_rcv+0x328/0x530 + icmpv6_rcv+0xc16/0x1360 + ip6_protocol_deliver_rcu+0xb84/0x12e0 + ip6_input_finish+0x117/0x240 + ip6_input+0xc4/0x370 + ipv6_rcv+0x420/0x7d0 + __netif_receive_skb_one_core+0x118/0x1b0 + process_backlog+0xd1/0x5d0 + __napi_poll.constprop.0+0xa3/0x440 + net_rx_action+0x78a/0xba0 + handle_softirqs+0x2d4/0x9c0 + do_softirq+0xad/0xe0 + + +Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") +Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com +Signed-off-by: Michal Schmidt +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index 8c7617776e58..d236e4a27ca9 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + void *ptr) + { + struct neighbour *neigh = ptr; +- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev; ++ struct net_device *real_dev, *netdev; + struct irdma_device *iwdev; + struct ib_device *ibdev; + __be32 *p; +@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + + switch (event) { + case NETEVENT_NEIGH_UPDATE: ++ netdev = neigh->dev; + real_dev = rdma_vlan_dev_real_dev(netdev); + if (!real_dev) + real_dev = netdev; +-- +2.51.0 + diff --git a/queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch new file mode 100644 index 0000000000..a4bb9fa86c --- /dev/null +++ b/queue-6.1/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch @@ -0,0 +1,40 @@ +From 8086c614ba71db3d90a0fd550c365671812fdb32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:56:17 +0800 +Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation + +From: Honggang LI + +[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ] + +If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift] +are zero, the `min3` function will set clt_path::max_pages_per_mr to +zero. + +`alloc_path_reqs` will pass zero, which is invalid, as the third parameter +to `ib_alloc_mr`. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Honggang LI +Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index dac8ddfc89e7..7c81452d73cf 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1465,6 +1465,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path) + mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1); + max_pages_per_mr = ib_dev->attrs.max_mr_size; + do_div(max_pages_per_mr, (1ull << mr_page_shift)); ++ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX); + clt_path->max_pages_per_mr = + min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr, + ib_dev->attrs.max_fast_reg_page_list_len); +-- +2.51.0 + diff --git a/queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch b/queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch new file mode 100644 index 0000000000..9697ca4d8c --- /dev/null +++ b/queue-6.1/sched-isolation-add-cpu_is_isolated-api.patch @@ -0,0 +1,95 @@ +From b26b0ca07ed85ce9ce7bb50da2346ad8518d9ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Mar 2023 14:44:47 +0100 +Subject: sched/isolation: add cpu_is_isolated() API + +From: Frederic Weisbecker + +[ Upstream commit a85c2257a8ac353af16dbcbf32c50d3380860bc5 ] + +Patch series "memcg, cpuisol: do not interfere pcp cache charges draining +with cpuisol workloads". + +Leonardo has reported [1] that pcp memcg charge draining can interfere +with cpu isolated workloads. The said draining is done from a WQ context +with a pcp worker scheduled on each CPU which holds any cached charges for +a specific memcg hierarchy. Operation is not really a common operation +[2]. It can be triggered from the userspace though so some care is +definitely due. + +Leonardo has tried to address the issue by allowing remote charge draining +[3]. This approach requires an additional locking to synchronize pcp +caches sync from a remote cpu from local pcp consumers. Even though the +proposed lock was per-cpu there is still potential for contention and less +predictable behavior. + +This patchset addresses the issue from a different angle. Rather than +dealing with a potential synchronization, cpus which are isolated are +simply never scheduled to be drained. This means that a small amount of +charges could be laying around and waiting for a later use or they are +flushed when a different memcg is charged from the same cpu. More details +are in patch 2. The first patch from Frederic is implementing an +abstraction to tell whether a specific cpu has been isolated and therefore +require a special treatment. + +This patch (of 2): + +Provide this new API to check if a CPU has been isolated either through +isolcpus= or nohz_full= kernel parameter. + +It aims at avoiding kernel load deemed to be safely spared on CPUs running +sensitive workload that can't bear any disturbance, such as pcp cache +draining. + +Link: https://lkml.kernel.org/r/20230317134448.11082-1-mhocko@kernel.org +Link: https://lkml.kernel.org/r/20230317134448.11082-2-mhocko@kernel.org +Signed-off-by: Frederic Weisbecker +Signed-off-by: Michal Hocko +Suggested-by: Michal Hocko +Cc: Johannes Weiner +Cc: Marcelo Tosatti +Cc: Muchun Song +Cc: Peter Zijlstra +Cc: Roman Gushchin +Cc: Shakeel Butt +Cc: Thomas Gleixner +Cc: Leonardo Bras +Cc: Ingo Molnar +Signed-off-by: Andrew Morton +Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx") +Signed-off-by: Sasha Levin +--- + include/linux/sched/isolation.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/linux/sched/isolation.h b/include/linux/sched/isolation.h +index 8c15abd67aed..fe1a46f30d24 100644 +--- a/include/linux/sched/isolation.h ++++ b/include/linux/sched/isolation.h +@@ -46,6 +46,12 @@ static inline bool housekeeping_enabled(enum hk_type type) + + static inline void housekeeping_affine(struct task_struct *t, + enum hk_type type) { } ++ ++static inline bool housekeeping_test_cpu(int cpu, enum hk_type type) ++{ ++ return true; ++} ++ + static inline void housekeeping_init(void) { } + #endif /* CONFIG_CPU_ISOLATION */ + +@@ -58,4 +64,10 @@ static inline bool housekeeping_cpu(int cpu, enum hk_type type) + return true; + } + ++static inline bool cpu_is_isolated(int cpu) ++{ ++ return !housekeeping_test_cpu(cpu, HK_TYPE_DOMAIN) || ++ !housekeeping_test_cpu(cpu, HK_TYPE_TICK); ++} ++ + #endif /* _LINUX_SCHED_ISOLATION_H */ +-- +2.51.0 + diff --git a/queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..e30f31bff6 --- /dev/null +++ b/queue-6.1/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From e7616533164df6299c1a78a576fb88c7ac951ab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch new file mode 100644 index 0000000000..c3564915f7 --- /dev/null +++ b/queue-6.1/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch @@ -0,0 +1,97 @@ +From 918046859d11369e146c1f1661ee0565567522fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 12:06:41 -0500 +Subject: selftests: net: fix "buffer overflow detected" for tap.c + +From: Alice C. Munduruca + +[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ] + +When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3', +the strcpy() in rtattr_add_strsz() is replaced with a checked +version which causes the test to consistently fail when compiled +with toolchains for which this option is enabled by default. + + TAP version 13 + 1..3 + # Starting 3 tests from 1 test cases. + # RUN tap.test_packet_valid_udp_gso ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_gso: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_gso + not ok 1 tap.test_packet_valid_udp_gso + # RUN tap.test_packet_valid_udp_csum ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_csum: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_csum + not ok 2 tap.test_packet_valid_udp_csum + # RUN tap.test_packet_crash_tap_invalid_eth_proto ... + *** buffer overflow detected ***: terminated + # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion + # FAIL tap.test_packet_crash_tap_invalid_eth_proto + not ok 3 tap.test_packet_crash_tap_invalid_eth_proto + # FAILED: 0 / 3 tests passed. + # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0 + +A buffer overflow is detected by the fortified glibc __strcpy_chk() +since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly +reported as 1, even though there is ample space in its bounding +buffer `req`. + +Additionally, given that IFLA_IFNAME also expects a null-terminated +string, callers of rtaddr_add_str{,sz}() could simply use the +rtaddr_add_strsz() variant. (which has been renamed to remove the +trailing `sz`) memset() has been used for this function since it +is unchecked and thus circumvents the issue discussed in the +previous paragraph. + +Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver") +Signed-off-by: Alice C. Munduruca +Reviewed-by: Cengiz Can +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tap.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c +index 247c3b3ac1c9..51a209014f1c 100644 +--- a/tools/testing/selftests/net/tap.c ++++ b/tools/testing/selftests/net/tap.c +@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr) + static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type, + const char *s) + { +- struct rtattr *rta = rtattr_add(nh, type, strlen(s)); ++ unsigned int strsz = strlen(s) + 1; ++ struct rtattr *rta; + +- memcpy(RTA_DATA(rta), s, strlen(s)); +- return rta; +-} +- +-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type, +- const char *s) +-{ +- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1); ++ rta = rtattr_add(nh, type, strsz); + +- strcpy(RTA_DATA(rta), s); ++ memcpy(RTA_DATA(rta), s, strsz); + return rta; + } + +@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type, + + link_info = rtattr_begin(&req.nh, IFLA_LINKINFO); + +- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type); ++ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type); + + if (fill_info_data) { + info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA); +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 6e44219806..aaa2b023ff 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -385,3 +385,58 @@ i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch +wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch +cfg80211-update-transition-disable-policy-during-por.patch +wifi-mac80211-mlme-handle-eht-channel-puncturing.patch +wifi-cfg80211-move-puncturing-bitmap-validation-from.patch +wifi-nl80211-validate-and-configure-puncturing-bitma.patch +wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch +wifi-mac80211-generate-ema-beacons-in-ap-mode.patch +cfg80211-support-rnr-for-ema-ap.patch +mac80211-support-rnr-for-ema-ap.patch +wifi-mac80211-do-not-use-old-mbssid-elements.patch +i40e-fix-scheduling-in-set_rx_mode.patch +i40e-refactor-argument-of-several-client-notificatio.patch +i40e-refactor-argument-of-i40e_detect_recover_hung.patch +i40e-validate-ring_len-parameter-against-hardware-sp.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +selftests-net-fix-buffer-overflow-detected-for-tap.c.patch +smc91x-fix-broken-irq-context-in-preempt_rt.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-fix-dma_free_coherent-size.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +net-usb-asix-validate-phy-address-before-use.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +net-stmmac-power-up-serdes-after-the-phy-link.patch +net-stmmac-remove-some-unnecessary-void-pointers.patch +net-stmmac-pass-stmmac_priv-in-some-callbacks.patch +net-stmmac-dwmac4-allow-platforms-to-specify-some-dm.patch +net-stmmac-introduce-wrapper-for-struct-xdp_buff.patch +net-stmmac-xgmac-add-ethtool-per-queue-irq-statistic.patch +net-stmmac-use-per-queue-64-bit-statistics-where-nec.patch +net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +sched-isolation-add-cpu_is_isolated-api.patch +blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch +blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch new file mode 100644 index 0000000000..03d0020d7c --- /dev/null +++ b/queue-6.1/smc91x-fix-broken-irq-context-in-preempt_rt.patch @@ -0,0 +1,72 @@ +From 8e704f3fd97768b59c87bdba9d520a5ea00d9f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 08:51:15 +0000 +Subject: smc91x: fix broken irq-context in PREEMPT_RT + +From: Yeoreum Yun + +[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ] + +When smc91x.c is built with PREEMPT_RT, the following splat occurs +in FVP_RevC: + +[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] +[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work +[ 13.062266] C +** replaying previous printk message ** +[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} +[ 13.062353] Hardware name: , BIOS +[ 13.062382] Workqueue: mld mld_ifc_work +[ 13.062469] Call trace: +[ 13.062494] show_stack+0x24/0x40 (C) +[ 13.062602] __dump_stack+0x28/0x48 +[ 13.062710] dump_stack_lvl+0x7c/0xb0 +[ 13.062818] dump_stack+0x18/0x34 +[ 13.062926] process_scheduled_works+0x294/0x450 +[ 13.063043] worker_thread+0x260/0x3d8 +[ 13.063124] kthread+0x1c4/0x228 +[ 13.063235] ret_from_fork+0x10/0x20 + +This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, +but smc_special_unlock() does not restore IRQs on PREEMPT_RT. +The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), +and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke +rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. + +To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). + +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Yeoreum Yun +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc91x.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c +index 35e99bf0c401..b4da1e5af753 100644 +--- a/drivers/net/ethernet/smsc/smc91x.c ++++ b/drivers/net/ethernet/smsc/smc91x.c +@@ -515,15 +515,7 @@ static inline void smc_rcv(struct net_device *dev) + * any other concurrent access and C would always interrupt B. But life + * isn't that easy in a SMP world... + */ +-#define smc_special_trylock(lock, flags) \ +-({ \ +- int __ret; \ +- local_irq_save(flags); \ +- __ret = spin_trylock(lock); \ +- if (!__ret) \ +- local_irq_restore(flags); \ +- __ret; \ +-}) ++#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags) + #define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags) + #define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags) + #else +-- +2.51.0 + diff --git a/queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..59fc6604a1 --- /dev/null +++ b/queue-6.1/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From 183e2706bd728ea42633351100affb66794b57ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index c2327fa10747..e315a1d3a9e9 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch b/queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch new file mode 100644 index 0000000000..7620e386f8 --- /dev/null +++ b/queue-6.1/wifi-cfg80211-move-puncturing-bitmap-validation-from.patch @@ -0,0 +1,233 @@ +From 5c7d856063ef5d5bc59d6c11e67c9e4c991a9249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 16:12:24 -0800 +Subject: wifi: cfg80211: move puncturing bitmap validation from mac80211 + +From: Aloka Dixit + +[ Upstream commit b25413fed3d43e1ed3340df4d928971bb8639f66 ] + +- Move ieee80211_valid_disable_subchannel_bitmap() from mlme.c to + chan.c, rename it as cfg80211_valid_disable_subchannel_bitmap() + and export it. +- Modify the prototype to include struct cfg80211_chan_def instead + of only bandwidth to support a check which returns false if the + primary channel is punctured. + +Signed-off-by: Aloka Dixit +Link: https://lore.kernel.org/r/20230131001227.25014-2-quic_alokad@quicinc.com +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 12 +++++++ + net/mac80211/mlme.c | 73 ++++-------------------------------------- + net/wireless/chan.c | 69 +++++++++++++++++++++++++++++++++++++++ + 3 files changed, 87 insertions(+), 67 deletions(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index d15033420ca3..bf79788f1c5d 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -9056,4 +9056,16 @@ static inline int cfg80211_color_change_notify(struct net_device *dev) + 0, 0); + } + ++/** ++ * cfg80211_valid_disable_subchannel_bitmap - validate puncturing bitmap ++ * @bitmap: bitmap to be validated ++ * @chandef: channel definition ++ * ++ * Validate the puncturing bitmap. ++ * ++ * Return: %true if the bitmap is valid. %false otherwise. ++ */ ++bool cfg80211_valid_disable_subchannel_bitmap(u16 *bitmap, ++ const struct cfg80211_chan_def *chandef); ++ + #endif /* __NET_CFG80211_H */ +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 25483596f22e..1fb41e5cc577 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -88,67 +88,6 @@ MODULE_PARM_DESC(probe_wait_ms, + */ + #define IEEE80211_SIGNAL_AVE_MIN_COUNT 4 + +-struct ieee80211_per_bw_puncturing_values { +- u8 len; +- const u16 *valid_values; +-}; +- +-static const u16 puncturing_values_80mhz[] = { +- 0x8, 0x4, 0x2, 0x1 +-}; +- +-static const u16 puncturing_values_160mhz[] = { +- 0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3 +-}; +- +-static const u16 puncturing_values_320mhz[] = { +- 0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00, +- 0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f, +- 0x300f, 0xc0f, 0x30f, 0xcf, 0x3f +-}; +- +-#define IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \ +- { \ +- .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \ +- .valid_values = puncturing_values_ ## _bw ## mhz \ +- } +- +-static const struct ieee80211_per_bw_puncturing_values per_bw_puncturing[] = { +- IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(80), +- IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(160), +- IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(320) +-}; +- +-static bool ieee80211_valid_disable_subchannel_bitmap(u16 *bitmap, +- enum nl80211_chan_width bw) +-{ +- u32 idx, i; +- +- switch (bw) { +- case NL80211_CHAN_WIDTH_80: +- idx = 0; +- break; +- case NL80211_CHAN_WIDTH_160: +- idx = 1; +- break; +- case NL80211_CHAN_WIDTH_320: +- idx = 2; +- break; +- default: +- *bitmap = 0; +- break; +- } +- +- if (!*bitmap) +- return true; +- +- for (i = 0; i < per_bw_puncturing[idx].len; i++) +- if (per_bw_puncturing[idx].valid_values[i] == *bitmap) +- return true; +- +- return false; +-} +- + /* + * Extract from the given disabled subchannel bitmap (raw format + * from the EHT Operation Element) the bits for the subchannel +@@ -206,8 +145,8 @@ ieee80211_handle_puncturing_bitmap(struct ieee80211_link_data *link, + ieee80211_extract_dis_subch_bmap(eht_oper, chandef, + bitmap); + +- if (ieee80211_valid_disable_subchannel_bitmap(&bitmap, +- chandef->width)) ++ if (cfg80211_valid_disable_subchannel_bitmap(&bitmap, ++ chandef)) + break; + link->u.mgd.conn_flags |= + ieee80211_chandef_downgrade(chandef); +@@ -5621,8 +5560,8 @@ static bool ieee80211_config_puncturing(struct ieee80211_link_data *link, + extracted == link->conf->eht_puncturing) + return true; + +- if (!ieee80211_valid_disable_subchannel_bitmap(&bitmap, +- link->conf->chandef.width)) { ++ if (!cfg80211_valid_disable_subchannel_bitmap(&bitmap, ++ &link->conf->chandef)) { + link_info(link, + "Got an invalid disable subchannel bitmap from AP %pM: bitmap = 0x%x, bw = 0x%x. disconnect\n", + link->u.mgd.bssid, +@@ -7110,8 +7049,8 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata, + u16 bitmap; + + bitmap = get_unaligned_le16(disable_subchannel_bitmap); +- if (ieee80211_valid_disable_subchannel_bitmap(&bitmap, +- link->conf->chandef.width)) ++ if (cfg80211_valid_disable_subchannel_bitmap(&bitmap, ++ &link->conf->chandef)) + ieee80211_handle_puncturing_bitmap(link, + eht_oper, + bitmap, +diff --git a/net/wireless/chan.c b/net/wireless/chan.c +index 0e5835cd8c61..0b7e81db383d 100644 +--- a/net/wireless/chan.c ++++ b/net/wireless/chan.c +@@ -1460,3 +1460,72 @@ struct cfg80211_chan_def *wdev_chandef(struct wireless_dev *wdev, + } + } + EXPORT_SYMBOL(wdev_chandef); ++ ++struct cfg80211_per_bw_puncturing_values { ++ u8 len; ++ const u16 *valid_values; ++}; ++ ++static const u16 puncturing_values_80mhz[] = { ++ 0x8, 0x4, 0x2, 0x1 ++}; ++ ++static const u16 puncturing_values_160mhz[] = { ++ 0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3 ++}; ++ ++static const u16 puncturing_values_320mhz[] = { ++ 0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00, ++ 0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f, ++ 0x300f, 0xc0f, 0x30f, 0xcf, 0x3f ++}; ++ ++#define CFG80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \ ++ { \ ++ .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \ ++ .valid_values = puncturing_values_ ## _bw ## mhz \ ++ } ++ ++static const struct cfg80211_per_bw_puncturing_values per_bw_puncturing[] = { ++ CFG80211_PER_BW_VALID_PUNCTURING_VALUES(80), ++ CFG80211_PER_BW_VALID_PUNCTURING_VALUES(160), ++ CFG80211_PER_BW_VALID_PUNCTURING_VALUES(320) ++}; ++ ++bool cfg80211_valid_disable_subchannel_bitmap(u16 *bitmap, ++ const struct cfg80211_chan_def *chandef) ++{ ++ u32 idx, i, start_freq; ++ ++ switch (chandef->width) { ++ case NL80211_CHAN_WIDTH_80: ++ idx = 0; ++ start_freq = chandef->center_freq1 - 40; ++ break; ++ case NL80211_CHAN_WIDTH_160: ++ idx = 1; ++ start_freq = chandef->center_freq1 - 80; ++ break; ++ case NL80211_CHAN_WIDTH_320: ++ idx = 2; ++ start_freq = chandef->center_freq1 - 160; ++ break; ++ default: ++ *bitmap = 0; ++ break; ++ } ++ ++ if (!*bitmap) ++ return true; ++ ++ /* check if primary channel is punctured */ ++ if (*bitmap & (u16)BIT((chandef->chan->center_freq - start_freq) / 20)) ++ return false; ++ ++ for (i = 0; i < per_bw_puncturing[idx].len; i++) ++ if (per_bw_puncturing[idx].valid_values[i] == *bitmap) ++ return true; ++ ++ return false; ++} ++EXPORT_SYMBOL(cfg80211_valid_disable_subchannel_bitmap); +-- +2.51.0 + diff --git a/queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch new file mode 100644 index 0000000000..8888a2ccdf --- /dev/null +++ b/queue-6.1/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch @@ -0,0 +1,38 @@ +From 6b61dbb58c21e501b1858fbfc20b82b985332015 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 14:14:47 +0300 +Subject: wifi: cfg80211: sme: store capped length in + __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ] + +The QGenie AI code review tool says we should store the capped length to +wdev->u.client.ssid_len. The AI is correct. + +Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index ed16e852133e..26106802b17b 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -896,7 +896,7 @@ void __cfg80211_connect_result(struct net_device *dev, + + ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); + memcpy(wdev->u.client.ssid, ssid->data, ssid_len); +- wdev->u.client.ssid_len = ssid->datalen; ++ wdev->u.client.ssid_len = ssid_len; + break; + } + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch new file mode 100644 index 0000000000..df87ae89ea --- /dev/null +++ b/queue-6.1/wifi-mac80211-do-not-use-old-mbssid-elements.patch @@ -0,0 +1,68 @@ +From 975399347ab2523563e4fe3dd7bdc66cf311303a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 09:46:56 -0800 +Subject: wifi: mac80211: do not use old MBSSID elements + +From: Aloka Dixit + +[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ] + +When userspace brings down and deletes a non-transmitted profile, +it is expected to send a new updated Beacon template for the +transmitted profile of that multiple BSSID (MBSSID) group which +does not include the removed profile in MBSSID element. This +update comes via NL80211_CMD_SET_BEACON. + +Such updates work well as long as the group continues to have at +least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS +is included in the new Beacon template. + +But when the last non-trasmitted profile is removed, it still +gets included in Beacon templates sent to driver. This happens +because when no MBSSID elements are sent by the userspace, +ieee80211_assign_beacon() ends up using the element stored from +earlier Beacon template. + +Do not copy old MBSSID elements, instead userspace should always +include these when applicable. + +Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode") +Signed-off-by: Aloka Dixit +Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index a25d647c1c4b..0d5ddd3d2c5f 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1139,7 +1139,6 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + size = sizeof(*new) + new_head_len + new_tail_len; + +- /* new or old multiple BSSID elements? */ + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +@@ -1149,15 +1148,6 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + } + size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, + mbssid->cnt); +- } else if (old && old->mbssid_ies) { +- mbssid = old->mbssid_ies; +- size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- if (old && old->rnr_ies) { +- rnr = old->rnr_ies; +- size += struct_size(new->rnr_ies, elem, rnr->cnt); +- } +- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, +- mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch b/queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch new file mode 100644 index 0000000000..811b98e598 --- /dev/null +++ b/queue-6.1/wifi-mac80211-generate-ema-beacons-in-ap-mode.patch @@ -0,0 +1,389 @@ +From ad41fc40c94996782f18c49bc3eebc84b158ce00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 16:50:37 -0800 +Subject: wifi: mac80211: generate EMA beacons in AP mode + +From: Aloka Dixit + +[ Upstream commit bd54f3c29077f23dad92ef82a78061b40be30c65 ] + +Add APIs to generate an array of beacons for an EMA AP (enhanced +multiple BSSID advertisements), each including a single MBSSID element. +EMA profile periodicity equals the count of elements. + +- ieee80211_beacon_get_template_ema_list() - Generate and return all +EMA beacon templates. Drivers must call ieee80211_beacon_free_ema_list() +to free the memory. No change in the prototype for the existing API, +ieee80211_beacon_get_template(), which should be used for non-EMA AP. + +- ieee80211_beacon_get_template_ema_index() - Generate a beacon which +includes the multiple BSSID element at the given index. Drivers can use +this function in a loop until NULL is returned which indicates end of +available MBSSID elements. + +- ieee80211_beacon_free_ema_list() - free the memory allocated for the +list of EMA beacon templates. + +Modify existing functions ieee80211_beacon_get_ap(), +ieee80211_get_mbssid_beacon_len() and ieee80211_beacon_add_mbssid() +to accept a new parameter for EMA index. + +Signed-off-by: Aloka Dixit +Co-developed-by: John Crispin +Signed-off-by: John Crispin +Link: https://lore.kernel.org/r/20221206005040.3177-2-quic_alokad@quicinc.com +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 68 +++++++++++++++++++ + net/mac80211/cfg.c | 11 +-- + net/mac80211/ieee80211_i.h | 10 ++- + net/mac80211/tx.c | 134 ++++++++++++++++++++++++++++++++++--- + 4 files changed, 205 insertions(+), 18 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index b2f0a2cf5f38..62e0847d3793 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -5222,6 +5222,74 @@ ieee80211_beacon_get_template(struct ieee80211_hw *hw, + struct ieee80211_mutable_offsets *offs, + unsigned int link_id); + ++/** ++ * ieee80211_beacon_get_template_ema_index - EMA beacon template generation ++ * @hw: pointer obtained from ieee80211_alloc_hw(). ++ * @vif: &struct ieee80211_vif pointer from the add_interface callback. ++ * @offs: &struct ieee80211_mutable_offsets pointer to struct that will ++ * receive the offsets that may be updated by the driver. ++ * @link_id: the link id to which the beacon belongs (or 0 for a non-MLD AP). ++ * @ema_index: index of the beacon in the EMA set. ++ * ++ * This function follows the same rules as ieee80211_beacon_get_template() ++ * but returns a beacon template which includes multiple BSSID element at the ++ * requested index. ++ * ++ * Return: The beacon template. %NULL indicates the end of EMA templates. ++ */ ++struct sk_buff * ++ieee80211_beacon_get_template_ema_index(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_mutable_offsets *offs, ++ unsigned int link_id, u8 ema_index); ++ ++/** ++ * struct ieee80211_ema_beacons - List of EMA beacons ++ * @cnt: count of EMA beacons. ++ * ++ * @bcn: array of EMA beacons. ++ * @bcn.skb: the skb containing this specific beacon ++ * @bcn.offs: &struct ieee80211_mutable_offsets pointer to struct that will ++ * receive the offsets that may be updated by the driver. ++ */ ++struct ieee80211_ema_beacons { ++ u8 cnt; ++ struct { ++ struct sk_buff *skb; ++ struct ieee80211_mutable_offsets offs; ++ } bcn[]; ++}; ++ ++/** ++ * ieee80211_beacon_get_template_ema_list - EMA beacon template generation ++ * @hw: pointer obtained from ieee80211_alloc_hw(). ++ * @vif: &struct ieee80211_vif pointer from the add_interface callback. ++ * @link_id: the link id to which the beacon belongs (or 0 for a non-MLD AP) ++ * ++ * This function follows the same rules as ieee80211_beacon_get_template() ++ * but allocates and returns a pointer to list of all beacon templates required ++ * to cover all profiles in the multiple BSSID set. Each template includes only ++ * one multiple BSSID element. ++ * ++ * Driver must call ieee80211_beacon_free_ema_list() to free the memory. ++ * ++ * Return: EMA beacon templates of type struct ieee80211_ema_beacons *. ++ * %NULL on error. ++ */ ++struct ieee80211_ema_beacons * ++ieee80211_beacon_get_template_ema_list(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ unsigned int link_id); ++ ++/** ++ * ieee80211_beacon_free_ema_list - free an EMA beacon template list ++ * @ema_beacons: list of EMA beacons of type &struct ieee80211_ema_beacons pointers. ++ * ++ * This function will free a list previously acquired by calling ++ * ieee80211_beacon_get_template_ema_list() ++ */ ++void ieee80211_beacon_free_ema_list(struct ieee80211_ema_beacons *ema_beacons); ++ + /** + * ieee80211_beacon_get_tim - beacon generation function + * @hw: pointer obtained from ieee80211_alloc_hw(). +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 2e99207bf0c7..72dd534492bf 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1125,11 +1125,11 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- size += ieee80211_get_mbssid_beacon_len(mbssid); ++ size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt); + } else if (old && old->mbssid_ies) { + mbssid = old->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- size += ieee80211_get_mbssid_beacon_len(mbssid); ++ size += ieee80211_get_mbssid_beacon_len(mbssid, mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +@@ -3356,8 +3356,11 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon) + + len = beacon->head_len + beacon->tail_len + beacon->beacon_ies_len + + beacon->proberesp_ies_len + beacon->assocresp_ies_len + +- beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len + +- ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies); ++ beacon->probe_resp_len + beacon->lci_len + beacon->civicloc_len; ++ ++ if (beacon->mbssid_ies) ++ len += ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies, ++ beacon->mbssid_ies->cnt); + + new_beacon = kzalloc(sizeof(*new_beacon) + len, GFP_KERNEL); + if (!new_beacon) +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index a82392314778..d08aa09002df 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1165,13 +1165,17 @@ ieee80211_vif_get_shift(struct ieee80211_vif *vif) + } + + static inline int +-ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems) ++ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems, u8 i) + { +- int i, len = 0; ++ int len = 0; + +- if (!elems) ++ if (!elems || !elems->cnt || i > elems->cnt) + return 0; + ++ if (i < elems->cnt) ++ return elems->elem[i].len; ++ ++ /* i == elems->cnt, calculate total length of all MBSSID elements */ + for (i = 0; i < elems->cnt; i++) + len += elems->elem[i].len; + +diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c +index e6cf5ab928a6..854bad6fbe19 100644 +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -5139,13 +5139,20 @@ ieee80211_beacon_get_finish(struct ieee80211_hw *hw, + } + + static void +-ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon) ++ieee80211_beacon_add_mbssid(struct sk_buff *skb, struct beacon_data *beacon, ++ u8 i) + { +- int i; ++ if (!beacon->mbssid_ies || !beacon->mbssid_ies->cnt || ++ i > beacon->mbssid_ies->cnt) ++ return; + +- if (!beacon->mbssid_ies) ++ if (i < beacon->mbssid_ies->cnt) { ++ skb_put_data(skb, beacon->mbssid_ies->elem[i].data, ++ beacon->mbssid_ies->elem[i].len); + return; ++ } + ++ /* i == beacon->mbssid_ies->cnt, include all MBSSID elements */ + for (i = 0; i < beacon->mbssid_ies->cnt; i++) + skb_put_data(skb, beacon->mbssid_ies->elem[i].data, + beacon->mbssid_ies->elem[i].len); +@@ -5158,7 +5165,8 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw, + struct ieee80211_mutable_offsets *offs, + bool is_template, + struct beacon_data *beacon, +- struct ieee80211_chanctx_conf *chanctx_conf) ++ struct ieee80211_chanctx_conf *chanctx_conf, ++ u8 ema_index) + { + struct ieee80211_local *local = hw_to_local(hw); + struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); +@@ -5177,7 +5185,9 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw, + /* headroom, head length, + * tail length, maximum TIM length and multiple BSSID length + */ +- mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies); ++ mbssid_len = ieee80211_get_mbssid_beacon_len(beacon->mbssid_ies, ++ ema_index); ++ + skb = dev_alloc_skb(local->tx_headroom + beacon->head_len + + beacon->tail_len + 256 + + local->hw.extra_beacon_tailroom + mbssid_len); +@@ -5195,7 +5205,7 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw, + offs->cntdwn_counter_offs[0] = beacon->cntdwn_counter_offsets[0]; + + if (mbssid_len) { +- ieee80211_beacon_add_mbssid(skb, beacon); ++ ieee80211_beacon_add_mbssid(skb, beacon, ema_index); + offs->mbssid_off = skb->len - mbssid_len; + } + +@@ -5216,12 +5226,51 @@ ieee80211_beacon_get_ap(struct ieee80211_hw *hw, + return skb; + } + ++static struct ieee80211_ema_beacons * ++ieee80211_beacon_get_ap_ema_list(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_link_data *link, ++ struct ieee80211_mutable_offsets *offs, ++ bool is_template, struct beacon_data *beacon, ++ struct ieee80211_chanctx_conf *chanctx_conf) ++{ ++ struct ieee80211_ema_beacons *ema = NULL; ++ ++ if (!beacon->mbssid_ies || !beacon->mbssid_ies->cnt) ++ return NULL; ++ ++ ema = kzalloc(struct_size(ema, bcn, beacon->mbssid_ies->cnt), ++ GFP_ATOMIC); ++ if (!ema) ++ return NULL; ++ ++ for (ema->cnt = 0; ema->cnt < beacon->mbssid_ies->cnt; ema->cnt++) { ++ ema->bcn[ema->cnt].skb = ++ ieee80211_beacon_get_ap(hw, vif, link, ++ &ema->bcn[ema->cnt].offs, ++ is_template, beacon, ++ chanctx_conf, ema->cnt); ++ if (!ema->bcn[ema->cnt].skb) ++ break; ++ } ++ ++ if (ema->cnt == beacon->mbssid_ies->cnt) ++ return ema; ++ ++ ieee80211_beacon_free_ema_list(ema); ++ return NULL; ++} ++ ++#define IEEE80211_INCLUDE_ALL_MBSSID_ELEMS -1 ++ + static struct sk_buff * + __ieee80211_beacon_get(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + struct ieee80211_mutable_offsets *offs, + bool is_template, +- unsigned int link_id) ++ unsigned int link_id, ++ int ema_index, ++ struct ieee80211_ema_beacons **ema_beacons) + { + struct ieee80211_local *local = hw_to_local(hw); + struct beacon_data *beacon = NULL; +@@ -5250,8 +5299,29 @@ __ieee80211_beacon_get(struct ieee80211_hw *hw, + if (!beacon) + goto out; + +- skb = ieee80211_beacon_get_ap(hw, vif, link, offs, is_template, +- beacon, chanctx_conf); ++ if (ema_beacons) { ++ *ema_beacons = ++ ieee80211_beacon_get_ap_ema_list(hw, vif, link, ++ offs, ++ is_template, ++ beacon, ++ chanctx_conf); ++ } else { ++ if (beacon->mbssid_ies && beacon->mbssid_ies->cnt) { ++ if (ema_index >= beacon->mbssid_ies->cnt) ++ goto out; /* End of MBSSID elements */ ++ ++ if (ema_index <= IEEE80211_INCLUDE_ALL_MBSSID_ELEMS) ++ ema_index = beacon->mbssid_ies->cnt; ++ } else { ++ ema_index = 0; ++ } ++ ++ skb = ieee80211_beacon_get_ap(hw, vif, link, offs, ++ is_template, beacon, ++ chanctx_conf, ++ ema_index); ++ } + } else if (sdata->vif.type == NL80211_IFTYPE_ADHOC) { + struct ieee80211_if_ibss *ifibss = &sdata->u.ibss; + struct ieee80211_hdr *hdr; +@@ -5339,10 +5409,50 @@ ieee80211_beacon_get_template(struct ieee80211_hw *hw, + struct ieee80211_mutable_offsets *offs, + unsigned int link_id) + { +- return __ieee80211_beacon_get(hw, vif, offs, true, link_id); ++ return __ieee80211_beacon_get(hw, vif, offs, true, link_id, ++ IEEE80211_INCLUDE_ALL_MBSSID_ELEMS, NULL); + } + EXPORT_SYMBOL(ieee80211_beacon_get_template); + ++struct sk_buff * ++ieee80211_beacon_get_template_ema_index(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_mutable_offsets *offs, ++ unsigned int link_id, u8 ema_index) ++{ ++ return __ieee80211_beacon_get(hw, vif, offs, true, link_id, ema_index, ++ NULL); ++} ++EXPORT_SYMBOL(ieee80211_beacon_get_template_ema_index); ++ ++void ieee80211_beacon_free_ema_list(struct ieee80211_ema_beacons *ema_beacons) ++{ ++ u8 i; ++ ++ if (!ema_beacons) ++ return; ++ ++ for (i = 0; i < ema_beacons->cnt; i++) ++ kfree_skb(ema_beacons->bcn[i].skb); ++ ++ kfree(ema_beacons); ++} ++EXPORT_SYMBOL(ieee80211_beacon_free_ema_list); ++ ++struct ieee80211_ema_beacons * ++ieee80211_beacon_get_template_ema_list(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ unsigned int link_id) ++{ ++ struct ieee80211_ema_beacons *ema_beacons = NULL; ++ ++ WARN_ON(__ieee80211_beacon_get(hw, vif, NULL, false, link_id, 0, ++ &ema_beacons)); ++ ++ return ema_beacons; ++} ++EXPORT_SYMBOL(ieee80211_beacon_get_template_ema_list); ++ + struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + u16 *tim_offset, u16 *tim_length, +@@ -5350,7 +5460,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw, + { + struct ieee80211_mutable_offsets offs = {}; + struct sk_buff *bcn = __ieee80211_beacon_get(hw, vif, &offs, false, +- link_id); ++ link_id, ++ IEEE80211_INCLUDE_ALL_MBSSID_ELEMS, ++ NULL); + struct sk_buff *copy; + int shift; + +-- +2.51.0 + diff --git a/queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch b/queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch new file mode 100644 index 0000000000..0d0dcfaca1 --- /dev/null +++ b/queue-6.1/wifi-mac80211-mlme-handle-eht-channel-puncturing.patch @@ -0,0 +1,406 @@ +From f9831f36df2f21f837f6dcb20ad12ca00eebc2f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 12:39:31 +0100 +Subject: wifi: mac80211: mlme: handle EHT channel puncturing + +From: Johannes Berg + +[ Upstream commit aa87cd8b35736a5183745ab0ec4b82419024dfd7 ] + +Handle the Puncturing info received from the AP in the +EHT Operation element in beacons. + +If the info is invalid: + - during association: disable EHT connection for the AP + - after association: disconnect + +This commit includes many (internal) bugfixes and spec +updates various people. + +Co-developed-by: Miri Korenblit +Signed-off-by: Miri Korenblit +Link: https://lore.kernel.org/r/20230127123930.4fbc74582331.I3547481d49f958389f59dfeba3fcc75e72b0aa6e@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 5 +- + net/mac80211/cfg.c | 2 +- + net/mac80211/chan.c | 2 +- + net/mac80211/ieee80211_i.h | 2 +- + net/mac80211/mlme.c | 224 ++++++++++++++++++++++++++++++++++++- + 5 files changed, 228 insertions(+), 7 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 28a9b9c00e6b..b2f0a2cf5f38 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -339,7 +339,7 @@ struct ieee80211_vif_chanctx_switch { + * @BSS_CHANGED_FILS_DISCOVERY: FILS discovery status changed. + * @BSS_CHANGED_UNSOL_BCAST_PROBE_RESP: Unsolicited broadcast probe response + * status changed. +- * ++ * @BSS_CHANGED_EHT_PUNCTURING: The channel puncturing bitmap changed. + */ + enum ieee80211_bss_change { + BSS_CHANGED_ASSOC = 1<<0, +@@ -374,6 +374,7 @@ enum ieee80211_bss_change { + BSS_CHANGED_HE_BSS_COLOR = 1<<29, + BSS_CHANGED_FILS_DISCOVERY = 1<<30, + BSS_CHANGED_UNSOL_BCAST_PROBE_RESP = 1<<31, ++ BSS_CHANGED_EHT_PUNCTURING = BIT_ULL(32), + + /* when adding here, make sure to change ieee80211_reconfig */ + }; +@@ -639,6 +640,7 @@ struct ieee80211_fils_discovery { + * @tx_pwr_env_num: number of @tx_pwr_env. + * @pwr_reduction: power constraint of BSS. + * @eht_support: does this BSS support EHT ++ * @eht_puncturing: bitmap to indicate which channels are punctured in this BSS + * @csa_active: marks whether a channel switch is going on. Internally it is + * write-protected by sdata_lock and local->mtx so holding either is fine + * for read access. +@@ -718,6 +720,7 @@ struct ieee80211_bss_conf { + u8 tx_pwr_env_num; + u8 pwr_reduction; + bool eht_support; ++ u16 eht_puncturing; + + bool csa_active; + bool mu_mimo_owner; +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index b42eb781d7f7..2e99207bf0c7 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -4154,7 +4154,7 @@ static int ieee80211_set_ap_chanwidth(struct wiphy *wiphy, + struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); + struct ieee80211_link_data *link; + int ret; +- u32 changed = 0; ++ u64 changed = 0; + + link = sdata_dereference(sdata->link[link_id], sdata); + +diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c +index 648af67b8ec8..26e692a853d9 100644 +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -1936,7 +1936,7 @@ int ieee80211_link_use_reserved_context(struct ieee80211_link_data *link) + + int ieee80211_link_change_bandwidth(struct ieee80211_link_data *link, + const struct cfg80211_chan_def *chandef, +- u32 *changed) ++ u64 *changed) + { + struct ieee80211_sub_if_data *sdata = link->sdata; + struct ieee80211_bss_conf *link_conf = link->conf; +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index 4cd413bd764f..a82392314778 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -2465,7 +2465,7 @@ int ieee80211_link_unreserve_chanctx(struct ieee80211_link_data *link); + int __must_check + ieee80211_link_change_bandwidth(struct ieee80211_link_data *link, + const struct cfg80211_chan_def *chandef, +- u32 *changed); ++ u64 *changed); + void ieee80211_link_release_channel(struct ieee80211_link_data *link); + void ieee80211_link_vlan_copy_chanctx(struct ieee80211_link_data *link); + void ieee80211_link_copy_chanctx_to_vlans(struct ieee80211_link_data *link, +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 15826bbde70c..25483596f22e 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -8,7 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2013-2014 Intel Mobile Communications GmbH + * Copyright (C) 2015 - 2017 Intel Deutschland GmbH +- * Copyright (C) 2018 - 2022 Intel Corporation ++ * Copyright (C) 2018 - 2023 Intel Corporation + */ + + #include +@@ -88,6 +88,141 @@ MODULE_PARM_DESC(probe_wait_ms, + */ + #define IEEE80211_SIGNAL_AVE_MIN_COUNT 4 + ++struct ieee80211_per_bw_puncturing_values { ++ u8 len; ++ const u16 *valid_values; ++}; ++ ++static const u16 puncturing_values_80mhz[] = { ++ 0x8, 0x4, 0x2, 0x1 ++}; ++ ++static const u16 puncturing_values_160mhz[] = { ++ 0x80, 0x40, 0x20, 0x10, 0x8, 0x4, 0x2, 0x1, 0xc0, 0x30, 0xc, 0x3 ++}; ++ ++static const u16 puncturing_values_320mhz[] = { ++ 0xc000, 0x3000, 0xc00, 0x300, 0xc0, 0x30, 0xc, 0x3, 0xf000, 0xf00, ++ 0xf0, 0xf, 0xfc00, 0xf300, 0xf0c0, 0xf030, 0xf00c, 0xf003, 0xc00f, ++ 0x300f, 0xc0f, 0x30f, 0xcf, 0x3f ++}; ++ ++#define IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(_bw) \ ++ { \ ++ .len = ARRAY_SIZE(puncturing_values_ ## _bw ## mhz), \ ++ .valid_values = puncturing_values_ ## _bw ## mhz \ ++ } ++ ++static const struct ieee80211_per_bw_puncturing_values per_bw_puncturing[] = { ++ IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(80), ++ IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(160), ++ IEEE80211_PER_BW_VALID_PUNCTURING_VALUES(320) ++}; ++ ++static bool ieee80211_valid_disable_subchannel_bitmap(u16 *bitmap, ++ enum nl80211_chan_width bw) ++{ ++ u32 idx, i; ++ ++ switch (bw) { ++ case NL80211_CHAN_WIDTH_80: ++ idx = 0; ++ break; ++ case NL80211_CHAN_WIDTH_160: ++ idx = 1; ++ break; ++ case NL80211_CHAN_WIDTH_320: ++ idx = 2; ++ break; ++ default: ++ *bitmap = 0; ++ break; ++ } ++ ++ if (!*bitmap) ++ return true; ++ ++ for (i = 0; i < per_bw_puncturing[idx].len; i++) ++ if (per_bw_puncturing[idx].valid_values[i] == *bitmap) ++ return true; ++ ++ return false; ++} ++ ++/* ++ * Extract from the given disabled subchannel bitmap (raw format ++ * from the EHT Operation Element) the bits for the subchannel ++ * we're using right now. ++ */ ++static u16 ++ieee80211_extract_dis_subch_bmap(const struct ieee80211_eht_operation *eht_oper, ++ struct cfg80211_chan_def *chandef, u16 bitmap) ++{ ++ struct ieee80211_eht_operation_info *info = (void *)eht_oper->optional; ++ struct cfg80211_chan_def ap_chandef = *chandef; ++ u32 ap_center_freq, local_center_freq; ++ u32 ap_bw, local_bw; ++ int ap_start_freq, local_start_freq; ++ u16 shift, mask; ++ ++ if (!(eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) || ++ !(eht_oper->params & ++ IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)) ++ return 0; ++ ++ /* set 160/320 supported to get the full AP definition */ ++ ieee80211_chandef_eht_oper(eht_oper, true, true, &ap_chandef); ++ ap_center_freq = ap_chandef.center_freq1; ++ ap_bw = 20 * BIT(u8_get_bits(info->control, ++ IEEE80211_EHT_OPER_CHAN_WIDTH)); ++ ap_start_freq = ap_center_freq - ap_bw / 2; ++ local_center_freq = chandef->center_freq1; ++ local_bw = 20 * BIT(ieee80211_chan_width_to_rx_bw(chandef->width)); ++ local_start_freq = local_center_freq - local_bw / 2; ++ shift = (local_start_freq - ap_start_freq) / 20; ++ mask = BIT(local_bw / 20) - 1; ++ ++ return (bitmap >> shift) & mask; ++} ++ ++/* ++ * Handle the puncturing bitmap, possibly downgrading bandwidth to get a ++ * valid bitmap. ++ */ ++static void ++ieee80211_handle_puncturing_bitmap(struct ieee80211_link_data *link, ++ const struct ieee80211_eht_operation *eht_oper, ++ u16 bitmap, u64 *changed) ++{ ++ struct cfg80211_chan_def *chandef = &link->conf->chandef; ++ u16 extracted; ++ u64 _changed = 0; ++ ++ if (!changed) ++ changed = &_changed; ++ ++ while (chandef->width > NL80211_CHAN_WIDTH_40) { ++ extracted = ++ ieee80211_extract_dis_subch_bmap(eht_oper, chandef, ++ bitmap); ++ ++ if (ieee80211_valid_disable_subchannel_bitmap(&bitmap, ++ chandef->width)) ++ break; ++ link->u.mgd.conn_flags |= ++ ieee80211_chandef_downgrade(chandef); ++ *changed |= BSS_CHANGED_BANDWIDTH; ++ } ++ ++ if (chandef->width <= NL80211_CHAN_WIDTH_40) ++ extracted = 0; ++ ++ if (link->conf->eht_puncturing != extracted) { ++ link->conf->eht_puncturing = extracted; ++ *changed |= BSS_CHANGED_EHT_PUNCTURING; ++ } ++} ++ + /* + * We can have multiple work items (and connection probing) + * scheduling this timer, but we need to take care to only +@@ -413,7 +548,7 @@ static int ieee80211_config_bw(struct ieee80211_link_data *link, + const struct ieee80211_he_operation *he_oper, + const struct ieee80211_eht_operation *eht_oper, + const struct ieee80211_s1g_oper_ie *s1g_oper, +- const u8 *bssid, u32 *changed) ++ const u8 *bssid, u64 *changed) + { + struct ieee80211_sub_if_data *sdata = link->sdata; + struct ieee80211_local *local = sdata->local; +@@ -4148,6 +4283,7 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link, + link_sta); + + bss_conf->eht_support = link_sta->pub->eht_cap.has_eht; ++ *changed |= BSS_CHANGED_EHT_PUNCTURING; + } else { + bss_conf->eht_support = false; + } +@@ -5460,6 +5596,45 @@ static bool ieee80211_rx_our_beacon(const u8 *tx_bssid, + return ether_addr_equal(tx_bssid, bss->transmitted_bss->bssid); + } + ++static bool ieee80211_config_puncturing(struct ieee80211_link_data *link, ++ const struct ieee80211_eht_operation *eht_oper, ++ u64 *changed) ++{ ++ u16 bitmap = 0, extracted; ++ ++ if ((eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) && ++ (eht_oper->params & ++ IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)) { ++ const struct ieee80211_eht_operation_info *info = ++ (void *)eht_oper->optional; ++ const u8 *disable_subchannel_bitmap = info->optional; ++ ++ bitmap = get_unaligned_le16(disable_subchannel_bitmap); ++ } ++ ++ extracted = ieee80211_extract_dis_subch_bmap(eht_oper, ++ &link->conf->chandef, ++ bitmap); ++ ++ /* accept if there are no changes */ ++ if (!(*changed & BSS_CHANGED_BANDWIDTH) && ++ extracted == link->conf->eht_puncturing) ++ return true; ++ ++ if (!ieee80211_valid_disable_subchannel_bitmap(&bitmap, ++ link->conf->chandef.width)) { ++ link_info(link, ++ "Got an invalid disable subchannel bitmap from AP %pM: bitmap = 0x%x, bw = 0x%x. disconnect\n", ++ link->u.mgd.bssid, ++ bitmap, ++ link->conf->chandef.width); ++ return false; ++ } ++ ++ ieee80211_handle_puncturing_bitmap(link, eht_oper, bitmap, changed); ++ return true; ++} ++ + static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + struct ieee80211_hdr *hdr, size_t len, + struct ieee80211_rx_status *rx_status) +@@ -5476,7 +5651,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + struct ieee80211_channel *chan; + struct link_sta_info *link_sta; + struct sta_info *sta; +- u32 changed = 0; ++ u64 changed = 0; + bool erp_valid; + u8 erp_value = 0; + u32 ncrc = 0; +@@ -5769,6 +5944,21 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_link_data *link, + elems->pwr_constr_elem, + elems->cisco_dtpc_elem); + ++ if (elems->eht_operation && ++ !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_EHT)) { ++ if (!ieee80211_config_puncturing(link, elems->eht_operation, ++ &changed)) { ++ ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, ++ WLAN_REASON_DEAUTH_LEAVING, ++ true, deauth_buf); ++ ieee80211_report_disconnect(sdata, deauth_buf, ++ sizeof(deauth_buf), true, ++ WLAN_REASON_DEAUTH_LEAVING, ++ false); ++ goto free; ++ } ++ } ++ + ieee80211_link_info_change_notify(sdata, link, changed); + free: + kfree(elems); +@@ -6870,9 +7060,12 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata, + ieee80211_apply_htcap_overrides(sdata, &sta_ht_cap); + } + ++ link->conf->eht_puncturing = 0; ++ + rcu_read_lock(); + beacon_ies = rcu_dereference(cbss->beacon_ies); + if (beacon_ies) { ++ const struct ieee80211_eht_operation *eht_oper; + const struct element *elem; + u8 dtim_count = 0; + +@@ -6901,6 +7094,31 @@ ieee80211_setup_assoc_link(struct ieee80211_sub_if_data *sdata, + link->conf->ema_ap = true; + else + link->conf->ema_ap = false; ++ ++ elem = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ++ beacon_ies->data, beacon_ies->len); ++ eht_oper = (const void *)(elem->data + 1); ++ ++ if (elem && ++ ieee80211_eht_oper_size_ok((const void *)(elem->data + 1), ++ elem->datalen - 1) && ++ (eht_oper->params & IEEE80211_EHT_OPER_INFO_PRESENT) && ++ (eht_oper->params & IEEE80211_EHT_OPER_DISABLED_SUBCHANNEL_BITMAP_PRESENT)) { ++ const struct ieee80211_eht_operation_info *info = ++ (void *)eht_oper->optional; ++ const u8 *disable_subchannel_bitmap = info->optional; ++ u16 bitmap; ++ ++ bitmap = get_unaligned_le16(disable_subchannel_bitmap); ++ if (ieee80211_valid_disable_subchannel_bitmap(&bitmap, ++ link->conf->chandef.width)) ++ ieee80211_handle_puncturing_bitmap(link, ++ eht_oper, ++ bitmap, ++ NULL); ++ else ++ conn_flags |= IEEE80211_CONN_DISABLE_EHT; ++ } + } + rcu_read_unlock(); + +-- +2.51.0 + diff --git a/queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch b/queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch new file mode 100644 index 0000000000..775b89ee96 --- /dev/null +++ b/queue-6.1/wifi-nl80211-add-a-command-to-enable-disable-hw-time.patch @@ -0,0 +1,293 @@ +From bc25a3bf5bc3c24a45c98e6a97e22a27fb4c364c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Mar 2023 12:09:21 +0200 +Subject: wifi: nl80211: add a command to enable/disable HW timestamping + +From: Avraham Stern + +[ Upstream commit cbbaf2bb829b6c4ef911d4a725fc9b1fadc1e43f ] + +Add a command to enable and disable HW timestamping of TM and FTM +frames. HW timestamping can be enabled for a specific mac address +or for all addresses. + +The low level driver will indicate how many peers HW timestamping +can be enabled concurrently, and this information will be passed +to userspace. + +Signed-off-by: Avraham Stern +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230301115906.05678d7b1c17.Iccc08869ea8156f1c71a3111a47f86dd56234bd0@changeid +[switch to needing netdev UP, minor edits] +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 27 ++++++++++++++++++++++++++ + include/uapi/linux/nl80211.h | 22 +++++++++++++++++++++ + net/wireless/nl80211.c | 37 ++++++++++++++++++++++++++++++++++++ + net/wireless/rdev-ops.h | 17 +++++++++++++++++ + net/wireless/trace.h | 25 ++++++++++++++++++++++++ + 5 files changed, 128 insertions(+) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 7efa3adf234d..34709bd733ed 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -830,6 +830,18 @@ struct cfg80211_fils_aad { + const u8 *anonce; + }; + ++/** ++ * struct cfg80211_set_hw_timestamp - enable/disable HW timestamping ++ * @macaddr: peer MAC address. NULL to enable/disable HW timestamping for all ++ * addresses. ++ * @enable: if set, enable HW timestamping for the specified MAC address. ++ * Otherwise disable HW timestamping for the specified MAC address. ++ */ ++struct cfg80211_set_hw_timestamp { ++ const u8 *macaddr; ++ bool enable; ++}; ++ + /** + * cfg80211_get_chandef_type - return old channel type from chandef + * @chandef: the channel definition +@@ -4291,6 +4303,8 @@ struct mgmt_frame_regs { + * @add_link_station: Add a link to a station. + * @mod_link_station: Modify a link of a station. + * @del_link_station: Remove a link of a station. ++ * ++ * @set_hw_timestamp: Enable/disable HW timestamping of TM/FTM frames. + */ + struct cfg80211_ops { + int (*suspend)(struct wiphy *wiphy, struct cfg80211_wowlan *wow); +@@ -4644,6 +4658,8 @@ struct cfg80211_ops { + struct link_station_parameters *params); + int (*del_link_station)(struct wiphy *wiphy, struct net_device *dev, + struct link_station_del_parameters *params); ++ int (*set_hw_timestamp)(struct wiphy *wiphy, struct net_device *dev, ++ struct cfg80211_set_hw_timestamp *hwts); + }; + + /* +@@ -5099,6 +5115,8 @@ struct wiphy_iftype_akm_suites { + int n_akm_suites; + }; + ++#define CFG80211_HW_TIMESTAMP_ALL_PEERS 0xffff ++ + /** + * struct wiphy - wireless hardware description + * @mtx: mutex for the data (structures) of this device +@@ -5308,6 +5326,13 @@ struct wiphy_iftype_akm_suites { + * NL80211_MAX_NR_AKM_SUITES in order to avoid compatibility issues with + * legacy userspace and maximum allowed value is + * CFG80211_MAX_NUM_AKM_SUITES. ++ * ++ * @hw_timestamp_max_peers: maximum number of peers that the driver supports ++ * enabling HW timestamping for concurrently. Setting this field to a ++ * non-zero value indicates that the driver supports HW timestamping. ++ * A value of %CFG80211_HW_TIMESTAMP_ALL_PEERS indicates the driver ++ * supports enabling HW timestamping for all peers (i.e. no need to ++ * specify a mac address). + */ + struct wiphy { + struct mutex mtx; +@@ -5456,6 +5481,8 @@ struct wiphy { + u8 ema_max_profile_periodicity; + u16 max_num_akm_suites; + ++ u16 hw_timestamp_max_peers; ++ + char priv[] __aligned(NETDEV_ALIGN); + }; + +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index 173aef8916ae..274d1b34c954 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -1281,6 +1281,16 @@ + * @NL80211_CMD_MODIFY_LINK_STA: Modify a link of an MLD station + * @NL80211_CMD_REMOVE_LINK_STA: Remove a link of an MLD station + * ++ * @NL80211_CMD_SET_HW_TIMESTAMP: Enable/disable HW timestamping of Timing ++ * measurement and Fine timing measurement frames. If %NL80211_ATTR_MAC ++ * is included, enable/disable HW timestamping only for frames to/from the ++ * specified MAC address. Otherwise enable/disable HW timestamping for ++ * all TM/FTM frames (including ones that were enabled with specific MAC ++ * address). If %NL80211_ATTR_HW_TIMESTAMP_ENABLED is not included, disable ++ * HW timestamping. ++ * The number of peers that HW timestamping can be enabled for concurrently ++ * is indicated by %NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS. ++ * + * @NL80211_CMD_MAX: highest used command number + * @__NL80211_CMD_AFTER_LAST: internal use + */ +@@ -1532,6 +1542,8 @@ enum nl80211_commands { + NL80211_CMD_MODIFY_LINK_STA, + NL80211_CMD_REMOVE_LINK_STA, + ++ NL80211_CMD_SET_HW_TIMESTAMP, ++ + /* add new commands above here */ + + /* used to define NL80211_CMD_MAX below */ +@@ -2757,6 +2769,13 @@ enum nl80211_commands { + * indicates that the sub-channel is punctured. Higher 16 bits are + * reserved. + * ++ * @NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS: Maximum number of peers that HW ++ * timestamping can be enabled for concurrently (u16), a wiphy attribute. ++ * A value of 0xffff indicates setting for all peers (i.e. not specifying ++ * an address with %NL80211_CMD_SET_HW_TIMESTAMP) is supported. ++ * @NL80211_ATTR_HW_TIMESTAMP_ENABLED: Indicates whether HW timestamping should ++ * be enabled or not (flag attribute). ++ * + * @NUM_NL80211_ATTR: total number of nl80211_attrs available + * @NL80211_ATTR_MAX: highest attribute number currently defined + * @__NL80211_ATTR_AFTER_LAST: internal use +@@ -3288,6 +3307,9 @@ enum nl80211_attrs { + + NL80211_ATTR_PUNCT_BITMAP, + ++ NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS, ++ NL80211_ATTR_HW_TIMESTAMP_ENABLED, ++ + /* add attributes here, update the policy in nl80211.c */ + + __NL80211_ATTR_AFTER_LAST, +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 0eb8c8e0bf18..5e2b676f5ce0 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -811,6 +811,9 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG }, + [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT }, + [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff), ++ ++ [NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 }, ++ [NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG }, + }; + + /* policy for the key attributes */ +@@ -2965,6 +2968,11 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev, + if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO) + nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT); + ++ if (rdev->wiphy.hw_timestamp_max_peers && ++ nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS, ++ rdev->wiphy.hw_timestamp_max_peers)) ++ goto nla_put_failure; ++ + /* done */ + state->split_start = 0; + break; +@@ -16162,6 +16170,29 @@ nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info) + return ret; + } + ++static int nl80211_set_hw_timestamp(struct sk_buff *skb, ++ struct genl_info *info) ++{ ++ struct cfg80211_registered_device *rdev = info->user_ptr[0]; ++ struct net_device *dev = info->user_ptr[1]; ++ struct cfg80211_set_hw_timestamp hwts = {}; ++ ++ if (!rdev->wiphy.hw_timestamp_max_peers) ++ return -EOPNOTSUPP; ++ ++ if (!info->attrs[NL80211_ATTR_MAC] && ++ rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS) ++ return -EOPNOTSUPP; ++ ++ if (info->attrs[NL80211_ATTR_MAC]) ++ hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]); ++ ++ hwts.enable = ++ nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]); ++ ++ return rdev_set_hw_timestamp(rdev, dev, &hwts); ++} ++ + #define NL80211_FLAG_NEED_WIPHY 0x01 + #define NL80211_FLAG_NEED_NETDEV 0x02 + #define NL80211_FLAG_NEED_RTNL 0x04 +@@ -17333,6 +17364,12 @@ static const struct genl_small_ops nl80211_small_ops[] = { + .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP | + NL80211_FLAG_MLO_VALID_LINK_ID), + }, ++ { ++ .cmd = NL80211_CMD_SET_HW_TIMESTAMP, ++ .doit = nl80211_set_hw_timestamp, ++ .flags = GENL_UNS_ADMIN_PERM, ++ .internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP), ++ }, + }; + + static struct genl_family nl80211_fam __ro_after_init = { +diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h +index 5f210686c411..df7f88ca0db3 100644 +--- a/net/wireless/rdev-ops.h ++++ b/net/wireless/rdev-ops.h +@@ -1498,4 +1498,21 @@ rdev_del_link_station(struct cfg80211_registered_device *rdev, + return ret; + } + ++static inline int ++rdev_set_hw_timestamp(struct cfg80211_registered_device *rdev, ++ struct net_device *dev, ++ struct cfg80211_set_hw_timestamp *hwts) ++{ ++ struct wiphy *wiphy = &rdev->wiphy; ++ int ret; ++ ++ if (!rdev->ops->set_hw_timestamp) ++ return -EOPNOTSUPP; ++ ++ trace_rdev_set_hw_timestamp(wiphy, dev, hwts); ++ ret = rdev->ops->set_hw_timestamp(wiphy, dev, hwts); ++ trace_rdev_return_int(wiphy, ret); ++ ++ return ret; ++} + #endif /* __CFG80211_RDEV_OPS */ +diff --git a/net/wireless/trace.h b/net/wireless/trace.h +index 137937b1f4b3..f325ca28face 100644 +--- a/net/wireless/trace.h ++++ b/net/wireless/trace.h +@@ -3901,6 +3901,31 @@ TRACE_EVENT(rdev_del_link_station, + __entry->link_id) + ); + ++TRACE_EVENT(rdev_set_hw_timestamp, ++ TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, ++ struct cfg80211_set_hw_timestamp *hwts), ++ ++ TP_ARGS(wiphy, netdev, hwts), ++ ++ TP_STRUCT__entry( ++ WIPHY_ENTRY ++ NETDEV_ENTRY ++ MAC_ENTRY(macaddr) ++ __field(bool, enable) ++ ), ++ ++ TP_fast_assign( ++ WIPHY_ASSIGN; ++ NETDEV_ASSIGN; ++ MAC_ASSIGN(macaddr, hwts->macaddr); ++ __entry->enable = hwts->enable; ++ ), ++ ++ TP_printk(WIPHY_PR_FMT ", " NETDEV_PR_FMT ", mac %pM, enable: %u", ++ WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->macaddr, ++ __entry->enable) ++); ++ + #endif /* !__RDEV_OPS_TRACE || TRACE_HEADER_MULTI_READ */ + + #undef TRACE_INCLUDE_PATH +-- +2.51.0 + diff --git a/queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch b/queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch new file mode 100644 index 0000000000..8624203744 --- /dev/null +++ b/queue-6.1/wifi-nl80211-validate-and-configure-puncturing-bitma.patch @@ -0,0 +1,184 @@ +From 99d1ac33cbc58770b40c2fbd2139bbd5009c95eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 16:12:25 -0800 +Subject: wifi: nl80211: validate and configure puncturing bitmap + +From: Aloka Dixit + +[ Upstream commit d7c1a9a0ed180d8884798ce97afe7283622a484f ] + +- New feature flag, NL80211_EXT_FEATURE_PUNCT, to advertise + driver support for preamble puncturing in AP mode. +- New attribute, NL80211_ATTR_PUNCT_BITMAP, to receive a puncturing + bitmap from the userspace during AP bring up (NL80211_CMD_START_AP) + and channel switch (NL80211_CMD_CHANNEL_SWITCH) operations. Each bit + corresponds to a 20 MHz channel in the operating bandwidth, lowest + bit for the lowest channel. Bit set to 1 indicates that the channel + is punctured. Higher 16 bits are reserved. +- New members added to structures cfg80211_ap_settings and + cfg80211_csa_settings to propagate the bitmap to the driver after + validation. + +Signed-off-by: Aloka Dixit +Signed-off-by: Muna Sinada +Link: https://lore.kernel.org/r/20230131001227.25014-3-quic_alokad@quicinc.com +[move validation against 0xffff into policy] +Signed-off-by: Johannes Berg +Stable-dep-of: a519be2f5d95 ("wifi: mac80211: do not use old MBSSID elements") +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 8 ++++++++ + include/uapi/linux/nl80211.h | 11 +++++++++++ + net/wireless/nl80211.c | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 51 insertions(+) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index bf79788f1c5d..7efa3adf234d 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -1325,6 +1325,9 @@ struct cfg80211_unsol_bcast_probe_resp { + * @fils_discovery: FILS discovery transmission parameters + * @unsol_bcast_probe_resp: Unsolicited broadcast probe response parameters + * @mbssid_config: AP settings for multiple bssid ++ * @punct_bitmap: Preamble puncturing bitmap. Each bit represents ++ * a 20 MHz channel, lowest bit corresponding to the lowest channel. ++ * Bit set to 1 indicates that the channel is punctured. + */ + struct cfg80211_ap_settings { + struct cfg80211_chan_def chandef; +@@ -1359,6 +1362,7 @@ struct cfg80211_ap_settings { + struct cfg80211_fils_discovery fils_discovery; + struct cfg80211_unsol_bcast_probe_resp unsol_bcast_probe_resp; + struct cfg80211_mbssid_config mbssid_config; ++ u16 punct_bitmap; + }; + + /** +@@ -1376,6 +1380,9 @@ struct cfg80211_ap_settings { + * @radar_required: whether radar detection is required on the new channel + * @block_tx: whether transmissions should be blocked while changing + * @count: number of beacons until switch ++ * @punct_bitmap: Preamble puncturing bitmap. Each bit represents ++ * a 20 MHz channel, lowest bit corresponding to the lowest channel. ++ * Bit set to 1 indicates that the channel is punctured. + */ + struct cfg80211_csa_settings { + struct cfg80211_chan_def chandef; +@@ -1388,6 +1395,7 @@ struct cfg80211_csa_settings { + bool radar_required; + bool block_tx; + u8 count; ++ u16 punct_bitmap; + }; + + /** +diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h +index c14a91bbca7c..173aef8916ae 100644 +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2751,6 +2751,12 @@ enum nl80211_commands { + * the incoming frame RX timestamp. + * @NL80211_ATTR_TD_BITMAP: Transition Disable bitmap, for subsequent + * (re)associations. ++ * ++ * @NL80211_ATTR_PUNCT_BITMAP: (u32) Preamble puncturing bitmap, lowest ++ * bit corresponds to the lowest 20 MHz channel. Each bit set to 1 ++ * indicates that the sub-channel is punctured. Higher 16 bits are ++ * reserved. ++ * + * @NUM_NL80211_ATTR: total number of nl80211_attrs available + * @NL80211_ATTR_MAX: highest attribute number currently defined + * @__NL80211_ATTR_AFTER_LAST: internal use +@@ -3280,6 +3286,8 @@ enum nl80211_attrs { + NL80211_ATTR_RX_HW_TIMESTAMP, + NL80211_ATTR_TD_BITMAP, + ++ NL80211_ATTR_PUNCT_BITMAP, ++ + /* add attributes here, update the policy in nl80211.c */ + + __NL80211_ATTR_AFTER_LAST, +@@ -6294,6 +6302,8 @@ enum nl80211_feature_flags { + * might apply, e.g. no scans in progress, no offchannel operations + * in progress, and no active connections. + * ++ * @NL80211_EXT_FEATURE_PUNCT: Driver supports preamble puncturing in AP mode. ++ * + * @NUM_NL80211_EXT_FEATURES: number of extended features. + * @MAX_NL80211_EXT_FEATURES: highest extended feature index. + */ +@@ -6362,6 +6372,7 @@ enum nl80211_ext_feature_index { + NL80211_EXT_FEATURE_FILS_CRYPTO_OFFLOAD, + NL80211_EXT_FEATURE_RADAR_BACKGROUND, + NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE, ++ NL80211_EXT_FEATURE_PUNCT, + + /* add new features before the definition below */ + NUM_NL80211_EXT_FEATURES, +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 1ab60967d6cd..0eb8c8e0bf18 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -810,6 +810,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = { + [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN), + [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG }, + [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT }, ++ [NL80211_ATTR_PUNCT_BITMAP] = NLA_POLICY_RANGE(NLA_U8, 0, 0xffff), + }; + + /* policy for the key attributes */ +@@ -3178,6 +3179,21 @@ static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev) + wdev->iftype == NL80211_IFTYPE_P2P_GO; + } + ++static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev, ++ struct genl_info *info, ++ const struct cfg80211_chan_def *chandef, ++ u16 *punct_bitmap) ++{ ++ if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT)) ++ return -EINVAL; ++ ++ *punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]); ++ if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef)) ++ return -EINVAL; ++ ++ return 0; ++} ++ + int nl80211_parse_chandef(struct cfg80211_registered_device *rdev, + struct genl_info *info, + struct cfg80211_chan_def *chandef) +@@ -5955,6 +5971,14 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info) + goto out; + } + ++ if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) { ++ err = nl80211_parse_punct_bitmap(rdev, info, ++ ¶ms->chandef, ++ ¶ms->punct_bitmap); ++ if (err) ++ goto out; ++ } ++ + if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, ¶ms->chandef, + wdev->iftype)) { + err = -EINVAL; +@@ -10107,6 +10131,14 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info) + if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX]) + params.block_tx = true; + ++ if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) { ++ err = nl80211_parse_punct_bitmap(rdev, info, ++ ¶ms.chandef, ++ ¶ms.punct_bitmap); ++ if (err) ++ goto free; ++ } ++ + wdev_lock(wdev); + err = rdev_channel_switch(rdev, dev, ¶ms); + wdev_unlock(wdev); +-- +2.51.0 + diff --git a/queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch new file mode 100644 index 0000000000..57d334cdc0 --- /dev/null +++ b/queue-6.12/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch @@ -0,0 +1,53 @@ +From 429b53df98fe56ed7ac2d8c1031eb8b60dad1fee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 20:47:28 +0530 +Subject: amd-xgbe: reset retries and mode on RX adapt failures + +From: Raju Rangoju + +[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ] + +During the stress tests, early RX adaptation handshakes can fail, such +as missing the RX_ADAPT ACK or not receiving a coefficient update before +block lock is established. Continuing to retry RX adaptation in this +state is often ineffective if the current mode selection is not viable. + +Resetting the RX adaptation retry counter when an RX_ADAPT request fails +to receive ACK or a coefficient update prior to block lock, and clearing +mode_set so the next bring-up performs a fresh mode selection rather +than looping on a likely invalid configuration. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Reviewed-by: Simon Horman +Reviewed-by: Shyam Sundar S K +Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 32e633d11348..6d2c401bb246 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + { + if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) { + pdata->rx_adapt_retries = 0; ++ pdata->mode_set = false; + return; + } + +@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + */ + netif_dbg(pdata, link, pdata->netdev, "Block_lock done"); + pdata->rx_adapt_done = true; ++ pdata->rx_adapt_retries = 0; + pdata->mode_set = false; + return; + } +-- +2.51.0 + diff --git a/queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch new file mode 100644 index 0000000000..f1c917688c --- /dev/null +++ b/queue-6.12/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch @@ -0,0 +1,39 @@ +From d9b9b18a333a85abb3b115e2f5dc0de524529027 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 17:17:05 +0800 +Subject: blk-mq: skip CPU offline notify on unmapped hctx + +From: Cong Zhang + +[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ] + +If an hctx has no software ctx mapped, blk_mq_map_swqueue() never +allocates tags and leaves hctx->tags NULL. The CPU hotplug offline +notifier can still run for that hctx, return early since hctx cannot +hold any requests. + +Signed-off-by: Cong Zhang +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index db72779760d5..1891863dcba1 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3658,7 +3658,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (blk_mq_hctx_has_online_cpu(hctx, cpu)) ++ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +-- +2.51.0 + diff --git a/queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch new file mode 100644 index 0000000000..f16ff1d40c --- /dev/null +++ b/queue-6.12/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch @@ -0,0 +1,89 @@ +From 05016d9b6419d3b5583b9d1827beeb5180b932c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 11:02:28 -0500 +Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ] + +This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in +btusb.c file"). + +In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This +ties the lifetime of all the btusb data to the binding of a driver to +one interface, INTF. In a driver that binds to other interfaces, ISOC +and DIAG, this is an accident waiting to happen. + +The issue is revealed in btusb_disconnect(), where calling +usb_driver_release_interface(&btusb_driver, data->intf) will have devm +free the data that is also being used by the other interfaces of the +driver that may not be released yet. + +To fix this, revert the use of devm and go back to freeing memory +explicitly. + +Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index fc7b3e02f14b..603ff13d9f7c 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3835,7 +3835,7 @@ static int btusb_probe(struct usb_interface *intf, + return -ENODEV; + } + +- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -3858,8 +3858,10 @@ static int btusb_probe(struct usb_interface *intf, + } + } + +- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) ++ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) { ++ kfree(data); + return -ENODEV; ++ } + + if (id->driver_info & BTUSB_AMP) { + data->cmdreq_type = USB_TYPE_CLASS | 0x01; +@@ -3914,8 +3916,10 @@ static int btusb_probe(struct usb_interface *intf, + data->recv_acl = hci_recv_frame; + + hdev = hci_alloc_dev_priv(priv_size); +- if (!hdev) ++ if (!hdev) { ++ kfree(data); + return -ENOMEM; ++ } + + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); +@@ -4187,6 +4191,7 @@ static int btusb_probe(struct usb_interface *intf, + if (data->reset_gpio) + gpiod_put(data->reset_gpio); + hci_free_dev(hdev); ++ kfree(data); + return err; + } + +@@ -4235,6 +4240,7 @@ static void btusb_disconnect(struct usb_interface *intf) + } + + hci_free_dev(hdev); ++ kfree(data); + } + + #ifdef CONFIG_PM +-- +2.51.0 + diff --git a/queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..fc6e5f9ab4 --- /dev/null +++ b/queue-6.12/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From b0b987f46a56a095baaae6e72ff02ae5bc4b9d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 17e11d51ddc3..04928df0095b 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..d76a431523 --- /dev/null +++ b/queue-6.12/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From 23865985d70fae84b9e97249b3ffc12ad111d0c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-6.12/genalloc.h-fix-htmldocs-warning.patch b/queue-6.12/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..3b9cc24d05 --- /dev/null +++ b/queue-6.12/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From d4259c27b91389004e04050a2e418489bb03d6a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..b212064ecf --- /dev/null +++ b/queue-6.12/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From 6a38c5ed8ce2a4de8f464335653e53549f08a221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index eae5923104f7..2dc737c7e3fd 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2256,6 +2256,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch new file mode 100644 index 0000000000..727f63bb33 --- /dev/null +++ b/queue-6.12/i40e-validate-ring_len-parameter-against-hardware-sp.patch @@ -0,0 +1,100 @@ +From faa8f60d572e95bba57a5d16dacf0c2615cb04e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 22:06:43 +0100 +Subject: i40e: validate ring_len parameter against hardware-specific values + +From: Gregory Herrero + +[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ] + +The maximum number of descriptors supported by the hardware is +hardware-dependent and can be retrieved using +i40e_get_max_num_descriptors(). Move this function to a shared header +and use it when checking for valid ring_len parameter rather than using +hardcoded value. + +By fixing an over-acceptance issue, behavior change could be seen where +ring_len could now be rejected while configuring rx and tx queues if its +size is larger than the hardware-dependent maximum number of +descriptors. + +Fixes: 55d225670def ("i40e: add validation for ring_len param") +Signed-off-by: Gregory Herrero +Tested-by: Rafal Romanowski +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++ + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++-- + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index b8de97343ad3..de3d5e5b8306 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1415,4 +1415,15 @@ static inline struct i40e_veb *i40e_pf_get_main_veb(struct i40e_pf *pf) + return (pf->lan_veb != I40E_NO_VEB) ? pf->veb[pf->lan_veb] : NULL; + } + ++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf) ++{ ++ const struct i40e_hw *hw = &pf->hw; ++ ++ switch (hw->mac.type) { ++ case I40E_MAC_XL710: ++ return I40E_MAX_NUM_DESCRIPTORS_XL710; ++ default: ++ return I40E_MAX_NUM_DESCRIPTORS; ++ } ++} + #endif /* _I40E_H_ */ +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index bce5b76f1e7a..9a96f67fb648 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -2010,18 +2010,6 @@ static void i40e_get_drvinfo(struct net_device *netdev, + drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN; + } + +-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf) +-{ +- struct i40e_hw *hw = &pf->hw; +- +- switch (hw->mac.type) { +- case I40E_MAC_XL710: +- return I40E_MAX_NUM_DESCRIPTORS_XL710; +- default: +- return I40E_MAX_NUM_DESCRIPTORS; +- } +-} +- + static void i40e_get_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring, + struct kernel_ethtool_ringparam *kernel_ring, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 646e394f5190..3251ffa7d994 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 8 */ + if (!IS_ALIGNED(info->ring_len, 8) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_context; + } +@@ -726,7 +726,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 32 */ + if (!IS_ALIGNED(info->ring_len, 32) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_param; + } +-- +2.51.0 + diff --git a/queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..2b8f188307 --- /dev/null +++ b/queue-6.12/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 73965ba79f463e594a8a6487ce26f2731db1669c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 5516795cc250..422af897d933 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1718,11 +1718,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch b/queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch new file mode 100644 index 0000000000..79ab93db11 --- /dev/null +++ b/queue-6.12/idpf-reduce-mbx_task-schedule-delay-to-300us.patch @@ -0,0 +1,57 @@ +From e32cb708e8bfb8972daa71e68ab516a026209bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 20:58:37 +0000 +Subject: idpf: reduce mbx_task schedule delay to 300us + +From: Brian Vazquez + +[ Upstream commit b3d6bbae1d6d5638a4ab702ab195476787cde857 ] + +During the IDPF init phase, the mailbox runs in poll mode until it is +configured to properly handle interrupts. The previous delay of 300ms is +excessively long for the mailbox polling mechanism, which causes a slow +initialization of ~2s: + +echo 0000:06:12.4 > /sys/bus/pci/drivers/idpf/bind + +[ 52.444239] idpf 0000:06:12.4: enabling device (0000 -> 0002) +[ 52.485005] idpf 0000:06:12.4: Device HW Reset initiated +[ 54.177181] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP +[ 54.206177] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default +[ 54.206182] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default + +Changing the delay to 300us avoids the delays during the initial mailbox +transactions, making the init phase much faster: + +[ 83.342590] idpf 0000:06:12.4: enabling device (0000 -> 0002) +[ 83.384402] idpf 0000:06:12.4: Device HW Reset initiated +[ 83.518323] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP +[ 83.547430] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default +[ 83.547435] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default + +Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request") +Signed-off-by: Brian Vazquez +Reviewed-by: Aleksandr Loktionov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 371fc5052420..173ddc248867 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -1214,7 +1214,7 @@ void idpf_mbx_task(struct work_struct *work) + idpf_mb_irq_enable(adapter); + else + queue_delayed_work(adapter->mbx_wq, &adapter->mbx_task, +- msecs_to_jiffies(300)); ++ usecs_to_jiffies(300)); + + idpf_recv_mb_msg(adapter); + } +-- +2.51.0 + diff --git a/queue-6.12/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.12/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..4249e5a79a --- /dev/null +++ b/queue-6.12/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From 1345effc81373c79d0a983c637a645b136f3a48e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 68e9a41eed49..1c186d132fe0 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1395,9 +1395,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..3c33b62b89 --- /dev/null +++ b/queue-6.12/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From e2fd2e52436a14bf9626f9331efdfa7ab2de5a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index cc86031d2050..658f26d9a9ec 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..737b1ee68d --- /dev/null +++ b/queue-6.12/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From 7f0bf7f4239f770d4c188ed0c358522f70959309 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index a247bb93908b..f5cc02ea3092 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch b/queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch new file mode 100644 index 0000000000..da7e841227 --- /dev/null +++ b/queue-6.12/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch @@ -0,0 +1,64 @@ +From 20a59d097bd5ff5dc7cc3f14fcb680b14a47bdce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 13:14:12 +0800 +Subject: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT + +From: Jiayuan Chen + +[ Upstream commit 1adaea51c61b52e24e7ab38f7d3eba023b2d050d ] + +On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the +current task can be preempted. Another task running on the same CPU +may then execute rt6_make_pcpu_route() and successfully install a +pcpu_rt entry. When the first task resumes execution, its cmpxchg() +in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer +NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding +mdelay() after rt6_get_pcpu_route(). + +Using preempt_disable/enable is not appropriate here because +ip6_rt_pcpu_alloc() may sleep. + +Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: +free our allocation and return the existing pcpu_rt installed by +another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT +kernels where such races should not occur. + +Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6 +Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") +Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/ +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20251223051413.124687-1-jiayuan.chen@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 22866444efc0..276fa74af206 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1470,7 +1470,18 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net, + + p = this_cpu_ptr(res->nh->rt6i_pcpu); + prev = cmpxchg(p, NULL, pcpu_rt); +- BUG_ON(prev); ++ if (unlikely(prev)) { ++ /* ++ * Another task on this CPU already installed a pcpu_rt. ++ * This can happen on PREEMPT_RT where preemption is possible. ++ * Free our allocation and return the existing one. ++ */ ++ WARN_ON_ONCE(!IS_ENABLED(CONFIG_PREEMPT_RT)); ++ ++ dst_dev_put(&pcpu_rt->dst); ++ dst_release(&pcpu_rt->dst); ++ return prev; ++ } + + if (res->f6i->fib6_destroying) { + struct fib6_info *from; +-- +2.51.0 + diff --git a/queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch b/queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch new file mode 100644 index 0000000000..d41cbcf22f --- /dev/null +++ b/queue-6.12/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch @@ -0,0 +1,89 @@ +From fe3e3cb2e41be380e0ff0c3a7e01d4427a922177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 11:00:16 +0100 +Subject: kbuild: fix compilation of dtb specified on command-line without make + rule + +From: Thomas De Schampheleire + +[ Upstream commit b08fc4d0ec2466558f6d5511434efdfabbddf2a6 ] + +Since commit e7e2941300d2 ("kbuild: split device tree build rules into +scripts/Makefile.dtbs"), it is no longer possible to compile a device tree +blob that is not specified in a make rule +like: + dtb-$(CONFIG_FOO) += foo.dtb + +Before the mentioned commit, one could copy a dts file to e.g. +arch/arm64/boot/dts/ (or a new subdirectory) and then convert it to a dtb +file using: + make ARCH=arm64 foo.dtb + +In this scenario, both 'dtb-y' and 'dtb-' are empty, and the inclusion of +scripts/Makefile.dtbs relies on 'targets' to contain the MAKECMDGOALS. The +value of 'targets', however, is only final later in the code. + +Move the conditional include of scripts/Makefile.dtbs down to where the +value of 'targets' is final. Since Makefile.dtbs updates 'always-y' which is +used as a prerequisite in the build rule, the build rule also needs to move +down. + +Fixes: e7e2941300d2 ("kbuild: split device tree build rules into scripts/Makefile.dtbs") +Signed-off-by: Thomas De Schampheleire +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Acked-by: Rob Herring (Arm) +Link: https://patch.msgid.link/20251126100017.1162330-1-thomas.de_schampheleire@nokia.com +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/Makefile.build | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/scripts/Makefile.build b/scripts/Makefile.build +index 2c5c1a214f3b..6e07023b5442 100644 +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -449,18 +449,6 @@ ifneq ($(userprogs),) + include $(srctree)/scripts/Makefile.userprogs + endif + +-ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),) +-include $(srctree)/scripts/Makefile.dtbs +-endif +- +-# Build +-# --------------------------------------------------------------------------- +- +-$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \ +- $(if $(KBUILD_MODULES), $(targets-for-modules)) \ +- $(subdir-ym) $(always-y) +- @: +- + # Single targets + # --------------------------------------------------------------------------- + +@@ -490,6 +478,20 @@ FORCE: + targets += $(filter-out $(single-subdir-goals), $(MAKECMDGOALS)) + targets := $(filter-out $(PHONY), $(targets)) + ++# Now that targets is fully known, include dtb rules if needed ++ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),) ++include $(srctree)/scripts/Makefile.dtbs ++endif ++ ++# Build ++# Needs to be after the include of Makefile.dtbs, which updates always-y ++# --------------------------------------------------------------------------- ++ ++$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \ ++ $(if $(KBUILD_MODULES), $(targets-for-modules)) \ ++ $(subdir-ym) $(always-y) ++ @: ++ + # Read all saved command lines and dependencies for the $(targets) we + # may be building above, using $(if_changed{,_dep}). As an + # optimization, we don't need to read them if the target does not +-- +2.51.0 + diff --git a/queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch new file mode 100644 index 0000000000..9e73e886b5 --- /dev/null +++ b/queue-6.12/ksmbd-fix-memory-leak-in-get_file_all_info.patch @@ -0,0 +1,43 @@ +From cc03dfe20f7a118b98814b23c388685d61662464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:20:16 +0000 +Subject: ksmbd: Fix memory leak in get_file_all_info() + +From: Zilin Guan + +[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ] + +In get_file_all_info(), if vfs_getattr() fails, the function returns +immediately without freeing the allocated filename, leading to a memory +leak. + +Fix this by freeing the filename before returning in this error case. + +Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr") +Signed-off-by: Zilin Guan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index a1579f76e063..e2cde9723001 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4926,8 +4926,10 @@ static int get_file_all_info(struct ksmbd_work *work, + + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); +- if (ret) ++ if (ret) { ++ kfree(filename); + return ret; ++ } + + ksmbd_debug(SMB, "filename = %s\n", filename); + delete_pending = ksmbd_inode_pending_delete(fp); +-- +2.51.0 + diff --git a/queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch b/queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch new file mode 100644 index 0000000000..7f1c72acde --- /dev/null +++ b/queue-6.12/md-fix-static-checker-warning-in-analyze_sbs.patch @@ -0,0 +1,53 @@ +From 2fe74dc8c6330e27051c103a60f0c4d2990d9459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 20:44:12 +0800 +Subject: md: Fix static checker warning in analyze_sbs + +From: Li Nan + +[ Upstream commit 00f6c1b4d15d35fadb7f34768a1831c81aaa8936 ] + +The following warn is reported: + + drivers/md/md.c:3912 analyze_sbs() + warn: iterator 'i' not incremented + +Fixes: d8730f0cf4ef ("md: Remove deprecated CONFIG_MD_MULTIPATH") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-raid/7e2e95ce-3740-09d8-a561-af6bfb767f18@huaweicloud.com/T/#t +Signed-off-by: Li Nan +Link: https://lore.kernel.org/linux-raid/20251215124412.4015572-1-linan666@huaweicloud.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 5c39246c467e..26056d53f40c 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3729,7 +3729,6 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe + + static int analyze_sbs(struct mddev *mddev) + { +- int i; + struct md_rdev *rdev, *freshest, *tmp; + + freshest = NULL; +@@ -3756,11 +3755,9 @@ static int analyze_sbs(struct mddev *mddev) + super_types[mddev->major_version]. + validate_super(mddev, NULL/*freshest*/, freshest); + +- i = 0; + rdev_for_each_safe(rdev, tmp, mddev) { + if (mddev->max_disks && +- (rdev->desc_nr >= mddev->max_disks || +- i > mddev->max_disks)) { ++ rdev->desc_nr >= mddev->max_disks) { + pr_warn("md: %s: %pg: only %d devices permitted\n", + mdname(mddev), rdev->bdev, + mddev->max_disks); +-- +2.51.0 + diff --git a/queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch b/queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch new file mode 100644 index 0000000000..e54d19507c --- /dev/null +++ b/queue-6.12/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch @@ -0,0 +1,68 @@ +From 30f54808084e545a5408a84c6ec14c9bab2941b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 21:03:26 +0800 +Subject: md/raid5: fix possible null-pointer dereferences in + raid5_store_group_thread_cnt() + +From: Tuo Li + +[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ] + +The variable mddev->private is first assigned to conf and then checked: + + conf = mddev->private; + if (!conf) ... + +If conf is NULL, then mddev->private is also NULL. In this case, +null-pointer dereferences can occur when calling raid5_quiesce(): + + raid5_quiesce(mddev, true); + raid5_quiesce(mddev, false); + +since mddev->private is assigned to conf again in raid5_quiesce(), and conf +is dereferenced in several places, for example: + + conf->quiesce = 0; + wake_up(&conf->wait_for_quiescent); + +To fix this issue, the function should unlock mddev and return before +invoking raid5_quiesce() when conf is NULL, following the existing pattern +in raid5_change_consistency_policy(). + +Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt") +Signed-off-by: Tuo Li +Reviewed-by: Xiao Ni +Reviewed-by: Paul Menzel +Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 8e5ccca3b68b..7262b77a8e02 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -7181,12 +7181,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len) + err = mddev_suspend_and_lock(mddev); + if (err) + return err; ++ conf = mddev->private; ++ if (!conf) { ++ mddev_unlock_and_resume(mddev); ++ return -ENODEV; ++ } + raid5_quiesce(mddev, true); + +- conf = mddev->private; +- if (!conf) +- err = -ENODEV; +- else if (new != conf->worker_cnt_per_group) { ++ if (new != conf->worker_cnt_per_group) { + old_groups = conf->worker_groups; + if (old_groups) + flush_workqueue(raid5_wq); +-- +2.51.0 + diff --git a/queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..e70e8a3016 --- /dev/null +++ b/queue-6.12/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From dc8994cd16febc6b94207c7550367576733fbdad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 741b0b8c4bab..a2e59108a5dc 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -247,6 +247,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..9e73bd8601 --- /dev/null +++ b/queue-6.12/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From 964c8c9ef49bb5c0e9910fbf12b04ed83d975ae8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 01eb62706412..0b666a77ea97 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1972,6 +1972,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch b/queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch new file mode 100644 index 0000000000..9e0635bb8b --- /dev/null +++ b/queue-6.12/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch @@ -0,0 +1,102 @@ +From 25c5abc3bc60380302345ac31310b487c0704e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 17:02:36 +0200 +Subject: net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() + +From: Vladimir Oltean + +[ Upstream commit a9f96dc59b4a50ffbf86158f315e115969172d48 ] + +of_find_net_device_by_node() searches net devices by their /sys/class/net/, +entry. It is documented in its kernel-doc that: + + * If successful, returns a pointer to the net_device with the embedded + * struct device refcount incremented by one, or NULL on failure. The + * refcount must be dropped when done with the net_device. + +We are missing a put_device(&conduit->dev) which we could place at the +end of dsa_tree_find_first_conduit(). But to explain why calling +put_device() right away is safe is the same as to explain why the chosen +solution is different. + +The code is very poorly split: dsa_tree_find_first_conduit() was first +introduced in commit 95f510d0b792 ("net: dsa: allow the DSA master to be +seen and changed through rtnetlink") but was first used several commits +later, in commit acc43b7bf52a ("net: dsa: allow masters to join a LAG"). + +Assume there is a switch with 2 CPU ports and 2 conduits, eno2 and eno3. +When we create a LAG (bonding or team device) and place eno2 and eno3 +beneath it, we create a 3rd conduit (the LAG device itself), but this is +slightly different than the first two. + +Namely, the cpu_dp->conduit pointer of the CPU ports does not change, +and remains pointing towards the physical Ethernet controllers which are +now LAG ports. Only 2 things change: +- the LAG device has a dev->dsa_ptr which marks it as a DSA conduit +- dsa_port_to_conduit(user port) finds the LAG and not the physical + conduit, because of the dp->cpu_port_in_lag bit being set. + +When the LAG device is destroyed, dsa_tree_migrate_ports_from_lag_conduit() +is called and this is where dsa_tree_find_first_conduit() kicks in. + +This is the logical mistake and the reason why introducing code in one +patch and using it from another is bad practice. I didn't realize that I +don't have to call of_find_net_device_by_node() again; the cpu_dp->conduit +association was never undone, and is still available for direct (re)use. +There's only one concern - maybe the conduit disappeared in the +meantime, but the netdev_hold() call we made during dsa_port_parse_cpu() +(see previous change) ensures that this was not the case. + +Therefore, fixing the code means reimplementing it in the simplest way. + +I am blaming the time of use, since this is what "git blame" would show +if we were to monitor for the conduit's kobject's refcount remaining +elevated instead of being freed. + +Tested on the NXP LS1028A, using the steps from +Documentation/networking/dsa/configuration.rst section "Affinity of user +ports to CPU ports", followed by (extra prints added by me): + +$ ip link del bond0 +mscc_felix 0000:00:00.5 swp3: Link is Down +bond0 (unregistering): (slave eno2): Releasing backup interface +fsl_enetc 0000:00:00.2 eno2: Link is Down +mscc_felix 0000:00:00.5 swp0: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp1: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp2: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp3: bond0 disappeared, migrating to eno2 + +Fixes: acc43b7bf52a ("net: dsa: allow masters to join a LAG") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20251215150236.3931670-2-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index ac3a252969cb..97599e0d5a1d 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -366,16 +366,10 @@ static struct dsa_port *dsa_tree_find_first_cpu(struct dsa_switch_tree *dst) + + struct net_device *dsa_tree_find_first_conduit(struct dsa_switch_tree *dst) + { +- struct device_node *ethernet; +- struct net_device *conduit; + struct dsa_port *cpu_dp; + + cpu_dp = dsa_tree_find_first_cpu(dst); +- ethernet = of_parse_phandle(cpu_dp->dn, "ethernet", 0); +- conduit = of_find_net_device_by_node(ethernet); +- of_node_put(ethernet); +- +- return conduit; ++ return cpu_dp->conduit; + } + + /* Assign the default CPU port (the first one in the tree) to all ports of the +-- +2.51.0 + diff --git a/queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..75a4a2ed74 --- /dev/null +++ b/queue-6.12/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From 761547384ebf3b3a849b85d02366cf622b9d5149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index c2170650415c..4f2bd20cdc05 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..b33b65965e --- /dev/null +++ b/queue-6.12/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From 684fa7ea55ff8d8e1c7dd0c3a9d7258411769dc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 91a11067e458..6574f9bcdc02 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -160,10 +160,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..c5927ae60e --- /dev/null +++ b/queue-6.12/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From f0f83b0bc0dbeeb8d731969debaabdd66436faa2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index b8078b42f5de..1676c9f4ab84 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch new file mode 100644 index 0000000000..d09bbcfd93 --- /dev/null +++ b/queue-6.12/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch @@ -0,0 +1,96 @@ +From b73f0ed1b4a7f57a6ba81a7c2d4e4af9830812a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 15:13:32 +0800 +Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action + +From: Wei Fang + +[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ] + +There is a crash issue when running zero copy XDP_TX action, the crash +log is shown below. + +[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 +[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP +[ 216.301694] Call trace: +[ 216.304130] dcache_clean_poc+0x20/0x38 (P) +[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 +[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 +[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 +[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 +[ 216.326576] __napi_poll+0x40/0x218 +[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt + +For XDP_TX action, the xdp_buff is converted to xdp_frame by +xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame +depends on the memory type of the xdp_buff. For page pool based xdp_buff +it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy +XSK pool based xdp_buff it produces xdp_frame with memory type +MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the +memory type and always uses the page pool type, this leads to invalid +mappings and causes the crash. Therefore, check the xdp_buff memory type +in stmmac_xdp_xmit_back() to fix this issue. + +Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy") +Signed-off-by: Wei Fang +Reviewed-by: Hariprasad Kelam +Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index ce35a6f12679..112287a6e9ab 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address"); + #define STMMAC_XDP_CONSUMED BIT(0) + #define STMMAC_XDP_TX BIT(1) + #define STMMAC_XDP_REDIRECT BIT(2) ++#define STMMAC_XSK_CONSUMED BIT(3) + + static int flow_ctrl = FLOW_AUTO; + module_param(flow_ctrl, int, 0644); +@@ -4998,6 +4999,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv, + static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + struct xdp_buff *xdp) + { ++ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL); + struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp); + int cpu = smp_processor_id(); + struct netdev_queue *nq; +@@ -5014,9 +5016,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + /* Avoids TX time-out as we are sharing with slow path */ + txq_trans_cond_update(nq); + +- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false); +- if (res == STMMAC_XDP_TX) ++ /* For zero copy XDP_TX action, dma_map is true */ ++ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc); ++ if (res == STMMAC_XDP_TX) { + stmmac_flush_tx_descriptors(priv, queue); ++ } else if (res == STMMAC_XDP_CONSUMED && zc) { ++ /* xdp has been freed by xdp_convert_buff_to_frame(), ++ * no need to call xsk_buff_free() again, so return ++ * STMMAC_XSK_CONSUMED. ++ */ ++ res = STMMAC_XSK_CONSUMED; ++ xdp_return_frame(xdpf); ++ } + + __netif_tx_unlock(nq); + +@@ -5366,6 +5377,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + case STMMAC_XDP_CONSUMED: + xsk_buff_free(buf->xdp); ++ fallthrough; ++ case STMMAC_XSK_CONSUMED: + rx_dropped++; + break; + case STMMAC_XDP_TX: +-- +2.51.0 + diff --git a/queue-6.12/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.12/net-usb-asix-validate-phy-address-before-use.patch new file mode 100644 index 0000000000..1efd4822a3 --- /dev/null +++ b/queue-6.12/net-usb-asix-validate-phy-address-before-use.patch @@ -0,0 +1,53 @@ +From 6b36b6b00f66b71c85a3613772dd95cc0c648d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 06:41:56 +0530 +Subject: net: usb: asix: validate PHY address before use + +From: Deepanshu Kartikey + +[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ] + +The ASIX driver reads the PHY address from the USB device via +asix_read_phy_addr(). A malicious or faulty device can return an +invalid address (>= PHY_MAX_ADDR), which causes a warning in +mdiobus_get_phy(): + + addr 207 out of range + WARNING: drivers/net/phy/mdio_bus.c:76 + +Validate the PHY address in asix_read_phy_addr() and remove the +now-redundant check in ax88172a.c. + +Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232 +Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return") +Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1] +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 7fd763917ae2..6ab3486072cb 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal) + offset = (internal ? 1 : 0); + ret = buf[offset]; + ++ if (ret >= PHY_MAX_ADDR) { ++ netdev_err(dev->net, "invalid PHY address: %d\n", ret); ++ return -ENODEV; ++ } ++ + netdev_dbg(dev->net, "%s PHY address 0x%x\n", + internal ? "internal" : "external", ret); + +-- +2.51.0 + diff --git a/queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..c0116f7a0d --- /dev/null +++ b/queue-6.12/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From 02f1ecc3b56d1eb5d7a66e7aafc4e53f55dd1555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 278e6cb6f4d9..e40b0669d9f4 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..aaa12b0738 --- /dev/null +++ b/queue-6.12/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From 2624de2fa3da88c72903d4b8496dfef13912f4d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 5197ce816581..cc6a63e2573f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch b/queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch new file mode 100644 index 0000000000..aa268c2379 --- /dev/null +++ b/queue-6.12/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch @@ -0,0 +1,61 @@ +From e98df0b4da1603824e9da1cbdbc3d387e4388abb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 12:18:13 +0000 +Subject: platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event + names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shravan Kumar Ramani + +[ Upstream commit f13bce715d1600698310a4a7832f6a52499d5395 ] + +Some event names have trailing whitespaces at the end which causes programming +of counters using the name for these specific events to fail and hence need to +be removed. + +Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3") +Signed-off-by: Shravan Kumar Ramani +Reviewed-by: David Thompson +Link: https://patch.msgid.link/065cbae0717dcc1169681c4dbb1a6e050b8574b3.1766059953.git.shravankr@nvidia.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index 9a0220b4de3c..67d9b19731ed 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -796,18 +796,18 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_miss_events[] = { + {11, "GDC_MISS_MACHINE_CHI_TXDAT"}, + {12, "GDC_MISS_MACHINE_CHI_RXDAT"}, + {13, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_0"}, +- {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1 "}, ++ {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1"}, + {15, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_2"}, +- {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3 "}, +- {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0 "}, +- {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1 "}, +- {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2 "}, +- {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3 "}, ++ {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3"}, ++ {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0"}, ++ {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1"}, ++ {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2"}, ++ {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3"}, + {21, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_0"}, + {22, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_1"}, + {23, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_2"}, + {24, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_3"}, +- {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0 "}, ++ {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0"}, + {26, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_1"}, + {27, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_2"}, + {28, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_3"}, +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch new file mode 100644 index 0000000000..53ac6c5ebc --- /dev/null +++ b/queue-6.12/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch @@ -0,0 +1,129 @@ +From b9576a13baa179ed9d882e514323d90496fbd9fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 19:42:05 +0800 +Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI + package parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ] + +The hp_populate_*_elements_from_package() functions in the hp-bioscfg +driver contain out-of-bounds array access vulnerabilities. + +These functions parse ACPI packages into internal data structures using +a for loop with index variable 'elem' that iterates through +enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. + +When processing multi-element fields like PREREQUISITES and +ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array +elements using expressions like 'enum_obj[elem + reqs]' and +'enum_obj[elem + pos_values]' within nested loops. + +The bug is that the bounds check only validated elem, but did not consider +the additional offset when accessing elem + reqs or elem + pos_values. + +The fix changes the bounds check to validate the actual accessed index. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++-- + drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +- + drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +- + 5 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +index c50ad5880503..f346aad8e9d8 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + case PREREQUISITES: + size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= enum_obj_count) { ++ if (elem + reqs >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + + for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE; + pos_values++) { +- if (elem >= enum_obj_count) { ++ if (elem + pos_values >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +index 6c7f4d5fa9cb..63b1fda2be4e 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_ + size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= integer_obj_count) { ++ if (elem + reqs >= integer_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +index c6e57bb9d8b7..6a31f47ce3f5 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord + size = min_t(u32, ordered_list_data->common.prerequisites_size, + MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= order_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer, + order_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +index 35936c05e45b..a5c457d06b9c 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= password_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer, + password_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +index 27758b779b2d..7b885d25650c 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= string_obj_count) { ++ if (elem + reqs >= string_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..9f6aeba650 --- /dev/null +++ b/queue-6.12/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From 7ad288b22f92889a268c54071e95353776d26e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 231b37909801..139956168cf9 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -273,7 +273,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..d897ffeec5 --- /dev/null +++ b/queue-6.12/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From c042a37fe7032d78793766b8ebe87f159dba6b59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index e5391a37014d..db3dadd29b29 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..4f5242dd67 --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From 7628cb03dc1300330f5e3ffa942d517d632d0a1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index f1a4bce6ce64..dfb72a5adc91 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..c57ae43c7d --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From c3b6fececed402cfe0760ccc8dcee03a35731b69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index c2abf2bb8026..c1587845f280 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2823,14 +2823,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..e909f3341e --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From 724757e79b1d7f5c61c143f75a2443a8a4f38caa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 7a099580ca8b..38ded4687122 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -1117,7 +1117,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + creq_db->dbinfo.flags = 0; + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..39a262049e --- /dev/null +++ b/queue-6.12/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From 8af2d7058a6126389d1be138d58680df12ba1bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index b785d9e7774c..f1a4bce6ce64 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch b/queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch new file mode 100644 index 0000000000..335d6db790 --- /dev/null +++ b/queue-6.12/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch @@ -0,0 +1,45 @@ +From 55c6ff662e7dbd0450ad8280d4ba499e320477ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Dec 2025 11:11:33 +0900 +Subject: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() + +From: Tetsuo Handa + +[ Upstream commit fa3c411d21ebc26ffd175c7256c37cefa35020aa ] + +Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add +support to add/delete a sub IB device through netlink") grabs a reference +using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), +we need to drop that reference before returning -EOPNOTSUPP error. + +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 +Fixes: bca51197620a ("RDMA/core: Support IB sub device with type "SMI"") +Signed-off-by: Tetsuo Handa +Link: https://patch.msgid.link/80749a85-cbe2-460c-8451-42516013f9fa@I-love.SAKURA.ne.jp +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index df2aa15a5bc9..bbc131737378 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -2823,8 +2823,10 @@ int ib_del_sub_device_and_put(struct ib_device *sub) + { + struct ib_device *parent = sub->parent; + +- if (!parent) ++ if (!parent) { ++ ib_device_put(sub); + return -EOPNOTSUPP; ++ } + + mutex_lock(&parent->subdev_lock); + list_del(&sub->subdev_list); +-- +2.51.0 + diff --git a/queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..24b9f9d65b --- /dev/null +++ b/queue-6.12/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From c84ee1b1235bb823a22048224ecd3359e2f5fb75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index dc40001072a5..8dd96dc98fd3 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-6.12/rdma-efa-remove-possible-negative-shift.patch b/queue-6.12/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..1ca3a46f66 --- /dev/null +++ b/queue-6.12/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 162e579f34793fe8cce7d39acce35de590ac33aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index cc13415ff7e7..46eddef7a1cc 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1241,13 +1241,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch new file mode 100644 index 0000000000..64c353231b --- /dev/null +++ b/queue-6.12/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch @@ -0,0 +1,83 @@ +From 501569d4a9c76750abba2432d2fe4d880a7de990 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:31:50 +0100 +Subject: RDMA/irdma: avoid invalid read in irdma_net_event + +From: Michal Schmidt + +[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ] + +irdma_net_event() should not dereference anything from "neigh" (alias +"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. +Other events come with different structures pointed to by "ptr" and they +may be smaller than struct neighbour. + +Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. + +The bug is mostly harmless, but it triggers KASAN on debug kernels: + + BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] + Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 + + CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 + Hardware name: [...] + Workqueue: events rt6_probe_deferred + Call Trace: + + dump_stack_lvl+0x60/0xb0 + print_address_description.constprop.0+0x2c/0x3f0 + print_report+0xb4/0x270 + kasan_report+0x92/0xc0 + irdma_net_event+0x32e/0x3b0 [irdma] + notifier_call_chain+0x9e/0x180 + atomic_notifier_call_chain+0x5c/0x110 + rt6_do_redirect+0xb91/0x1080 + tcp_v6_err+0xe9b/0x13e0 + icmpv6_notify+0x2b2/0x630 + ndisc_redirect_rcv+0x328/0x530 + icmpv6_rcv+0xc16/0x1360 + ip6_protocol_deliver_rcu+0xb84/0x12e0 + ip6_input_finish+0x117/0x240 + ip6_input+0xc4/0x370 + ipv6_rcv+0x420/0x7d0 + __netif_receive_skb_one_core+0x118/0x1b0 + process_backlog+0xd1/0x5d0 + __napi_poll.constprop.0+0xa3/0x440 + net_rx_action+0x78a/0xba0 + handle_softirqs+0x2d4/0x9c0 + do_softirq+0xad/0xe0 + + +Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") +Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com +Signed-off-by: Michal Schmidt +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index 0422787592d8..87a6d58663de 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + void *ptr) + { + struct neighbour *neigh = ptr; +- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev; ++ struct net_device *real_dev, *netdev; + struct irdma_device *iwdev; + struct ib_device *ibdev; + __be32 *p; +@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + + switch (event) { + case NETEVENT_NEIGH_UPDATE: ++ netdev = neigh->dev; + real_dev = rdma_vlan_dev_real_dev(netdev); + if (!real_dev) + real_dev = netdev; +-- +2.51.0 + diff --git a/queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch new file mode 100644 index 0000000000..f87e0799ac --- /dev/null +++ b/queue-6.12/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch @@ -0,0 +1,40 @@ +From 3e6a4e86b6893cbacfc99391e648cf3b96133ccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:56:17 +0800 +Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation + +From: Honggang LI + +[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ] + +If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift] +are zero, the `min3` function will set clt_path::max_pages_per_mr to +zero. + +`alloc_path_reqs` will pass zero, which is invalid, as the third parameter +to `ib_alloc_mr`. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Honggang LI +Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 71387811b281..2b397a544cb9 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1464,6 +1464,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path) + mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1); + max_pages_per_mr = ib_dev->attrs.max_mr_size; + do_div(max_pages_per_mr, (1ull << mr_page_shift)); ++ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX); + clt_path->max_pages_per_mr = + min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr, + ib_dev->attrs.max_fast_reg_page_list_len); +-- +2.51.0 + diff --git a/queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..76f4341187 --- /dev/null +++ b/queue-6.12/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From 48a3c7ee27dd803d504bcfec034202209ff1451c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch new file mode 100644 index 0000000000..532b218bb8 --- /dev/null +++ b/queue-6.12/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch @@ -0,0 +1,97 @@ +From 3f7e17de91ced4c2779738522f3c3685ab6a937d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 12:06:41 -0500 +Subject: selftests: net: fix "buffer overflow detected" for tap.c + +From: Alice C. Munduruca + +[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ] + +When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3', +the strcpy() in rtattr_add_strsz() is replaced with a checked +version which causes the test to consistently fail when compiled +with toolchains for which this option is enabled by default. + + TAP version 13 + 1..3 + # Starting 3 tests from 1 test cases. + # RUN tap.test_packet_valid_udp_gso ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_gso: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_gso + not ok 1 tap.test_packet_valid_udp_gso + # RUN tap.test_packet_valid_udp_csum ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_csum: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_csum + not ok 2 tap.test_packet_valid_udp_csum + # RUN tap.test_packet_crash_tap_invalid_eth_proto ... + *** buffer overflow detected ***: terminated + # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion + # FAIL tap.test_packet_crash_tap_invalid_eth_proto + not ok 3 tap.test_packet_crash_tap_invalid_eth_proto + # FAILED: 0 / 3 tests passed. + # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0 + +A buffer overflow is detected by the fortified glibc __strcpy_chk() +since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly +reported as 1, even though there is ample space in its bounding +buffer `req`. + +Additionally, given that IFLA_IFNAME also expects a null-terminated +string, callers of rtaddr_add_str{,sz}() could simply use the +rtaddr_add_strsz() variant. (which has been renamed to remove the +trailing `sz`) memset() has been used for this function since it +is unchecked and thus circumvents the issue discussed in the +previous paragraph. + +Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver") +Signed-off-by: Alice C. Munduruca +Reviewed-by: Cengiz Can +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tap.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c +index 247c3b3ac1c9..51a209014f1c 100644 +--- a/tools/testing/selftests/net/tap.c ++++ b/tools/testing/selftests/net/tap.c +@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr) + static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type, + const char *s) + { +- struct rtattr *rta = rtattr_add(nh, type, strlen(s)); ++ unsigned int strsz = strlen(s) + 1; ++ struct rtattr *rta; + +- memcpy(RTA_DATA(rta), s, strlen(s)); +- return rta; +-} +- +-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type, +- const char *s) +-{ +- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1); ++ rta = rtattr_add(nh, type, strsz); + +- strcpy(RTA_DATA(rta), s); ++ memcpy(RTA_DATA(rta), s, strsz); + return rta; + } + +@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type, + + link_info = rtattr_begin(&req.nh, IFLA_LINKINFO); + +- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type); ++ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type); + + if (fill_info_data) { + info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA); +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 7b6d81391a..257aa28d2b 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -291,3 +291,53 @@ arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch x86-msi-make-irq_retrigger-functional-for-posted-msi.patch iommu-mediatek-fix-use-after-free-on-probe-deferral.patch fuse-fix-readahead-reclaim-deadlock.patch +wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch +wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch +wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch +wifi-mac80211-do-not-use-old-mbssid-elements.patch +i40e-fix-scheduling-in-set_rx_mode.patch +i40e-validate-ring_len-parameter-against-hardware-sp.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +idpf-reduce-mbx_task-schedule-delay-to-300us.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch +amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +selftests-net-fix-buffer-overflow-detected-for-tap.c.patch +smc91x-fix-broken-irq-context-in-preempt_rt.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-fix-dma_free_coherent-size.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +kbuild-fix-compilation-of-dtb-specified-on-command-l.patch +net-usb-asix-validate-phy-address-before-use.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch +platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch +rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +md-fix-static-checker-warning-in-analyze_sbs.patch +md-raid5-fix-possible-null-pointer-dereferences-in-r.patch +ksmbd-fix-memory-leak-in-get_file_all_info.patch +rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch new file mode 100644 index 0000000000..01c9cfbb2d --- /dev/null +++ b/queue-6.12/smc91x-fix-broken-irq-context-in-preempt_rt.patch @@ -0,0 +1,72 @@ +From 045b7ff22780ba6efad0d64191c8e7f382272897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 08:51:15 +0000 +Subject: smc91x: fix broken irq-context in PREEMPT_RT + +From: Yeoreum Yun + +[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ] + +When smc91x.c is built with PREEMPT_RT, the following splat occurs +in FVP_RevC: + +[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] +[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work +[ 13.062266] C +** replaying previous printk message ** +[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} +[ 13.062353] Hardware name: , BIOS +[ 13.062382] Workqueue: mld mld_ifc_work +[ 13.062469] Call trace: +[ 13.062494] show_stack+0x24/0x40 (C) +[ 13.062602] __dump_stack+0x28/0x48 +[ 13.062710] dump_stack_lvl+0x7c/0xb0 +[ 13.062818] dump_stack+0x18/0x34 +[ 13.062926] process_scheduled_works+0x294/0x450 +[ 13.063043] worker_thread+0x260/0x3d8 +[ 13.063124] kthread+0x1c4/0x228 +[ 13.063235] ret_from_fork+0x10/0x20 + +This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, +but smc_special_unlock() does not restore IRQs on PREEMPT_RT. +The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), +and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke +rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. + +To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). + +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Yeoreum Yun +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc91x.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c +index a5e23e2da90f..953a1d22e60a 100644 +--- a/drivers/net/ethernet/smsc/smc91x.c ++++ b/drivers/net/ethernet/smsc/smc91x.c +@@ -516,15 +516,7 @@ static inline void smc_rcv(struct net_device *dev) + * any other concurrent access and C would always interrupt B. But life + * isn't that easy in a SMP world... + */ +-#define smc_special_trylock(lock, flags) \ +-({ \ +- int __ret; \ +- local_irq_save(flags); \ +- __ret = spin_trylock(lock); \ +- if (!__ret) \ +- local_irq_restore(flags); \ +- __ret; \ +-}) ++#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags) + #define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags) + #define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags) + #else +-- +2.51.0 + diff --git a/queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..8b573a7bf8 --- /dev/null +++ b/queue-6.12/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From 841d764e95725834b429d7720cbb85295e063247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index 94c40c5cebdd..50732f9699ee 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -877,7 +877,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch b/queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch new file mode 100644 index 0000000000..f703890693 --- /dev/null +++ b/queue-6.12/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch @@ -0,0 +1,46 @@ +From 3786d5569429e25ca3831c35967e66b40d11fa1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 14:31:50 +0000 +Subject: vfio/pds: Fix memory leak in pds_vfio_dirty_enable() + +From: Zilin Guan + +[ Upstream commit 665077d78dc7941ce6a330c02023a2b469cc8cc7 ] + +pds_vfio_dirty_enable() allocates memory for region_info. If +interval_tree_iter_first() returns NULL, the function returns -EINVAL +immediately without freeing the allocated memory, causing a memory leak. + +Fix this by jumping to the out_free_region_info label to ensure +region_info is freed. + +Fixes: 2e7c6feb4ef52 ("vfio/pds: Add multi-region support") +Signed-off-by: Zilin Guan +Link: https://lore.kernel.org/r/20251225143150.1117366-1-zilin@seu.edu.cn +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/pds/dirty.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/pds/dirty.c b/drivers/vfio/pci/pds/dirty.c +index 481992142f79..4915a7c1c491 100644 +--- a/drivers/vfio/pci/pds/dirty.c ++++ b/drivers/vfio/pci/pds/dirty.c +@@ -292,8 +292,11 @@ static int pds_vfio_dirty_enable(struct pds_vfio_pci_device *pds_vfio, + len = num_ranges * sizeof(*region_info); + + node = interval_tree_iter_first(ranges, 0, ULONG_MAX); +- if (!node) +- return -EINVAL; ++ if (!node) { ++ err = -EINVAL; ++ goto out_free_region_info; ++ } ++ + for (int i = 0; i < num_ranges; i++) { + struct pds_lm_dirty_region_info *ri = ®ion_info[i]; + u64 region_size = node->last - node->start + 1; +-- +2.51.0 + diff --git a/queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch new file mode 100644 index 0000000000..740aa25091 --- /dev/null +++ b/queue-6.12/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch @@ -0,0 +1,38 @@ +From e08e94dc4d4633f818d3a59fd0d4939ae9128b0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 14:14:47 +0300 +Subject: wifi: cfg80211: sme: store capped length in + __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ] + +The QGenie AI code review tool says we should store the capped length to +wdev->u.client.ssid_len. The AI is correct. + +Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index e0d3c713538b..d8250ae17d94 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -913,7 +913,7 @@ void __cfg80211_connect_result(struct net_device *dev, + + ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); + memcpy(wdev->u.client.ssid, ssid->data, ssid_len); +- wdev->u.client.ssid_len = ssid->datalen; ++ wdev->u.client.ssid_len = ssid_len; + break; + } + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch new file mode 100644 index 0000000000..43b18a4bb2 --- /dev/null +++ b/queue-6.12/wifi-mac80211-do-not-use-old-mbssid-elements.patch @@ -0,0 +1,68 @@ +From 22a4a71bec6dca8c19fc3b474db95cb145627087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 09:46:56 -0800 +Subject: wifi: mac80211: do not use old MBSSID elements + +From: Aloka Dixit + +[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ] + +When userspace brings down and deletes a non-transmitted profile, +it is expected to send a new updated Beacon template for the +transmitted profile of that multiple BSSID (MBSSID) group which +does not include the removed profile in MBSSID element. This +update comes via NL80211_CMD_SET_BEACON. + +Such updates work well as long as the group continues to have at +least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS +is included in the new Beacon template. + +But when the last non-trasmitted profile is removed, it still +gets included in Beacon templates sent to driver. This happens +because when no MBSSID elements are sent by the userspace, +ieee80211_assign_beacon() ends up using the element stored from +earlier Beacon template. + +Do not copy old MBSSID elements, instead userspace should always +include these when applicable. + +Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode") +Signed-off-by: Aloka Dixit +Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 2df4df75f195..0abb687fd58d 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1140,7 +1140,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + size = sizeof(*new) + new_head_len + new_tail_len; + +- /* new or old multiple BSSID elements? */ + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +@@ -1150,15 +1149,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + } + size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, + mbssid->cnt); +- } else if (old && old->mbssid_ies) { +- mbssid = old->mbssid_ies; +- size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- if (old && old->rnr_ies) { +- rnr = old->rnr_ies; +- size += struct_size(new->rnr_ies, elem, rnr->cnt); +- } +- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, +- mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +-- +2.51.0 + diff --git a/queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch b/queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch new file mode 100644 index 0000000000..acde61dfd2 --- /dev/null +++ b/queue-6.12/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch @@ -0,0 +1,42 @@ +From fa69d7c6d0b101a451fdae8e12d1cfe4b9fd99c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 16:37:08 +0800 +Subject: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() + +From: Morning Star + +[ Upstream commit dd39edb445f07400e748da967a07d5dca5c5f96e ] + +TID getting from ieee80211_get_tid() might be out of range of array size +of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, +UBSAN warn: + + UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 + index 10 is out of range for type 'rtl_tid_data [9]' + +Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation") +Signed-off-by: Morning Star +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c +index aa702ba7c9f5..d6c35e8d02a5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c +@@ -511,7 +511,8 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw, + if (sta) { + sta_entry = (struct rtl_sta_info *)sta->drv_priv; + tid = ieee80211_get_tid(hdr); +- agg_state = sta_entry->tids[tid].agg.agg_state; ++ if (tid < MAX_TID_COUNT) ++ agg_state = sta_entry->tids[tid].agg.agg_state; + ampdu_density = sta->deflink.ht_cap.ampdu_density; + } + +-- +2.51.0 + diff --git a/queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch new file mode 100644 index 0000000000..f22f0d53b6 --- /dev/null +++ b/queue-6.12/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch @@ -0,0 +1,51 @@ +From 58b7e6d207a46a5155840b11e93b81d20a107638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:38:49 +0800 +Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS + +From: Ping-Ke Shih + +[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ] + +The indirect IO is necessary for RTL8822CS, but not necessary for other +chips. Otherwiese, it throws errors and becomes unusable. + + rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + +By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but +RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only. + +Reported-by: Andrey Skvortsov +Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4 +Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on") +Signed-off-by: Ping-Ke Shih +Tested-by: Andrey Skvortsov +Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index d6bea5ec8e24..d8db341a5731 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -144,8 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr, + + static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr) + { ++ bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C; ++ + if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) && +- !rtw_sdio_is_bus_addr(addr)) ++ !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off) + return false; + + return !rtw_sdio_is_sdio30_supported(rtwdev) || +-- +2.51.0 + diff --git a/queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch new file mode 100644 index 0000000000..0c260e6ce7 --- /dev/null +++ b/queue-6.18/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch @@ -0,0 +1,53 @@ +From 9f22c45d81f4dc61945063744f4792f13b70ee23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 20:47:28 +0530 +Subject: amd-xgbe: reset retries and mode on RX adapt failures + +From: Raju Rangoju + +[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ] + +During the stress tests, early RX adaptation handshakes can fail, such +as missing the RX_ADAPT ACK or not receiving a coefficient update before +block lock is established. Continuing to retry RX adaptation in this +state is often ineffective if the current mode selection is not viable. + +Resetting the RX adaptation retry counter when an RX_ADAPT request fails +to receive ACK or a coefficient update prior to block lock, and clearing +mode_set so the next bring-up performs a fresh mode selection rather +than looping on a likely invalid configuration. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Reviewed-by: Simon Horman +Reviewed-by: Shyam Sundar S K +Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index a56efc1bee33..450a573960e7 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1927,6 +1927,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + { + if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) { + pdata->rx_adapt_retries = 0; ++ pdata->mode_set = false; + return; + } + +@@ -1973,6 +1974,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + */ + netif_dbg(pdata, link, pdata->netdev, "Block_lock done"); + pdata->rx_adapt_done = true; ++ pdata->rx_adapt_retries = 0; + pdata->mode_set = false; + return; + } +-- +2.51.0 + diff --git a/queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch new file mode 100644 index 0000000000..0c0024f1e0 --- /dev/null +++ b/queue-6.18/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch @@ -0,0 +1,39 @@ +From b3cd50a05f25456b4ac830355422fb8b5e795f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 17:17:05 +0800 +Subject: blk-mq: skip CPU offline notify on unmapped hctx + +From: Cong Zhang + +[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ] + +If an hctx has no software ctx mapped, blk_mq_map_swqueue() never +allocates tags and leaves hctx->tags NULL. The CPU hotplug offline +notifier can still run for that hctx, return early since hctx cannot +hold any requests. + +Signed-off-by: Cong Zhang +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index ea5f948af7a4..a03f52ab87d6 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3710,7 +3710,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (blk_mq_hctx_has_online_cpu(hctx, cpu)) ++ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +-- +2.51.0 + diff --git a/queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch new file mode 100644 index 0000000000..0256dc5837 --- /dev/null +++ b/queue-6.18/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch @@ -0,0 +1,89 @@ +From 932f197cbd5a7f8cda9a482a817ea7243aac5400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 11:02:28 -0500 +Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ] + +This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in +btusb.c file"). + +In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This +ties the lifetime of all the btusb data to the binding of a driver to +one interface, INTF. In a driver that binds to other interfaces, ISOC +and DIAG, this is an accident waiting to happen. + +The issue is revealed in btusb_disconnect(), where calling +usb_driver_release_interface(&btusb_driver, data->intf) will have devm +free the data that is also being used by the other interfaces of the +driver that may not be released yet. + +To fix this, revert the use of devm and go back to freeing memory +explicitly. + +Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index b92bfd131567..3420f711f0f0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4017,7 +4017,7 @@ static int btusb_probe(struct usb_interface *intf, + return -ENODEV; + } + +- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -4040,8 +4040,10 @@ static int btusb_probe(struct usb_interface *intf, + } + } + +- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) ++ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) { ++ kfree(data); + return -ENODEV; ++ } + + if (id->driver_info & BTUSB_AMP) { + data->cmdreq_type = USB_TYPE_CLASS | 0x01; +@@ -4096,8 +4098,10 @@ static int btusb_probe(struct usb_interface *intf, + data->recv_acl = hci_recv_frame; + + hdev = hci_alloc_dev_priv(priv_size); +- if (!hdev) ++ if (!hdev) { ++ kfree(data); + return -ENOMEM; ++ } + + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); +@@ -4370,6 +4374,7 @@ static int btusb_probe(struct usb_interface *intf, + if (data->reset_gpio) + gpiod_put(data->reset_gpio); + hci_free_dev(hdev); ++ kfree(data); + return err; + } + +@@ -4418,6 +4423,7 @@ static void btusb_disconnect(struct usb_interface *intf) + } + + hci_free_dev(hdev); ++ kfree(data); + } + + #ifdef CONFIG_PM +-- +2.51.0 + diff --git a/queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch b/queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch new file mode 100644 index 0000000000..fb428c57d3 --- /dev/null +++ b/queue-6.18/bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch @@ -0,0 +1,42 @@ +From 0c32f7ce8eb96314fa555eb1edd2fe9c9640d15a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 22:40:20 +0200 +Subject: Bluetooth: MGMT: report BIS capability flags in supported settings + +From: Pauli Virtanen + +[ Upstream commit 348240e5fa901d3d4ba8dffa0e2ba9fc7aba93ab ] + +MGMT_SETTING_ISO_BROADCASTER and MGMT_SETTING_ISO_RECEIVER flags are +missing from supported_settings although they are in current_settings. + +Report them also in supported_settings to be consistent. + +Fixes: ae7533613133 ("Bluetooth: Check for ISO support in controller") +Signed-off-by: Pauli Virtanen +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 262bf984d2aa..211951eb832a 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -849,6 +849,12 @@ static u32 get_supported_settings(struct hci_dev *hdev) + if (cis_peripheral_capable(hdev)) + settings |= MGMT_SETTING_CIS_PERIPHERAL; + ++ if (bis_capable(hdev)) ++ settings |= MGMT_SETTING_ISO_BROADCASTER; ++ ++ if (sync_recv_capable(hdev)) ++ settings |= MGMT_SETTING_ISO_SYNC_RECEIVER; ++ + if (ll_privacy_capable(hdev)) + settings |= MGMT_SETTING_LL_PRIVACY; + +-- +2.51.0 + diff --git a/queue-6.18/bng_en-update-module-description.patch b/queue-6.18/bng_en-update-module-description.patch new file mode 100644 index 0000000000..ac0eca5344 --- /dev/null +++ b/queue-6.18/bng_en-update-module-description.patch @@ -0,0 +1,77 @@ +From d0a934d5fcd0916fca73dee6f9299d077e89f3cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:47:48 -0800 +Subject: bng_en: update module description + +From: Rajashekar Hudumula + +[ Upstream commit d5dc28305143f126dc3d8da21e1ad75865b194e2 ] + +The Broadcom BCM57708/800G NIC family is branded as ThorUltra. +Update the driver description accordingly. + +Fixes: 74715c4ab0fa0 ("bng_en: Add PCI interface") +Signed-off-by: Rajashekar Hudumula +Reviewed-by: Vikas Gupta +Reviewed-by: Bhargava Chenna Marreddy +Link: https://patch.msgid.link/20251217104748.3004706-1-rajashekar.hudumula@broadcom.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/Kconfig | 8 ++++---- + drivers/net/ethernet/broadcom/bnge/bnge.h | 2 +- + drivers/net/ethernet/broadcom/bnge/bnge_core.c | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/Kconfig b/drivers/net/ethernet/broadcom/Kconfig +index 9fdef874f5ca..fe15d684990f 100644 +--- a/drivers/net/ethernet/broadcom/Kconfig ++++ b/drivers/net/ethernet/broadcom/Kconfig +@@ -254,14 +254,14 @@ config BNXT_HWMON + devices, via the hwmon sysfs interface. + + config BNGE +- tristate "Broadcom Ethernet device support" ++ tristate "Broadcom ThorUltra Ethernet device support" + depends on PCI + select NET_DEVLINK + select PAGE_POOL + help +- This driver supports Broadcom 50/100/200/400/800 gigabit Ethernet cards. +- The module will be called bng_en. To compile this driver as a module, +- choose M here. ++ This driver supports Broadcom ThorUltra 50/100/200/400/800 gigabit ++ Ethernet cards. The module will be called bng_en. To compile this ++ driver as a module, choose M here. + + config BCMASP + tristate "Broadcom ASP 2.0 Ethernet support" +diff --git a/drivers/net/ethernet/broadcom/bnge/bnge.h b/drivers/net/ethernet/broadcom/bnge/bnge.h +index 7aed5f81cd51..0c154995d9ab 100644 +--- a/drivers/net/ethernet/broadcom/bnge/bnge.h ++++ b/drivers/net/ethernet/broadcom/bnge/bnge.h +@@ -5,7 +5,7 @@ + #define _BNGE_H_ + + #define DRV_NAME "bng_en" +-#define DRV_SUMMARY "Broadcom 800G Ethernet Linux Driver" ++#define DRV_SUMMARY "Broadcom ThorUltra NIC Ethernet Driver" + + #include + #include +diff --git a/drivers/net/ethernet/broadcom/bnge/bnge_core.c b/drivers/net/ethernet/broadcom/bnge/bnge_core.c +index 2c72dd34d50d..312a9db4d75d 100644 +--- a/drivers/net/ethernet/broadcom/bnge/bnge_core.c ++++ b/drivers/net/ethernet/broadcom/bnge/bnge_core.c +@@ -19,7 +19,7 @@ char bnge_driver_name[] = DRV_NAME; + static const struct { + char *name; + } board_info[] = { +- [BCM57708] = { "Broadcom BCM57708 50Gb/100Gb/200Gb/400Gb/800Gb Ethernet" }, ++ [BCM57708] = { "Broadcom BCM57708 ThorUltra 50Gb/100Gb/200Gb/400Gb/800Gb Ethernet" }, + }; + + static const struct pci_device_id bnge_pci_tbl[] = { +-- +2.51.0 + diff --git a/queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch b/queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch new file mode 100644 index 0000000000..da7a793f48 --- /dev/null +++ b/queue-6.18/cpuset-fix-warning-when-disabling-remote-partition.patch @@ -0,0 +1,117 @@ +From 371447746dc672f52d5cd33f60026f461b8b709f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 01:59:50 +0000 +Subject: cpuset: fix warning when disabling remote partition + +From: Chen Ridong + +[ Upstream commit aa7d3a56a20f07978d9f401e13637a6479b13bd0 ] + +A warning was triggered as follows: + +WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 +RIP: 0010:remote_partition_disable+0xf7/0x110 +RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 +RAX: 0000000000007fff RBX: ffff888103b6e000 RCX: 0000000000006f40 +RDX: 0000000000006f00 RSI: ffffc90001947da8 RDI: ffff888103b6e000 +RBP: ffff888103b6e000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000001 R11: ffff88810b2e2728 R12: ffffc90001947da8 +R13: 0000000000000000 R14: ffffc90001947da8 R15: ffff8881081f1c00 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f55c8bbe0b2 CR3: 000000010b14c000 CR4: 00000000000006f0 +Call Trace: + + update_prstate+0x2d3/0x580 + cpuset_partition_write+0x94/0xf0 + kernfs_fop_write_iter+0x147/0x200 + vfs_write+0x35d/0x500 + ksys_write+0x66/0xe0 + do_syscall_64+0x6b/0x390 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 +RIP: 0033:0x7f55c8cd4887 + +Reproduction steps (on a 16-CPU machine): + + # cd /sys/fs/cgroup/ + # mkdir A1 + # echo +cpuset > A1/cgroup.subtree_control + # echo "0-14" > A1/cpuset.cpus.exclusive + # mkdir A1/A2 + # echo "0-14" > A1/A2/cpuset.cpus.exclusive + # echo "root" > A1/A2/cpuset.cpus.partition + # echo 0 > /sys/devices/system/cpu/cpu15/online + # echo member > A1/A2/cpuset.cpus.partition + +When CPU 15 is offlined, subpartitions_cpus gets cleared because no CPUs +remain available for the top_cpuset, forcing partitions to share CPUs with +the top_cpuset. In this scenario, disabling the remote partition triggers +a warning stating that effective_xcpus is not a subset of +subpartitions_cpus. Partitions should be invalidated in this case to +inform users that the partition is now invalid(cpus are shared with +top_cpuset). + +To fix this issue: +1. Only emit the warning only if subpartitions_cpus is not empty and the + effective_xcpus is not a subset of subpartitions_cpus. +2. During the CPU hotplug process, invalidate partitions if + subpartitions_cpus is empty. + +Fixes: f62a5d39368e ("cgroup/cpuset: Remove remote_partition_check() & make update_cpumasks_hier() handle remote partition") +Signed-off-by: Chen Ridong +Reviewed-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 4dcd633fd6df..61b56b6ca66a 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1600,7 +1600,14 @@ static void remote_partition_disable(struct cpuset *cs, struct tmpmasks *tmp) + bool isolcpus_updated; + + WARN_ON_ONCE(!is_remote_partition(cs)); +- WARN_ON_ONCE(!cpumask_subset(cs->effective_xcpus, subpartitions_cpus)); ++ /* ++ * When a CPU is offlined, top_cpuset may end up with no available CPUs, ++ * which should clear subpartitions_cpus. We should not emit a warning for this ++ * scenario: the hierarchy is updated from top to bottom, so subpartitions_cpus ++ * may already be cleared when disabling the partition. ++ */ ++ WARN_ON_ONCE(!cpumask_subset(cs->effective_xcpus, subpartitions_cpus) && ++ !cpumask_empty(subpartitions_cpus)); + + spin_lock_irq(&callback_lock); + list_del_init(&cs->remote_sibling); +@@ -3927,8 +3934,9 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp) + if (remote || (is_partition_valid(cs) && is_partition_valid(parent))) + compute_partition_effective_cpumask(cs, &new_cpus); + +- if (remote && cpumask_empty(&new_cpus) && +- partition_is_populated(cs, NULL)) { ++ if (remote && (cpumask_empty(subpartitions_cpus) || ++ (cpumask_empty(&new_cpus) && ++ partition_is_populated(cs, NULL)))) { + cs->prs_err = PERR_HOTPLUG; + remote_partition_disable(cs, tmp); + compute_effective_cpumask(&new_cpus, cs, parent); +@@ -3941,9 +3949,12 @@ static void cpuset_hotplug_update_tasks(struct cpuset *cs, struct tmpmasks *tmp) + * 1) empty effective cpus but not valid empty partition. + * 2) parent is invalid or doesn't grant any cpus to child + * partitions. ++ * 3) subpartitions_cpus is empty. + */ +- if (is_local_partition(cs) && (!is_partition_valid(parent) || +- tasks_nocpu_error(parent, cs, &new_cpus))) ++ if (is_local_partition(cs) && ++ (!is_partition_valid(parent) || ++ tasks_nocpu_error(parent, cs, &new_cpus) || ++ cpumask_empty(subpartitions_cpus))) + partcmd = partcmd_invalidate; + /* + * On the other hand, an invalid partition root may be transitioned +-- +2.51.0 + diff --git a/queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..2caa2739f8 --- /dev/null +++ b/queue-6.18/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From fb00e49ef424e8eea9835386d36612a6f65224ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 2bae99e33526..678bb4145d78 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -68,8 +69,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + memcpy_sglist(req->dst, req->src, + req->assoclen + req->cryptlen); + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -89,7 +91,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch b/queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch new file mode 100644 index 0000000000..bf68902d61 --- /dev/null +++ b/queue-6.18/drm-gem-shmem-fix-the-module_license-string.patch @@ -0,0 +1,39 @@ +From 3e92f2d2f02fc6846484e1d2a8535acc02a00d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Dec 2025 14:41:59 +0100 +Subject: drm/gem-shmem: Fix the MODULE_LICENSE() string + +From: Thomas Zimmermann + +[ Upstream commit 3fbd97618f49e07e05aad96510e5f2ed22d68809 ] + +Replace the bogus "GPL v2" with "GPL" as MODULE_LICNSE() string. The +value does not declare the module's exact license, but only lets the +module loader test whether the module is Free Software or not. + +See commit bf7fbeeae6db ("module: Cure the MODULE_LICENSE "GPL" vs. +"GPL v2" bogosity") in the details of the issue. The fix is to use +"GPL" for all modules under any variant of the GPL. + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Boris Brezillon +Fixes: 4b2b5e142ff4 ("drm: Move GEM memory managers into modules") +Link: https://patch.msgid.link/20251209140141.94407-3-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_gem_shmem_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c +index 5d1349c34afd..365b5737ca2c 100644 +--- a/drivers/gpu/drm/drm_gem_shmem_helper.c ++++ b/drivers/gpu/drm/drm_gem_shmem_helper.c +@@ -863,4 +863,4 @@ EXPORT_SYMBOL_GPL(drm_gem_shmem_prime_import_no_map); + + MODULE_DESCRIPTION("DRM SHMEM memory-management helpers"); + MODULE_IMPORT_NS("DMA_BUF"); +-MODULE_LICENSE("GPL v2"); ++MODULE_LICENSE("GPL"); +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch b/queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch new file mode 100644 index 0000000000..175c1fd608 --- /dev/null +++ b/queue-6.18/drm-xe-guc-read-write_once-g2h_fence-done.patch @@ -0,0 +1,74 @@ +From c3a15c7ecb300c15e3f2779483a9e42f2ed70e43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 20:19:59 +0000 +Subject: drm/xe/guc: READ/WRITE_ONCE g2h_fence->done +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cavitt + +[ Upstream commit bed2a6bd20681aacfb063015c1edfab6f58a333e ] + +Use READ_ONCE and WRITE_ONCE when operating on g2h_fence->done +to prevent the compiler from ignoring important modifications +to its value. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Suggested-by: Matthew Brost +Signed-off-by: Jonathan Cavitt +Cc: Rodrigo Vivi +Reviewed-by: Matthew Brost +Link: https://patch.msgid.link/20251222201957.63245-5-jonathan.cavitt@intel.com +Signed-off-by: Rodrigo Vivi +(cherry picked from commit b5179dbd1c14743ae80f0aaa28eaaf35c361608f) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_guc_ct.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c +index b7afe8e983cb..3aac1a7aa2e7 100644 +--- a/drivers/gpu/drm/xe/xe_guc_ct.c ++++ b/drivers/gpu/drm/xe/xe_guc_ct.c +@@ -106,7 +106,9 @@ static void g2h_fence_cancel(struct g2h_fence *g2h_fence) + { + g2h_fence->cancel = true; + g2h_fence->fail = true; +- g2h_fence->done = true; ++ ++ /* WRITE_ONCE pairs with READ_ONCEs in guc_ct_send_recv. */ ++ WRITE_ONCE(g2h_fence->done, true); + } + + static bool g2h_fence_needs_alloc(struct g2h_fence *g2h_fence) +@@ -1128,10 +1130,13 @@ static int guc_ct_send_recv(struct xe_guc_ct *ct, const u32 *action, u32 len, + return ret; + } + +- ret = wait_event_timeout(ct->g2h_fence_wq, g2h_fence.done, HZ); ++ /* READ_ONCEs pairs with WRITE_ONCEs in parse_g2h_response ++ * and g2h_fence_cancel. ++ */ ++ ret = wait_event_timeout(ct->g2h_fence_wq, READ_ONCE(g2h_fence.done), HZ); + if (!ret) { + LNL_FLUSH_WORK(&ct->g2h_worker); +- if (g2h_fence.done) { ++ if (READ_ONCE(g2h_fence.done)) { + xe_gt_warn(gt, "G2H fence %u, action %04x, done\n", + g2h_fence.seqno, action[0]); + ret = 1; +@@ -1375,7 +1380,8 @@ static int parse_g2h_response(struct xe_guc_ct *ct, u32 *msg, u32 len) + + g2h_release_space(ct, GUC_CTB_HXG_MSG_MAX_LEN); + +- g2h_fence->done = true; ++ /* WRITE_ONCE pairs with READ_ONCEs in guc_ct_send_recv. */ ++ WRITE_ONCE(g2h_fence->done, true); + smp_mb(); + + wake_up_all(&ct->g2h_fence_wq); +-- +2.51.0 + diff --git a/queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..d8294693ba --- /dev/null +++ b/queue-6.18/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From d348a62120dc8ec7563612376f1c35a95e94bd0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-6.18/genalloc.h-fix-htmldocs-warning.patch b/queue-6.18/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..e6ff8057a3 --- /dev/null +++ b/queue-6.18/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From 4542eca4e41c4602cc182e8ca51cdb395c24fcab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..fe42fae3e6 --- /dev/null +++ b/queue-6.18/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From 11c61e88afeb0b1286bd5b1012d499fdd4b255d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 50be0a60ae13..07d32f2586c8 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2234,6 +2234,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch b/queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch new file mode 100644 index 0000000000..667b1ae572 --- /dev/null +++ b/queue-6.18/i40e-validate-ring_len-parameter-against-hardware-sp.patch @@ -0,0 +1,100 @@ +From b71f7e003f7201edcc381f1a6e1af66f09c48b02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 22:06:43 +0100 +Subject: i40e: validate ring_len parameter against hardware-specific values + +From: Gregory Herrero + +[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ] + +The maximum number of descriptors supported by the hardware is +hardware-dependent and can be retrieved using +i40e_get_max_num_descriptors(). Move this function to a shared header +and use it when checking for valid ring_len parameter rather than using +hardcoded value. + +By fixing an over-acceptance issue, behavior change could be seen where +ring_len could now be rejected while configuring rx and tx queues if its +size is larger than the hardware-dependent maximum number of +descriptors. + +Fixes: 55d225670def ("i40e: add validation for ring_len param") +Signed-off-by: Gregory Herrero +Tested-by: Rafal Romanowski +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++ + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------ + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++-- + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h +index 801a57a925da..feec9e1e13b3 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1418,4 +1418,15 @@ static inline struct i40e_veb *i40e_pf_get_main_veb(struct i40e_pf *pf) + return (pf->lan_veb != I40E_NO_VEB) ? pf->veb[pf->lan_veb] : NULL; + } + ++static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf) ++{ ++ const struct i40e_hw *hw = &pf->hw; ++ ++ switch (hw->mac.type) { ++ case I40E_MAC_XL710: ++ return I40E_MAX_NUM_DESCRIPTORS_XL710; ++ default: ++ return I40E_MAX_NUM_DESCRIPTORS; ++ } ++} + #endif /* _I40E_H_ */ +diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +index 86c72596617a..61c39e881b00 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -2013,18 +2013,6 @@ static void i40e_get_drvinfo(struct net_device *netdev, + drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN; + } + +-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf) +-{ +- struct i40e_hw *hw = &pf->hw; +- +- switch (hw->mac.type) { +- case I40E_MAC_XL710: +- return I40E_MAX_NUM_DESCRIPTORS_XL710; +- default: +- return I40E_MAX_NUM_DESCRIPTORS; +- } +-} +- + static void i40e_get_ringparam(struct net_device *netdev, + struct ethtool_ringparam *ring, + struct kernel_ethtool_ringparam *kernel_ring, +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index 081a4526a2f0..cf831c649c9c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 8 */ + if (!IS_ALIGNED(info->ring_len, 8) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_context; + } +@@ -726,7 +726,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id, + + /* ring_len has to be multiple of 32 */ + if (!IS_ALIGNED(info->ring_len, 32) || +- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) { ++ info->ring_len > i40e_get_max_num_descriptors(pf)) { + ret = -EINVAL; + goto error_param; + } +-- +2.51.0 + diff --git a/queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..f7f89650d4 --- /dev/null +++ b/queue-6.18/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 5020f0e7ec8501924a1cec6b81f23932473368ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index c2fbe443ef85..4b0fc8f354bc 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1726,11 +1726,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch b/queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch new file mode 100644 index 0000000000..6fa4afc038 --- /dev/null +++ b/queue-6.18/ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch @@ -0,0 +1,41 @@ +From d6abe3e5c06dcac6cdf552fd89e07004784e47f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 17:41:12 +0800 +Subject: IB/rxe: Fix missing umem_odp->umem_mutex unlock on error path + +From: Li Zhijian + +[ Upstream commit 3c68cf68233e556e0102f45b69f7448908dc1f44 ] + +rxe_odp_map_range_and_lock() must release umem_odp->umem_mutex when an +error occurs, including cases where rxe_check_pagefault() fails. + +Fixes: 2fae67ab63db ("RDMA/rxe: Add support for Send/Recv/Write/Read with ODP") +Signed-off-by: Li Zhijian +Link: https://patch.msgid.link/20251226094112.3042583-1-lizhijian@fujitsu.com +Reviewed-by: Zhu Yanjun +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_odp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_odp.c b/drivers/infiniband/sw/rxe/rxe_odp.c +index f58e3ec6252f..4d4e3b324dd2 100644 +--- a/drivers/infiniband/sw/rxe/rxe_odp.c ++++ b/drivers/infiniband/sw/rxe/rxe_odp.c +@@ -179,8 +179,10 @@ static int rxe_odp_map_range_and_lock(struct rxe_mr *mr, u64 iova, int length, u + return err; + + need_fault = rxe_check_pagefault(umem_odp, iova, length); +- if (need_fault) ++ if (need_fault) { ++ mutex_unlock(&umem_odp->umem_mutex); + return -EFAULT; ++ } + } + + return 0; +-- +2.51.0 + diff --git a/queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch b/queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch new file mode 100644 index 0000000000..e0f85129ea --- /dev/null +++ b/queue-6.18/idpf-fix-lan-memory-regions-command-on-some-nvms.patch @@ -0,0 +1,50 @@ +From 88bd28f9bdab3723b57887dc9c98353047ea0b31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Oct 2025 13:46:22 +0200 +Subject: idpf: fix LAN memory regions command on some NVMs + +From: Larysa Zaremba + +[ Upstream commit 4af1f9a47291f7d446398065e0d6eb4943f7e184 ] + +IPU SDK versions 1.9 through 2.0.5 require send buffer to contain a single +empty memory region. Set number of regions to 1 and use appropriate send +buffer size to satisfy this requirement. + +Fixes: 6aa53e861c1a ("idpf: implement get LAN MMIO memory regions") +Suggested-by: Michal Swiatkowski +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Larysa Zaremba +Tested-by: Krishneil Singh +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +index cbb5fa30f5a0..fc03d55bc9b9 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +@@ -1016,6 +1016,9 @@ static int idpf_send_get_lan_memory_regions(struct idpf_adapter *adapter) + struct idpf_vc_xn_params xn_params = { + .vc_op = VIRTCHNL2_OP_GET_LAN_MEMORY_REGIONS, + .recv_buf.iov_len = IDPF_CTLQ_MAX_BUF_LEN, ++ .send_buf.iov_len = ++ sizeof(struct virtchnl2_get_lan_memory_regions) + ++ sizeof(struct virtchnl2_mem_region), + .timeout_ms = IDPF_VC_XN_DEFAULT_TIMEOUT_MSEC, + }; + int num_regions, size; +@@ -1028,6 +1031,8 @@ static int idpf_send_get_lan_memory_regions(struct idpf_adapter *adapter) + return -ENOMEM; + + xn_params.recv_buf.iov_base = rcvd_regions; ++ rcvd_regions->num_memory_regions = cpu_to_le16(1); ++ xn_params.send_buf.iov_base = rcvd_regions; + reply_sz = idpf_vc_xn_exec(adapter, &xn_params); + if (reply_sz < 0) + return reply_sz; +-- +2.51.0 + diff --git a/queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch b/queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch new file mode 100644 index 0000000000..d8a9f08f8c --- /dev/null +++ b/queue-6.18/idpf-reduce-mbx_task-schedule-delay-to-300us.patch @@ -0,0 +1,57 @@ +From 2004766d0aa6e97c338473a60abb42e08e08159c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Nov 2025 20:58:37 +0000 +Subject: idpf: reduce mbx_task schedule delay to 300us + +From: Brian Vazquez + +[ Upstream commit b3d6bbae1d6d5638a4ab702ab195476787cde857 ] + +During the IDPF init phase, the mailbox runs in poll mode until it is +configured to properly handle interrupts. The previous delay of 300ms is +excessively long for the mailbox polling mechanism, which causes a slow +initialization of ~2s: + +echo 0000:06:12.4 > /sys/bus/pci/drivers/idpf/bind + +[ 52.444239] idpf 0000:06:12.4: enabling device (0000 -> 0002) +[ 52.485005] idpf 0000:06:12.4: Device HW Reset initiated +[ 54.177181] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP +[ 54.206177] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default +[ 54.206182] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default + +Changing the delay to 300us avoids the delays during the initial mailbox +transactions, making the init phase much faster: + +[ 83.342590] idpf 0000:06:12.4: enabling device (0000 -> 0002) +[ 83.384402] idpf 0000:06:12.4: Device HW Reset initiated +[ 83.518323] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP +[ 83.547430] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default +[ 83.547435] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default + +Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request") +Signed-off-by: Brian Vazquez +Reviewed-by: Aleksandr Loktionov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c +index 8a941f0fb048..aaafe40f5eaf 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c +@@ -1271,7 +1271,7 @@ void idpf_mbx_task(struct work_struct *work) + idpf_mb_irq_enable(adapter); + else + queue_delayed_work(adapter->mbx_wq, &adapter->mbx_task, +- msecs_to_jiffies(300)); ++ usecs_to_jiffies(300)); + + idpf_recv_mb_msg(adapter); + } +-- +2.51.0 + diff --git a/queue-6.18/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.18/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..5b3e248fad --- /dev/null +++ b/queue-6.18/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From 018fae30571975a5c4b132155c1749e03e709911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index c82a75510c0e..8bc3f05f594e 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1366,9 +1366,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..21635058de --- /dev/null +++ b/queue-6.18/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From 56ecf88ab5ae8c037fb6fe4561549ccf8c66eaf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index 59a6f0a9638f..7e2c17fec3fc 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2053,10 +2053,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..c252e373d4 --- /dev/null +++ b/queue-6.18/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From 6e72dfcf52f3fb4d21b0ef67308c8de5b896fc2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index df1986973430..21f6ed126253 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch b/queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch new file mode 100644 index 0000000000..0b108ec8db --- /dev/null +++ b/queue-6.18/ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch @@ -0,0 +1,64 @@ +From 98f161be8e8989b929106983e7efb77748c49c5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 13:14:12 +0800 +Subject: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT + +From: Jiayuan Chen + +[ Upstream commit 1adaea51c61b52e24e7ab38f7d3eba023b2d050d ] + +On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the +current task can be preempted. Another task running on the same CPU +may then execute rt6_make_pcpu_route() and successfully install a +pcpu_rt entry. When the first task resumes execution, its cmpxchg() +in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer +NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding +mdelay() after rt6_get_pcpu_route(). + +Using preempt_disable/enable is not appropriate here because +ip6_rt_pcpu_alloc() may sleep. + +Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT: +free our allocation and return the existing pcpu_rt installed by +another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT +kernels where such races should not occur. + +Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6 +Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.") +Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/ +Signed-off-by: Jiayuan Chen +Link: https://patch.msgid.link/20251223051413.124687-1-jiayuan.chen@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index aee6a10b112a..a3e051dc66ee 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1470,7 +1470,18 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net, + + p = this_cpu_ptr(res->nh->rt6i_pcpu); + prev = cmpxchg(p, NULL, pcpu_rt); +- BUG_ON(prev); ++ if (unlikely(prev)) { ++ /* ++ * Another task on this CPU already installed a pcpu_rt. ++ * This can happen on PREEMPT_RT where preemption is possible. ++ * Free our allocation and return the existing one. ++ */ ++ WARN_ON_ONCE(!IS_ENABLED(CONFIG_PREEMPT_RT)); ++ ++ dst_dev_put(&pcpu_rt->dst); ++ dst_release(&pcpu_rt->dst); ++ return prev; ++ } + + if (res->f6i->fib6_destroying) { + struct fib6_info *from; +-- +2.51.0 + diff --git a/queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch b/queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch new file mode 100644 index 0000000000..936c9c15f2 --- /dev/null +++ b/queue-6.18/kbuild-fix-compilation-of-dtb-specified-on-command-l.patch @@ -0,0 +1,89 @@ +From b0a00c7d2e89c9a80574fdcb9660abae2929e459 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Nov 2025 11:00:16 +0100 +Subject: kbuild: fix compilation of dtb specified on command-line without make + rule + +From: Thomas De Schampheleire + +[ Upstream commit b08fc4d0ec2466558f6d5511434efdfabbddf2a6 ] + +Since commit e7e2941300d2 ("kbuild: split device tree build rules into +scripts/Makefile.dtbs"), it is no longer possible to compile a device tree +blob that is not specified in a make rule +like: + dtb-$(CONFIG_FOO) += foo.dtb + +Before the mentioned commit, one could copy a dts file to e.g. +arch/arm64/boot/dts/ (or a new subdirectory) and then convert it to a dtb +file using: + make ARCH=arm64 foo.dtb + +In this scenario, both 'dtb-y' and 'dtb-' are empty, and the inclusion of +scripts/Makefile.dtbs relies on 'targets' to contain the MAKECMDGOALS. The +value of 'targets', however, is only final later in the code. + +Move the conditional include of scripts/Makefile.dtbs down to where the +value of 'targets' is final. Since Makefile.dtbs updates 'always-y' which is +used as a prerequisite in the build rule, the build rule also needs to move +down. + +Fixes: e7e2941300d2 ("kbuild: split device tree build rules into scripts/Makefile.dtbs") +Signed-off-by: Thomas De Schampheleire +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Acked-by: Rob Herring (Arm) +Link: https://patch.msgid.link/20251126100017.1162330-1-thomas.de_schampheleire@nokia.com +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/Makefile.build | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/scripts/Makefile.build b/scripts/Makefile.build +index 52c08c4eb0b9..5037f4715d74 100644 +--- a/scripts/Makefile.build ++++ b/scripts/Makefile.build +@@ -527,18 +527,6 @@ ifneq ($(userprogs),) + include $(srctree)/scripts/Makefile.userprogs + endif + +-ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),) +-include $(srctree)/scripts/Makefile.dtbs +-endif +- +-# Build +-# --------------------------------------------------------------------------- +- +-$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \ +- $(if $(KBUILD_MODULES), $(targets-for-modules)) \ +- $(subdir-ym) $(always-y) +- @: +- + # Single targets + # --------------------------------------------------------------------------- + +@@ -568,6 +556,20 @@ FORCE: + targets += $(filter-out $(single-subdir-goals), $(MAKECMDGOALS)) + targets := $(filter-out $(PHONY), $(targets)) + ++# Now that targets is fully known, include dtb rules if needed ++ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),) ++include $(srctree)/scripts/Makefile.dtbs ++endif ++ ++# Build ++# Needs to be after the include of Makefile.dtbs, which updates always-y ++# --------------------------------------------------------------------------- ++ ++$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \ ++ $(if $(KBUILD_MODULES), $(targets-for-modules)) \ ++ $(subdir-ym) $(always-y) ++ @: ++ + # Read all saved command lines and dependencies for the $(targets) we + # may be building above, using $(if_changed{,_dep}). As an + # optimization, we don't need to read them if the target does not +-- +2.51.0 + diff --git a/queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch new file mode 100644 index 0000000000..e7ec2006f0 --- /dev/null +++ b/queue-6.18/ksmbd-fix-memory-leak-in-get_file_all_info.patch @@ -0,0 +1,43 @@ +From 1fc7a3c2308e6e45f2b397682fd125a04882d80d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:20:16 +0000 +Subject: ksmbd: Fix memory leak in get_file_all_info() + +From: Zilin Guan + +[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ] + +In get_file_all_info(), if vfs_getattr() fails, the function returns +immediately without freeing the allocated filename, leading to a memory +leak. + +Fix this by freeing the filename before returning in this error case. + +Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr") +Signed-off-by: Zilin Guan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 6a94cda0927d..2b59c282cda5 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4933,8 +4933,10 @@ static int get_file_all_info(struct ksmbd_work *work, + + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); +- if (ret) ++ if (ret) { ++ kfree(filename); + return ret; ++ } + + ksmbd_debug(SMB, "filename = %s\n", filename); + delete_pending = ksmbd_inode_pending_delete(fp); +-- +2.51.0 + diff --git a/queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch b/queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch new file mode 100644 index 0000000000..449d7a80fd --- /dev/null +++ b/queue-6.18/kunit-enforce-task-execution-in-soft-hard-irq-contex.patch @@ -0,0 +1,163 @@ +From 74953336f59a7fbcbb06134843a49a795088d6ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:52:58 +0800 +Subject: kunit: Enforce task execution in {soft,hard}irq contexts + +From: David Gow + +[ Upstream commit c31f4aa8fed048fa70e742c4bb49bb48dc489ab3 ] + +The kunit_run_irq_test() helper allows a function to be run in hardirq +and softirq contexts (in addition to the task context). It does this by +running the user-provided function concurrently in the three contexts, +until either a timeout has expired or a number of iterations have +completed in the normal task context. + +However, on setups where the initialisation of the hardirq and softirq +contexts (or, indeed, the scheduling of those tasks) is significantly +slower than the function execution, it's possible for that number of +iterations to be exceeded before any runs in irq contexts actually +occur. This occurs with the polyval.test_polyval_preparekey_in_irqs +test, which runs 20000 iterations of the relatively fast preparekey +function, and therefore fails often under many UML, 32-bit arm, m68k and +other environments. + +Instead, ensure that the max_iterations limit counts executions in all +three contexts, and requires at least one of each. This will cause the +test to continue iterating until at least the irq contexts have been +tested, or the 1s wall-clock limit has been exceeded. This causes the +test to pass in all of my environments. + +In so doing, we also update the task counters to atomic ints, to better +match both the 'int' max_iterations input, and to ensure they are +correctly updated across contexts. + +Finally, we also fix a few potential assertion messages to be +less-specific to the original crypto usecases. + +Fixes: 950a81224e8b ("lib/crypto: tests: Add hash-test-template.h and gen-hash-testvecs.py") +Signed-off-by: David Gow +Link: https://lore.kernel.org/r/20251219085259.1163048-1-davidgow@google.com +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + include/kunit/run-in-irq-context.h | 53 +++++++++++++++++++----------- + 1 file changed, 33 insertions(+), 20 deletions(-) + +diff --git a/include/kunit/run-in-irq-context.h b/include/kunit/run-in-irq-context.h +index 108e96433ea4..c89b1b1b12dd 100644 +--- a/include/kunit/run-in-irq-context.h ++++ b/include/kunit/run-in-irq-context.h +@@ -20,8 +20,8 @@ struct kunit_irq_test_state { + bool task_func_reported_failure; + bool hardirq_func_reported_failure; + bool softirq_func_reported_failure; +- unsigned long hardirq_func_calls; +- unsigned long softirq_func_calls; ++ atomic_t hardirq_func_calls; ++ atomic_t softirq_func_calls; + struct hrtimer timer; + struct work_struct bh_work; + }; +@@ -32,7 +32,7 @@ static enum hrtimer_restart kunit_irq_test_timer_func(struct hrtimer *timer) + container_of(timer, typeof(*state), timer); + + WARN_ON_ONCE(!in_hardirq()); +- state->hardirq_func_calls++; ++ atomic_inc(&state->hardirq_func_calls); + + if (!state->func(state->test_specific_state)) + state->hardirq_func_reported_failure = true; +@@ -48,7 +48,7 @@ static void kunit_irq_test_bh_work_func(struct work_struct *work) + container_of(work, typeof(*state), bh_work); + + WARN_ON_ONCE(!in_serving_softirq()); +- state->softirq_func_calls++; ++ atomic_inc(&state->softirq_func_calls); + + if (!state->func(state->test_specific_state)) + state->softirq_func_reported_failure = true; +@@ -59,7 +59,10 @@ static void kunit_irq_test_bh_work_func(struct work_struct *work) + * hardirq context concurrently, and reports a failure to KUnit if any + * invocation of @func in any context returns false. @func is passed + * @test_specific_state as its argument. At most 3 invocations of @func will +- * run concurrently: one in each of task, softirq, and hardirq context. ++ * run concurrently: one in each of task, softirq, and hardirq context. @func ++ * will continue running until either @max_iterations calls have been made (so ++ * long as at least one each runs in task, softirq, and hardirq contexts), or ++ * one second has passed. + * + * The main purpose of this interrupt context testing is to validate fallback + * code paths that run in contexts where the normal code path cannot be used, +@@ -85,6 +88,8 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *), + .test_specific_state = test_specific_state, + }; + unsigned long end_jiffies; ++ int hardirq_calls, softirq_calls; ++ bool allctx = false; + + /* + * Set up a hrtimer (the way we access hardirq context) and a work +@@ -94,14 +99,25 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *), + CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD); + INIT_WORK_ONSTACK(&state.bh_work, kunit_irq_test_bh_work_func); + +- /* Run for up to max_iterations or 1 second, whichever comes first. */ ++ /* ++ * Run for up to max_iterations (including at least one task, softirq, ++ * and hardirq), or 1 second, whichever comes first. ++ */ + end_jiffies = jiffies + HZ; + hrtimer_start(&state.timer, KUNIT_IRQ_TEST_HRTIMER_INTERVAL, + HRTIMER_MODE_REL_HARD); +- for (int i = 0; i < max_iterations && !time_after(jiffies, end_jiffies); +- i++) { ++ for (int task_calls = 0, calls = 0; ++ ((calls < max_iterations) || !allctx) && ++ !time_after(jiffies, end_jiffies); ++ task_calls++) { + if (!func(test_specific_state)) + state.task_func_reported_failure = true; ++ ++ hardirq_calls = atomic_read(&state.hardirq_func_calls); ++ softirq_calls = atomic_read(&state.softirq_func_calls); ++ calls = task_calls + hardirq_calls + softirq_calls; ++ allctx = (task_calls > 0) && (hardirq_calls > 0) && ++ (softirq_calls > 0); + } + + /* Cancel the timer and work. */ +@@ -109,21 +125,18 @@ static inline void kunit_run_irq_test(struct kunit *test, bool (*func)(void *), + flush_work(&state.bh_work); + + /* Sanity check: the timer and BH functions should have been run. */ +- KUNIT_EXPECT_GT_MSG(test, state.hardirq_func_calls, 0, ++ KUNIT_EXPECT_GT_MSG(test, atomic_read(&state.hardirq_func_calls), 0, + "Timer function was not called"); +- KUNIT_EXPECT_GT_MSG(test, state.softirq_func_calls, 0, ++ KUNIT_EXPECT_GT_MSG(test, atomic_read(&state.softirq_func_calls), 0, + "BH work function was not called"); + +- /* Check for incorrect hash values reported from any context. */ +- KUNIT_EXPECT_FALSE_MSG( +- test, state.task_func_reported_failure, +- "Incorrect hash values reported from task context"); +- KUNIT_EXPECT_FALSE_MSG( +- test, state.hardirq_func_reported_failure, +- "Incorrect hash values reported from hardirq context"); +- KUNIT_EXPECT_FALSE_MSG( +- test, state.softirq_func_reported_failure, +- "Incorrect hash values reported from softirq context"); ++ /* Check for failure reported from any context. */ ++ KUNIT_EXPECT_FALSE_MSG(test, state.task_func_reported_failure, ++ "Failure reported from task context"); ++ KUNIT_EXPECT_FALSE_MSG(test, state.hardirq_func_reported_failure, ++ "Failure reported from hardirq context"); ++ KUNIT_EXPECT_FALSE_MSG(test, state.softirq_func_reported_failure, ++ "Failure reported from softirq context"); + } + + #endif /* _KUNIT_RUN_IN_IRQ_CONTEXT_H */ +-- +2.51.0 + diff --git a/queue-6.18/mcb-add-missing-modpost-build-support.patch b/queue-6.18/mcb-add-missing-modpost-build-support.patch new file mode 100644 index 0000000000..dcd6e1ba53 --- /dev/null +++ b/queue-6.18/mcb-add-missing-modpost-build-support.patch @@ -0,0 +1,73 @@ +From b809b678a677148f72ce7ef18f404526311d8cfb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Dec 2025 09:42:00 +0100 +Subject: mcb: Add missing modpost build support + +From: Jose Javier Rodriguez Barbarin + +[ Upstream commit 1f4ea4838b13c3b2278436a8dcb148e3c23f4b64 ] + +mcb bus is not prepared to autoload client drivers with the data defined on +the drivers' MODULE_DEVICE_TABLE. modpost cannot access to mcb_table_id +inside MODULE_DEVICE_TABLE so the data declared inside is ignored. + +Add modpost build support for accessing to the mcb_table_id coded on device +drivers' MODULE_DEVICE_TABLE. + +Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") +Reviewed-by: Jorge Sanjuan Garcia +Signed-off-by: Jose Javier Rodriguez Barbarin +Acked-by: Nathan Chancellor +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20251202084200.10410-1-dev-josejavier.rodriguez@duagon.com +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/mod/devicetable-offsets.c | 3 +++ + scripts/mod/file2alias.c | 9 +++++++++ + 2 files changed, 12 insertions(+) + +diff --git a/scripts/mod/devicetable-offsets.c b/scripts/mod/devicetable-offsets.c +index d3d00e85edf7..0470ba7c796d 100644 +--- a/scripts/mod/devicetable-offsets.c ++++ b/scripts/mod/devicetable-offsets.c +@@ -198,6 +198,9 @@ int main(void) + DEVID(cpu_feature); + DEVID_FIELD(cpu_feature, feature); + ++ DEVID(mcb_device_id); ++ DEVID_FIELD(mcb_device_id, device); ++ + DEVID(mei_cl_device_id); + DEVID_FIELD(mei_cl_device_id, name); + DEVID_FIELD(mei_cl_device_id, uuid); +diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c +index b3333560b95e..4e99393a35f1 100644 +--- a/scripts/mod/file2alias.c ++++ b/scripts/mod/file2alias.c +@@ -1110,6 +1110,14 @@ static void do_cpu_entry(struct module *mod, void *symval) + module_alias_printf(mod, false, "cpu:type:*:feature:*%04X*", feature); + } + ++/* Looks like: mcb:16zN */ ++static void do_mcb_entry(struct module *mod, void *symval) ++{ ++ DEF_FIELD(symval, mcb_device_id, device); ++ ++ module_alias_printf(mod, false, "mcb:16z%03d", device); ++} ++ + /* Looks like: mei:S:uuid:N:* */ + static void do_mei_entry(struct module *mod, void *symval) + { +@@ -1444,6 +1452,7 @@ static const struct devtable devtable[] = { + {"mipscdmm", SIZE_mips_cdmm_device_id, do_mips_cdmm_entry}, + {"x86cpu", SIZE_x86_cpu_id, do_x86cpu_entry}, + {"cpu", SIZE_cpu_feature, do_cpu_entry}, ++ {"mcb", SIZE_mcb_device_id, do_mcb_entry}, + {"mei", SIZE_mei_cl_device_id, do_mei_entry}, + {"rapidio", SIZE_rio_device_id, do_rio_entry}, + {"ulpi", SIZE_ulpi_device_id, do_ulpi_entry}, +-- +2.51.0 + diff --git a/queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch b/queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch new file mode 100644 index 0000000000..54eab5fc50 --- /dev/null +++ b/queue-6.18/md-fix-static-checker-warning-in-analyze_sbs.patch @@ -0,0 +1,53 @@ +From f6849f97240b04d09d2b5e9d6655b38cf8103a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 20:44:12 +0800 +Subject: md: Fix static checker warning in analyze_sbs + +From: Li Nan + +[ Upstream commit 00f6c1b4d15d35fadb7f34768a1831c81aaa8936 ] + +The following warn is reported: + + drivers/md/md.c:3912 analyze_sbs() + warn: iterator 'i' not incremented + +Fixes: d8730f0cf4ef ("md: Remove deprecated CONFIG_MD_MULTIPATH") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/linux-raid/7e2e95ce-3740-09d8-a561-af6bfb767f18@huaweicloud.com/T/#t +Signed-off-by: Li Nan +Link: https://lore.kernel.org/linux-raid/20251215124412.4015572-1-linan666@huaweicloud.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index cef5b2954ac5..7b1365143f58 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -3874,7 +3874,6 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe + + static int analyze_sbs(struct mddev *mddev) + { +- int i; + struct md_rdev *rdev, *freshest, *tmp; + + freshest = NULL; +@@ -3901,11 +3900,9 @@ static int analyze_sbs(struct mddev *mddev) + super_types[mddev->major_version]. + validate_super(mddev, NULL/*freshest*/, freshest); + +- i = 0; + rdev_for_each_safe(rdev, tmp, mddev) { + if (mddev->max_disks && +- (rdev->desc_nr >= mddev->max_disks || +- i > mddev->max_disks)) { ++ rdev->desc_nr >= mddev->max_disks) { + pr_warn("md: %s: %pg: only %d devices permitted\n", + mdname(mddev), rdev->bdev, + mddev->max_disks); +-- +2.51.0 + diff --git a/queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch b/queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch new file mode 100644 index 0000000000..46febc2f9c --- /dev/null +++ b/queue-6.18/md-raid5-fix-possible-null-pointer-dereferences-in-r.patch @@ -0,0 +1,68 @@ +From a5fb0f1f78f879c39351d598a2a0851b3228a024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 21:03:26 +0800 +Subject: md/raid5: fix possible null-pointer dereferences in + raid5_store_group_thread_cnt() + +From: Tuo Li + +[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ] + +The variable mddev->private is first assigned to conf and then checked: + + conf = mddev->private; + if (!conf) ... + +If conf is NULL, then mddev->private is also NULL. In this case, +null-pointer dereferences can occur when calling raid5_quiesce(): + + raid5_quiesce(mddev, true); + raid5_quiesce(mddev, false); + +since mddev->private is assigned to conf again in raid5_quiesce(), and conf +is dereferenced in several places, for example: + + conf->quiesce = 0; + wake_up(&conf->wait_for_quiescent); + +To fix this issue, the function should unlock mddev and return before +invoking raid5_quiesce() when conf is NULL, following the existing pattern +in raid5_change_consistency_policy(). + +Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt") +Signed-off-by: Tuo Li +Reviewed-by: Xiao Ni +Reviewed-by: Paul Menzel +Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com +Signed-off-by: Yu Kuai +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 8b5f8a12d417..41de29206402 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -7187,12 +7187,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len) + err = mddev_suspend_and_lock(mddev); + if (err) + return err; ++ conf = mddev->private; ++ if (!conf) { ++ mddev_unlock_and_resume(mddev); ++ return -ENODEV; ++ } + raid5_quiesce(mddev, true); + +- conf = mddev->private; +- if (!conf) +- err = -ENODEV; +- else if (new != conf->worker_cnt_per_group) { ++ if (new != conf->worker_cnt_per_group) { + old_groups = conf->worker_groups; + if (old_groups) + flush_workqueue(raid5_wq); +-- +2.51.0 + diff --git a/queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch b/queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch new file mode 100644 index 0000000000..db242a5a2c --- /dev/null +++ b/queue-6.18/net-airoha-move-net_devs-registration-in-a-dedicated.patch @@ -0,0 +1,98 @@ +From 099c6e980e2fdaf084683213533dfcef48dcaf79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Dec 2025 10:30:07 +0100 +Subject: net: airoha: Move net_devs registration in a dedicated routine + +From: Lorenzo Bianconi + +[ Upstream commit 5e7365b5a1ac8f517a7a84442289d7de242deb76 ] + +Since airoha_probe() is not executed under rtnl lock, there is small race +where a given device is configured by user-space while the remaining ones +are not completely loaded from the dts yet. This condition will allow a +hw device misconfiguration since there are some conditions (e.g. GDM2 check +in airoha_dev_init()) that require all device are properly loaded from the +device tree. Fix the issue moving net_devices registration at the end of +the airoha_probe routine. + +Fixes: 9cd451d414f6e ("net: airoha: Add loopback support for GDM2") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251214-airoha-fix-dev-registration-v1-1-860e027ad4c6@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/airoha/airoha_eth.c | 39 ++++++++++++++++-------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c +index 433a646e9831..0394ba6a90a9 100644 +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -2900,19 +2900,26 @@ static int airoha_alloc_gdm_port(struct airoha_eth *eth, + port->id = id; + eth->ports[p] = port; + +- err = airoha_metadata_dst_alloc(port); +- if (err) +- return err; ++ return airoha_metadata_dst_alloc(port); ++} + +- err = register_netdev(dev); +- if (err) +- goto free_metadata_dst; ++static int airoha_register_gdm_devices(struct airoha_eth *eth) ++{ ++ int i; + +- return 0; ++ for (i = 0; i < ARRAY_SIZE(eth->ports); i++) { ++ struct airoha_gdm_port *port = eth->ports[i]; ++ int err; + +-free_metadata_dst: +- airoha_metadata_dst_free(port); +- return err; ++ if (!port) ++ continue; ++ ++ err = register_netdev(port->dev); ++ if (err) ++ return err; ++ } ++ ++ return 0; + } + + static int airoha_probe(struct platform_device *pdev) +@@ -2993,6 +3000,10 @@ static int airoha_probe(struct platform_device *pdev) + } + } + ++ err = airoha_register_gdm_devices(eth); ++ if (err) ++ goto error_napi_stop; ++ + return 0; + + error_napi_stop: +@@ -3006,10 +3017,12 @@ static int airoha_probe(struct platform_device *pdev) + for (i = 0; i < ARRAY_SIZE(eth->ports); i++) { + struct airoha_gdm_port *port = eth->ports[i]; + +- if (port && port->dev->reg_state == NETREG_REGISTERED) { ++ if (!port) ++ continue; ++ ++ if (port->dev->reg_state == NETREG_REGISTERED) + unregister_netdev(port->dev); +- airoha_metadata_dst_free(port); +- } ++ airoha_metadata_dst_free(port); + } + free_netdev(eth->napi_dev); + platform_set_drvdata(pdev, NULL); +-- +2.51.0 + diff --git a/queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..3777ae9046 --- /dev/null +++ b/queue-6.18/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From 3c99d05166484bcccc0710afa6d9122e8c7725c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 7280c4e9305f..b9b2981c4841 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -247,6 +247,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..a632cfcebf --- /dev/null +++ b/queue-6.18/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From fc5fda716f0474924b8e2d26972c63be12bd7ee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 62cafced758e..7d6ec2eb7c75 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -2155,6 +2155,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch b/queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch new file mode 100644 index 0000000000..53f8d3e7b1 --- /dev/null +++ b/queue-6.18/net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch @@ -0,0 +1,102 @@ +From 48ff9e70107cf8ecbbd9b96f794e1af14c370eb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 17:02:36 +0200 +Subject: net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() + +From: Vladimir Oltean + +[ Upstream commit a9f96dc59b4a50ffbf86158f315e115969172d48 ] + +of_find_net_device_by_node() searches net devices by their /sys/class/net/, +entry. It is documented in its kernel-doc that: + + * If successful, returns a pointer to the net_device with the embedded + * struct device refcount incremented by one, or NULL on failure. The + * refcount must be dropped when done with the net_device. + +We are missing a put_device(&conduit->dev) which we could place at the +end of dsa_tree_find_first_conduit(). But to explain why calling +put_device() right away is safe is the same as to explain why the chosen +solution is different. + +The code is very poorly split: dsa_tree_find_first_conduit() was first +introduced in commit 95f510d0b792 ("net: dsa: allow the DSA master to be +seen and changed through rtnetlink") but was first used several commits +later, in commit acc43b7bf52a ("net: dsa: allow masters to join a LAG"). + +Assume there is a switch with 2 CPU ports and 2 conduits, eno2 and eno3. +When we create a LAG (bonding or team device) and place eno2 and eno3 +beneath it, we create a 3rd conduit (the LAG device itself), but this is +slightly different than the first two. + +Namely, the cpu_dp->conduit pointer of the CPU ports does not change, +and remains pointing towards the physical Ethernet controllers which are +now LAG ports. Only 2 things change: +- the LAG device has a dev->dsa_ptr which marks it as a DSA conduit +- dsa_port_to_conduit(user port) finds the LAG and not the physical + conduit, because of the dp->cpu_port_in_lag bit being set. + +When the LAG device is destroyed, dsa_tree_migrate_ports_from_lag_conduit() +is called and this is where dsa_tree_find_first_conduit() kicks in. + +This is the logical mistake and the reason why introducing code in one +patch and using it from another is bad practice. I didn't realize that I +don't have to call of_find_net_device_by_node() again; the cpu_dp->conduit +association was never undone, and is still available for direct (re)use. +There's only one concern - maybe the conduit disappeared in the +meantime, but the netdev_hold() call we made during dsa_port_parse_cpu() +(see previous change) ensures that this was not the case. + +Therefore, fixing the code means reimplementing it in the simplest way. + +I am blaming the time of use, since this is what "git blame" would show +if we were to monitor for the conduit's kobject's refcount remaining +elevated instead of being freed. + +Tested on the NXP LS1028A, using the steps from +Documentation/networking/dsa/configuration.rst section "Affinity of user +ports to CPU ports", followed by (extra prints added by me): + +$ ip link del bond0 +mscc_felix 0000:00:00.5 swp3: Link is Down +bond0 (unregistering): (slave eno2): Releasing backup interface +fsl_enetc 0000:00:00.2 eno2: Link is Down +mscc_felix 0000:00:00.5 swp0: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp1: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp2: bond0 disappeared, migrating to eno2 +mscc_felix 0000:00:00.5 swp3: bond0 disappeared, migrating to eno2 + +Fixes: acc43b7bf52a ("net: dsa: allow masters to join a LAG") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20251215150236.3931670-2-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index d466d0234087..ded9a291e620 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -366,16 +366,10 @@ static struct dsa_port *dsa_tree_find_first_cpu(struct dsa_switch_tree *dst) + + struct net_device *dsa_tree_find_first_conduit(struct dsa_switch_tree *dst) + { +- struct device_node *ethernet; +- struct net_device *conduit; + struct dsa_port *cpu_dp; + + cpu_dp = dsa_tree_find_first_cpu(dst); +- ethernet = of_parse_phandle(cpu_dp->dn, "ethernet", 0); +- conduit = of_find_net_device_by_node(ethernet); +- of_node_put(ethernet); +- +- return conduit; ++ return cpu_dp->conduit; + } + + /* Assign the default CPU port (the first one in the tree) to all ports of the +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch b/queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch new file mode 100644 index 0000000000..89386a4bbc --- /dev/null +++ b/queue-6.18/net-dsa-properly-keep-track-of-conduit-reference.patch @@ -0,0 +1,295 @@ +From 14cfe3444719fde80e2aab3cf1c6a7f98adafcaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 17:02:35 +0200 +Subject: net: dsa: properly keep track of conduit reference + +From: Vladimir Oltean + +[ Upstream commit 06e219f6a706c367c93051f408ac61417643d2f9 ] + +Problem description +------------------- + +DSA has a mumbo-jumbo of reference handling of the conduit net device +and its kobject which, sadly, is just wrong and doesn't make sense. + +There are two distinct problems. + +1. The OF path, which uses of_find_net_device_by_node(), never releases + the elevated refcount on the conduit's kobject. Nominally, the OF and + non-OF paths should result in objects having identical reference + counts taken, and it is already suspicious that + dsa_dev_to_net_device() has a put_device() call which is missing in + dsa_port_parse_of(), but we can actually even verify that an issue + exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command + "before" and "after" applying this patch: + +(unbind the conduit driver for net device eno2) +echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind + +we see these lines in the output diff which appear only with the patch +applied: + +kobject: 'eno2' (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) +kobject: '109' (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) + +2. After we find the conduit interface one way (OF) or another (non-OF), + it can get unregistered at any time, and DSA remains with a long-lived, + but in this case stale, cpu_dp->conduit pointer. Holding the net + device's underlying kobject isn't actually of much help, it just + prevents it from being freed (but we never need that kobject + directly). What helps us to prevent the net device from being + unregistered is the parallel netdev reference mechanism (dev_hold() + and dev_put()). + +Actually we actually use that netdev tracker mechanism implicitly on +user ports since commit 2f1e8ea726e9 ("net: dsa: link interfaces with +the DSA master to get rid of lockdep warnings"), via netdev_upper_dev_link(). +But time still passes at DSA switch probe time between the initial +of_find_net_device_by_node() code and the user port creation time, time +during which the conduit could unregister itself and DSA wouldn't know +about it. + +So we have to run of_find_net_device_by_node() under rtnl_lock() to +prevent that from happening, and release the lock only with the netdev +tracker having acquired the reference. + +Do we need to keep the reference until dsa_unregister_switch() / +dsa_switch_shutdown()? +1: Maybe yes. A switch device will still be registered even if all user + ports failed to probe, see commit 86f8b1c01a0a ("net: dsa: Do not + make user port errors fatal"), and the cpu_dp->conduit pointers + remain valid. I haven't audited all call paths to see whether they + will actually use the conduit in lack of any user port, but if they + do, it seems safer to not rely on user ports for that reference. +2. Definitely yes. We support changing the conduit which a user port is + associated to, and we can get into a situation where we've moved all + user ports away from a conduit, thus no longer hold any reference to + it via the net device tracker. But we shouldn't let it go nonetheless + - see the next change in relation to dsa_tree_find_first_conduit() + and LAG conduits which disappear. + We have to be prepared to return to the physical conduit, so the CPU + port must explicitly keep another reference to it. This is also to + say: the user ports and their CPU ports may not always keep a + reference to the same conduit net device, and both are needed. + +As for the conduit's kobject for the /sys/class/net/ entry, we don't +care about it, we can release it as soon as we hold the net device +object itself. + +History and blame attribution +----------------------------- + +The code has been refactored so many times, it is very difficult to +follow and properly attribute a blame, but I'll try to make a short +history which I hope to be correct. + +We have two distinct probing paths: +- one for OF, introduced in 2016 in commit 83c0afaec7b7 ("net: dsa: Add + new binding implementation") +- one for non-OF, introduced in 2017 in commit 71e0bbde0d88 ("net: dsa: + Add support for platform data") + +These are both complete rewrites of the original probing paths (which +used struct dsa_switch_driver and other weird stuff, instead of regular +devices on their respective buses for register access, like MDIO, SPI, +I2C etc): +- one for OF, introduced in 2013 in commit 5e95329b701c ("dsa: add + device tree bindings to register DSA switches") +- one for non-OF, introduced in 2008 in commit 91da11f870f0 ("net: + Distributed Switch Architecture protocol support") + +except for tiny bits and pieces like dsa_dev_to_net_device() which were +seemingly carried over since the original commit, and used to this day. + +The point is that the original probing paths received a fix in 2015 in +the form of commit 679fb46c5785 ("net: dsa: Add missing master netdev +dev_put() calls"), but the fix never made it into the "new" (dsa2) +probing paths that can still be traced to today, and the fixed probing +path was later deleted in 2019 in commit 93e86b3bc842 ("net: dsa: Remove +legacy probing support"). + +That is to say, the new probing paths were never quite correct in this +area. + +The existence of the legacy probing support which was deleted in 2019 +explains why dsa_dev_to_net_device() returns a conduit with elevated +refcount (because it was supposed to be released during +dsa_remove_dst()). After the removal of the legacy code, the only user +of dsa_dev_to_net_device() calls dev_put(conduit) immediately after this +function returns. This pattern makes no sense today, and can only be +interpreted historically to understand why dev_hold() was there in the +first place. + +Change details +-------------- + +Today we have a better netdev tracking infrastructure which we should +use. Logically netdev_hold() belongs in common code +(dsa_port_parse_cpu(), where dp->conduit is assigned), but there is a +tradeoff to be made with the rtnl_lock() section which would become a +bit too long if we did that - dsa_port_parse_cpu() also calls +request_module(). So we duplicate a bit of logic in order for the +callers of dsa_port_parse_cpu() to be the ones responsible of holding +the conduit reference and releasing it on error. This shortens the +rtnl_lock() section significantly. + +In the dsa_switch_probe() error path, dsa_switch_release_ports() will be +called in a number of situations, one being where dsa_port_parse_cpu() +maybe didn't get the chance to run at all (a different port failed +earlier, etc). So we have to test for the conduit being NULL prior to +calling netdev_put(). + +There have still been so many transformations to the code since the +blamed commits (rename master -> conduit, commit 0650bf52b31f ("net: +dsa: be compatible with masters which unregister on shutdown")), that it +only makes sense to fix the code using the best methods available today +and see how it can be backported to stable later. I suspect the fix +cannot even be backported to kernels which lack dsa_switch_shutdown(), +and I suspect this is also maybe why the long-lived conduit reference +didn't make it into the new DSA probing paths at the time (problems +during shutdown). + +Because dsa_dev_to_net_device() has a single call site and has to be +changed anyway, the logic was just absorbed into the non-OF +dsa_port_parse(). + +Tested on the ocelot/felix switch and on dsa_loop, both on the NXP +LS1028A with CONFIG_DEBUG_KOBJECT_RELEASE=y. + +Reported-by: Ma Ke +Closes: https://lore.kernel.org/netdev/20251214131204.4684-1-make24@iscas.ac.cn/ +Fixes: 83c0afaec7b7 ("net: dsa: Add new binding implementation") +Fixes: 71e0bbde0d88 ("net: dsa: Add support for platform data") +Reviewed-by: Jonas Gorski +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20251215150236.3931670-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/dsa.h | 1 + + net/dsa/dsa.c | 59 +++++++++++++++++++++++++++-------------------- + 2 files changed, 35 insertions(+), 25 deletions(-) + +diff --git a/include/net/dsa.h b/include/net/dsa.h +index d73ea0880066..5cb456bf4639 100644 +--- a/include/net/dsa.h ++++ b/include/net/dsa.h +@@ -298,6 +298,7 @@ struct dsa_port { + struct devlink_port devlink_port; + struct phylink *pl; + struct phylink_config pl_config; ++ netdevice_tracker conduit_tracker; + struct dsa_lag *lag; + struct net_device *hsr_dev; + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index 5b01a0e43ebe..d466d0234087 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -1252,14 +1252,25 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) + if (ethernet) { + struct net_device *conduit; + const char *user_protocol; ++ int err; + ++ rtnl_lock(); + conduit = of_find_net_device_by_node(ethernet); + of_node_put(ethernet); +- if (!conduit) ++ if (!conduit) { ++ rtnl_unlock(); + return -EPROBE_DEFER; ++ } ++ ++ netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL); ++ put_device(&conduit->dev); ++ rtnl_unlock(); + + user_protocol = of_get_property(dn, "dsa-tag-protocol", NULL); +- return dsa_port_parse_cpu(dp, conduit, user_protocol); ++ err = dsa_port_parse_cpu(dp, conduit, user_protocol); ++ if (err) ++ netdev_put(conduit, &dp->conduit_tracker); ++ return err; + } + + if (link) +@@ -1392,37 +1403,30 @@ static struct device *dev_find_class(struct device *parent, char *class) + return device_find_child(parent, class, dev_is_class); + } + +-static struct net_device *dsa_dev_to_net_device(struct device *dev) +-{ +- struct device *d; +- +- d = dev_find_class(dev, "net"); +- if (d != NULL) { +- struct net_device *nd; +- +- nd = to_net_dev(d); +- dev_hold(nd); +- put_device(d); +- +- return nd; +- } +- +- return NULL; +-} +- + static int dsa_port_parse(struct dsa_port *dp, const char *name, + struct device *dev) + { + if (!strcmp(name, "cpu")) { + struct net_device *conduit; ++ struct device *d; ++ int err; + +- conduit = dsa_dev_to_net_device(dev); +- if (!conduit) ++ rtnl_lock(); ++ d = dev_find_class(dev, "net"); ++ if (!d) { ++ rtnl_unlock(); + return -EPROBE_DEFER; ++ } + +- dev_put(conduit); ++ conduit = to_net_dev(d); ++ netdev_hold(conduit, &dp->conduit_tracker, GFP_KERNEL); ++ put_device(d); ++ rtnl_unlock(); + +- return dsa_port_parse_cpu(dp, conduit, NULL); ++ err = dsa_port_parse_cpu(dp, conduit, NULL); ++ if (err) ++ netdev_put(conduit, &dp->conduit_tracker); ++ return err; + } + + if (!strcmp(name, "dsa")) +@@ -1490,6 +1494,9 @@ static void dsa_switch_release_ports(struct dsa_switch *ds) + struct dsa_vlan *v, *n; + + dsa_switch_for_each_port_safe(dp, next, ds) { ++ if (dsa_port_is_cpu(dp) && dp->conduit) ++ netdev_put(dp->conduit, &dp->conduit_tracker); ++ + /* These are either entries that upper layers lost track of + * (probably due to bugs), or installed through interfaces + * where one does not necessarily have to remove them, like +@@ -1634,8 +1641,10 @@ void dsa_switch_shutdown(struct dsa_switch *ds) + /* Disconnect from further netdevice notifiers on the conduit, + * since netdev_uses_dsa() will now return false. + */ +- dsa_switch_for_each_cpu_port(dp, ds) ++ dsa_switch_for_each_cpu_port(dp, ds) { + dp->conduit->dsa_ptr = NULL; ++ netdev_put(dp->conduit, &dp->conduit_tracker); ++ } + + rtnl_unlock(); + out: +-- +2.51.0 + diff --git a/queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch b/queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch new file mode 100644 index 0000000000..ea6a615552 --- /dev/null +++ b/queue-6.18/net-fib-restore-ecmp-balance-from-loopback.patch @@ -0,0 +1,122 @@ +From 4cb09782da5bf920877de3147f59fe3658365783 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 19:26:38 +0000 +Subject: net: fib: restore ECMP balance from loopback + +From: Vadim Fedorenko + +[ Upstream commit 6e17474aa9fe15015c9921a5081c7ca71783aac6 ] + +Preference of nexthop with source address broke ECMP for packets with +source addresses which are not in the broadcast domain, but rather added +to loopback/dummy interfaces. Original behaviour was to balance over +nexthops while now it uses the latest nexthop from the group. To fix the +issue introduce next hop scoring system where next hops with source +address equal to requested will always have higher priority. + +For the case with 198.51.100.1/32 assigned to dummy0 and routed using +192.0.2.0/24 and 203.0.113.0/24 networks: + +2: dummy0: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 + link/ether d6:54:8a:ff:78:f5 brd ff:ff:ff:ff:ff:ff + inet 198.51.100.1/32 scope global dummy0 + valid_lft forever preferred_lft forever +7: veth1@if6: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether 06:ed:98:87:6d:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 192.0.2.2/24 scope global veth1 + valid_lft forever preferred_lft forever + inet6 fe80::4ed:98ff:fe87:6d8a/64 scope link proto kernel_ll + valid_lft forever preferred_lft forever +9: veth3@if8: mtu 1500 qdisc noqueue state UP group default qlen 1000 + link/ether ae:75:23:38:a0:d2 brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 203.0.113.2/24 scope global veth3 + valid_lft forever preferred_lft forever + inet6 fe80::ac75:23ff:fe38:a0d2/64 scope link proto kernel_ll + valid_lft forever preferred_lft forever + +~ ip ro list: +default + nexthop via 192.0.2.1 dev veth1 weight 1 + nexthop via 203.0.113.1 dev veth3 weight 1 +192.0.2.0/24 dev veth1 proto kernel scope link src 192.0.2.2 +203.0.113.0/24 dev veth3 proto kernel scope link src 203.0.113.2 + +before: + for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c: + 255 veth3 + +after: + for i in {1..255} ; do ip ro get 10.0.0.$i; done | grep veth | awk ' {print $(NF-2)}' | sort | uniq -c: + 122 veth1 + 133 veth3 + +Fixes: 32607a332cfe ("ipv4: prefer multipath nexthop that matches source address") +Signed-off-by: Vadim Fedorenko +Reviewed-by: Ido Schimmel +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20251221192639.3911901-1-vadim.fedorenko@linux.dev +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_semantics.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index a5f3c8459758..0caf38e44c73 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -2167,8 +2167,8 @@ void fib_select_multipath(struct fib_result *res, int hash, + { + struct fib_info *fi = res->fi; + struct net *net = fi->fib_net; +- bool found = false; + bool use_neigh; ++ int score = -1; + __be32 saddr; + + if (unlikely(res->fi->nh)) { +@@ -2180,7 +2180,7 @@ void fib_select_multipath(struct fib_result *res, int hash, + saddr = fl4 ? fl4->saddr : 0; + + change_nexthops(fi) { +- int nh_upper_bound; ++ int nh_upper_bound, nh_score = 0; + + /* Nexthops without a carrier are assigned an upper bound of + * minus one when "ignore_routes_with_linkdown" is set. +@@ -2190,24 +2190,18 @@ void fib_select_multipath(struct fib_result *res, int hash, + (use_neigh && !fib_good_nh(nexthop_nh))) + continue; + +- if (!found) { ++ if (saddr && nexthop_nh->nh_saddr == saddr) ++ nh_score += 2; ++ if (hash <= nh_upper_bound) ++ nh_score++; ++ if (score < nh_score) { + res->nh_sel = nhsel; + res->nhc = &nexthop_nh->nh_common; +- found = !saddr || nexthop_nh->nh_saddr == saddr; ++ if (nh_score == 3 || (!saddr && nh_score == 1)) ++ return; ++ score = nh_score; + } + +- if (hash > nh_upper_bound) +- continue; +- +- if (!saddr || nexthop_nh->nh_saddr == saddr) { +- res->nh_sel = nhsel; +- res->nhc = &nexthop_nh->nh_common; +- return; +- } +- +- if (found) +- return; +- + } endfor_nexthops(fi); + } + #endif +-- +2.51.0 + diff --git a/queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..9b8ef46682 --- /dev/null +++ b/queue-6.18/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From cd049b55cbff0c6d46d2ce8043577c305a002a82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index e55be6dc9ae7..d6b9004c61dc 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch b/queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch new file mode 100644 index 0000000000..6430bbe582 --- /dev/null +++ b/queue-6.18/net-mdio-rtl9300-use-scoped-for-loops.patch @@ -0,0 +1,62 @@ +From 312152e8c0e1ef5596ddd96366ef62569556fff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 13:01:53 -0800 +Subject: net: mdio: rtl9300: use scoped for loops + +From: Rosen Penev + +[ Upstream commit a4f800c4487dc5d6fcc28da89c7cc3c187ccc731 ] + +Currently in the return path, fwnode_handle_put calls are missing. Just use +_scoped to avoid the issue. + +Fixes: 24e31e474769 ("net: mdio: Add RTL9300 MDIO driver") +Signed-off-by: Rosen Penev +Link: https://patch.msgid.link/20251217210153.14641-1-rosenp@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-realtek-rtl9300.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/mdio/mdio-realtek-rtl9300.c b/drivers/net/mdio/mdio-realtek-rtl9300.c +index 33694c3ff9a7..405a07075dd1 100644 +--- a/drivers/net/mdio/mdio-realtek-rtl9300.c ++++ b/drivers/net/mdio/mdio-realtek-rtl9300.c +@@ -354,7 +354,6 @@ static int rtl9300_mdiobus_probe_one(struct device *dev, struct rtl9300_mdio_pri + struct fwnode_handle *node) + { + struct rtl9300_mdio_chan *chan; +- struct fwnode_handle *child; + struct mii_bus *bus; + u32 mdio_bus; + int err; +@@ -371,7 +370,7 @@ static int rtl9300_mdiobus_probe_one(struct device *dev, struct rtl9300_mdio_pri + * compatible = "ethernet-phy-ieee802.3-c45". This does mean we can't + * support both c45 and c22 on the same MDIO bus. + */ +- fwnode_for_each_child_node(node, child) ++ fwnode_for_each_child_node_scoped(node, child) + if (fwnode_device_is_compatible(child, "ethernet-phy-ieee802.3-c45")) + priv->smi_bus_is_c45[mdio_bus] = true; + +@@ -409,7 +408,6 @@ static int rtl9300_mdiobus_map_ports(struct device *dev) + { + struct rtl9300_mdio_priv *priv = dev_get_drvdata(dev); + struct device *parent = dev->parent; +- struct fwnode_handle *port; + int err; + + struct fwnode_handle *ports __free(fwnode_handle) = +@@ -418,7 +416,7 @@ static int rtl9300_mdiobus_map_ports(struct device *dev) + return dev_err_probe(dev, -EINVAL, "%pfwP missing ethernet-ports\n", + dev_fwnode(parent)); + +- fwnode_for_each_child_node(ports, port) { ++ fwnode_for_each_child_node_scoped(ports, port) { + struct device_node *mdio_dn; + u32 addr; + u32 bus; +-- +2.51.0 + diff --git a/queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..b4dc6c44dc --- /dev/null +++ b/queue-6.18/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From e467464de2e2d52dbf4502024a809d2f30af768b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 91a11067e458..6574f9bcdc02 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -160,10 +160,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..8117216e8f --- /dev/null +++ b/queue-6.18/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From 7827a7a6470c60bf54ddfe557656e21ff66357b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 543f9e8ebb69..fad6518e6e39 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch new file mode 100644 index 0000000000..893788a26f --- /dev/null +++ b/queue-6.18/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch @@ -0,0 +1,96 @@ +From a69c584adf112a34a97d27046c10d089bd33f60b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 15:13:32 +0800 +Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action + +From: Wei Fang + +[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ] + +There is a crash issue when running zero copy XDP_TX action, the crash +log is shown below. + +[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 +[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP +[ 216.301694] Call trace: +[ 216.304130] dcache_clean_poc+0x20/0x38 (P) +[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 +[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 +[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 +[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 +[ 216.326576] __napi_poll+0x40/0x218 +[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt + +For XDP_TX action, the xdp_buff is converted to xdp_frame by +xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame +depends on the memory type of the xdp_buff. For page pool based xdp_buff +it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy +XSK pool based xdp_buff it produces xdp_frame with memory type +MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the +memory type and always uses the page pool type, this leads to invalid +mappings and causes the crash. Therefore, check the xdp_buff memory type +in stmmac_xdp_xmit_back() to fix this issue. + +Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy") +Signed-off-by: Wei Fang +Reviewed-by: Hariprasad Kelam +Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 86e912471dea..0dd17179c85d 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -88,6 +88,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address"); + #define STMMAC_XDP_CONSUMED BIT(0) + #define STMMAC_XDP_TX BIT(1) + #define STMMAC_XDP_REDIRECT BIT(2) ++#define STMMAC_XSK_CONSUMED BIT(3) + + static int flow_ctrl = 0xdead; + module_param(flow_ctrl, int, 0644); +@@ -4988,6 +4989,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv, + static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + struct xdp_buff *xdp) + { ++ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL); + struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp); + int cpu = smp_processor_id(); + struct netdev_queue *nq; +@@ -5004,9 +5006,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + /* Avoids TX time-out as we are sharing with slow path */ + txq_trans_cond_update(nq); + +- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false); +- if (res == STMMAC_XDP_TX) ++ /* For zero copy XDP_TX action, dma_map is true */ ++ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc); ++ if (res == STMMAC_XDP_TX) { + stmmac_flush_tx_descriptors(priv, queue); ++ } else if (res == STMMAC_XDP_CONSUMED && zc) { ++ /* xdp has been freed by xdp_convert_buff_to_frame(), ++ * no need to call xsk_buff_free() again, so return ++ * STMMAC_XSK_CONSUMED. ++ */ ++ res = STMMAC_XSK_CONSUMED; ++ xdp_return_frame(xdpf); ++ } + + __netif_tx_unlock(nq); + +@@ -5356,6 +5367,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + case STMMAC_XDP_CONSUMED: + xsk_buff_free(buf->xdp); ++ fallthrough; ++ case STMMAC_XSK_CONSUMED: + rx_dropped++; + break; + case STMMAC_XDP_TX: +-- +2.51.0 + diff --git a/queue-6.18/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.18/net-usb-asix-validate-phy-address-before-use.patch new file mode 100644 index 0000000000..7db460761e --- /dev/null +++ b/queue-6.18/net-usb-asix-validate-phy-address-before-use.patch @@ -0,0 +1,71 @@ +From f6db1de271cccfc868eca4a6e06c00632e1ee3b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 06:41:56 +0530 +Subject: net: usb: asix: validate PHY address before use + +From: Deepanshu Kartikey + +[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ] + +The ASIX driver reads the PHY address from the USB device via +asix_read_phy_addr(). A malicious or faulty device can return an +invalid address (>= PHY_MAX_ADDR), which causes a warning in +mdiobus_get_phy(): + + addr 207 out of range + WARNING: drivers/net/phy/mdio_bus.c:76 + +Validate the PHY address in asix_read_phy_addr() and remove the +now-redundant check in ax88172a.c. + +Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232 +Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return") +Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1] +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 5 +++++ + drivers/net/usb/ax88172a.c | 6 +----- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 7fd763917ae2..6ab3486072cb 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal) + offset = (internal ? 1 : 0); + ret = buf[offset]; + ++ if (ret >= PHY_MAX_ADDR) { ++ netdev_err(dev->net, "invalid PHY address: %d\n", ret); ++ return -ENODEV; ++ } ++ + netdev_dbg(dev->net, "%s PHY address 0x%x\n", + internal ? "internal" : "external", ret); + +diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c +index f613e4bc68c8..758a423a459b 100644 +--- a/drivers/net/usb/ax88172a.c ++++ b/drivers/net/usb/ax88172a.c +@@ -210,11 +210,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf) + ret = asix_read_phy_addr(dev, priv->use_embdphy); + if (ret < 0) + goto free; +- if (ret >= PHY_MAX_ADDR) { +- netdev_err(dev->net, "Invalid PHY address %#x\n", ret); +- ret = -ENODEV; +- goto free; +- } ++ + priv->phy_addr = ret; + + ax88172a_reset_phy(dev, priv->use_embdphy); +-- +2.51.0 + diff --git a/queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..6b34ab3fe7 --- /dev/null +++ b/queue-6.18/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From 942b88d71b698aa4561ad2c14a92e25da405507d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 278e6cb6f4d9..e40b0669d9f4 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-6.18/net-wangxun-move-phylink-dependency.patch b/queue-6.18/net-wangxun-move-phylink-dependency.patch new file mode 100644 index 0000000000..94e1b255c8 --- /dev/null +++ b/queue-6.18/net-wangxun-move-phylink-dependency.patch @@ -0,0 +1,76 @@ +From f7dd1a8e9fca940d9b3ee00c50c85f225bf3fed4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 22:35:42 +0100 +Subject: net: wangxun: move PHYLINK dependency + +From: Arnd Bergmann + +[ Upstream commit b94f11af9d9201426f4d6c8a753493fd58d6ac16 ] + +The LIBWX library code is what calls into phylink, so any user of +it has to select CONFIG_PHYLINK at the moment, with NGBEVF missing this: + +x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_nway_reset': +wx_ethtool.c:(.text+0x613): undefined reference to `phylink_ethtool_nway_reset' +x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_get_link_ksettings': +wx_ethtool.c:(.text+0x62b): undefined reference to `phylink_ethtool_ksettings_get' +x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_set_link_ksettings': +wx_ethtool.c:(.text+0x643): undefined reference to `phylink_ethtool_ksettings_set' +x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_get_pauseparam': +wx_ethtool.c:(.text+0x65b): undefined reference to `phylink_ethtool_get_pauseparam' +x86_64-linux-ld: drivers/net/ethernet/wangxun/libwx/wx_ethtool.o: in function `wx_set_pauseparam': +wx_ethtool.c:(.text+0x677): undefined reference to `phylink_ethtool_set_pauseparam' + +Add the 'select PHYLINK' line in the libwx option directly so this will +always be enabled for all current and future wangxun drivers, and remove +the now duplicate lines. + +Fixes: a0008a3658a3 ("net: wangxun: add ngbevf build") +Signed-off-by: Arnd Bergmann +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20251216213547.115026-1-arnd@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/wangxun/Kconfig | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/wangxun/Kconfig b/drivers/net/ethernet/wangxun/Kconfig +index d138dea7d208..ec278f99d295 100644 +--- a/drivers/net/ethernet/wangxun/Kconfig ++++ b/drivers/net/ethernet/wangxun/Kconfig +@@ -21,6 +21,7 @@ config LIBWX + depends on PTP_1588_CLOCK_OPTIONAL + select PAGE_POOL + select DIMLIB ++ select PHYLINK + help + Common library for Wangxun(R) Ethernet drivers. + +@@ -29,7 +30,6 @@ config NGBE + depends on PCI + depends on PTP_1588_CLOCK_OPTIONAL + select LIBWX +- select PHYLINK + help + This driver supports Wangxun(R) GbE PCI Express family of + adapters. +@@ -48,7 +48,6 @@ config TXGBE + depends on PTP_1588_CLOCK_OPTIONAL + select MARVELL_10G_PHY + select REGMAP +- select PHYLINK + select HWMON if TXGBE=y + select SFP + select GPIOLIB +@@ -71,7 +70,6 @@ config TXGBEVF + depends on PCI_MSI + depends on PTP_1588_CLOCK_OPTIONAL + select LIBWX +- select PHYLINK + help + This driver supports virtual functions for SP1000A, WX1820AL, + WX5XXX, WX5XXXAL. +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..fabc4c63f3 --- /dev/null +++ b/queue-6.18/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From db35ae8bc3ff10f293285ed183199327b6d08972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index b90e23dc49de..b6449f0a9e7d 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -418,6 +418,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch b/queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch new file mode 100644 index 0000000000..bb4b4316b6 --- /dev/null +++ b/queue-6.18/platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch @@ -0,0 +1,61 @@ +From 82e213e5adbc84e5bbe9b28d66d1ae3c72888c31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 12:18:13 +0000 +Subject: platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event + names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shravan Kumar Ramani + +[ Upstream commit f13bce715d1600698310a4a7832f6a52499d5395 ] + +Some event names have trailing whitespaces at the end which causes programming +of counters using the name for these specific events to fail and hence need to +be removed. + +Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3") +Signed-off-by: Shravan Kumar Ramani +Reviewed-by: David Thompson +Link: https://patch.msgid.link/065cbae0717dcc1169681c4dbb1a6e050b8574b3.1766059953.git.shravankr@nvidia.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c +index 16a2fd9fdd9b..5ec1ad471696 100644 +--- a/drivers/platform/mellanox/mlxbf-pmc.c ++++ b/drivers/platform/mellanox/mlxbf-pmc.c +@@ -801,18 +801,18 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_miss_events[] = { + {11, "GDC_MISS_MACHINE_CHI_TXDAT"}, + {12, "GDC_MISS_MACHINE_CHI_RXDAT"}, + {13, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_0"}, +- {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1 "}, ++ {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1"}, + {15, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_2"}, +- {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3 "}, +- {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0 "}, +- {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1 "}, +- {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2 "}, +- {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3 "}, ++ {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3"}, ++ {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0"}, ++ {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1"}, ++ {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2"}, ++ {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3"}, + {21, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_0"}, + {22, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_1"}, + {23, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_2"}, + {24, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_3"}, +- {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0 "}, ++ {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0"}, + {26, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_1"}, + {27, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_2"}, + {28, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_3"}, +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch new file mode 100644 index 0000000000..816c04221b --- /dev/null +++ b/queue-6.18/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch @@ -0,0 +1,129 @@ +From abd8f0c43e201d426317630466a8d7332f5d00f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 19:42:05 +0800 +Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI + package parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ] + +The hp_populate_*_elements_from_package() functions in the hp-bioscfg +driver contain out-of-bounds array access vulnerabilities. + +These functions parse ACPI packages into internal data structures using +a for loop with index variable 'elem' that iterates through +enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. + +When processing multi-element fields like PREREQUISITES and +ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array +elements using expressions like 'enum_obj[elem + reqs]' and +'enum_obj[elem + pos_values]' within nested loops. + +The bug is that the bounds check only validated elem, but did not consider +the additional offset when accessing elem + reqs or elem + pos_values. + +The fix changes the bounds check to validate the actual accessed index. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++-- + drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +- + drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +- + 5 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +index c50ad5880503..f346aad8e9d8 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + case PREREQUISITES: + size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= enum_obj_count) { ++ if (elem + reqs >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + + for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE; + pos_values++) { +- if (elem >= enum_obj_count) { ++ if (elem + pos_values >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +index 6c7f4d5fa9cb..63b1fda2be4e 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_ + size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= integer_obj_count) { ++ if (elem + reqs >= integer_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +index c6e57bb9d8b7..6a31f47ce3f5 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord + size = min_t(u32, ordered_list_data->common.prerequisites_size, + MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= order_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer, + order_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +index 187b372123ed..ec79d9d50377 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= password_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer, + password_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +index 27758b779b2d..7b885d25650c 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= string_obj_count) { ++ if (elem + reqs >= string_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..091b5d6b1d --- /dev/null +++ b/queue-6.18/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From 303907a0363ccd588182b9c72a2f106cb98c18df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 231b37909801..139956168cf9 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -273,7 +273,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch b/queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch new file mode 100644 index 0000000000..e04f3775ca --- /dev/null +++ b/queue-6.18/platform-x86-intel-pmt-discovery-use-valid-device-po.patch @@ -0,0 +1,51 @@ +From 9d97bd7567db5f013d3122d4b3d26545b5034658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 01:51:09 -0800 +Subject: platform/x86/intel/pmt/discovery: use valid device pointer in + dev_err_probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit 66e245db16f0175af656cd812b6dc1a5e1f7b80a ] + +The PMT feature probe creates a child device with device_create(). +If device creation fail, the code pass priv->dev (which is an ERR_PTR) +to dev_err_probe(), which is not a valid device pointer. + +This patch change the dev_err_probe() call to use the parent auxiliary +device (&auxdev->dev) and update the error message to reference the +parent device name. It ensure correct error reporting and avoid +passing an invalid device pointer. + +Fixes: d9a078809356 ("platform/x86/intel/pmt: Add PMT Discovery driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251224095133.115678-1-alok.a.tiwari@oracle.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmt/discovery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/intel/pmt/discovery.c b/drivers/platform/x86/intel/pmt/discovery.c +index 9c5b4d0e1fae..e500aa327d23 100644 +--- a/drivers/platform/x86/intel/pmt/discovery.c ++++ b/drivers/platform/x86/intel/pmt/discovery.c +@@ -548,9 +548,9 @@ static int pmt_features_probe(struct auxiliary_device *auxdev, const struct auxi + priv->dev = device_create(&intel_pmt_class, &auxdev->dev, MKDEV(0, 0), priv, + "%s-%s", "features", dev_name(priv->parent)); + if (IS_ERR(priv->dev)) +- return dev_err_probe(priv->dev, PTR_ERR(priv->dev), ++ return dev_err_probe(&auxdev->dev, PTR_ERR(priv->dev), + "Could not create %s-%s device node\n", +- "features", dev_name(priv->dev)); ++ "features", dev_name(priv->parent)); + + /* Initialize each feature */ + for (i = 0; i < ivdev->num_resources; i++) { +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch b/queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch new file mode 100644 index 0000000000..c51c630ffe --- /dev/null +++ b/queue-6.18/platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch @@ -0,0 +1,46 @@ +From c41ee97df586f5c07604c782a90d19b421280577 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 14:10:41 +0530 +Subject: platform/x86/intel/pmt: Fix kobject memory leak on init failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kaushlendra Kumar + +[ Upstream commit 00c22b1e84288bf0e17ab1e7e59d75237cf0d0dc ] + +When kobject_init_and_add() fails in pmt_features_discovery(), the +function returns without calling kobject_put(). This violates the +kobject API contract where kobject_put() must be called even on +initialization failure to properly release allocated resources. + +Fixes: d9a078809356 ("platform/x86/intel/pmt: Add PMT Discovery driver") +Signed-off-by: Kaushlendra Kumar +Link: https://patch.msgid.link/20251223084041.3832933-1-kaushlendra.kumar@intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel/pmt/discovery.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/intel/pmt/discovery.c b/drivers/platform/x86/intel/pmt/discovery.c +index 32713a194a55..9c5b4d0e1fae 100644 +--- a/drivers/platform/x86/intel/pmt/discovery.c ++++ b/drivers/platform/x86/intel/pmt/discovery.c +@@ -503,8 +503,10 @@ static int pmt_features_discovery(struct pmt_features_priv *priv, + + ret = kobject_init_and_add(&feature->kobj, ktype, &priv->dev->kobj, + "%s", pmt_feature_names[feature->id]); +- if (ret) ++ if (ret) { ++ kobject_put(&feature->kobj); + return ret; ++ } + + kobject_uevent(&feature->kobj, KOBJ_ADD); + pmt_features_add_feat(feature); +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..b6754bb3ec --- /dev/null +++ b/queue-6.18/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From 01b7712404170fc68d2ed13f2a8cdd82a7b7b8a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index c4b150fa093f..ddef6b78d2fa 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch b/queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch new file mode 100644 index 0000000000..e296fe6f9b --- /dev/null +++ b/queue-6.18/powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch @@ -0,0 +1,54 @@ +From 8e5fde095f392995561bb37d56203ec1793459a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 17:32:16 +0200 +Subject: powerpc/tools: drop `-o pipefail` in gcc check scripts + +From: Jan Stancek + +[ Upstream commit f1164534ad62f0cc247d99650b07bd59ad2a49fd ] + +Fixes: 0f71dcfb4aef ("powerpc/ftrace: Add support for -fpatchable-function-entry") +Fixes: b71c9ffb1405 ("powerpc: Add arch/powerpc/tools directory") +Reported-by: Joe Lawrence +Acked-by: Joe Lawrence +Signed-off-by: Jan Stancek +Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel") +Fixes: abba759796f9 ("powerpc/kbuild: move -mprofile-kernel check to Kconfig") +Tested-by: Justin M. Forbes +Reviewed-by: Naveen N Rao (AMD) +Reviewed-by: Josh Poimboeuf +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/cc6cdd116c3ad9d990df21f13c6d8e8a83815bbd.1758641374.git.jstancek@redhat.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh | 1 - + arch/powerpc/tools/gcc-check-mprofile-kernel.sh | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh b/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh +index 06706903503b..baed467a016b 100755 +--- a/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh ++++ b/arch/powerpc/tools/gcc-check-fpatchable-function-entry.sh +@@ -2,7 +2,6 @@ + # SPDX-License-Identifier: GPL-2.0 + + set -e +-set -o pipefail + + # To debug, uncomment the following line + # set -x +diff --git a/arch/powerpc/tools/gcc-check-mprofile-kernel.sh b/arch/powerpc/tools/gcc-check-mprofile-kernel.sh +index 73e331e7660e..6193b0ed0c77 100755 +--- a/arch/powerpc/tools/gcc-check-mprofile-kernel.sh ++++ b/arch/powerpc/tools/gcc-check-mprofile-kernel.sh +@@ -2,7 +2,6 @@ + # SPDX-License-Identifier: GPL-2.0 + + set -e +-set -o pipefail + + # To debug, uncomment the following line + # set -x +-- +2.51.0 + diff --git a/queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..a4ea70d1c5 --- /dev/null +++ b/queue-6.18/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From 09851a4d00950b00603210ffe226ea319a655ec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index d5c12a51aa43..4d674a3aee1a 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -64,9 +64,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..0425aba909 --- /dev/null +++ b/queue-6.18/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From 6afbe4008ac1da1f8e16ff84d5cfdfa8b2568561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index f19b55c13d58..ff91511bd338 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2919,14 +2919,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..dbf4576b95 --- /dev/null +++ b/queue-6.18/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From 373a15aa009e8c46c60402bb434431efb42a3aee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index 295a9610f3e6..4dad0cfcfa98 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -1112,7 +1112,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + creq_db->dbinfo.flags = 0; + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch b/queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch new file mode 100644 index 0000000000..1f926164ff --- /dev/null +++ b/queue-6.18/rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch @@ -0,0 +1,66 @@ +From ae9a4687c852b4bde6bbd9ab70bdacd8e6d8ecb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Dec 2025 15:21:10 +0800 +Subject: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() + +From: Ding Hui + +[ Upstream commit 9b68a1cc966bc947d00e4c0df7722d118125aa37 ] + +Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters +update") added three new counters and placed them after +BNXT_RE_OUT_OF_SEQ_ERR. + +BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware +statistics with different num_counters values on chip_gen_p5_p7 devices. + +As a result, BNXT_RE_NUM_STD_COUNTERS are used when allocating +hw_stats, which leads to an out-of-bounds write in +bnxt_re_copy_err_stats(). + +The counters BNXT_RE_REQ_CQE_ERROR, BNXT_RE_RESP_CQE_ERROR, and +BNXT_RE_RESP_REMOTE_ACCESS_ERRS are applicable to generic hardware, not +only p5/p7 devices. + +Fix this by moving these counters before BNXT_RE_OUT_OF_SEQ_ERR so they +are included in the generic counter set. + +Fixes: ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") +Reported-by: Yingying Zheng +Signed-off-by: Ding Hui +Link: https://patch.msgid.link/20251208072110.28874-1-dinghui@sangfor.com.cn +Reviewed-by: Kalesh AP +Tested-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/hw_counters.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/hw_counters.h b/drivers/infiniband/hw/bnxt_re/hw_counters.h +index 09d371d442aa..cebec033f4a0 100644 +--- a/drivers/infiniband/hw/bnxt_re/hw_counters.h ++++ b/drivers/infiniband/hw/bnxt_re/hw_counters.h +@@ -89,6 +89,9 @@ enum bnxt_re_hw_stats { + BNXT_RE_RES_SRQ_LOAD_ERR, + BNXT_RE_RES_TX_PCI_ERR, + BNXT_RE_RES_RX_PCI_ERR, ++ BNXT_RE_REQ_CQE_ERROR, ++ BNXT_RE_RESP_CQE_ERROR, ++ BNXT_RE_RESP_REMOTE_ACCESS_ERRS, + BNXT_RE_OUT_OF_SEQ_ERR, + BNXT_RE_TX_ATOMIC_REQ, + BNXT_RE_TX_READ_REQ, +@@ -110,9 +113,6 @@ enum bnxt_re_hw_stats { + BNXT_RE_TX_CNP, + BNXT_RE_RX_CNP, + BNXT_RE_RX_ECN, +- BNXT_RE_REQ_CQE_ERROR, +- BNXT_RE_RESP_CQE_ERROR, +- BNXT_RE_RESP_REMOTE_ACCESS_ERRS, + BNXT_RE_NUM_EXT_COUNTERS + }; + +-- +2.51.0 + diff --git a/queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..03ca709c86 --- /dev/null +++ b/queue-6.18/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From 7475dafe0d7d7a53827c9fb014367325d3dd6e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 875d7b52c06a..d5c12a51aa43 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -237,7 +237,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -245,7 +245,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch b/queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch new file mode 100644 index 0000000000..28e9e89a2c --- /dev/null +++ b/queue-6.18/rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch @@ -0,0 +1,45 @@ +From 75218538a44fa721165b3de05336138a60979716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Dec 2025 11:11:33 +0900 +Subject: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() + +From: Tetsuo Handa + +[ Upstream commit fa3c411d21ebc26ffd175c7256c37cefa35020aa ] + +Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add +support to add/delete a sub IB device through netlink") grabs a reference +using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), +we need to drop that reference before returning -EOPNOTSUPP error. + +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84 +Fixes: bca51197620a ("RDMA/core: Support IB sub device with type "SMI"") +Signed-off-by: Tetsuo Handa +Link: https://patch.msgid.link/80749a85-cbe2-460c-8451-42516013f9fa@I-love.SAKURA.ne.jp +Reviewed-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index b4f3c835844a..e3ba236d7c09 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -2881,8 +2881,10 @@ int ib_del_sub_device_and_put(struct ib_device *sub) + { + struct ib_device *parent = sub->parent; + +- if (!parent) ++ if (!parent) { ++ ib_device_put(sub); + return -EOPNOTSUPP; ++ } + + mutex_lock(&parent->subdev_lock); + list_del(&sub->subdev_list); +-- +2.51.0 + diff --git a/queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..1a9e82747e --- /dev/null +++ b/queue-6.18/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From 30f9f6b3d44f7caf475cab8dc6c6bf8507ecfa35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 3a5f81402d2f..d279e301f5a1 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-6.18/rdma-efa-remove-possible-negative-shift.patch b/queue-6.18/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..0ab239141a --- /dev/null +++ b/queue-6.18/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 90441d55ba5e51995b89b3aa7a2999bd5362fad0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 22d3e25c3b9d..755bba8d58bb 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1320,13 +1320,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch new file mode 100644 index 0000000000..ccbfedbc0b --- /dev/null +++ b/queue-6.18/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch @@ -0,0 +1,83 @@ +From d8635b5660ce3db15c3374adeb73f2beaf72f053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:31:50 +0100 +Subject: RDMA/irdma: avoid invalid read in irdma_net_event + +From: Michal Schmidt + +[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ] + +irdma_net_event() should not dereference anything from "neigh" (alias +"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. +Other events come with different structures pointed to by "ptr" and they +may be smaller than struct neighbour. + +Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. + +The bug is mostly harmless, but it triggers KASAN on debug kernels: + + BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] + Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 + + CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 + Hardware name: [...] + Workqueue: events rt6_probe_deferred + Call Trace: + + dump_stack_lvl+0x60/0xb0 + print_address_description.constprop.0+0x2c/0x3f0 + print_report+0xb4/0x270 + kasan_report+0x92/0xc0 + irdma_net_event+0x32e/0x3b0 [irdma] + notifier_call_chain+0x9e/0x180 + atomic_notifier_call_chain+0x5c/0x110 + rt6_do_redirect+0xb91/0x1080 + tcp_v6_err+0xe9b/0x13e0 + icmpv6_notify+0x2b2/0x630 + ndisc_redirect_rcv+0x328/0x530 + icmpv6_rcv+0xc16/0x1360 + ip6_protocol_deliver_rcu+0xb84/0x12e0 + ip6_input_finish+0x117/0x240 + ip6_input+0xc4/0x370 + ipv6_rcv+0x420/0x7d0 + __netif_receive_skb_one_core+0x118/0x1b0 + process_backlog+0xd1/0x5d0 + __napi_poll.constprop.0+0xa3/0x440 + net_rx_action+0x78a/0xba0 + handle_softirqs+0x2d4/0x9c0 + do_softirq+0xad/0xe0 + + +Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") +Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com +Signed-off-by: Michal Schmidt +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index 8b94d87b0192..b6c4ccf38eb7 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + void *ptr) + { + struct neighbour *neigh = ptr; +- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev; ++ struct net_device *real_dev, *netdev; + struct irdma_device *iwdev; + struct ib_device *ibdev; + __be32 *p; +@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + + switch (event) { + case NETEVENT_NEIGH_UPDATE: ++ netdev = neigh->dev; + real_dev = rdma_vlan_dev_real_dev(netdev); + if (!real_dev) + real_dev = netdev; +-- +2.51.0 + diff --git a/queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch b/queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch new file mode 100644 index 0000000000..54cc805b67 --- /dev/null +++ b/queue-6.18/rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch @@ -0,0 +1,54 @@ +From 692834666454c1c7510c52c4e2fca82aa3ac8a70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Dec 2025 14:38:44 +0100 +Subject: RDMA/irdma: Fix irdma_alloc_ucontext_resp padding + +From: Arnd Bergmann + +[ Upstream commit d95e99a74eaf35c070f5939295331e5d7857c723 ] + +A recent commit modified struct irdma_alloc_ucontext_resp by adding a +member with implicit padding in front of it, though this does not change +the offset of the data members other than m68k. Reported by +scripts/check-uapi.sh: + +==== ABI differences detected in include/rdma/irdma-abi.h from 1dd7bde2e91c -> HEAD ==== + [C] 'struct irdma_alloc_ucontext_resp' changed: + type size changed from 704 to 640 (in bits) + 1 data member deletion: + '__u8 rsvd3[2]', at offset 640 (in bits) at irdma-abi.h:61:1 + 1 data member insertion: + '__u8 revd3[2]', at offset 592 (in bits) at irdma-abi.h:60:1 + +Change the size back to the previous version, and remove the implicit +padding by making it explicit and matching what x86-64 would do by placing +max_hw_srq_quanta member into a naturally aligned location. + +Fixes: 563e1feb5f6e ("RDMA/irdma: Add SRQ support") +Link: https://patch.msgid.link/r/20251208133849.315451-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Reviewed-by: Geert Uytterhoeven +Tested-by: Jacob Moroni +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/uapi/rdma/irdma-abi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/rdma/irdma-abi.h b/include/uapi/rdma/irdma-abi.h +index f7788d33376b..36f20802bcc8 100644 +--- a/include/uapi/rdma/irdma-abi.h ++++ b/include/uapi/rdma/irdma-abi.h +@@ -57,8 +57,8 @@ struct irdma_alloc_ucontext_resp { + __u8 rsvd2; + __aligned_u64 comp_mask; + __u16 min_hw_wq_size; ++ __u8 revd3[2]; + __u32 max_hw_srq_quanta; +- __u8 rsvd3[2]; + }; + + struct irdma_alloc_pd_resp { +-- +2.51.0 + diff --git a/queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch b/queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch new file mode 100644 index 0000000000..aa43383d95 --- /dev/null +++ b/queue-6.18/rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch @@ -0,0 +1,39 @@ +From afa09123554f3685993d3de3bf05c8c0217881d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Oct 2025 03:03:00 -0700 +Subject: RDMA/mana_ib: check cqe length for kernel CQs + +From: Konstantin Taranov + +[ Upstream commit 887bfe5986396aca908b7afd2d214471ba7d5544 ] + +Check queue size during kernel CQ creation to prevent overflow of u32. + +Fixes: bec127e45d9f ("RDMA/mana_ib: create kernel-level CQs") +Link: https://patch.msgid.link/r/1761213780-5457-1-git-send-email-kotaranov@linux.microsoft.com +Signed-off-by: Konstantin Taranov +Reviewed-by: Long Li +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mana/cq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c +index 1becc8779123..7600412b0739 100644 +--- a/drivers/infiniband/hw/mana/cq.c ++++ b/drivers/infiniband/hw/mana/cq.c +@@ -56,6 +56,10 @@ int mana_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr, + doorbell = mana_ucontext->doorbell; + } else { + is_rnic_cq = true; ++ if (attr->cqe > U32_MAX / COMP_ENTRY_SIZE / 2 + 1) { ++ ibdev_dbg(ibdev, "CQE %d exceeding limit\n", attr->cqe); ++ return -EINVAL; ++ } + buf_size = MANA_PAGE_ALIGN(roundup_pow_of_two(attr->cqe * COMP_ENTRY_SIZE)); + cq->cqe = buf_size / COMP_ENTRY_SIZE; + err = mana_ib_create_kernel_queue(mdev, buf_size, GDMA_CQ, &cq->queue); +-- +2.51.0 + diff --git a/queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch new file mode 100644 index 0000000000..bf6824bdc3 --- /dev/null +++ b/queue-6.18/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch @@ -0,0 +1,40 @@ +From 8380e178838cc18f930962b2ecb3f737c6bbdb4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:56:17 +0800 +Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation + +From: Honggang LI + +[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ] + +If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift] +are zero, the `min3` function will set clt_path::max_pages_per_mr to +zero. + +`alloc_path_reqs` will pass zero, which is invalid, as the third parameter +to `ib_alloc_mr`. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Honggang LI +Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 71387811b281..2b397a544cb9 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1464,6 +1464,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path) + mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1); + max_pages_per_mr = ib_dev->attrs.max_mr_size; + do_div(max_pages_per_mr, (1ull << mr_page_shift)); ++ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX); + clt_path->max_pages_per_mr = + min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr, + ib_dev->attrs.max_fast_reg_page_list_len); +-- +2.51.0 + diff --git a/queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch b/queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch new file mode 100644 index 0000000000..f9f6afe657 --- /dev/null +++ b/queue-6.18/rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch @@ -0,0 +1,60 @@ +From 34f184f64d39f36f7762f1919307e0d8423c942a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Dec 2025 14:33:05 +0100 +Subject: RDMA/ucma: Fix rdma_ucm_query_ib_service_resp struct padding + +From: Arnd Bergmann + +[ Upstream commit 2dc675f614850b80deab7cf6d12902636ed8a7f4 ] + +On a few 32-bit architectures, the newly added ib_user_service_rec +structure is not 64-bit aligned the way it is on most regular ones. + +Add explicit padding into the rdma_ucm_query_ib_service_resp and +rdma_ucm_resolve_ib_service structures that embed it, so that the layout +is compatible across all of them. + +This is an ABI change on i386, aligning it with x86_64 and the other +64-bit architectures to avoid having to use a compat ioctl handler. + +Fixes: 810f874eda8e ("RDMA/ucma: Support query resolved service records") +Link: https://patch.msgid.link/r/20251208133311.313977-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/uapi/rdma/rdma_user_cm.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/uapi/rdma/rdma_user_cm.h b/include/uapi/rdma/rdma_user_cm.h +index 5ded174687ee..838f8d460256 100644 +--- a/include/uapi/rdma/rdma_user_cm.h ++++ b/include/uapi/rdma/rdma_user_cm.h +@@ -192,6 +192,7 @@ struct rdma_ucm_query_path_resp { + + struct rdma_ucm_query_ib_service_resp { + __u32 num_service_recs; ++ __u32 reserved; + struct ib_user_service_rec recs[]; + }; + +@@ -354,7 +355,7 @@ enum { + + #define RDMA_USER_CM_IB_SERVICE_NAME_SIZE 64 + struct rdma_ucm_ib_service { +- __u64 service_id; ++ __aligned_u64 service_id; + __u8 service_name[RDMA_USER_CM_IB_SERVICE_NAME_SIZE]; + __u32 flags; + __u32 reserved; +@@ -362,6 +363,7 @@ struct rdma_ucm_ib_service { + + struct rdma_ucm_resolve_ib_service { + __u32 id; ++ __u32 reserved; + struct rdma_ucm_ib_service ibs; + }; + +-- +2.51.0 + diff --git a/queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch b/queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch new file mode 100644 index 0000000000..7ca811b897 --- /dev/null +++ b/queue-6.18/sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch @@ -0,0 +1,53 @@ +From a72f86d6f19bf3e263bfa7ab17d826abba836f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:39:55 +0800 +Subject: sched_ext: fix uninitialized ret on alloc_percpu() failure + +From: Liang Jie + +[ Upstream commit b0101ccb5b4641885f30fecc352ef891ed06e083 ] + +Smatch reported: + + kernel/sched/ext.c:5332 scx_alloc_and_add_sched() warn: passing zero to 'ERR_PTR' + +In scx_alloc_and_add_sched(), the alloc_percpu() failure path jumps to +err_free_gdsqs without initializing @ret. That can lead to returning +ERR_PTR(0), which violates the ERR_PTR() convention and confuses +callers. + +Set @ret to -ENOMEM before jumping to the error path when +alloc_percpu() fails. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202512141601.yAXDAeA9-lkp@intel.com/ +Reported-by: Dan Carpenter +Fixes: c201ea1578d3 ("sched_ext: Move event_stats_cpu into scx_sched") +Signed-off-by: Liang Jie +Reviewed-by: Emil Tsalapatis +Reviewed-by: Andrea Righi +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/sched/ext.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c +index 6139263afd59..31eda2a56920 100644 +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -4508,8 +4508,10 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops) + } + + sch->pcpu = alloc_percpu(struct scx_sched_pcpu); +- if (!sch->pcpu) ++ if (!sch->pcpu) { ++ ret = -ENOMEM; + goto err_free_gdsqs; ++ } + + sch->helper = kthread_run_worker(0, "sched_ext_helper"); + if (IS_ERR(sch->helper)) { +-- +2.51.0 + diff --git a/queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch b/queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch new file mode 100644 index 0000000000..fe1000dbc7 --- /dev/null +++ b/queue-6.18/selftests-drv-net-psp-fix-templated-test-names-in-ps.patch @@ -0,0 +1,41 @@ +From 4025a4bb71bcfca984df28cfc48bc6933a65099a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 06:21:35 -0800 +Subject: selftests: drv-net: psp: fix templated test names in + psp_ip_ver_test_builder() + +From: Daniel Zahka + +[ Upstream commit d52668cac3f98f86aa1fb238dec1320c80fbefea ] + +test_case will only take on its formatted name after it is called by +the test runner. Move the assignment to test_case.__name__ to when the +test_case is constructed, not called. + +Fixes: 8f90dc6e417a ("selftests: drv-net: psp: add basic data transfer and key rotation tests") +Signed-off-by: Daniel Zahka +Link: https://patch.msgid.link/20251216-psp-test-fix-v1-1-3b5a6dde186f@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/psp.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/drivers/net/psp.py b/tools/testing/selftests/drivers/net/psp.py +index 4ae7a785ff10..827e04cc8423 100755 +--- a/tools/testing/selftests/drivers/net/psp.py ++++ b/tools/testing/selftests/drivers/net/psp.py +@@ -560,8 +560,9 @@ def psp_ip_ver_test_builder(name, test_func, psp_ver, ipver): + """Build test cases for each combo of PSP version and IP version""" + def test_case(cfg): + cfg.require_ipver(ipver) +- test_case.__name__ = f"{name}_v{psp_ver}_ip{ipver}" + test_func(cfg, psp_ver, ipver) ++ ++ test_case.__name__ = f"{name}_v{psp_ver}_ip{ipver}" + return test_case + + +-- +2.51.0 + diff --git a/queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch b/queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch new file mode 100644 index 0000000000..c58bf8d174 --- /dev/null +++ b/queue-6.18/selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch @@ -0,0 +1,40 @@ +From e72a250baf99be2b4bef1df1496802cec295e4c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 06:21:36 -0800 +Subject: selftests: drv-net: psp: fix test names in ipver_test_builder() + +From: Daniel Zahka + +[ Upstream commit f0e5126f5e55d4939784ff61b0b7e9f9636d787d ] + +test_case will only take on the formatted name after being +called. This does not work with the way ksft_run() currently +works. Assign the name after the test_case is created. + +Fixes: 81236c74dba6 ("selftests: drv-net: psp: add test for auto-adjusting TCP MSS") +Signed-off-by: Daniel Zahka +Link: https://patch.msgid.link/20251216-psp-test-fix-v1-2-3b5a6dde186f@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/drivers/net/psp.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/drivers/net/psp.py b/tools/testing/selftests/drivers/net/psp.py +index 827e04cc8423..473573e216e3 100755 +--- a/tools/testing/selftests/drivers/net/psp.py ++++ b/tools/testing/selftests/drivers/net/psp.py +@@ -570,8 +570,9 @@ def ipver_test_builder(name, test_func, ipver): + """Build test cases for each IP version""" + def test_case(cfg): + cfg.require_ipver(ipver) +- test_case.__name__ = f"{name}_ip{ipver}" + test_func(cfg, ipver) ++ ++ test_case.__name__ = f"{name}_ip{ipver}" + return test_case + + +-- +2.51.0 + diff --git a/queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..f1b8730e57 --- /dev/null +++ b/queue-6.18/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From 22abf245a454ca0266421d23145228d09c6436ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch new file mode 100644 index 0000000000..3844c72ab9 --- /dev/null +++ b/queue-6.18/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch @@ -0,0 +1,97 @@ +From 519df61f68c044a033e9f43f041fa7dd443e5882 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 12:06:41 -0500 +Subject: selftests: net: fix "buffer overflow detected" for tap.c + +From: Alice C. Munduruca + +[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ] + +When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3', +the strcpy() in rtattr_add_strsz() is replaced with a checked +version which causes the test to consistently fail when compiled +with toolchains for which this option is enabled by default. + + TAP version 13 + 1..3 + # Starting 3 tests from 1 test cases. + # RUN tap.test_packet_valid_udp_gso ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_gso: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_gso + not ok 1 tap.test_packet_valid_udp_gso + # RUN tap.test_packet_valid_udp_csum ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_csum: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_csum + not ok 2 tap.test_packet_valid_udp_csum + # RUN tap.test_packet_crash_tap_invalid_eth_proto ... + *** buffer overflow detected ***: terminated + # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion + # FAIL tap.test_packet_crash_tap_invalid_eth_proto + not ok 3 tap.test_packet_crash_tap_invalid_eth_proto + # FAILED: 0 / 3 tests passed. + # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0 + +A buffer overflow is detected by the fortified glibc __strcpy_chk() +since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly +reported as 1, even though there is ample space in its bounding +buffer `req`. + +Additionally, given that IFLA_IFNAME also expects a null-terminated +string, callers of rtaddr_add_str{,sz}() could simply use the +rtaddr_add_strsz() variant. (which has been renamed to remove the +trailing `sz`) memset() has been used for this function since it +is unchecked and thus circumvents the issue discussed in the +previous paragraph. + +Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver") +Signed-off-by: Alice C. Munduruca +Reviewed-by: Cengiz Can +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tap.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c +index 247c3b3ac1c9..51a209014f1c 100644 +--- a/tools/testing/selftests/net/tap.c ++++ b/tools/testing/selftests/net/tap.c +@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr) + static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type, + const char *s) + { +- struct rtattr *rta = rtattr_add(nh, type, strlen(s)); ++ unsigned int strsz = strlen(s) + 1; ++ struct rtattr *rta; + +- memcpy(RTA_DATA(rta), s, strlen(s)); +- return rta; +-} +- +-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type, +- const char *s) +-{ +- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1); ++ rta = rtattr_add(nh, type, strsz); + +- strcpy(RTA_DATA(rta), s); ++ memcpy(RTA_DATA(rta), s, strsz); + return rta; + } + +@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type, + + link_info = rtattr_begin(&req.nh, IFLA_LINKINFO); + +- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type); ++ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type); + + if (fill_info_data) { + info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA); +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 60388b54c4..f508824e06 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -8,3 +8,80 @@ mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.pat kvm-s390-fix-gmap_helper_zap_one_page-again.patch drm-edid-add-drm_edid_ident_init-to-initialize-struct-drm_edid_ident.patch drm-displayid-add-quirk-to-ignore-displayid-checksum-errors.patch +wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch +wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch +wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch +wifi-mac80211-do-not-use-old-mbssid-elements.patch +sched_ext-fix-uninitialized-ret-on-alloc_percpu-fail.patch +i40e-fix-scheduling-in-set_rx_mode.patch +i40e-validate-ring_len-parameter-against-hardware-sp.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +idpf-fix-lan-memory-regions-command-on-some-nvms.patch +idpf-reduce-mbx_task-schedule-delay-to-300us.patch +cpuset-fix-warning-when-disabling-remote-partition.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +bluetooth-mgmt-report-bis-capability-flags-in-suppor.patch +bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +powerpc-tools-drop-o-pipefail-in-gcc-check-scripts.patch +platform-mellanox-mlxbf-pmc-remove-trailing-whitespa.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +net-airoha-move-net_devs-registration-in-a-dedicated.patch +net-dsa-properly-keep-track-of-conduit-reference.patch +net-dsa-fix-missing-put_device-in-dsa_tree_find_firs.patch +amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch +selftests-drv-net-psp-fix-templated-test-names-in-ps.patch +selftests-drv-net-psp-fix-test-names-in-ipver_test_b.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +selftests-net-fix-buffer-overflow-detected-for-tap.c.patch +net-wangxun-move-phylink-dependency.patch +platform-x86-intel-pmt-fix-kobject-memory-leak-on-in.patch +smc91x-fix-broken-irq-context-in-preempt_rt.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-fix-dma_free_coherent-size.patch +bng_en-update-module-description.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +kbuild-fix-compilation-of-dtb-specified-on-command-l.patch +mcb-add-missing-modpost-build-support.patch +net-mdio-rtl9300-use-scoped-for-loops.patch +net-usb-asix-validate-phy-address-before-use.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch +vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch +platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch +platform-x86-intel-pmt-discovery-use-valid-device-po.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-fib-restore-ecmp-balance-from-loopback.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +ipv6-fix-a-bug-in-rt6_get_pcpu_route-under-preempt_r.patch +rdma-ucma-fix-rdma_ucm_query_ib_service_resp-struct-.patch +rdma-irdma-fix-irdma_alloc_ucontext_resp-padding.patch +rdma-mana_ib-check-cqe-length-for-kernel-cqs.patch +rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-core-always-drop-device-refcount-in-ib_del_sub_.patch +drm-gem-shmem-fix-the-module_license-string.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-oob-write-in-bnxt_re_copy_err_stats.patch +kunit-enforce-task-execution-in-soft-hard-irq-contex.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +md-fix-static-checker-warning-in-analyze_sbs.patch +md-raid5-fix-possible-null-pointer-dereferences-in-r.patch +ublk-implement-numa-aware-memory-allocation.patch +ublk-scan-partition-in-async-way.patch +drm-xe-guc-read-write_once-g2h_fence-done.patch +ksmbd-fix-memory-leak-in-get_file_all_info.patch +ib-rxe-fix-missing-umem_odp-umem_mutex-unlock-on-err.patch +rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch new file mode 100644 index 0000000000..843c2c1112 --- /dev/null +++ b/queue-6.18/smc91x-fix-broken-irq-context-in-preempt_rt.patch @@ -0,0 +1,72 @@ +From c94e4e7ff4ae4079984c6584227a75ef0489c56d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 08:51:15 +0000 +Subject: smc91x: fix broken irq-context in PREEMPT_RT + +From: Yeoreum Yun + +[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ] + +When smc91x.c is built with PREEMPT_RT, the following splat occurs +in FVP_RevC: + +[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] +[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work +[ 13.062266] C +** replaying previous printk message ** +[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} +[ 13.062353] Hardware name: , BIOS +[ 13.062382] Workqueue: mld mld_ifc_work +[ 13.062469] Call trace: +[ 13.062494] show_stack+0x24/0x40 (C) +[ 13.062602] __dump_stack+0x28/0x48 +[ 13.062710] dump_stack_lvl+0x7c/0xb0 +[ 13.062818] dump_stack+0x18/0x34 +[ 13.062926] process_scheduled_works+0x294/0x450 +[ 13.063043] worker_thread+0x260/0x3d8 +[ 13.063124] kthread+0x1c4/0x228 +[ 13.063235] ret_from_fork+0x10/0x20 + +This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, +but smc_special_unlock() does not restore IRQs on PREEMPT_RT. +The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), +and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke +rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. + +To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). + +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Yeoreum Yun +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc91x.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c +index 9d1a83a5fa7e..d16c178d1034 100644 +--- a/drivers/net/ethernet/smsc/smc91x.c ++++ b/drivers/net/ethernet/smsc/smc91x.c +@@ -516,15 +516,7 @@ static inline void smc_rcv(struct net_device *dev) + * any other concurrent access and C would always interrupt B. But life + * isn't that easy in a SMP world... + */ +-#define smc_special_trylock(lock, flags) \ +-({ \ +- int __ret; \ +- local_irq_save(flags); \ +- __ret = spin_trylock(lock); \ +- if (!__ret) \ +- local_irq_restore(flags); \ +- __ret; \ +-}) ++#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags) + #define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags) + #define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags) + #else +-- +2.51.0 + diff --git a/queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..db387c051d --- /dev/null +++ b/queue-6.18/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From 1087b2442e32ab9bf9acaaa2243b8712fb12ecaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c +index 25562b17debe..2fd3469d1046 100644 +--- a/drivers/net/team/team_core.c ++++ b/drivers/net/team/team_core.c +@@ -878,7 +878,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch b/queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch new file mode 100644 index 0000000000..24c6f50903 --- /dev/null +++ b/queue-6.18/tools-sched_ext-fix-scx_show_state.py-for-scx_root-c.patch @@ -0,0 +1,68 @@ +From d0d3729af9a1838951e54f02bbe4ba5e83b8d543 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 17:46:49 +0900 +Subject: tools/sched_ext: fix scx_show_state.py for scx_root change + +From: Kohei Enju + +[ Upstream commit f92ff79ba2640fc482bf2bfb5b42e33957f90caf ] + +Commit 48e126777386 ("sched_ext: Introduce scx_sched") introduced +scx_root and removed scx_ops, causing scx_show_state.py to fail when +searching for the 'scx_ops' object. [1] + +Fix by using 'scx_root' instead, with NULL pointer handling. + +[1] + # drgn -s vmlinux ./tools/sched_ext/scx_show_state.py + Traceback (most recent call last): + File "/root/.venv/bin/drgn", line 8, in + sys.exit(_main()) + ~~~~~^^ + File "/root/.venv/lib64/python3.14/site-packages/drgn/cli.py", line 625, in _main + runpy.run_path( + ~~~~~~~~~~~~~~^ + script_path, init_globals={"prog": prog}, run_name="__main__" + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + ) + ^ + File "", line 287, in run_path + File "", line 98, in _run_module_code + File "", line 88, in _run_code + File "./tools/sched_ext/scx_show_state.py", line 30, in + ops = prog['scx_ops'] + ~~~~^^^^^^^^^^^ + _drgn.ObjectNotFoundError: could not find 'scx_ops' + +Fixes: 48e126777386 ("sched_ext: Introduce scx_sched") +Signed-off-by: Kohei Enju +Reviewed-by: Emil Tsalapatis +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + tools/sched_ext/scx_show_state.py | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/sched_ext/scx_show_state.py b/tools/sched_ext/scx_show_state.py +index 7cdcc6729ea4..aec4a4498140 100644 +--- a/tools/sched_ext/scx_show_state.py ++++ b/tools/sched_ext/scx_show_state.py +@@ -27,10 +27,13 @@ def read_static_key(name): + def state_str(state): + return prog['scx_enable_state_str'][state].string_().decode() + +-ops = prog['scx_ops'] ++root = prog['scx_root'] + enable_state = read_atomic("scx_enable_state_var") + +-print(f'ops : {ops.name.string_().decode()}') ++if root: ++ print(f'ops : {root.ops.name.string_().decode()}') ++else: ++ print('ops : ') + print(f'enabled : {read_static_key("__scx_enabled")}') + print(f'switching_all : {read_int("scx_switching_all")}') + print(f'switched_all : {read_static_key("__scx_switched_all")}') +-- +2.51.0 + diff --git a/queue-6.18/ublk-implement-numa-aware-memory-allocation.patch b/queue-6.18/ublk-implement-numa-aware-memory-allocation.patch new file mode 100644 index 0000000000..9330e56faa --- /dev/null +++ b/queue-6.18/ublk-implement-numa-aware-memory-allocation.patch @@ -0,0 +1,213 @@ +From 3da67f136c0f825a36708935a3202d97ede8240b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Nov 2025 21:31:17 +0800 +Subject: ublk: implement NUMA-aware memory allocation + +From: Ming Lei + +[ Upstream commit 529d4d6327880e5c60f4e0def39b3faaa7954e54 ] + +Implement NUMA-friendly memory allocation for ublk driver to improve +performance on multi-socket systems. + +This commit includes the following changes: + +1. Rename __queues to queues, dropping the __ prefix since the field is + now accessed directly throughout the codebase rather than only through + the ublk_get_queue() helper. + +2. Remove the queue_size field from struct ublk_device as it is no longer + needed. + +3. Move queue allocation and deallocation into ublk_init_queue() and + ublk_deinit_queue() respectively, improving encapsulation. This + simplifies ublk_init_queues() and ublk_deinit_queues() to just + iterate and call the per-queue functions. + +4. Add ublk_get_queue_numa_node() helper function to determine the + appropriate NUMA node for a queue by finding the first CPU mapped + to that queue via tag_set.map[HCTX_TYPE_DEFAULT].mq_map[] and + converting it to a NUMA node using cpu_to_node(). This function is + called internally by ublk_init_queue() to determine the allocation + node. + +5. Allocate each queue structure on its local NUMA node using + kvzalloc_node() in ublk_init_queue(). + +6. Allocate the I/O command buffer on the same NUMA node using + alloc_pages_node(). + +This reduces memory access latency on multi-socket NUMA systems by +ensuring each queue's data structures are local to the CPUs that +access them. + +Reviewed-by: Caleb Sander Mateos +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Stable-dep-of: 7fc4da6a304b ("ublk: scan partition in async way") +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 84 +++++++++++++++++++++++++--------------- + 1 file changed, 53 insertions(+), 31 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index d8079ea8f8ca..796035891888 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -210,9 +210,6 @@ struct ublk_queue { + struct ublk_device { + struct gendisk *ub_disk; + +- char *__queues; +- +- unsigned int queue_size; + struct ublksrv_ctrl_dev_info dev_info; + + struct blk_mq_tag_set tag_set; +@@ -240,6 +237,8 @@ struct ublk_device { + bool canceling; + pid_t ublksrv_tgid; + struct delayed_work exit_work; ++ ++ struct ublk_queue *queues[]; + }; + + /* header of ublk_params */ +@@ -782,7 +781,7 @@ static noinline void ublk_put_device(struct ublk_device *ub) + static inline struct ublk_queue *ublk_get_queue(struct ublk_device *dev, + int qid) + { +- return (struct ublk_queue *)&(dev->__queues[qid * dev->queue_size]); ++ return dev->queues[qid]; + } + + static inline bool ublk_rq_has_data(const struct request *rq) +@@ -2713,9 +2712,13 @@ static const struct file_operations ublk_ch_fops = { + + static void ublk_deinit_queue(struct ublk_device *ub, int q_id) + { +- int size = ublk_queue_cmd_buf_size(ub); +- struct ublk_queue *ubq = ublk_get_queue(ub, q_id); +- int i; ++ struct ublk_queue *ubq = ub->queues[q_id]; ++ int size, i; ++ ++ if (!ubq) ++ return; ++ ++ size = ublk_queue_cmd_buf_size(ub); + + for (i = 0; i < ubq->q_depth; i++) { + struct ublk_io *io = &ubq->ios[i]; +@@ -2727,57 +2730,76 @@ static void ublk_deinit_queue(struct ublk_device *ub, int q_id) + + if (ubq->io_cmd_buf) + free_pages((unsigned long)ubq->io_cmd_buf, get_order(size)); ++ ++ kvfree(ubq); ++ ub->queues[q_id] = NULL; ++} ++ ++static int ublk_get_queue_numa_node(struct ublk_device *ub, int q_id) ++{ ++ unsigned int cpu; ++ ++ /* Find first CPU mapped to this queue */ ++ for_each_possible_cpu(cpu) { ++ if (ub->tag_set.map[HCTX_TYPE_DEFAULT].mq_map[cpu] == q_id) ++ return cpu_to_node(cpu); ++ } ++ ++ return NUMA_NO_NODE; + } + + static int ublk_init_queue(struct ublk_device *ub, int q_id) + { +- struct ublk_queue *ubq = ublk_get_queue(ub, q_id); ++ int depth = ub->dev_info.queue_depth; ++ int ubq_size = sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io); + gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO; +- void *ptr; ++ struct ublk_queue *ubq; ++ struct page *page; ++ int numa_node; + int size; + ++ /* Determine NUMA node based on queue's CPU affinity */ ++ numa_node = ublk_get_queue_numa_node(ub, q_id); ++ ++ /* Allocate queue structure on local NUMA node */ ++ ubq = kvzalloc_node(ubq_size, GFP_KERNEL, numa_node); ++ if (!ubq) ++ return -ENOMEM; ++ + spin_lock_init(&ubq->cancel_lock); + ubq->flags = ub->dev_info.flags; + ubq->q_id = q_id; +- ubq->q_depth = ub->dev_info.queue_depth; ++ ubq->q_depth = depth; + size = ublk_queue_cmd_buf_size(ub); + +- ptr = (void *) __get_free_pages(gfp_flags, get_order(size)); +- if (!ptr) ++ /* Allocate I/O command buffer on local NUMA node */ ++ page = alloc_pages_node(numa_node, gfp_flags, get_order(size)); ++ if (!page) { ++ kvfree(ubq); + return -ENOMEM; ++ } ++ ubq->io_cmd_buf = page_address(page); + +- ubq->io_cmd_buf = ptr; ++ ub->queues[q_id] = ubq; + ubq->dev = ub; + return 0; + } + + static void ublk_deinit_queues(struct ublk_device *ub) + { +- int nr_queues = ub->dev_info.nr_hw_queues; + int i; + +- if (!ub->__queues) +- return; +- +- for (i = 0; i < nr_queues; i++) ++ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) + ublk_deinit_queue(ub, i); +- kvfree(ub->__queues); + } + + static int ublk_init_queues(struct ublk_device *ub) + { +- int nr_queues = ub->dev_info.nr_hw_queues; +- int depth = ub->dev_info.queue_depth; +- int ubq_size = sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io); +- int i, ret = -ENOMEM; ++ int i, ret; + +- ub->queue_size = ubq_size; +- ub->__queues = kvcalloc(nr_queues, ubq_size, GFP_KERNEL); +- if (!ub->__queues) +- return ret; +- +- for (i = 0; i < nr_queues; i++) { +- if (ublk_init_queue(ub, i)) ++ for (i = 0; i < ub->dev_info.nr_hw_queues; i++) { ++ ret = ublk_init_queue(ub, i); ++ if (ret) + goto fail; + } + +@@ -3179,7 +3201,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header) + goto out_unlock; + + ret = -ENOMEM; +- ub = kzalloc(sizeof(*ub), GFP_KERNEL); ++ ub = kzalloc(struct_size(ub, queues, info.nr_hw_queues), GFP_KERNEL); + if (!ub) + goto out_unlock; + mutex_init(&ub->mutex); +-- +2.51.0 + diff --git a/queue-6.18/ublk-scan-partition-in-async-way.patch b/queue-6.18/ublk-scan-partition-in-async-way.patch new file mode 100644 index 0000000000..510ac8eec8 --- /dev/null +++ b/queue-6.18/ublk-scan-partition-in-async-way.patch @@ -0,0 +1,119 @@ +From db4903c2e7c23cb6914052f287d18a50855256b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 11:27:40 +0800 +Subject: ublk: scan partition in async way + +From: Ming Lei + +[ Upstream commit 7fc4da6a304bdcd3de14fc946dc2c19437a9cc5a ] + +Implement async partition scan to avoid IO hang when reading partition +tables. Similar to nvme_partition_scan_work(), partition scanning is +deferred to a work queue to prevent deadlocks. + +When partition scan happens synchronously during add_disk(), IO errors +can cause the partition scan to wait while holding ub->mutex, which +can deadlock with other operations that need the mutex. + +Changes: +- Add partition_scan_work to ublk_device structure +- Implement ublk_partition_scan_work() to perform async scan +- Always suppress sync partition scan during add_disk() +- Schedule async work after add_disk() for trusted daemons +- Add flush_work() in ublk_stop_dev() before grabbing ub->mutex + +Reviewed-by: Caleb Sander Mateos +Reported-by: Yoav Cohen +Closes: https://lore.kernel.org/linux-block/DM4PR12MB63280C5637917C071C2F0D65A9A8A@DM4PR12MB6328.namprd12.prod.outlook.com/ +Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index 796035891888..23aba73d24dc 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -237,6 +237,7 @@ struct ublk_device { + bool canceling; + pid_t ublksrv_tgid; + struct delayed_work exit_work; ++ struct work_struct partition_scan_work; + + struct ublk_queue *queues[]; + }; +@@ -254,6 +255,20 @@ static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub, + u16 q_id, u16 tag, struct ublk_io *io, size_t offset); + static inline unsigned int ublk_req_build_flags(struct request *req); + ++static void ublk_partition_scan_work(struct work_struct *work) ++{ ++ struct ublk_device *ub = ++ container_of(work, struct ublk_device, partition_scan_work); ++ ++ if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN, ++ &ub->ub_disk->state))) ++ return; ++ ++ mutex_lock(&ub->ub_disk->open_mutex); ++ bdev_disk_changed(ub->ub_disk, false); ++ mutex_unlock(&ub->ub_disk->open_mutex); ++} ++ + static inline struct ublksrv_io_desc * + ublk_get_iod(const struct ublk_queue *ubq, unsigned tag) + { +@@ -2092,6 +2107,7 @@ static void ublk_stop_dev(struct ublk_device *ub) + mutex_lock(&ub->mutex); + ublk_stop_dev_unlocked(ub); + mutex_unlock(&ub->mutex); ++ flush_work(&ub->partition_scan_work); + ublk_cancel_dev(ub); + } + +@@ -3023,9 +3039,17 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, + + ublk_apply_params(ub); + +- /* don't probe partitions if any daemon task is un-trusted */ +- if (ub->unprivileged_daemons) +- set_bit(GD_SUPPRESS_PART_SCAN, &disk->state); ++ /* ++ * Suppress partition scan to avoid potential IO hang. ++ * ++ * If ublk server error occurs during partition scan, the IO may ++ * wait while holding ub->mutex, which can deadlock with other ++ * operations that need the mutex. Defer partition scan to async ++ * work. ++ * For unprivileged daemons, keep GD_SUPPRESS_PART_SCAN set ++ * permanently. ++ */ ++ set_bit(GD_SUPPRESS_PART_SCAN, &disk->state); + + ublk_get_device(ub); + ub->dev_info.state = UBLK_S_DEV_LIVE; +@@ -3042,6 +3066,10 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, + + set_bit(UB_STATE_USED, &ub->state); + ++ /* Schedule async partition scan for trusted daemons */ ++ if (!ub->unprivileged_daemons) ++ schedule_work(&ub->partition_scan_work); ++ + out_put_cdev: + if (ret) { + ublk_detach_disk(ub); +@@ -3207,6 +3235,7 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header) + mutex_init(&ub->mutex); + spin_lock_init(&ub->lock); + mutex_init(&ub->cancel_mutex); ++ INIT_WORK(&ub->partition_scan_work, ublk_partition_scan_work); + + ret = ublk_alloc_dev_number(ub, header->dev_id); + if (ret < 0) +-- +2.51.0 + diff --git a/queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch b/queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch new file mode 100644 index 0000000000..48a98bb489 --- /dev/null +++ b/queue-6.18/vfio-pds-fix-memory-leak-in-pds_vfio_dirty_enable.patch @@ -0,0 +1,46 @@ +From d53c035913c58d7348701d4bc70e2369ffa4a15c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Dec 2025 14:31:50 +0000 +Subject: vfio/pds: Fix memory leak in pds_vfio_dirty_enable() + +From: Zilin Guan + +[ Upstream commit 665077d78dc7941ce6a330c02023a2b469cc8cc7 ] + +pds_vfio_dirty_enable() allocates memory for region_info. If +interval_tree_iter_first() returns NULL, the function returns -EINVAL +immediately without freeing the allocated memory, causing a memory leak. + +Fix this by jumping to the out_free_region_info label to ensure +region_info is freed. + +Fixes: 2e7c6feb4ef52 ("vfio/pds: Add multi-region support") +Signed-off-by: Zilin Guan +Link: https://lore.kernel.org/r/20251225143150.1117366-1-zilin@seu.edu.cn +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/pds/dirty.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/vfio/pci/pds/dirty.c b/drivers/vfio/pci/pds/dirty.c +index 481992142f79..4915a7c1c491 100644 +--- a/drivers/vfio/pci/pds/dirty.c ++++ b/drivers/vfio/pci/pds/dirty.c +@@ -292,8 +292,11 @@ static int pds_vfio_dirty_enable(struct pds_vfio_pci_device *pds_vfio, + len = num_ranges * sizeof(*region_info); + + node = interval_tree_iter_first(ranges, 0, ULONG_MAX); +- if (!node) +- return -EINVAL; ++ if (!node) { ++ err = -EINVAL; ++ goto out_free_region_info; ++ } ++ + for (int i = 0; i < num_ranges; i++) { + struct pds_lm_dirty_region_info *ri = ®ion_info[i]; + u64 region_size = node->last - node->start + 1; +-- +2.51.0 + diff --git a/queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch new file mode 100644 index 0000000000..4ebba266e5 --- /dev/null +++ b/queue-6.18/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch @@ -0,0 +1,38 @@ +From 014b9d4e9dc58d57fde2f8d52e71d51b69ef9125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 14:14:47 +0300 +Subject: wifi: cfg80211: sme: store capped length in + __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ] + +The QGenie AI code review tool says we should store the capped length to +wdev->u.client.ssid_len. The AI is correct. + +Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 3a028ff287fb..4e629ca305bc 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -910,7 +910,7 @@ void __cfg80211_connect_result(struct net_device *dev, + + ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); + memcpy(wdev->u.client.ssid, ssid->data, ssid_len); +- wdev->u.client.ssid_len = ssid->datalen; ++ wdev->u.client.ssid_len = ssid_len; + break; + } + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch new file mode 100644 index 0000000000..afba5e18e5 --- /dev/null +++ b/queue-6.18/wifi-mac80211-do-not-use-old-mbssid-elements.patch @@ -0,0 +1,68 @@ +From 88eb399ada4f20fad8f75ec7f380ae5cdb4b567c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 09:46:56 -0800 +Subject: wifi: mac80211: do not use old MBSSID elements + +From: Aloka Dixit + +[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ] + +When userspace brings down and deletes a non-transmitted profile, +it is expected to send a new updated Beacon template for the +transmitted profile of that multiple BSSID (MBSSID) group which +does not include the removed profile in MBSSID element. This +update comes via NL80211_CMD_SET_BEACON. + +Such updates work well as long as the group continues to have at +least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS +is included in the new Beacon template. + +But when the last non-trasmitted profile is removed, it still +gets included in Beacon templates sent to driver. This happens +because when no MBSSID elements are sent by the userspace, +ieee80211_assign_beacon() ends up using the element stored from +earlier Beacon template. + +Do not copy old MBSSID elements, instead userspace should always +include these when applicable. + +Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode") +Signed-off-by: Aloka Dixit +Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index c52b0456039d..e18df59951a8 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1328,7 +1328,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + size = sizeof(*new) + new_head_len + new_tail_len; + +- /* new or old multiple BSSID elements? */ + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +@@ -1338,15 +1337,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + } + size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, + mbssid->cnt); +- } else if (old && old->mbssid_ies) { +- mbssid = old->mbssid_ies; +- size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- if (old && old->rnr_ies) { +- rnr = old->rnr_ies; +- size += struct_size(new->rnr_ies, elem, rnr->cnt); +- } +- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, +- mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +-- +2.51.0 + diff --git a/queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch b/queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch new file mode 100644 index 0000000000..bd0be4a639 --- /dev/null +++ b/queue-6.18/wifi-rtlwifi-8192cu-fix-tid-out-of-range-in-rtl92cu_.patch @@ -0,0 +1,42 @@ +From fb8d0081636731abd0dee633ebf6e39451cbfc68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 16:37:08 +0800 +Subject: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() + +From: Morning Star + +[ Upstream commit dd39edb445f07400e748da967a07d5dca5c5f96e ] + +TID getting from ieee80211_get_tid() might be out of range of array size +of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, +UBSAN warn: + + UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 + index 10 is out of range for type 'rtl_tid_data [9]' + +Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation") +Signed-off-by: Morning Star +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c +index aa702ba7c9f5..d6c35e8d02a5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c +@@ -511,7 +511,8 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw, + if (sta) { + sta_entry = (struct rtl_sta_info *)sta->drv_priv; + tid = ieee80211_get_tid(hdr); +- agg_state = sta_entry->tids[tid].agg.agg_state; ++ if (tid < MAX_TID_COUNT) ++ agg_state = sta_entry->tids[tid].agg.agg_state; + ampdu_density = sta->deflink.ht_cap.ampdu_density; + } + +-- +2.51.0 + diff --git a/queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch new file mode 100644 index 0000000000..79c865a5ea --- /dev/null +++ b/queue-6.18/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch @@ -0,0 +1,51 @@ +From 1e780c62309355e1fe612abe5f6d0316f428bf15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:38:49 +0800 +Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS + +From: Ping-Ke Shih + +[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ] + +The indirect IO is necessary for RTL8822CS, but not necessary for other +chips. Otherwiese, it throws errors and becomes unusable. + + rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + +By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but +RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only. + +Reported-by: Andrey Skvortsov +Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4 +Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on") +Signed-off-by: Ping-Ke Shih +Tested-by: Andrey Skvortsov +Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index 99d7c629eac6..e35de52d8eb4 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -144,8 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr, + + static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr) + { ++ bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C; ++ + if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) && +- !rtw_sdio_is_bus_addr(addr)) ++ !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off) + return false; + + return !rtw_sdio_is_sdio30_supported(rtwdev) || +-- +2.51.0 + diff --git a/queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch b/queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch new file mode 100644 index 0000000000..6afafd9c1a --- /dev/null +++ b/queue-6.6/amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch @@ -0,0 +1,53 @@ +From 0ff5ed9996181009e5e18f330f287a0a3b76be77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 20:47:28 +0530 +Subject: amd-xgbe: reset retries and mode on RX adapt failures + +From: Raju Rangoju + +[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ] + +During the stress tests, early RX adaptation handshakes can fail, such +as missing the RX_ADAPT ACK or not receiving a coefficient update before +block lock is established. Continuing to retry RX adaptation in this +state is often ineffective if the current mode selection is not viable. + +Resetting the RX adaptation retry counter when an RX_ADAPT request fails +to receive ACK or a coefficient update prior to block lock, and clearing +mode_set so the next bring-up performs a fresh mode selection rather +than looping on a likely invalid configuration. + +Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation") +Signed-off-by: Raju Rangoju +Reviewed-by: Simon Horman +Reviewed-by: Shyam Sundar S K +Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 32e633d11348..6d2c401bb246 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata, + { + if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) { + pdata->rx_adapt_retries = 0; ++ pdata->mode_set = false; + return; + } + +@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata) + */ + netif_dbg(pdata, link, pdata->netdev, "Block_lock done"); + pdata->rx_adapt_done = true; ++ pdata->rx_adapt_retries = 0; + pdata->mode_set = false; + return; + } +-- +2.51.0 + diff --git a/queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch b/queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch new file mode 100644 index 0000000000..befef05050 --- /dev/null +++ b/queue-6.6/blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch @@ -0,0 +1,158 @@ +From b486ce3914982fe695311552d240ae08827c049c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Mar 2024 10:12:44 +0800 +Subject: blk-mq: don't schedule block kworker on isolated CPUs + +From: Ming Lei + +[ Upstream commit a46c27026da10a126dd870f7b65380010bd20db5 ] + +Kernel parameter of `isolcpus=` or 'nohz_full=' are used to isolate CPUs +for specific task, and it isn't expected to let block IO disturb these CPUs. +blk-mq kworker shouldn't be scheduled on isolated CPUs. Also if isolated +CPUs is run for blk-mq kworker, long block IO latency can be caused. + +Kernel workqueue only respects CPU isolation for WQ_UNBOUND, for bound +WQ, the responsibility is on user because CPU is specified as WQ API +parameter, such as mod_delayed_work_on(cpu), queue_delayed_work_on(cpu) +and queue_work_on(cpu). + +So not run blk-mq kworker on isolated CPUs by removing isolated CPUs +from hctx->cpumask. Meantime use queue map to check if all CPUs in this +hw queue are offline instead of hctx->cpumask, this way can avoid any +cost in fast IO code path, and is safe since hctx->cpumask are only +used in the two cases. + +Cc: Tim Chen +Cc: Juri Lelli +Cc: Andrew Theurer +Cc: Joe Mario +Cc: Sebastian Jug +Cc: Frederic Weisbecker +Cc: Bart Van Assche +Cc: Tejun Heo +Tesed-by: Joe Mario +Signed-off-by: Ming Lei +Reviewed-by: Ewan D. Milne +Link: https://lore.kernel.org/r/20240322021244.1056223-1-ming.lei@redhat.com +Signed-off-by: Jens Axboe +Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx") +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 57 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 10 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 01fe1e715669..a3cd5079557b 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + +@@ -2193,6 +2194,15 @@ static inline int blk_mq_first_mapped_cpu(struct blk_mq_hw_ctx *hctx) + return cpu; + } + ++/* ++ * ->next_cpu is always calculated from hctx->cpumask, so simply use ++ * it for speeding up the check ++ */ ++static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx) ++{ ++ return hctx->next_cpu >= nr_cpu_ids; ++} ++ + /* + * It'd be great if the workqueue API had a way to pass + * in a mask and had some smarts for more clever placement. +@@ -2204,7 +2214,8 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx) + bool tried = false; + int next_cpu = hctx->next_cpu; + +- if (hctx->queue->nr_hw_queues == 1) ++ /* Switch to unbound if no allowable CPUs in this hctx */ ++ if (hctx->queue->nr_hw_queues == 1 || blk_mq_hctx_empty_cpumask(hctx)) + return WORK_CPU_UNBOUND; + + if (--hctx->next_cpu_batch <= 0) { +@@ -3535,14 +3546,30 @@ static bool blk_mq_hctx_has_requests(struct blk_mq_hw_ctx *hctx) + return data.has_rq; + } + +-static inline bool blk_mq_last_cpu_in_hctx(unsigned int cpu, +- struct blk_mq_hw_ctx *hctx) ++static bool blk_mq_hctx_has_online_cpu(struct blk_mq_hw_ctx *hctx, ++ unsigned int this_cpu) + { +- if (cpumask_first_and(hctx->cpumask, cpu_online_mask) != cpu) +- return false; +- if (cpumask_next_and(cpu, hctx->cpumask, cpu_online_mask) < nr_cpu_ids) +- return false; +- return true; ++ enum hctx_type type = hctx->type; ++ int cpu; ++ ++ /* ++ * hctx->cpumask has to rule out isolated CPUs, but userspace still ++ * might submit IOs on these isolated CPUs, so use the queue map to ++ * check if all CPUs mapped to this hctx are offline ++ */ ++ for_each_online_cpu(cpu) { ++ struct blk_mq_hw_ctx *h = blk_mq_map_queue_type(hctx->queue, ++ type, cpu); ++ ++ if (h != hctx) ++ continue; ++ ++ /* this hctx has at least one online CPU */ ++ if (this_cpu != cpu) ++ return true; ++ } ++ ++ return false; + } + + static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) +@@ -3551,8 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (!cpumask_test_cpu(cpu, hctx->cpumask) || +- !blk_mq_last_cpu_in_hctx(cpu, hctx)) ++ if (blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +@@ -4045,6 +4071,8 @@ static void blk_mq_map_swqueue(struct request_queue *q) + } + + queue_for_each_hw_ctx(q, hctx, i) { ++ int cpu; ++ + /* + * If no software queues are mapped to this hardware queue, + * disable it and free the request entries. +@@ -4071,6 +4099,15 @@ static void blk_mq_map_swqueue(struct request_queue *q) + */ + sbitmap_resize(&hctx->ctx_map, hctx->nr_ctx); + ++ /* ++ * Rule out isolated CPUs from hctx->cpumask to avoid ++ * running block kworker on isolated CPUs ++ */ ++ for_each_cpu(cpu, hctx->cpumask) { ++ if (cpu_is_isolated(cpu)) ++ cpumask_clear_cpu(cpu, hctx->cpumask); ++ } ++ + /* + * Initialize batch roundrobin counts + */ +-- +2.51.0 + diff --git a/queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch b/queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch new file mode 100644 index 0000000000..c326a2ac0b --- /dev/null +++ b/queue-6.6/blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch @@ -0,0 +1,39 @@ +From 310ae2979779bc3494ac470120dbd92849e86758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 17:17:05 +0800 +Subject: blk-mq: skip CPU offline notify on unmapped hctx + +From: Cong Zhang + +[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ] + +If an hctx has no software ctx mapped, blk_mq_map_swqueue() never +allocates tags and leaves hctx->tags NULL. The CPU hotplug offline +notifier can still run for that hctx, return early since hctx cannot +hold any requests. + +Signed-off-by: Cong Zhang +Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline") +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index a3cd5079557b..427a36237da3 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3578,7 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node) + struct blk_mq_hw_ctx, cpuhp_online); + int ret = 0; + +- if (blk_mq_hctx_has_online_cpu(hctx, cpu)) ++ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu)) + return 0; + + /* +-- +2.51.0 + diff --git a/queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch b/queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch new file mode 100644 index 0000000000..aa62ee8021 --- /dev/null +++ b/queue-6.6/bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch @@ -0,0 +1,89 @@ +From 30a16aa1680585028b9589908672142136d27986 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 11:02:28 -0500 +Subject: Bluetooth: btusb: revert use of devm_kzalloc in btusb + +From: Raphael Pinsonneault-Thibeault + +[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ] + +This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in +btusb.c file"). + +In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This +ties the lifetime of all the btusb data to the binding of a driver to +one interface, INTF. In a driver that binds to other interfaces, ISOC +and DIAG, this is an accident waiting to happen. + +The issue is revealed in btusb_disconnect(), where calling +usb_driver_release_interface(&btusb_driver, data->intf) will have devm +free the data that is also being used by the other interfaces of the +driver that may not be released yet. + +To fix this, revert the use of devm and go back to freeing memory +explicitly. + +Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file") +Signed-off-by: Raphael Pinsonneault-Thibeault +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 7bc7ee4eebd3..1309e9318bdb 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -4342,7 +4342,7 @@ static int btusb_probe(struct usb_interface *intf, + return -ENODEV; + } + +- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -4365,8 +4365,10 @@ static int btusb_probe(struct usb_interface *intf, + } + } + +- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) ++ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) { ++ kfree(data); + return -ENODEV; ++ } + + if (id->driver_info & BTUSB_AMP) { + data->cmdreq_type = USB_TYPE_CLASS | 0x01; +@@ -4421,8 +4423,10 @@ static int btusb_probe(struct usb_interface *intf, + data->recv_acl = hci_recv_frame; + + hdev = hci_alloc_dev_priv(priv_size); +- if (!hdev) ++ if (!hdev) { ++ kfree(data); + return -ENOMEM; ++ } + + hdev->bus = HCI_USB; + hci_set_drvdata(hdev, data); +@@ -4690,6 +4694,7 @@ static int btusb_probe(struct usb_interface *intf, + if (data->reset_gpio) + gpiod_put(data->reset_gpio); + hci_free_dev(hdev); ++ kfree(data); + return err; + } + +@@ -4738,6 +4743,7 @@ static void btusb_disconnect(struct usb_interface *intf) + } + + hci_free_dev(hdev); ++ kfree(data); + } + + #ifdef CONFIG_PM +-- +2.51.0 + diff --git a/queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch b/queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch new file mode 100644 index 0000000000..6a3d548003 --- /dev/null +++ b/queue-6.6/crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch @@ -0,0 +1,61 @@ +From a3f9fe27db9335006df92ce348abf41fe0b9b484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 14:15:41 +0800 +Subject: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt + +From: Herbert Xu + +[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ] + +As soon as crypto_aead_encrypt is called, the underlying request +may be freed by an asynchronous completion. Thus dereferencing +req->iv after it returns is invalid. + +Instead of checking req->iv against info, create a new variable +unaligned_info and use it for that purpose instead. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Reported-by: Xiumei Mu +Reported-by: Xin Long +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 17e11d51ddc3..04928df0095b 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv); + struct aead_request *subreq = aead_request_ctx(req); + crypto_completion_t compl; ++ bool unaligned_info; + void *data; + u8 *info; + unsigned int ivsize = 8; +@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req) + return err; + } + +- if (unlikely(!IS_ALIGNED((unsigned long)info, +- crypto_aead_alignmask(geniv) + 1))) { ++ unaligned_info = !IS_ALIGNED((unsigned long)info, ++ crypto_aead_alignmask(geniv) + 1); ++ if (unlikely(unaligned_info)) { + info = kmemdup(req->iv, ivsize, req->base.flags & + CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : + GFP_ATOMIC); +@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req) + scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1); + + err = crypto_aead_encrypt(subreq); +- if (unlikely(info != req->iv)) ++ if (unlikely(unaligned_info)) + seqiv_aead_encrypt_complete2(req, err); + return err; + } +-- +2.51.0 + diff --git a/queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch b/queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch new file mode 100644 index 0000000000..5498a370b8 --- /dev/null +++ b/queue-6.6/firewire-nosy-fix-dma_free_coherent-size.patch @@ -0,0 +1,68 @@ +From 086ae0a837ed10c810ec9845f5cae4e1ab1ca99a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 17:54:18 +0100 +Subject: firewire: nosy: Fix dma_free_coherent() size + +From: Thomas Fourier + +[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ] + +It looks like the buffer allocated and mapped in add_card() is done +with size RCV_BUFFER_SIZE which is 16 KB and 4KB. + +Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer") +Co-developed-by: Thomas Fourier +Signed-off-by: Thomas Fourier +Co-developed-by: Christophe JAILLET +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com +Signed-off-by: Takashi Sakamoto +Signed-off-by: Sasha Levin +--- + drivers/firewire/nosy.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c +index ea31ac7ac1ca..e59053738a43 100644 +--- a/drivers/firewire/nosy.c ++++ b/drivers/firewire/nosy.c +@@ -36,6 +36,8 @@ + + static char driver_name[] = KBUILD_MODNAME; + ++#define RCV_BUFFER_SIZE (16 * 1024) ++ + /* this is the physical layout of a PCL, its size is 128 bytes */ + struct pcl { + __le32 next; +@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev) + lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus); + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer, +- lynx->rcv_buffer_bus); ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, ++ lynx->rcv_buffer, lynx->rcv_buffer_bus); + + iounmap(lynx->registers); + pci_disable_device(dev); + lynx_put(lynx); + } + +-#define RCV_BUFFER_SIZE (16 * 1024) +- + static int + add_card(struct pci_dev *dev, const struct pci_device_id *unused) + { +@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused) + dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl), + lynx->rcv_pcl, lynx->rcv_pcl_bus); + if (lynx->rcv_buffer) +- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, ++ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE, + lynx->rcv_buffer, lynx->rcv_buffer_bus); + iounmap(lynx->registers); + +-- +2.51.0 + diff --git a/queue-6.6/genalloc.h-fix-htmldocs-warning.patch b/queue-6.6/genalloc.h-fix-htmldocs-warning.patch new file mode 100644 index 0000000000..990cbf23b4 --- /dev/null +++ b/queue-6.6/genalloc.h-fix-htmldocs-warning.patch @@ -0,0 +1,38 @@ +From 37f4c2668d8a07b78cd404219b10c1fa89551bb5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 10:39:24 -0800 +Subject: genalloc.h: fix htmldocs warning + +From: Andrew Morton + +[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ] + +WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t' + +Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk") +Reported-by: Stephen Rothwell +Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Cc: Alexey Skidanov +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/genalloc.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h +index 0bd581003cd5..60de63e46b33 100644 +--- a/include/linux/genalloc.h ++++ b/include/linux/genalloc.h +@@ -44,6 +44,7 @@ struct gen_pool; + * @nr: The number of zeroed bits we're looking for + * @data: optional additional data used by the callback + * @pool: the pool being allocated from ++ * @start_addr: start address of memory chunk + */ + typedef unsigned long (*genpool_algo_t)(unsigned long *map, + unsigned long size, +-- +2.51.0 + diff --git a/queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch b/queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch new file mode 100644 index 0000000000..234f4a36fd --- /dev/null +++ b/queue-6.6/i40e-fix-scheduling-in-set_rx_mode.patch @@ -0,0 +1,53 @@ +From e5264aaa2b26f56024adbb8653361db27224e4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Nov 2025 13:07:28 +0100 +Subject: i40e: fix scheduling in set_rx_mode + +From: Przemyslaw Korba + +[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ] + +Add service task schedule to set_rx_mode. +In some cases there are error messages printed out in PTP application +(ptp4l): + +ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp +ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp + +This happens when service task would not run immediately after +set_rx_mode, and we need it for setup tasks. This service task checks, if +PTP RX packets are hung in firmware, and propagate correct settings such +as multicast address for IEEE 1588 Precision Time Protocol. +RX timestamping depends on some of these filters set. Bug happens only +with high PTP packets frequency incoming, and not every run since +sometimes service task is being ran from a different place immediately +after starting ptp4l. + +Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops") +Reviewed-by: Grzegorz Nitka +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Przemyslaw Korba +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index affdbd3ee76c..8a0eb51fe974 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -2260,6 +2260,7 @@ static void i40e_set_rx_mode(struct net_device *netdev) + vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED; + set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state); + } ++ i40e_service_event_schedule(vsi->back); + } + + /** +-- +2.51.0 + diff --git a/queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch b/queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch new file mode 100644 index 0000000000..f36ca159ff --- /dev/null +++ b/queue-6.6/iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch @@ -0,0 +1,113 @@ +From 933c10f3f4dca56c414a1f37229eeb511c804ff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Oct 2025 01:58:50 +0900 +Subject: iavf: fix off-by-one issues in iavf_config_rss_reg() + +From: Kohei Enju + +[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ] + +There are off-by-one bugs when configuring RSS hash key and lookup +table, causing out-of-bounds reads to memory [1] and out-of-bounds +writes to device registers. + +Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), +the loop upper bounds were: + i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX +which is safe since the value is the last valid index. + +That commit changed the bounds to: + i <= adapter->rss_{key,lut}_size / 4 +where `rss_{key,lut}_size / 4` is the number of dwords, so the last +valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` +accesses one element past the end. + +Fix the issues by using `<` instead of `<=`, ensuring we do not exceed +the bounds. + +[1] KASAN splat about rss_key_size off-by-one + BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 + Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 + + CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 + Workqueue: iavf iavf_watchdog_task + Call Trace: + + dump_stack_lvl+0x6f/0xb0 + print_report+0x170/0x4f3 + kasan_report+0xe1/0x1a0 + iavf_config_rss+0x619/0x800 + iavf_watchdog_task+0x2be7/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + + Allocated by task 63: + kasan_save_stack+0x30/0x50 + kasan_save_track+0x14/0x30 + __kasan_kmalloc+0x7f/0x90 + __kmalloc_noprof+0x246/0x6f0 + iavf_watchdog_task+0x28fc/0x3230 + process_one_work+0x7fd/0x1420 + worker_thread+0x4d1/0xd40 + kthread+0x344/0x660 + ret_from_fork+0x249/0x320 + ret_from_fork_asm+0x1a/0x30 + + The buggy address belongs to the object at ffff888102c50100 + which belongs to the cache kmalloc-64 of size 64 + The buggy address is located 0 bytes to the right of + allocated 52-byte region [ffff888102c50100, ffff888102c50134) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 + flags: 0x200000000000000(node=0|zone=2) + page_type: f5(slab) + raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 + raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc + >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc + ^ + ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc + ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Kohei Enju +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index fde8d7b80ca6..f6a748ae1c95 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1750,11 +1750,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter) + u16 i; + + dw = (u32 *)adapter->rss_key; +- for (i = 0; i <= adapter->rss_key_size / 4; i++) ++ for (i = 0; i < adapter->rss_key_size / 4; i++) + wr32(hw, IAVF_VFQF_HKEY(i), dw[i]); + + dw = (u32 *)adapter->rss_lut; +- for (i = 0; i <= adapter->rss_lut_size / 4; i++) ++ for (i = 0; i < adapter->rss_lut_size / 4; i++) + wr32(hw, IAVF_VFQF_HLUT(i), dw[i]); + + iavf_flush(hw); +-- +2.51.0 + diff --git a/queue-6.6/ip6_gre-make-ip6gre_header-robust.patch b/queue-6.6/ip6_gre-make-ip6gre_header-robust.patch new file mode 100644 index 0000000000..451209fb18 --- /dev/null +++ b/queue-6.6/ip6_gre-make-ip6gre_header-robust.patch @@ -0,0 +1,76 @@ +From c88760e2a83e6451f009d434719efe404fce78c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 17:35:50 +0000 +Subject: ip6_gre: make ip6gre_header() robust + +From: Eric Dumazet + +[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ] + +Over the years, syzbot found many ways to crash the kernel +in ip6gre_header() [1]. + +This involves team or bonding drivers ability to dynamically +change their dev->needed_headroom and/or dev->hard_header_len + +In this particular crash mld_newpack() allocated an skb +with a too small reserve/headroom, and by the time mld_sendpack() +was called, syzbot managed to attach an ip6gre device. + +[1] +skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 +------------[ cut here ]------------ + kernel BUG at net/core/skbuff.c:213 ! + + skb_under_panic net/core/skbuff.c:223 [inline] + skb_push+0xc3/0xe0 net/core/skbuff.c:2641 + ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 + dev_hard_header include/linux/netdevice.h:3436 [inline] + neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 + neigh_output include/net/neighbour.h:556 [inline] + ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 + __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] + ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 + NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 + mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 + mld_send_cr net/ipv6/mcast.c:2154 [inline] + mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 289b83347d9d..63ac4a8e095b 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -1382,9 +1382,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev, + { + struct ip6_tnl *t = netdev_priv(dev); + struct ipv6hdr *ipv6h; ++ int needed; + __be16 *p; + +- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h)); ++ needed = t->hlen + sizeof(*ipv6h); ++ if (skb_headroom(skb) < needed && ++ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)), ++ 0, GFP_ATOMIC)) ++ return -needed; ++ ++ ipv6h = skb_push(skb, needed); + ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb, + t->fl.u.ip6.flowlabel, + true, &t->fl.u.ip6)); +-- +2.51.0 + diff --git a/queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch b/queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch new file mode 100644 index 0000000000..16169392dc --- /dev/null +++ b/queue-6.6/ipv4-fix-reference-count-leak-when-using-error-route.patch @@ -0,0 +1,73 @@ +From 2b60146c867b915dc893e9ee920d4e662f548bc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Dec 2025 16:48:28 +0200 +Subject: ipv4: Fix reference count leak when using error routes with nexthop + objects + +From: Ido Schimmel + +[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ] + +When a nexthop object is deleted, it is marked as dead and then +fib_table_flush() is called to flush all the routes that are using the +dead nexthop. + +The current logic in fib_table_flush() is to only flush error routes +(e.g., blackhole) when it is called as part of network namespace +dismantle (i.e., with flush_all=true). Therefore, error routes are not +flushed when their nexthop object is deleted: + + # ip link add name dummy1 up type dummy + # ip nexthop add id 1 dev dummy1 + # ip route add 198.51.100.1/32 nhid 1 + # ip route add blackhole 198.51.100.2/32 nhid 1 + # ip nexthop del id 1 + # ip route show + blackhole 198.51.100.2 nhid 1 dev dummy1 + +As such, they keep holding a reference on the nexthop object which in +turn holds a reference on the nexthop device, resulting in a reference +count leak: + + # ip link del dev dummy1 + [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 + +Fix by flushing error routes when their nexthop is marked as dead. + +IPv6 does not suffer from this problem. + +Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects") +Reported-by: Tetsuo Handa +Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/ +Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com +Signed-off-by: Ido Schimmel +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/fib_trie.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c +index fa54b36b241a..4d148d089232 100644 +--- a/net/ipv4/fib_trie.c ++++ b/net/ipv4/fib_trie.c +@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all) + continue; + } + +- /* Do not flush error routes if network namespace is +- * not being dismantled ++ /* When not flushing the entire table, skip error ++ * routes that are not marked for deletion. + */ +- if (!flush_all && fib_props[fa->fa_type].error) { ++ if (!flush_all && fib_props[fa->fa_type].error && ++ !(fi->fib_flags & RTNH_F_DEAD)) { + slen = fa->fa_slen; + continue; + } +-- +2.51.0 + diff --git a/queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch b/queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch new file mode 100644 index 0000000000..d292b017c2 --- /dev/null +++ b/queue-6.6/ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch @@ -0,0 +1,97 @@ +From 833f20844a89120ed483dccb63055ebf89cc8a4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 10:36:37 -0700 +Subject: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() + +From: Will Rosenberg + +[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ] + +There exists a kernel oops caused by a BUG_ON(nhead < 0) at +net/core/skbuff.c:2232 in pskb_expand_head(). +This bug is triggered as part of the calipso_skbuff_setattr() +routine when skb_cow() is passed headroom > INT_MAX +(i.e. (int)(skb_headroom(skb) + len_delta) < 0). + +The root cause of the bug is due to an implicit integer cast in +__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure +that delta = headroom - skb_headroom(skb) is never negative, otherwise +we will trigger a BUG_ON in pskb_expand_head(). However, if +headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta +becomes negative, and pskb_expand_head() is passed a negative value for +nhead. + +Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing +"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() +by only using skb_cow() to grow headroom. + +PoC: + Using `netlabelctl` tool: + + netlabelctl map del default + netlabelctl calipso add pass doi:7 + netlabelctl map add default address:0::1/128 protocol:calipso,7 + + Then run the following PoC: + + int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); + + // setup msghdr + int cmsg_size = 2; + int cmsg_len = 0x60; + struct msghdr msg; + struct sockaddr_in6 dest_addr; + struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, + sizeof(struct cmsghdr) + cmsg_len); + msg.msg_name = &dest_addr; + msg.msg_namelen = sizeof(dest_addr); + msg.msg_iov = NULL; + msg.msg_iovlen = 0; + msg.msg_control = cmsg; + msg.msg_controllen = cmsg_len; + msg.msg_flags = 0; + + // setup sockaddr + dest_addr.sin6_family = AF_INET6; + dest_addr.sin6_port = htons(31337); + dest_addr.sin6_flowinfo = htonl(31337); + dest_addr.sin6_addr = in6addr_loopback; + dest_addr.sin6_scope_id = 31337; + + // setup cmsghdr + cmsg->cmsg_len = cmsg_len; + cmsg->cmsg_level = IPPROTO_IPV6; + cmsg->cmsg_type = IPV6_HOPOPTS; + char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); + hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 + + sendmsg(fd, &msg, 0); + +Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.") +Suggested-by: Paul Moore +Signed-off-by: Will Rosenberg +Acked-by: Paul Moore +Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 24666291c54a..72079ef2959b 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb, + /* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */ + pad = ((new_end & 4) + (end & 7)) & 7; + len_delta = new_end - (int)end + pad; +- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta); ++ ret_val = skb_cow(skb, ++ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0)); + if (ret_val < 0) + return ret_val; + +-- +2.51.0 + diff --git a/queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch b/queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch new file mode 100644 index 0000000000..6cbad934d2 --- /dev/null +++ b/queue-6.6/ksmbd-fix-memory-leak-in-get_file_all_info.patch @@ -0,0 +1,43 @@ +From 4c60d919c0dbc04c0dc8d6ad094cde74d77ba6ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Dec 2025 14:20:16 +0000 +Subject: ksmbd: Fix memory leak in get_file_all_info() + +From: Zilin Guan + +[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ] + +In get_file_all_info(), if vfs_getattr() fails, the function returns +immediately without freeing the allocated filename, leading to a memory +leak. + +Fix this by freeing the filename before returning in this error case. + +Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr") +Signed-off-by: Zilin Guan +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/smb2pdu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c +index 3ed78decdca4..f4b3798279d9 100644 +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4912,8 +4912,10 @@ static int get_file_all_info(struct ksmbd_work *work, + + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); +- if (ret) ++ if (ret) { ++ kfree(filename); + return ret; ++ } + + ksmbd_debug(SMB, "filename = %s\n", filename); + delete_pending = ksmbd_inode_pending_delete(fp); +-- +2.51.0 + diff --git a/queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch b/queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch new file mode 100644 index 0000000000..904ef0cf71 --- /dev/null +++ b/queue-6.6/net-bridge-describe-tunnel_hash-member-in-net_bridge.patch @@ -0,0 +1,42 @@ +From 42f8d77b03efe54397ea38ad225077e20ddc5a1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 11:29:37 +0700 +Subject: net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group + struct + +From: Bagas Sanjaya + +[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ] + +Sphinx reports kernel-doc warning: + +WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group' + +Fix it by describing @tunnel_hash member. + +Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support") +Signed-off-by: Bagas Sanjaya +Acked-by: Nikolay Aleksandrov +Reviewed-by: Ido Schimmel +Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index c8a4e3b39b0e..371a948d29cc 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -245,6 +245,7 @@ struct net_bridge_vlan { + * struct net_bridge_vlan_group + * + * @vlan_hash: VLAN entry rhashtable ++ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN + * @vlan_list: sorted VLAN entry list + * @num_vlans: number of total VLAN entries + * @pvid: PVID VLAN id +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch b/queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch new file mode 100644 index 0000000000..c5a9eeddef --- /dev/null +++ b/queue-6.6/net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch @@ -0,0 +1,45 @@ +From 37e19142043c943e32e774d49258d863fc3be81a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 21:57:56 +0100 +Subject: net: dsa: b53: skip multicast entries for fdb_dump() + +From: Jonas Gorski + +[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ] + +port_fdb_dump() is supposed to only add fdb entries, but we iterate over +the full ARL table, which also includes multicast entries. + +So check if the entry is a multicast entry before passing it on to the +callback(). + +Additionally, the port of those entries is a bitmask, not a port number, +so any included entries would have even be for the wrong port. + +Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations") +Signed-off-by: Jonas Gorski +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index ffe8db7c2f1f..ee20f6487a02 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1846,6 +1846,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent, + if (!ent->is_valid) + return 0; + ++ if (is_multicast_ether_addr(ent->mac)) ++ return 0; ++ + if (port != ent->port) + return 0; + +-- +2.51.0 + diff --git a/queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch b/queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch new file mode 100644 index 0000000000..bf8cdbe094 --- /dev/null +++ b/queue-6.6/net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch @@ -0,0 +1,52 @@ +From 67bc6f3f803679ba47d4f0489c2a47a7baf558fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 14:24:58 +0800 +Subject: net: mdio: aspeed: add dummy read to avoid read-after-write issue + +From: Jacky Chou + +[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ] + +The Aspeed MDIO controller may return incorrect data when a read operation +follows immediately after a write. Due to a controller bug, the subsequent +read can latch stale data, causing the polling logic to terminate earlier +than expected. + +To work around this hardware issue, insert a dummy read after each write +operation. This ensures that the next actual read returns the correct +data and prevents premature polling exit. + +This workaround has been verified to stabilize MDIO transactions on +affected Aspeed platforms. + +Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed") +Signed-off-by: Jacky Chou +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/mdio/mdio-aspeed.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c +index c727103c8b05..339198a4dbc0 100644 +--- a/drivers/net/mdio/mdio-aspeed.c ++++ b/drivers/net/mdio/mdio-aspeed.c +@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad, + + iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL); + ++ /* Workaround for read-after-write issue. ++ * The controller may return stale data if a read follows immediately ++ * after a write. A dummy read forces the hardware to update its ++ * internal state, ensuring that the next real read returns correct data. ++ */ ++ ioread32(ctx->base + ASPEED_MDIO_CTRL); ++ + return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl, + !(ctrl & ASPEED_MDIO_CTRL_FIRE), + ASPEED_MDIO_INTERVAL_US, +-- +2.51.0 + diff --git a/queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch b/queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch new file mode 100644 index 0000000000..240be02150 --- /dev/null +++ b/queue-6.6/net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch @@ -0,0 +1,68 @@ +From 2af538c35ad42eaa0cc08b129754e184bf25456b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 12:50:05 +0100 +Subject: net: openvswitch: Avoid needlessly taking the RTNL on vport destroy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ] + +The openvswitch teardown code will immediately call +ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification. +It will then start the dp_notify_work workqueue, which will later end up +calling the vport destroy() callback. This callback takes the RTNL to do +another ovs_netdev_detach_port(), which in this case is unnecessary. +This causes extra pressure on the RTNL, in some cases leading to +"unregister_netdevice: waiting for XX to become free" warnings on +teardown. + +We can straight-forwardly avoid the extra RTNL lock acquisition by +checking the device flags before taking the lock, and skip the locking +altogether if the IFF_OVS_DATAPATH flag has already been unset. + +Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister") +Tested-by: Adrian Moreno +Signed-off-by: Toke Høiland-Jørgensen +Acked-by: Eelco Chaudron +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport-netdev.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c +index 903537a5da22..3c41d53bb9e9 100644 +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -153,10 +153,19 @@ void ovs_netdev_detach_dev(struct vport *vport) + + static void netdev_destroy(struct vport *vport) + { +- rtnl_lock(); +- if (netif_is_ovs_port(vport->dev)) +- ovs_netdev_detach_dev(vport); +- rtnl_unlock(); ++ /* When called from ovs_db_notify_wq() after a dp_device_event(), the ++ * port has already been detached, so we can avoid taking the RTNL by ++ * checking this first. ++ */ ++ if (netif_is_ovs_port(vport->dev)) { ++ rtnl_lock(); ++ /* Check again while holding the lock to ensure we don't race ++ * with the netdev notifier and detach twice. ++ */ ++ if (netif_is_ovs_port(vport->dev)) ++ ovs_netdev_detach_dev(vport); ++ rtnl_unlock(); ++ } + + call_rcu(&vport->rcu, vport_netdev_free); + } +-- +2.51.0 + diff --git a/queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch b/queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch new file mode 100644 index 0000000000..62fc699ded --- /dev/null +++ b/queue-6.6/net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch @@ -0,0 +1,48 @@ +From fd7b5b8a4fcb288b7cd00082577c976d50248b08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Dec 2025 21:22:27 +0000 +Subject: net: rose: fix invalid array index in rose_kill_by_device() + +From: Pwnverse + +[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ] + +rose_kill_by_device() collects sockets into a local array[] and then +iterates over them to disconnect sockets bound to a device being brought +down. + +The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < +ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == +ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to +an invalid socket pointer dereference and also leaks references taken +via sock_hold(). + +Fix the index to use i. + +Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()") +Co-developed-by: Fatma Alwasmi +Signed-off-by: Fatma Alwasmi +Signed-off-by: Pwnverse +Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 614695444b6a..1cc5eaeb1c60 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev) + spin_unlock_bh(&rose_list_lock); + + for (i = 0; i < cnt; i++) { +- sk = array[cnt]; ++ sk = array[i]; + rose = rose_sk(sk); + lock_sock(sk); + spin_lock_bh(&rose_list_lock); +-- +2.51.0 + diff --git a/queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch b/queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch new file mode 100644 index 0000000000..968aaeea8b --- /dev/null +++ b/queue-6.6/net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch @@ -0,0 +1,96 @@ +From 1dbb1c5c9d3abc472627d4ac332d5643d9b07646 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Dec 2025 15:13:32 +0800 +Subject: net: stmmac: fix the crash issue for zero copy XDP_TX action + +From: Wei Fang + +[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ] + +There is a crash issue when running zero copy XDP_TX action, the crash +log is shown below. + +[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 +[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP +[ 216.301694] Call trace: +[ 216.304130] dcache_clean_poc+0x20/0x38 (P) +[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 +[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 +[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 +[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 +[ 216.326576] __napi_poll+0x40/0x218 +[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt + +For XDP_TX action, the xdp_buff is converted to xdp_frame by +xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame +depends on the memory type of the xdp_buff. For page pool based xdp_buff +it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy +XSK pool based xdp_buff it produces xdp_frame with memory type +MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the +memory type and always uses the page pool type, this leads to invalid +mappings and causes the crash. Therefore, check the xdp_buff memory type +in stmmac_xdp_xmit_back() to fix this issue. + +Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy") +Signed-off-by: Wei Fang +Reviewed-by: Hariprasad Kelam +Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + .../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 255c95988675..7a8861d77e04 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address"); + #define STMMAC_XDP_CONSUMED BIT(0) + #define STMMAC_XDP_TX BIT(1) + #define STMMAC_XDP_REDIRECT BIT(2) ++#define STMMAC_XSK_CONSUMED BIT(3) + + static int flow_ctrl = FLOW_AUTO; + module_param(flow_ctrl, int, 0644); +@@ -4875,6 +4876,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv, + static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + struct xdp_buff *xdp) + { ++ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL); + struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp); + int cpu = smp_processor_id(); + struct netdev_queue *nq; +@@ -4891,9 +4893,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv, + /* Avoids TX time-out as we are sharing with slow path */ + txq_trans_cond_update(nq); + +- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false); +- if (res == STMMAC_XDP_TX) ++ /* For zero copy XDP_TX action, dma_map is true */ ++ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc); ++ if (res == STMMAC_XDP_TX) { + stmmac_flush_tx_descriptors(priv, queue); ++ } else if (res == STMMAC_XDP_CONSUMED && zc) { ++ /* xdp has been freed by xdp_convert_buff_to_frame(), ++ * no need to call xsk_buff_free() again, so return ++ * STMMAC_XSK_CONSUMED. ++ */ ++ res = STMMAC_XSK_CONSUMED; ++ xdp_return_frame(xdpf); ++ } + + __netif_tx_unlock(nq); + +@@ -5239,6 +5250,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue) + break; + case STMMAC_XDP_CONSUMED: + xsk_buff_free(buf->xdp); ++ fallthrough; ++ case STMMAC_XSK_CONSUMED: + rx_dropped++; + break; + case STMMAC_XDP_TX: +-- +2.51.0 + diff --git a/queue-6.6/net-usb-asix-validate-phy-address-before-use.patch b/queue-6.6/net-usb-asix-validate-phy-address-before-use.patch new file mode 100644 index 0000000000..66187cd342 --- /dev/null +++ b/queue-6.6/net-usb-asix-validate-phy-address-before-use.patch @@ -0,0 +1,53 @@ +From c203e307d6cd761bfbe1f2fe4ee77a0be46e60f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 06:41:56 +0530 +Subject: net: usb: asix: validate PHY address before use + +From: Deepanshu Kartikey + +[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ] + +The ASIX driver reads the PHY address from the USB device via +asix_read_phy_addr(). A malicious or faulty device can return an +invalid address (>= PHY_MAX_ADDR), which causes a warning in +mdiobus_get_phy(): + + addr 207 out of range + WARNING: drivers/net/phy/mdio_bus.c:76 + +Validate the PHY address in asix_read_phy_addr() and remove the +now-redundant check in ax88172a.c. + +Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232 +Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com +Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return") +Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1] +Signed-off-by: Deepanshu Kartikey +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_common.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c +index 7fd763917ae2..6ab3486072cb 100644 +--- a/drivers/net/usb/asix_common.c ++++ b/drivers/net/usb/asix_common.c +@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal) + offset = (internal ? 1 : 0); + ret = buf[offset]; + ++ if (ret >= PHY_MAX_ADDR) { ++ netdev_err(dev->net, "invalid PHY address: %d\n", ret); ++ return -ENODEV; ++ } ++ + netdev_dbg(dev->net, "%s PHY address 0x%x\n", + internal ? "internal" : "external", ret); + +-- +2.51.0 + diff --git a/queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch b/queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch new file mode 100644 index 0000000000..1c35024684 --- /dev/null +++ b/queue-6.6/net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch @@ -0,0 +1,47 @@ +From f309a658b46a14a094ab0cce0b48df6dea4da132 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 20:43:05 +0530 +Subject: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure + +From: Deepakkumar Karn + +[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ] + +In async_set_registers(), when usb_submit_urb() fails, the allocated + async_req structure and URB are not freed, causing a memory leak. + + The completion callback async_set_reg_cb() is responsible for freeing + these allocations, but it is only called after the URB is successfully + submitted and completes (successfully or with error). If submission + fails, the callback never runs and the memory is leaked. + + Fix this by freeing both the URB and the request structure in the error + path when usb_submit_urb() fails. + +Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52 +Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix") +Signed-off-by: Deepakkumar Karn +Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/rtl8150.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c +index 278e6cb6f4d9..e40b0669d9f4 100644 +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg) + if (res == -ENODEV) + netif_device_detach(dev->netdev); + dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res); ++ kfree(req); ++ usb_free_urb(async_urb); + } + return res; + } +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch b/queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch new file mode 100644 index 0000000000..e6d0a3770f --- /dev/null +++ b/queue-6.6/octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch @@ -0,0 +1,45 @@ +From 06da88a378fb115f5366c96cee876e0b87411038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 11:52:26 +0530 +Subject: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" + +From: Anshumali Gaur + +[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ] + +This patch ensures that the RX ring size (rx_pending) is not +set below the permitted length. This avoids UBSAN +shift-out-of-bounds errors when users passes small or zero +ring sizes via ethtool -G. + +Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support") +Signed-off-by: Anshumali Gaur +Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +index 532e84bc38c7..bd01c538f208 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c +@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev, + */ + if (rx_count < pfvf->hw.rq_skid) + rx_count = pfvf->hw.rq_skid; ++ ++ if (ring->rx_pending < 16) { ++ netdev_err(netdev, ++ "rx ring size %u invalid, min is 16\n", ++ ring->rx_pending); ++ return -EINVAL; ++ } ++ + rx_count = Q_COUNT(Q_SIZE(rx_count, 3)); + + /* Due pipelining impact minimum 2000 unused SQ CQE's +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch b/queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch new file mode 100644 index 0000000000..e6bdbc6d3f --- /dev/null +++ b/queue-6.6/platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch @@ -0,0 +1,129 @@ +From 7feb9df01cae85e81cb13708f521bd7f5a258756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Dec 2025 19:42:05 +0800 +Subject: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI + package parsing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ] + +The hp_populate_*_elements_from_package() functions in the hp-bioscfg +driver contain out-of-bounds array access vulnerabilities. + +These functions parse ACPI packages into internal data structures using +a for loop with index variable 'elem' that iterates through +enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. + +When processing multi-element fields like PREREQUISITES and +ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array +elements using expressions like 'enum_obj[elem + reqs]' and +'enum_obj[elem + pos_values]' within nested loops. + +The bug is that the bounds check only validated elem, but did not consider +the additional offset when accessing elem + reqs or elem + pos_values. + +The fix changes the bounds check to validate the actual accessed index. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++-- + drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +- + drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++ + drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +- + 5 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +index a2402d31c146..20de4596e301 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +@@ -210,7 +210,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + case PREREQUISITES: + size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= enum_obj_count) { ++ if (elem + reqs >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +@@ -261,7 +261,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum + + for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE; + pos_values++) { +- if (elem >= enum_obj_count) { ++ if (elem + pos_values >= enum_obj_count) { + pr_err("Error enum-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +index 86b7ac63fec2..875a807ccb89 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +@@ -228,7 +228,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_ + size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= integer_obj_count) { ++ if (elem + reqs >= integer_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +index 1ff09dfb7d7e..94a95ee57810 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +@@ -220,6 +220,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord + size = min_t(u32, ordered_list_data->common.prerequisites_size, + MAX_PREREQUISITES_SIZE); + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= order_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer, + order_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +index 03d0188804ba..6775a7ca74f5 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +@@ -309,6 +309,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { ++ if (elem + reqs >= password_obj_count) { ++ pr_err("Error elem-objects package is too small\n"); ++ return -EINVAL; ++ } ++ + ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer, + password_obj[elem + reqs].string.length, + &str_value, &value_len); +diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +index f0c20070094d..5b3eac7f1685 100644 +--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c ++++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +@@ -219,7 +219,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob + MAX_PREREQUISITES_SIZE); + + for (reqs = 0; reqs < size; reqs++) { +- if (elem >= string_obj_count) { ++ if (elem + reqs >= string_obj_count) { + pr_err("Error elem-objects package is too small\n"); + return -EINVAL; + } +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch b/queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch new file mode 100644 index 0000000000..063219723f --- /dev/null +++ b/queue-6.6/platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch @@ -0,0 +1,47 @@ +From 586f36de1a7a6862200f205feefacc978f478ec5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 16:30:29 +0800 +Subject: platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junrui Luo + +[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ] + +The ibm_rtl_init() function searches for the signature but has a pointer +arithmetic error. The loop counter suggests searching at 4-byte intervals +but the implementation only advances by 1 byte per iteration. + +Fix by properly advancing the pointer by sizeof(unsigned int) bytes +each iteration. + +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7") +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/ibm_rtl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c +index 2ab7d9ac542d..5fb25a602533 100644 +--- a/drivers/platform/x86/ibm_rtl.c ++++ b/drivers/platform/x86/ibm_rtl.c +@@ -272,7 +272,7 @@ static int __init ibm_rtl_init(void) { + /* search for the _RTL_ signature at the start of the table */ + for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) { + struct ibm_rtl_table __iomem * tmp; +- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i); ++ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int)); + if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) { + phys_addr_t addr; + unsigned int plen; +-- +2.51.0 + diff --git a/queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch b/queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch new file mode 100644 index 0000000000..8d6c060d3e --- /dev/null +++ b/queue-6.6/platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch @@ -0,0 +1,42 @@ +From ce9abe3283f740a666abf7360dbe59467dc7f351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 11:36:13 +0100 +Subject: platform/x86: msi-laptop: add missing sysfs_remove_group() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Fourier + +[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ] + +A sysfs group is created in msi_init() when old_ec_model is enabled, but +never removed. Remove the msipf_old_attribute_group in that case. + +Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index f4c6c36e05a5..2a8839135492 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void) + sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group); + if (!quirks->old_ec_model && threeg_exists) + device_remove_file(&msipf_device->dev, &dev_attr_threeg); ++ if (quirks->old_ec_model) ++ sysfs_remove_group(&msipf_device->dev.kobj, ++ &msipf_old_attribute_group); + platform_device_unregister(msipf_device); + platform_driver_unregister(&msipf_driver); + backlight_device_unregister(msibl_device); +-- +2.51.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch b/queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..4a67d891e4 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-dma_free_coherent-pointer.patch @@ -0,0 +1,40 @@ +From aaae849280f14cf1d19182d3356b592064b6afb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Dec 2025 09:51:21 +0100 +Subject: RDMA/bnxt_re: fix dma_free_coherent() pointer + +From: Thomas Fourier + +[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ] + +The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i]. +The dma_free_coherent() should pass the same buffer to +dma_free_coherent() and not page-aligned. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 1c56a0107d1e..d2c8f21468dc 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl, + for (i = 0; i < pbl->pg_count; i++) { + if (pbl->pg_arr[i]) + dma_free_coherent(&pdev->dev, pbl->pg_size, +- (void *)((unsigned long) +- pbl->pg_arr[i] & +- PAGE_MASK), ++ pbl->pg_arr[i], + pbl->pg_map_arr[i]); + else + dev_warn(&pdev->dev, +-- +2.51.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch b/queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch new file mode 100644 index 0000000000..6e9725bca5 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch @@ -0,0 +1,58 @@ +From aa6d84d27aacf2b7e7e2514db3b819ca3bd69306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 01:32:57 -0800 +Subject: RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send + +From: Alok Tiwari + +[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ] + +The bnxt_re SEND path checks wr->send_flags to enable features such as +IP checksum offload. However, send_flags is a bitmask and may contain +multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the +existing code uses a switch() statement that only matches when +send_flags is exactly IB_SEND_IP_CSUM. + +As a result, checksum offload is not enabled when additional SEND +flags are present. + +Replace the switch() with a bitmask test: + + if (wr->send_flags & IB_SEND_IP_CSUM) + +This ensures IP checksum offload is enabled correctly when multiple +SEND flags are used. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +index 31fff5885f1a..5a4644f7ad98 100644 +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -2771,14 +2771,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr, + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC; + } +- switch (wr->send_flags) { +- case IB_SEND_IP_CSUM: ++ if (wr->send_flags & IB_SEND_IP_CSUM) + wqe.rawqp1.lflags |= + SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM; +- break; +- default: +- break; +- } + fallthrough; + case IB_WR_SEND_WITH_INV: + rc = bnxt_re_build_send_wqe(qp, wr, &wqe); +-- +2.51.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch b/queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch new file mode 100644 index 0000000000..f65ae07fea --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch @@ -0,0 +1,45 @@ +From 47d6ae44c5222fedb5ce02ffcf69463e788b6a6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 02:01:41 -0800 +Subject: RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() + +From: Alok Tiwari + +[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ] + +RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking +!creq_db->reg.bar_id is incorrect and always false. + +pci_resource_start() returns the BAR base address, and a value of 0 +indicates that the BAR is unassigned. Update the condition to test +bar_base == 0 instead. + +This ensures the driver detects and logs an error for an unassigned +RCFW communication BAR. + +Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com +Reviewed-by: Kalesh AP +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +index e82bd37158ad..2accda5a04a1 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -1116,7 +1116,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt) + creq_db->dbinfo.flags = 0; + creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION; + creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id); +- if (!creq_db->reg.bar_id) ++ if (!creq_db->reg.bar_base) + dev_err(&pdev->dev, + "QPLIB: CREQ BAR region %d resc start is 0!", + creq_db->reg.bar_id); +-- +2.51.0 + diff --git a/queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch b/queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch new file mode 100644 index 0000000000..ffa05402b0 --- /dev/null +++ b/queue-6.6/rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch @@ -0,0 +1,50 @@ +From e8d3c17158939ad9caeb49728ec4d5839dd91741 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Dec 2025 18:48:55 +0530 +Subject: RDMA/bnxt_re: Fix to use correct page size for PDE table + +From: Kalesh AP + +[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ] + +In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table +driver incorrectly is using the "pg_size" value passed to the function. +Fixed to use the right value 4K. Also, fixed the allocation size for +PBL table. + +Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation") +Signed-off-by: Damodharam Ammepalli +Signed-off-by: Kalesh AP +Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com +Reviewed-by: Selvin Xavier +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c +index 77da7cf34427..1c56a0107d1e 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c +@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + if (npbl % BIT(MAX_PDL_LVL_SHIFT)) + npde++; + /* Alloc PDE pages */ +- sginfo.pgsize = npde * pg_size; ++ sginfo.pgsize = npde * ROCE_PG_SIZE_4K; + sginfo.npages = 1; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo); + if (rc) +@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq, + + /* Alloc PBL pages */ + sginfo.npages = npbl; +- sginfo.pgsize = PAGE_SIZE; ++ sginfo.pgsize = ROCE_PG_SIZE_4K; + rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo); + if (rc) + goto fail; +-- +2.51.0 + diff --git a/queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch b/queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch new file mode 100644 index 0000000000..297964fc7d --- /dev/null +++ b/queue-6.6/rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch @@ -0,0 +1,39 @@ +From 52e1c89a5ca0de08bfe23dc6e0791b8cd75a2e07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Dec 2025 13:15:08 +0900 +Subject: RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() + +From: Jang Ingyu + +[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ] + +Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the +conditional statement. The constant was used directly instead of +being compared with net_type, causing the condition to always +evaluate to true. + +Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type") +Signed-off-by: Jang Ingyu +Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 6567d4375128..615b73f038bb 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr, + (struct in6_addr *)dgid); + return 0; + } else if (net_type == RDMA_NETWORK_IPV6 || +- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) { ++ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) { + *dgid = hdr->ibgrh.dgid; + *sgid = hdr->ibgrh.sgid; + return 0; +-- +2.51.0 + diff --git a/queue-6.6/rdma-efa-remove-possible-negative-shift.patch b/queue-6.6/rdma-efa-remove-possible-negative-shift.patch new file mode 100644 index 0000000000..a813620a78 --- /dev/null +++ b/queue-6.6/rdma-efa-remove-possible-negative-shift.patch @@ -0,0 +1,47 @@ +From 528a6b29ec2544383748338c458225ec59a3abe0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Dec 2025 17:36:56 +0000 +Subject: RDMA/efa: Remove possible negative shift + +From: Michael Margolin + +[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ] + +The page size used for device might in some cases be smaller than +PAGE_SIZE what results in a negative shift when calculating the number of +host pages in PAGE_SIZE for a debug log. Remove the debug line together +with the calculation. + +Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation") +Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com +Reviewed-by: Tom Sela +Reviewed-by: Yonatan Nachum +Signed-off-by: Michael Margolin +Reviewed-by: Gal Pressman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_verbs.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c +index 0f8ca99d0827..2a5b93ef4b33 100644 +--- a/drivers/infiniband/hw/efa/efa_verbs.c ++++ b/drivers/infiniband/hw/efa/efa_verbs.c +@@ -1224,13 +1224,9 @@ static int umem_to_page_list(struct efa_dev *dev, + u32 hp_cnt, + u8 hp_shift) + { +- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT); + struct ib_block_iter biter; + unsigned int hp_idx = 0; + +- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n", +- hp_cnt, pages_in_hp); +- + rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift)) + page_list[hp_idx++] = rdma_block_iter_dma_address(&biter); + +-- +2.51.0 + diff --git a/queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch b/queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch new file mode 100644 index 0000000000..d52ecfdea9 --- /dev/null +++ b/queue-6.6/rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch @@ -0,0 +1,83 @@ +From 80c93bccadfa02988e23d9423ef45f0d8a187559 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Nov 2025 15:31:50 +0100 +Subject: RDMA/irdma: avoid invalid read in irdma_net_event + +From: Michal Schmidt + +[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ] + +irdma_net_event() should not dereference anything from "neigh" (alias +"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. +Other events come with different structures pointed to by "ptr" and they +may be smaller than struct neighbour. + +Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. + +The bug is mostly harmless, but it triggers KASAN on debug kernels: + + BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] + Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 + + CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 + Hardware name: [...] + Workqueue: events rt6_probe_deferred + Call Trace: + + dump_stack_lvl+0x60/0xb0 + print_address_description.constprop.0+0x2c/0x3f0 + print_report+0xb4/0x270 + kasan_report+0x92/0xc0 + irdma_net_event+0x32e/0x3b0 [irdma] + notifier_call_chain+0x9e/0x180 + atomic_notifier_call_chain+0x5c/0x110 + rt6_do_redirect+0xb91/0x1080 + tcp_v6_err+0xe9b/0x13e0 + icmpv6_notify+0x2b2/0x630 + ndisc_redirect_rcv+0x328/0x530 + icmpv6_rcv+0xc16/0x1360 + ip6_protocol_deliver_rcu+0xb84/0x12e0 + ip6_input_finish+0x117/0x240 + ip6_input+0xc4/0x370 + ipv6_rcv+0x420/0x7d0 + __netif_receive_skb_one_core+0x118/0x1b0 + process_backlog+0xd1/0x5d0 + __napi_poll.constprop.0+0xa3/0x440 + net_rx_action+0x78a/0xba0 + handle_softirqs+0x2d4/0x9c0 + do_softirq+0xad/0xe0 + + +Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") +Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com +Signed-off-by: Michal Schmidt +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/utils.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index 6cd5cb85dafe..91ed7edcd788 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + void *ptr) + { + struct neighbour *neigh = ptr; +- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev; ++ struct net_device *real_dev, *netdev; + struct irdma_device *iwdev; + struct ib_device *ibdev; + __be32 *p; +@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event, + + switch (event) { + case NETEVENT_NEIGH_UPDATE: ++ netdev = neigh->dev; + real_dev = rdma_vlan_dev_real_dev(netdev); + if (!real_dev) + real_dev = netdev; +-- +2.51.0 + diff --git a/queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch b/queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch new file mode 100644 index 0000000000..ca47461899 --- /dev/null +++ b/queue-6.6/rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch @@ -0,0 +1,40 @@ +From 82f77faafdde18144153c9c176cad7e558105b4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 10:56:17 +0800 +Subject: RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation + +From: Honggang LI + +[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ] + +If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift] +are zero, the `min3` function will set clt_path::max_pages_per_mr to +zero. + +`alloc_path_reqs` will pass zero, which is invalid, as the third parameter +to `ib_alloc_mr`. + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Signed-off-by: Honggang LI +Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 82aa47efb807..eaf911e2ffa9 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1465,6 +1465,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path) + mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1); + max_pages_per_mr = ib_dev->attrs.max_mr_size; + do_div(max_pages_per_mr, (1ull << mr_page_shift)); ++ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX); + clt_path->max_pages_per_mr = + min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr, + ib_dev->attrs.max_fast_reg_page_list_len); +-- +2.51.0 + diff --git a/queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch b/queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch new file mode 100644 index 0000000000..e2909e8e0c --- /dev/null +++ b/queue-6.6/selftests-ftrace-traceonoff_triggers-strip-off-names.patch @@ -0,0 +1,93 @@ +From 7fa8e3f56ed7e7e49093c691e11f095655d3fab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Aug 2023 09:32:26 +0800 +Subject: selftests/ftrace: traceonoff_triggers: strip off names + +From: Yipeng Zou + +[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ] + +The func_traceonoff_triggers.tc sometimes goes to fail +on my board, Kunpeng-920. + +[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log +=== Ftrace unit tests === +[1] ftrace - test for function traceon/off triggers [FAIL] +[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED] + +I look up the log, and it shows that the md5sum is different between csum1 and csum2. + +++ cnt=611 +++ sleep .1 ++++ cnt_trace ++++ grep -v '^#' trace ++++ wc -l +++ cnt2=611 +++ '[' 611 -ne 611 ']' ++++ cat tracing_on +++ on=0 +++ '[' 0 '!=' 0 ']' ++++ md5sum trace +++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace' +++ sleep .1 ++++ md5sum trace +++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace' +++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']' +++ fail 'Tracing file is still changing' +++ echo Tracing file is still changing +Tracing file is still changing +++ exit_fail +++ exit 1 + +So I directly dump the trace file before md5sum, the diff shows that: + +[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines +dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat +dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit +<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat +<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit + +And we can see that <...> filed be filled with names. + +We can strip off the names there to fix that. + +After strip off the names: + +kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k +kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw +-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi +-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi +-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw + +Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com +Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs") +Suggested-by: Steven Rostedt (Google) +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +index aee22289536b..1b57771dbfdf 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc +@@ -90,9 +90,10 @@ if [ $on != "0" ]; then + fail "Tracing is not off" + fi + +-csum1=`md5sum trace` ++# Cannot rely on names being around as they are only cached, strip them ++csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + sleep $SLEEP_TIME +-csum2=`md5sum trace` ++csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum` + + if [ "$csum1" != "$csum2" ]; then + fail "Tracing file is still changing" +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch b/queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch new file mode 100644 index 0000000000..ae36d4aa90 --- /dev/null +++ b/queue-6.6/selftests-net-fix-buffer-overflow-detected-for-tap.c.patch @@ -0,0 +1,97 @@ +From 04f670d77e0e7f24bc5e1b56622da202591c83f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Dec 2025 12:06:41 -0500 +Subject: selftests: net: fix "buffer overflow detected" for tap.c + +From: Alice C. Munduruca + +[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ] + +When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3', +the strcpy() in rtattr_add_strsz() is replaced with a checked +version which causes the test to consistently fail when compiled +with toolchains for which this option is enabled by default. + + TAP version 13 + 1..3 + # Starting 3 tests from 1 test cases. + # RUN tap.test_packet_valid_udp_gso ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_gso: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_gso + not ok 1 tap.test_packet_valid_udp_gso + # RUN tap.test_packet_valid_udp_csum ... + *** buffer overflow detected ***: terminated + # test_packet_valid_udp_csum: Test terminated by assertion + # FAIL tap.test_packet_valid_udp_csum + not ok 2 tap.test_packet_valid_udp_csum + # RUN tap.test_packet_crash_tap_invalid_eth_proto ... + *** buffer overflow detected ***: terminated + # test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion + # FAIL tap.test_packet_crash_tap_invalid_eth_proto + not ok 3 tap.test_packet_crash_tap_invalid_eth_proto + # FAILED: 0 / 3 tests passed. + # Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0 + +A buffer overflow is detected by the fortified glibc __strcpy_chk() +since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly +reported as 1, even though there is ample space in its bounding +buffer `req`. + +Additionally, given that IFLA_IFNAME also expects a null-terminated +string, callers of rtaddr_add_str{,sz}() could simply use the +rtaddr_add_strsz() variant. (which has been renamed to remove the +trailing `sz`) memset() has been used for this function since it +is unchecked and thus circumvents the issue discussed in the +previous paragraph. + +Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver") +Signed-off-by: Alice C. Munduruca +Reviewed-by: Cengiz Can +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/tap.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c +index 247c3b3ac1c9..51a209014f1c 100644 +--- a/tools/testing/selftests/net/tap.c ++++ b/tools/testing/selftests/net/tap.c +@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr) + static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type, + const char *s) + { +- struct rtattr *rta = rtattr_add(nh, type, strlen(s)); ++ unsigned int strsz = strlen(s) + 1; ++ struct rtattr *rta; + +- memcpy(RTA_DATA(rta), s, strlen(s)); +- return rta; +-} +- +-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type, +- const char *s) +-{ +- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1); ++ rta = rtattr_add(nh, type, strsz); + +- strcpy(RTA_DATA(rta), s); ++ memcpy(RTA_DATA(rta), s, strsz); + return rta; + } + +@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type, + + link_info = rtattr_begin(&req.nh, IFLA_LINKINFO); + +- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type); ++ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type); + + if (fill_info_data) { + info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA); +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 39d45741bb..a0ac646b55 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -498,3 +498,43 @@ hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch iommu-mediatek-fix-use-after-free-on-probe-deferral.patch +wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch +wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch +wifi-mac80211-do-not-use-old-mbssid-elements.patch +i40e-fix-scheduling-in-set_rx_mode.patch +iavf-fix-off-by-one-issues-in-iavf_config_rss_reg.patch +crypto-seqiv-do-not-use-req-iv-after-crypto_aead_enc.patch +bluetooth-btusb-revert-use-of-devm_kzalloc-in-btusb.patch +net-mdio-aspeed-add-dummy-read-to-avoid-read-after-w.patch +net-openvswitch-avoid-needlessly-taking-the-rtnl-on-.patch +ip6_gre-make-ip6gre_header-robust.patch +platform-x86-msi-laptop-add-missing-sysfs_remove_gro.patch +platform-x86-ibm_rtl-fix-ebda-signature-search-point.patch +team-fix-check-for-port-enabled-in-team_queue_overri.patch +amd-xgbe-reset-retries-and-mode-on-rx-adapt-failures.patch +net-usb-rtl8150-fix-memory-leak-on-usb_submit_urb-fa.patch +selftests-net-fix-buffer-overflow-detected-for-tap.c.patch +smc91x-fix-broken-irq-context-in-preempt_rt.patch +genalloc.h-fix-htmldocs-warning.patch +firewire-nosy-fix-dma_free_coherent-size.patch +net-dsa-b53-skip-multicast-entries-for-fdb_dump.patch +net-usb-asix-validate-phy-address-before-use.patch +net-bridge-describe-tunnel_hash-member-in-net_bridge.patch +platform-x86-hp-bioscfg-fix-out-of-bounds-array-acce.patch +octeontx2-pf-fix-ubsan-shift-out-of-bounds-error.patch +net-stmmac-fix-the-crash-issue-for-zero-copy-xdp_tx-.patch +ipv6-bug-in-pskb_expand_head-as-part-of-calipso_skbu.patch +ipv4-fix-reference-count-leak-when-using-error-route.patch +net-rose-fix-invalid-array-index-in-rose_kill_by_dev.patch +rdma-irdma-avoid-invalid-read-in-irdma_net_event.patch +rdma-efa-remove-possible-negative-shift.patch +rdma-core-fix-logic-error-in-ib_get_gids_from_rdma_h.patch +rdma-bnxt_re-fix-incorrect-bar-check-in-bnxt_qplib_m.patch +rdma-bnxt_re-fix-ib_send_ip_csum-handling-in-post_se.patch +rdma-bnxt_re-fix-to-use-correct-page-size-for-pde-ta.patch +ksmbd-fix-memory-leak-in-get_file_all_info.patch +rdma-rtrs-fix-clt_path-max_pages_per_mr-calculation.patch +rdma-bnxt_re-fix-dma_free_coherent-pointer.patch +blk-mq-don-t-schedule-block-kworker-on-isolated-cpus.patch +blk-mq-skip-cpu-offline-notify-on-unmapped-hctx.patch +selftests-ftrace-traceonoff_triggers-strip-off-names.patch diff --git a/queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch b/queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch new file mode 100644 index 0000000000..0286a1d8c4 --- /dev/null +++ b/queue-6.6/smc91x-fix-broken-irq-context-in-preempt_rt.patch @@ -0,0 +1,72 @@ +From 6991cbe534e61cadaf5cad1b4a7954809e95f06b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 08:51:15 +0000 +Subject: smc91x: fix broken irq-context in PREEMPT_RT + +From: Yeoreum Yun + +[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ] + +When smc91x.c is built with PREEMPT_RT, the following splat occurs +in FVP_RevC: + +[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] +[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work +[ 13.062266] C +** replaying previous printk message ** +[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} +[ 13.062353] Hardware name: , BIOS +[ 13.062382] Workqueue: mld mld_ifc_work +[ 13.062469] Call trace: +[ 13.062494] show_stack+0x24/0x40 (C) +[ 13.062602] __dump_stack+0x28/0x48 +[ 13.062710] dump_stack_lvl+0x7c/0xb0 +[ 13.062818] dump_stack+0x18/0x34 +[ 13.062926] process_scheduled_works+0x294/0x450 +[ 13.063043] worker_thread+0x260/0x3d8 +[ 13.063124] kthread+0x1c4/0x228 +[ 13.063235] ret_from_fork+0x10/0x20 + +This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, +but smc_special_unlock() does not restore IRQs on PREEMPT_RT. +The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), +and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke +rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. + +To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). + +Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: ") +Signed-off-by: Yeoreum Yun +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/smsc/smc91x.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c +index 032eccf8eb42..7c2fdd02f1d3 100644 +--- a/drivers/net/ethernet/smsc/smc91x.c ++++ b/drivers/net/ethernet/smsc/smc91x.c +@@ -515,15 +515,7 @@ static inline void smc_rcv(struct net_device *dev) + * any other concurrent access and C would always interrupt B. But life + * isn't that easy in a SMP world... + */ +-#define smc_special_trylock(lock, flags) \ +-({ \ +- int __ret; \ +- local_irq_save(flags); \ +- __ret = spin_trylock(lock); \ +- if (!__ret) \ +- local_irq_restore(flags); \ +- __ret; \ +-}) ++#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags) + #define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags) + #define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags) + #else +-- +2.51.0 + diff --git a/queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch b/queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch new file mode 100644 index 0000000000..47bcccb207 --- /dev/null +++ b/queue-6.6/team-fix-check-for-port-enabled-in-team_queue_overri.patch @@ -0,0 +1,101 @@ +From 30b2c22eeca58ab02261831d7a126e93321dabad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 11:29:53 +0100 +Subject: team: fix check for port enabled in + team_queue_override_port_prio_changed() + +From: Jiri Pirko + +[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ] + +There has been a syzkaller bug reported recently with the following +trace: + +list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:59! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 +Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff +RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 +RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 +RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 +RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 +R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 +FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 +Call Trace: + + __list_del_entry_valid include/linux/list.h:132 [inline] + __list_del_entry include/linux/list.h:223 [inline] + list_del_rcu include/linux/rculist.h:178 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] + __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] + team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] + team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 + team_option_set drivers/net/team/team_core.c:376 [inline] + team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 + genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 + ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 + __sys_sendmsg+0x16d/0x220 net/socket.c:2716 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The problem is in this flow: +1) Port is enabled, queue_id != 0, in qom_list +2) Port gets disabled + -> team_port_disable() + -> team_queue_override_port_del() + -> del (removed from list) +3) Port is disabled, queue_id != 0, not in any list +4) Priority changes + -> team_queue_override_port_prio_changed() + -> checks: port disabled && queue_id != 0 + -> calls del - hits the BUG as it is removed already + +To fix this, change the check in team_queue_override_port_prio_changed() +so it returns early if port is not enabled. + +Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f +Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change") +Signed-off-by: Jiri Pirko +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index 1ce3bccd4ebd..9baa13808933 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -876,7 +876,7 @@ static void __team_queue_override_enabled_check(struct team *team) + static void team_queue_override_port_prio_changed(struct team *team, + struct team_port *port) + { +- if (!port->queue_id || team_port_enabled(port)) ++ if (!port->queue_id || !team_port_enabled(port)) + return; + __team_queue_override_port_del(team, port); + __team_queue_override_port_add(team, port); +-- +2.51.0 + diff --git a/queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch b/queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch new file mode 100644 index 0000000000..0c22e4982c --- /dev/null +++ b/queue-6.6/wifi-cfg80211-sme-store-capped-length-in-__cfg80211_.patch @@ -0,0 +1,38 @@ +From efdfcc61c2c3c29f609ce37a6bf71d8d9817c8dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 14:14:47 +0300 +Subject: wifi: cfg80211: sme: store capped length in + __cfg80211_connect_result() + +From: Dan Carpenter + +[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ] + +The QGenie AI code review tool says we should store the capped length to +wdev->u.client.ssid_len. The AI is correct. + +Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()") +Signed-off-by: Dan Carpenter +Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/sme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/sme.c b/net/wireless/sme.c +index 5904c869085c..6f116ae5442b 100644 +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -925,7 +925,7 @@ void __cfg80211_connect_result(struct net_device *dev, + + ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN); + memcpy(wdev->u.client.ssid, ssid->data, ssid_len); +- wdev->u.client.ssid_len = ssid->datalen; ++ wdev->u.client.ssid_len = ssid_len; + break; + } + rcu_read_unlock(); +-- +2.51.0 + diff --git a/queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch b/queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch new file mode 100644 index 0000000000..d35d8f8d24 --- /dev/null +++ b/queue-6.6/wifi-mac80211-do-not-use-old-mbssid-elements.patch @@ -0,0 +1,68 @@ +From 0805129f2988a88b8a44c7e217a77dc91a3e66ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Dec 2025 09:46:56 -0800 +Subject: wifi: mac80211: do not use old MBSSID elements + +From: Aloka Dixit + +[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ] + +When userspace brings down and deletes a non-transmitted profile, +it is expected to send a new updated Beacon template for the +transmitted profile of that multiple BSSID (MBSSID) group which +does not include the removed profile in MBSSID element. This +update comes via NL80211_CMD_SET_BEACON. + +Such updates work well as long as the group continues to have at +least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS +is included in the new Beacon template. + +But when the last non-trasmitted profile is removed, it still +gets included in Beacon templates sent to driver. This happens +because when no MBSSID elements are sent by the userspace, +ieee80211_assign_beacon() ends up using the element stored from +earlier Beacon template. + +Do not copy old MBSSID elements, instead userspace should always +include these when applicable. + +Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode") +Signed-off-by: Aloka Dixit +Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index 1addfba4b285..16270bea49a2 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1147,7 +1147,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + + size = sizeof(*new) + new_head_len + new_tail_len; + +- /* new or old multiple BSSID elements? */ + if (params->mbssid_ies) { + mbssid = params->mbssid_ies; + size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +@@ -1157,15 +1156,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata, + } + size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, + mbssid->cnt); +- } else if (old && old->mbssid_ies) { +- mbssid = old->mbssid_ies; +- size += struct_size(new->mbssid_ies, elem, mbssid->cnt); +- if (old && old->rnr_ies) { +- rnr = old->rnr_ies; +- size += struct_size(new->rnr_ies, elem, rnr->cnt); +- } +- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr, +- mbssid->cnt); + } + + new = kzalloc(size, GFP_KERNEL); +-- +2.51.0 + diff --git a/queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch b/queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch new file mode 100644 index 0000000000..40d18b5dea --- /dev/null +++ b/queue-6.6/wifi-rtw88-limit-indirect-io-under-powered-off-for-r.patch @@ -0,0 +1,51 @@ +From 5fad4bd838a0466b371f7ab6b6281a1c2fd600a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:38:49 +0800 +Subject: wifi: rtw88: limit indirect IO under powered off for RTL8822CS + +From: Ping-Ke Shih + +[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ] + +The indirect IO is necessary for RTL8822CS, but not necessary for other +chips. Otherwiese, it throws errors and becomes unusable. + + rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110 + rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110 + +By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but +RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only. + +Reported-by: Andrey Skvortsov +Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4 +Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on") +Signed-off-by: Ping-Ke Shih +Tested-by: Andrey Skvortsov +Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c +index df4248744d87..025a97526551 100644 +--- a/drivers/net/wireless/realtek/rtw88/sdio.c ++++ b/drivers/net/wireless/realtek/rtw88/sdio.c +@@ -143,8 +143,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr, + + static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr) + { ++ bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C; ++ + if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) && +- !rtw_sdio_is_bus_addr(addr)) ++ !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off) + return false; + + return !rtw_sdio_is_sdio30_supported(rtwdev) || +-- +2.51.0 +