From: Sasha Levin Date: Tue, 27 Jan 2026 03:42:26 +0000 (-0500) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffd7e40a1930ead94f73ed6fe1cf8226e74cbe84;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-5.10/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..f1ac862772 --- /dev/null +++ b/queue-5.10/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From 2803ca1ae922ae1f80a6a9455b19bd648ae4ffd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 949b171377267..b5baf9d609333 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1741,11 +1741,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-5.10/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-5.10/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..9a3b2b518d --- /dev/null +++ b/queue-5.10/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From c7c0b68094ed4caf57060d78f5ce2ac34c257fef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index d6984c179bae0..a0f4bfe522d44 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3796,6 +3796,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3808,7 +3809,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-5.10/bonding-add-a-vlan-srcmac-tx-hashing-option.patch b/queue-5.10/bonding-add-a-vlan-srcmac-tx-hashing-option.patch new file mode 100644 index 0000000000..c93d368690 --- /dev/null +++ b/queue-5.10/bonding-add-a-vlan-srcmac-tx-hashing-option.patch @@ -0,0 +1,199 @@ +From 99e16e20e3cd649a343cd64b81afa8a2cdcbb2d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jan 2021 20:09:27 -0500 +Subject: bonding: add a vlan+srcmac tx hashing option + +From: Jarod Wilson + +[ Upstream commit 7b8fc0103bb51d1d3e1fb5fd67958612e709f883 ] + +This comes from an end-user request, where they're running multiple VMs on +hosts with bonded interfaces connected to some interest switch topologies, +where 802.3ad isn't an option. They're currently running a proprietary +solution that effectively achieves load-balancing of VMs and bandwidth +utilization improvements with a similar form of transmission algorithm. + +Basically, each VM has it's own vlan, so it always sends its traffic out +the same interface, unless that interface fails. Traffic gets split +between the interfaces, maintaining a consistent path, with failover still +available if an interface goes down. + +Unlike bond_eth_hash(), this hash function is using the full source MAC +address instead of just the last byte, as there are so few components to +the hash, and in the no-vlan case, we would be returning just the last +byte of the source MAC as the hash value. It's entirely possible to have +two NICs in a bond with the same last byte of their MAC, but not the same +MAC, so this adjustment should guarantee distinct hashes in all cases. + +This has been rudimetarily tested to provide similar results to the +proprietary solution it is aiming to replace. A patch for iproute2 is also +posted, to properly support the new mode there as well. + +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Cc: Thomas Davis +Signed-off-by: Jarod Wilson +Link: https://lore.kernel.org/r/20210119010927.1191922-1-jarod@redhat.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5f9b32909659 ("bonding: provide a net pointer to __skb_flow_dissect()") +Signed-off-by: Sasha Levin +--- + Documentation/networking/bonding.rst | 13 +++++++++++ + drivers/net/bonding/bond_main.c | 34 ++++++++++++++++++++++++++-- + drivers/net/bonding/bond_options.c | 13 ++++++----- + include/linux/netdevice.h | 1 + + include/uapi/linux/if_bonding.h | 1 + + 5 files changed, 54 insertions(+), 8 deletions(-) + +diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst +index 413dca513e1db..5390e79de5bb8 100644 +--- a/Documentation/networking/bonding.rst ++++ b/Documentation/networking/bonding.rst +@@ -952,6 +952,19 @@ xmit_hash_policy + packets will be distributed according to the encapsulated + flows. + ++ vlan+srcmac ++ ++ This policy uses a very rudimentary vlan ID and source mac ++ hash to load-balance traffic per-vlan, with failover ++ should one leg fail. The intended use case is for a bond ++ shared by multiple virtual machines, all configured to ++ use their own vlan, to give lacp-like functionality ++ without requiring lacp-capable switching hardware. ++ ++ The formula for the hash is simply ++ ++ hash = (vlan ID) XOR (source MAC vendor) XOR (source MAC dev) ++ + The default value is layer2. This option was added in bonding + version 2.6.3. In earlier versions of bonding, this parameter + does not exist, and the layer2 policy is the only policy. The +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index b4b2e6a7fdd40..2a6870a3b56dc 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -164,7 +164,7 @@ module_param(xmit_hash_policy, charp, 0); + MODULE_PARM_DESC(xmit_hash_policy, "balance-alb, balance-tlb, balance-xor, 802.3ad hashing method; " + "0 for layer 2 (default), 1 for layer 3+4, " + "2 for layer 2+3, 3 for encap layer 2+3, " +- "4 for encap layer 3+4"); ++ "4 for encap layer 3+4, 5 for vlan+srcmac"); + module_param(arp_interval, int, 0); + MODULE_PARM_DESC(arp_interval, "arp interval in milliseconds"); + module_param_array(arp_ip_target, charp, NULL, 0); +@@ -1560,6 +1560,8 @@ static enum netdev_lag_hash bond_lag_hash_type(struct bonding *bond, + return NETDEV_LAG_HASH_E23; + case BOND_XMIT_POLICY_ENCAP34: + return NETDEV_LAG_HASH_E34; ++ case BOND_XMIT_POLICY_VLAN_SRCMAC: ++ return NETDEV_LAG_HASH_VLAN_SRCMAC; + default: + return NETDEV_LAG_HASH_UNKNOWN; + } +@@ -3633,6 +3635,27 @@ static bool bond_flow_ip(struct sk_buff *skb, struct flow_keys *fk, + return true; + } + ++static u32 bond_vlan_srcmac_hash(struct sk_buff *skb) ++{ ++ struct ethhdr *mac_hdr = (struct ethhdr *)skb_mac_header(skb); ++ u32 srcmac_vendor = 0, srcmac_dev = 0; ++ u16 vlan; ++ int i; ++ ++ for (i = 0; i < 3; i++) ++ srcmac_vendor = (srcmac_vendor << 8) | mac_hdr->h_source[i]; ++ ++ for (i = 3; i < ETH_ALEN; i++) ++ srcmac_dev = (srcmac_dev << 8) | mac_hdr->h_source[i]; ++ ++ if (!skb_vlan_tag_present(skb)) ++ return srcmac_vendor ^ srcmac_dev; ++ ++ vlan = skb_vlan_tag_get(skb); ++ ++ return vlan ^ srcmac_vendor ^ srcmac_dev; ++} ++ + /* Extract the appropriate headers based on bond's xmit policy */ + static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, + struct flow_keys *fk) +@@ -3640,10 +3663,14 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, + bool l34 = bond->params.xmit_policy == BOND_XMIT_POLICY_LAYER34; + int noff, proto = -1; + +- if (bond->params.xmit_policy > BOND_XMIT_POLICY_LAYER23) { ++ switch (bond->params.xmit_policy) { ++ case BOND_XMIT_POLICY_ENCAP23: ++ case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); + return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, + fk, NULL, 0, 0, 0, 0); ++ default: ++ break; + } + + fk->ports.ports = 0; +@@ -3705,6 +3732,9 @@ u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb) + skb->l4_hash) + return skb->hash; + ++ if (bond->params.xmit_policy == BOND_XMIT_POLICY_VLAN_SRCMAC) ++ return bond_vlan_srcmac_hash(skb); ++ + if (bond->params.xmit_policy == BOND_XMIT_POLICY_LAYER2 || + !bond_flow_dissect(bond, skb, &flow)) + return bond_eth_hash(skb); +diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c +index acc6185749945..2f2e4c4a84581 100644 +--- a/drivers/net/bonding/bond_options.c ++++ b/drivers/net/bonding/bond_options.c +@@ -96,12 +96,13 @@ static const struct bond_opt_value bond_pps_tbl[] = { + }; + + static const struct bond_opt_value bond_xmit_hashtype_tbl[] = { +- { "layer2", BOND_XMIT_POLICY_LAYER2, BOND_VALFLAG_DEFAULT}, +- { "layer3+4", BOND_XMIT_POLICY_LAYER34, 0}, +- { "layer2+3", BOND_XMIT_POLICY_LAYER23, 0}, +- { "encap2+3", BOND_XMIT_POLICY_ENCAP23, 0}, +- { "encap3+4", BOND_XMIT_POLICY_ENCAP34, 0}, +- { NULL, -1, 0}, ++ { "layer2", BOND_XMIT_POLICY_LAYER2, BOND_VALFLAG_DEFAULT}, ++ { "layer3+4", BOND_XMIT_POLICY_LAYER34, 0}, ++ { "layer2+3", BOND_XMIT_POLICY_LAYER23, 0}, ++ { "encap2+3", BOND_XMIT_POLICY_ENCAP23, 0}, ++ { "encap3+4", BOND_XMIT_POLICY_ENCAP34, 0}, ++ { "vlan+srcmac", BOND_XMIT_POLICY_VLAN_SRCMAC, 0}, ++ { NULL, -1, 0}, + }; + + static const struct bond_opt_value bond_arp_validate_tbl[] = { +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index dcf1b603cb516..3e0da2c9ff51d 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -2670,6 +2670,7 @@ enum netdev_lag_hash { + NETDEV_LAG_HASH_L23, + NETDEV_LAG_HASH_E23, + NETDEV_LAG_HASH_E34, ++ NETDEV_LAG_HASH_VLAN_SRCMAC, + NETDEV_LAG_HASH_UNKNOWN, + }; + +diff --git a/include/uapi/linux/if_bonding.h b/include/uapi/linux/if_bonding.h +index 45f3750aa861b..e8eb4ad03cf18 100644 +--- a/include/uapi/linux/if_bonding.h ++++ b/include/uapi/linux/if_bonding.h +@@ -94,6 +94,7 @@ + #define BOND_XMIT_POLICY_LAYER23 2 /* layer 2+3 (IP ^ MAC) */ + #define BOND_XMIT_POLICY_ENCAP23 3 /* encapsulated layer 2+3 */ + #define BOND_XMIT_POLICY_ENCAP34 4 /* encapsulated layer 3+4 */ ++#define BOND_XMIT_POLICY_VLAN_SRCMAC 5 /* vlan + source MAC */ + + /* 802.3ad port state definitions (43.4.2.2 in the 802.3ad standard) */ + #define LACP_STATE_LACP_ACTIVITY 0x1 +-- +2.51.0 + diff --git a/queue-5.10/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-5.10/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..652c5441bc --- /dev/null +++ b/queue-5.10/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From 2257a8697ce5ccbda1b82aa4218fadb9ebd7a579 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 08d9aae7d5fc7..487105b24d7ac 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3692,8 +3692,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-5.10/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-5.10/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..68770a2b55 --- /dev/null +++ b/queue-5.10/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From 8340e9efef49d6dc809495a7d14897705bcd7e0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +index 6f0653c81f8fb..0238b91d95e7e 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +@@ -2242,8 +2242,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2297,16 +2295,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-5.10/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-5.10/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..82ef0d349a --- /dev/null +++ b/queue-5.10/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From 55c7d04e40c4415559d3a153fbef6d5af66ae4d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +index 0238b91d95e7e..ece892b16d9a7 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +@@ -2250,6 +2250,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3425,10 +3431,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-5.10/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-5.10/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..990a346ae9 --- /dev/null +++ b/queue-5.10/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 67443c770418bcf63238edf8ca8326589925f61f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index 0f64b2fbfa7aa..cc66c3d7141aa 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -964,7 +964,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, pdata->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, pdata->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-5.10/misdn-annotate-data-race-around-dev-work.patch b/queue-5.10/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..83dfcb74b7 --- /dev/null +++ b/queue-5.10/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From 8fdc4e77164d166bb4fe0abac880c5af22d22f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index abdf36ac3bee5..74d6ed49dc368 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-5.10/net-bonding-refactor-bond_xmit_hash-for-use-with-xdp.patch b/queue-5.10/net-bonding-refactor-bond_xmit_hash-for-use-with-xdp.patch new file mode 100644 index 0000000000..75f6550264 --- /dev/null +++ b/queue-5.10/net-bonding-refactor-bond_xmit_hash-for-use-with-xdp.patch @@ -0,0 +1,294 @@ +From c5ec62e61dc7b1694e06920c529a4137440077af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 31 Jul 2021 05:57:32 +0000 +Subject: net, bonding: Refactor bond_xmit_hash for use with xdp_buff + +From: Jussi Maki + +[ Upstream commit a815bde56b15ce626caaacc952ab12501671e45d ] + +In preparation for adding XDP support to the bonding driver +refactor the packet hashing functions to be able to work with +any linear data buffer without an skb. + +Signed-off-by: Jussi Maki +Signed-off-by: Daniel Borkmann +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek +Link: https://lore.kernel.org/bpf/20210731055738.16820-2-joamaki@gmail.com +Stable-dep-of: 5f9b32909659 ("bonding: provide a net pointer to __skb_flow_dissect()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 147 +++++++++++++++++++------------- + 1 file changed, 90 insertions(+), 57 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 2a6870a3b56dc..08d9aae7d5fc7 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3593,55 +3593,80 @@ static struct notifier_block bond_netdev_notifier = { + + /*---------------------------- Hashing Policies -----------------------------*/ + ++/* Helper to access data in a packet, with or without a backing skb. ++ * If skb is given the data is linearized if necessary via pskb_may_pull. ++ */ ++static inline const void *bond_pull_data(struct sk_buff *skb, ++ const void *data, int hlen, int n) ++{ ++ if (likely(n <= hlen)) ++ return data; ++ else if (skb && likely(pskb_may_pull(skb, n))) ++ return skb->head; ++ ++ return NULL; ++} ++ + /* L2 hash helper */ +-static inline u32 bond_eth_hash(struct sk_buff *skb) ++static inline u32 bond_eth_hash(struct sk_buff *skb, const void *data, int mhoff, int hlen) + { +- struct ethhdr *ep, hdr_tmp; ++ struct ethhdr *ep; + +- ep = skb_header_pointer(skb, 0, sizeof(hdr_tmp), &hdr_tmp); +- if (ep) +- return ep->h_dest[5] ^ ep->h_source[5] ^ ep->h_proto; +- return 0; ++ data = bond_pull_data(skb, data, hlen, mhoff + sizeof(struct ethhdr)); ++ if (!data) ++ return 0; ++ ++ ep = (struct ethhdr *)(data + mhoff); ++ return ep->h_dest[5] ^ ep->h_source[5] ^ ep->h_proto; + } + +-static bool bond_flow_ip(struct sk_buff *skb, struct flow_keys *fk, +- int *noff, int *proto, bool l34) ++static bool bond_flow_ip(struct sk_buff *skb, struct flow_keys *fk, const void *data, ++ int hlen, __be16 l2_proto, int *nhoff, int *ip_proto, bool l34) + { + const struct ipv6hdr *iph6; + const struct iphdr *iph; + +- if (skb->protocol == htons(ETH_P_IP)) { +- if (unlikely(!pskb_may_pull(skb, *noff + sizeof(*iph)))) ++ if (l2_proto == htons(ETH_P_IP)) { ++ data = bond_pull_data(skb, data, hlen, *nhoff + sizeof(*iph)); ++ if (!data) + return false; +- iph = (const struct iphdr *)(skb->data + *noff); ++ ++ iph = (const struct iphdr *)(data + *nhoff); + iph_to_flow_copy_v4addrs(fk, iph); +- *noff += iph->ihl << 2; ++ *nhoff += iph->ihl << 2; + if (!ip_is_fragment(iph)) +- *proto = iph->protocol; +- } else if (skb->protocol == htons(ETH_P_IPV6)) { +- if (unlikely(!pskb_may_pull(skb, *noff + sizeof(*iph6)))) ++ *ip_proto = iph->protocol; ++ } else if (l2_proto == htons(ETH_P_IPV6)) { ++ data = bond_pull_data(skb, data, hlen, *nhoff + sizeof(*iph6)); ++ if (!data) + return false; +- iph6 = (const struct ipv6hdr *)(skb->data + *noff); ++ ++ iph6 = (const struct ipv6hdr *)(data + *nhoff); + iph_to_flow_copy_v6addrs(fk, iph6); +- *noff += sizeof(*iph6); +- *proto = iph6->nexthdr; ++ *nhoff += sizeof(*iph6); ++ *ip_proto = iph6->nexthdr; + } else { + return false; + } + +- if (l34 && *proto >= 0) +- fk->ports.ports = skb_flow_get_ports(skb, *noff, *proto); ++ if (l34 && *ip_proto >= 0) ++ fk->ports.ports = __skb_flow_get_ports(skb, *nhoff, *ip_proto, data, hlen); + + return true; + } + +-static u32 bond_vlan_srcmac_hash(struct sk_buff *skb) ++static u32 bond_vlan_srcmac_hash(struct sk_buff *skb, const void *data, int mhoff, int hlen) + { +- struct ethhdr *mac_hdr = (struct ethhdr *)skb_mac_header(skb); ++ struct ethhdr *mac_hdr; + u32 srcmac_vendor = 0, srcmac_dev = 0; + u16 vlan; + int i; + ++ data = bond_pull_data(skb, data, hlen, mhoff + sizeof(struct ethhdr)); ++ if (!data) ++ return 0; ++ mac_hdr = (struct ethhdr *)(data + mhoff); ++ + for (i = 0; i < 3; i++) + srcmac_vendor = (srcmac_vendor << 8) | mac_hdr->h_source[i]; + +@@ -3657,26 +3682,25 @@ static u32 bond_vlan_srcmac_hash(struct sk_buff *skb) + } + + /* Extract the appropriate headers based on bond's xmit policy */ +-static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, +- struct flow_keys *fk) ++static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const void *data, ++ __be16 l2_proto, int nhoff, int hlen, struct flow_keys *fk) + { + bool l34 = bond->params.xmit_policy == BOND_XMIT_POLICY_LAYER34; +- int noff, proto = -1; ++ int ip_proto = -1; + + switch (bond->params.xmit_policy) { + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); + return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, NULL, 0, 0, 0, 0); ++ fk, data, l2_proto, nhoff, hlen, 0); + default: + break; + } + + fk->ports.ports = 0; + memset(&fk->icmp, 0, sizeof(fk->icmp)); +- noff = skb_network_offset(skb); +- if (!bond_flow_ip(skb, fk, &noff, &proto, l34)) ++ if (!bond_flow_ip(skb, fk, data, hlen, l2_proto, &nhoff, &ip_proto, l34)) + return false; + + /* ICMP error packets contains at least 8 bytes of the header +@@ -3684,22 +3708,20 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, + * to correlate ICMP error packets within the same flow which + * generated the error. + */ +- if (proto == IPPROTO_ICMP || proto == IPPROTO_ICMPV6) { +- skb_flow_get_icmp_tci(skb, &fk->icmp, skb->data, +- skb_transport_offset(skb), +- skb_headlen(skb)); +- if (proto == IPPROTO_ICMP) { ++ if (ip_proto == IPPROTO_ICMP || ip_proto == IPPROTO_ICMPV6) { ++ skb_flow_get_icmp_tci(skb, &fk->icmp, data, nhoff, hlen); ++ if (ip_proto == IPPROTO_ICMP) { + if (!icmp_is_err(fk->icmp.type)) + return true; + +- noff += sizeof(struct icmphdr); +- } else if (proto == IPPROTO_ICMPV6) { ++ nhoff += sizeof(struct icmphdr); ++ } else if (ip_proto == IPPROTO_ICMPV6) { + if (!icmpv6_is_err(fk->icmp.type)) + return true; + +- noff += sizeof(struct icmp6hdr); ++ nhoff += sizeof(struct icmp6hdr); + } +- return bond_flow_ip(skb, fk, &noff, &proto, l34); ++ return bond_flow_ip(skb, fk, data, hlen, l2_proto, &nhoff, &ip_proto, l34); + } + + return true; +@@ -3715,33 +3737,26 @@ static u32 bond_ip_hash(u32 hash, struct flow_keys *flow) + return hash >> 1; + } + +-/** +- * bond_xmit_hash - generate a hash value based on the xmit policy +- * @bond: bonding device +- * @skb: buffer to use for headers +- * +- * This function will extract the necessary headers from the skb buffer and use +- * them to generate a hash based on the xmit_policy set in the bonding device ++/* Generate hash based on xmit policy. If @skb is given it is used to linearize ++ * the data as required, but this function can be used without it if the data is ++ * known to be linear (e.g. with xdp_buff). + */ +-u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb) ++static u32 __bond_xmit_hash(struct bonding *bond, struct sk_buff *skb, const void *data, ++ __be16 l2_proto, int mhoff, int nhoff, int hlen) + { + struct flow_keys flow; + u32 hash; + +- if (bond->params.xmit_policy == BOND_XMIT_POLICY_ENCAP34 && +- skb->l4_hash) +- return skb->hash; +- + if (bond->params.xmit_policy == BOND_XMIT_POLICY_VLAN_SRCMAC) +- return bond_vlan_srcmac_hash(skb); ++ return bond_vlan_srcmac_hash(skb, data, mhoff, hlen); + + if (bond->params.xmit_policy == BOND_XMIT_POLICY_LAYER2 || +- !bond_flow_dissect(bond, skb, &flow)) +- return bond_eth_hash(skb); ++ !bond_flow_dissect(bond, skb, data, l2_proto, nhoff, hlen, &flow)) ++ return bond_eth_hash(skb, data, mhoff, hlen); + + if (bond->params.xmit_policy == BOND_XMIT_POLICY_LAYER23 || + bond->params.xmit_policy == BOND_XMIT_POLICY_ENCAP23) { +- hash = bond_eth_hash(skb); ++ hash = bond_eth_hash(skb, data, mhoff, hlen); + } else { + if (flow.icmp.id) + memcpy(&hash, &flow.icmp, sizeof(hash)); +@@ -3752,6 +3767,25 @@ u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb) + return bond_ip_hash(hash, &flow); + } + ++/** ++ * bond_xmit_hash - generate a hash value based on the xmit policy ++ * @bond: bonding device ++ * @skb: buffer to use for headers ++ * ++ * This function will extract the necessary headers from the skb buffer and use ++ * them to generate a hash based on the xmit_policy set in the bonding device ++ */ ++u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb) ++{ ++ if (bond->params.xmit_policy == BOND_XMIT_POLICY_ENCAP34 && ++ skb->l4_hash) ++ return skb->hash; ++ ++ return __bond_xmit_hash(bond, skb, skb->head, skb->protocol, ++ skb->mac_header, skb->network_header, ++ skb_headlen(skb)); ++} ++ + /*-------------------------- Device entry points ----------------------------*/ + + void bond_work_init_all(struct bonding *bond) +@@ -4398,8 +4432,7 @@ static netdev_tx_t bond_xmit_roundrobin(struct sk_buff *skb, + return bond_tx_drop(bond_dev, skb); + } + +-static struct slave *bond_xmit_activebackup_slave_get(struct bonding *bond, +- struct sk_buff *skb) ++static struct slave *bond_xmit_activebackup_slave_get(struct bonding *bond) + { + return rcu_dereference(bond->curr_active_slave); + } +@@ -4413,7 +4446,7 @@ static netdev_tx_t bond_xmit_activebackup(struct sk_buff *skb, + struct bonding *bond = netdev_priv(bond_dev); + struct slave *slave; + +- slave = bond_xmit_activebackup_slave_get(bond, skb); ++ slave = bond_xmit_activebackup_slave_get(bond); + if (slave) + return bond_dev_queue_xmit(bond, skb, slave->dev); + +@@ -4724,7 +4757,7 @@ static struct net_device *bond_xmit_get_slave(struct net_device *master_dev, + slave = bond_xmit_roundrobin_slave_get(bond, skb); + break; + case BOND_MODE_ACTIVEBACKUP: +- slave = bond_xmit_activebackup_slave_get(bond, skb); ++ slave = bond_xmit_activebackup_slave_get(bond); + break; + case BOND_MODE_8023AD: + case BOND_MODE_XOR: +-- +2.51.0 + diff --git a/queue-5.10/net-bonding-take-ip-hash-logic-into-a-helper.patch b/queue-5.10/net-bonding-take-ip-hash-logic-into-a-helper.patch new file mode 100644 index 0000000000..d067b54261 --- /dev/null +++ b/queue-5.10/net-bonding-take-ip-hash-logic-into-a-helper.patch @@ -0,0 +1,60 @@ +From 4d7dcee5006c62899e19faf8ac5a839bb1865ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Jan 2021 16:59:43 +0200 +Subject: net/bonding: Take IP hash logic into a helper + +From: Tariq Toukan + +[ Upstream commit 5b99854540e35c2c6a226bcdb4bafbae1bccad5a ] + +Hash logic on L3 will be used in a downstream patch for one more use +case. +Take it to a function for a better code reuse. + +Signed-off-by: Tariq Toukan +Reviewed-by: Boris Pismenny +Signed-off-by: Jakub Kicinski +Stable-dep-of: 5f9b32909659 ("bonding: provide a net pointer to __skb_flow_dissect()") +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 08bc930afc4cf..b4b2e6a7fdd40 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3678,6 +3678,16 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, + return true; + } + ++static u32 bond_ip_hash(u32 hash, struct flow_keys *flow) ++{ ++ hash ^= (__force u32)flow_get_u32_dst(flow) ^ ++ (__force u32)flow_get_u32_src(flow); ++ hash ^= (hash >> 16); ++ hash ^= (hash >> 8); ++ /* discard lowest hash bit to deal with the common even ports pattern */ ++ return hash >> 1; ++} ++ + /** + * bond_xmit_hash - generate a hash value based on the xmit policy + * @bond: bonding device +@@ -3708,12 +3718,8 @@ u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb) + else + memcpy(&hash, &flow.ports.ports, sizeof(hash)); + } +- hash ^= (__force u32)flow_get_u32_dst(&flow) ^ +- (__force u32)flow_get_u32_src(&flow); +- hash ^= (hash >> 16); +- hash ^= (hash >> 8); + +- return hash >> 1; ++ return bond_ip_hash(hash, &flow); + } + + /*-------------------------- Device entry points ----------------------------*/ +-- +2.51.0 + diff --git a/queue-5.10/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-5.10/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..b814d17927 --- /dev/null +++ b/queue-5.10/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From 03680270e133b602522c098175222441f6f0de07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 99b5b956ed8f9..fa51463bfd8b4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5109,7 +5109,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-5.10/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-5.10/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..a4a9c1be7d --- /dev/null +++ b/queue-5.10/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From c51077a877e3690746af0f6f5a76aedc8842d291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 3d70c3a47d631..67d878eb8a7d6 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -1038,7 +1038,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-5.10/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-5.10/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..402c7b0479 --- /dev/null +++ b/queue-5.10/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From 4c91ebd94a1c7b8f7eb1c7efae7a36d5ae10f507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index 892d4824d81d5..a953d29c1892e 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -820,6 +820,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -828,6 +829,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -843,8 +846,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-5.10/octeontx2-af-fix-error-handling.patch b/queue-5.10/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..042aee1d6d --- /dev/null +++ b/queue-5.10/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From 16f10d58fabd32350286009b89bb99d0c7877362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index f8e86f2535635..3514564e2cc60 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1273,8 +1273,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1284,21 +1284,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1309,6 +1309,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1446,22 +1448,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1471,33 +1482,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-5.10/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-5.10/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..6ecab0e288 --- /dev/null +++ b/queue-5.10/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From c382a682ab5a59debe3509ca1acdd4e4357aa8c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 02c21fce457c1..e86d069894c06 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -463,9 +463,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-5.10/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-5.10/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..4b6580cfbb --- /dev/null +++ b/queue-5.10/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 36c4f3cc883754aa7348ee7954dc4b6091661b28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index ffc6f3031e82b..4e9114f069832 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -241,11 +241,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index fb48d47e9183e..8d570632982f3 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -310,6 +310,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-5.10/scsi-hisi_sas-use-managed-pci-functions.patch b/queue-5.10/scsi-hisi_sas-use-managed-pci-functions.patch new file mode 100644 index 0000000000..d10debb03c --- /dev/null +++ b/queue-5.10/scsi-hisi_sas-use-managed-pci-functions.patch @@ -0,0 +1,101 @@ +From 4b2f16eb5ce1d71357997119313c5585b9fc193a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Aug 2021 18:00:56 +0800 +Subject: scsi: hisi_sas: Use managed PCI functions + +From: Xiang Chen + +[ Upstream commit 4f6094f1663e2ed26a940f1842cdaa15c1dd649a ] + +Use managed PCI functions such as pcim_enable_device() and +pcim_iomap_regions() to simplify exception handling code. + +Link: https://lore.kernel.org/r/1629799260-120116-2-git-send-email-john.garry@huawei.com +Signed-off-by: Xiang Chen +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Stable-dep-of: d5077426e1a7 ("drm/amd/pm: Don't clear SI SMC table when setting power limit") +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +index fdd765d41f190..4da5f84d46358 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c +@@ -510,6 +510,8 @@ struct hisi_sas_err_record_v3 { + #define CHNL_INT_STS_INT2_MSK BIT(3) + #define CHNL_WIDTH 4 + ++#define BAR_NO_V3_HW 5 ++ + enum { + DSM_FUNC_ERR_HANDLE_MSI = 0, + }; +@@ -3259,15 +3261,15 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) + struct sas_ha_struct *sha; + int rc, phy_nr, port_nr, i; + +- rc = pci_enable_device(pdev); ++ rc = pcim_enable_device(pdev); + if (rc) + goto err_out; + + pci_set_master(pdev); + +- rc = pci_request_regions(pdev, DRV_NAME); ++ rc = pcim_iomap_regions(pdev, 1 << BAR_NO_V3_HW, DRV_NAME); + if (rc) +- goto err_out_disable_device; ++ goto err_out; + + rc = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); + if (rc) +@@ -3275,20 +3277,20 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) + if (rc) { + dev_err(dev, "No usable DMA addressing method\n"); + rc = -ENODEV; +- goto err_out_regions; ++ goto err_out; + } + + shost = hisi_sas_shost_alloc_pci(pdev); + if (!shost) { + rc = -ENOMEM; +- goto err_out_regions; ++ goto err_out; + } + + sha = SHOST_TO_SAS_HA(shost); + hisi_hba = shost_priv(shost); + dev_set_drvdata(dev, sha); + +- hisi_hba->regs = pcim_iomap(pdev, 5, 0); ++ hisi_hba->regs = pcim_iomap_table(pdev)[BAR_NO_V3_HW]; + if (!hisi_hba->regs) { + dev_err(dev, "cannot map register\n"); + rc = -ENOMEM; +@@ -3378,10 +3380,6 @@ hisi_sas_v3_probe(struct pci_dev *pdev, const struct pci_device_id *id) + err_out_ha: + hisi_sas_free(hisi_hba); + scsi_host_put(shost); +-err_out_regions: +- pci_release_regions(pdev); +-err_out_disable_device: +- pci_disable_device(pdev); + err_out: + return rc; + } +@@ -3417,8 +3415,6 @@ static void hisi_sas_v3_remove(struct pci_dev *pdev) + sas_remove_host(sha->core.shost); + + hisi_sas_v3_destroy_irqs(pdev, hisi_hba); +- pci_release_regions(pdev); +- pci_disable_device(pdev); + hisi_sas_free(hisi_hba); + hisi_sas_debugfs_exit(hisi_hba); + scsi_host_put(shost); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index eeafbfc539..ad8a8eb953 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -68,3 +68,22 @@ input-i8042-add-quirks-for-mechrevo-wujie-15x-pro.patch input-i8042-add-quirk-for-asus-zenbook-ux425qa_um425qa.patch scsi-storvsc-process-unsupported-mode_sense_10.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +staging-iio-adc-ad7280a-register-define-cleanup.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +scsi-hisi_sas-use-managed-pci-functions.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +net-bonding-take-ip-hash-logic-into-a-helper.patch +bonding-add-a-vlan-srcmac-tx-hashing-option.patch +net-bonding-refactor-bond_xmit_hash-for-use-with-xdp.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +octeontx2-af-fix-error-handling.patch +net-sched-act_ife-avoid-possible-null-deref.patch diff --git a/queue-5.10/staging-iio-adc-ad7280a-register-define-cleanup.patch b/queue-5.10/staging-iio-adc-ad7280a-register-define-cleanup.patch new file mode 100644 index 0000000000..4d8eb2681d --- /dev/null +++ b/queue-5.10/staging-iio-adc-ad7280a-register-define-cleanup.patch @@ -0,0 +1,560 @@ +From 492b4d8f0277005ff2d6a53054ab888d01e64d3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Feb 2022 19:03:10 +0000 +Subject: staging:iio:adc:ad7280a: Register define cleanup. + +From: Jonathan Cameron + +[ Upstream commit 4c59aabd9a93d8f867d9f6aa0407cc6a7db47fa5 ] + +1. Postfix register addresses with _REG to distinguish them from + fields within the registers +2. Switch to using FIELD_PREP and masks to aid readability. +3. Shorten a few defines to make the lines remain a sensible length. +4. Fix an issue whether where an CTRL_LB field is set in CTRL_HB. +5. Fix wrong AUX1_3_4 which should be AUX_1_3_5 according to + table 14 in the datasheet. + +Signed-off-by: Jonathan Cameron +Reviewed-by: Marcelo Schmitt +Link: https://lore.kernel.org/r/20220206190328.333093-3-jic23@kernel.org +Stable-dep-of: 6b39824ac4c1 ("iio: adc: ad7280a: handle spi_setup() errors in probe()") +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 285 ++++++++++++++++-------------- + 1 file changed, 154 insertions(+), 131 deletions(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index 20183b2ea1279..0f64b2fbfa7aa 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -23,78 +24,86 @@ + #include "ad7280a.h" + + /* Registers */ +-#define AD7280A_CELL_VOLTAGE_1 0x0 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_2 0x1 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_3 0x2 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_4 0x3 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_5 0x4 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_6 0x5 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_1 0x6 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_2 0x7 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_3 0x8 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_4 0x9 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_5 0xA /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_6 0xB /* D11 to D0, Read only */ +-#define AD7280A_SELF_TEST 0xC /* D11 to D0, Read only */ +-#define AD7280A_CONTROL_HB 0xD /* D15 to D8, Read/write */ +-#define AD7280A_CONTROL_LB 0xE /* D7 to D0, Read/write */ +-#define AD7280A_CELL_OVERVOLTAGE 0xF /* D7 to D0, Read/write */ +-#define AD7280A_CELL_UNDERVOLTAGE 0x10 /* D7 to D0, Read/write */ +-#define AD7280A_AUX_ADC_OVERVOLTAGE 0x11 /* D7 to D0, Read/write */ +-#define AD7280A_AUX_ADC_UNDERVOLTAGE 0x12 /* D7 to D0, Read/write */ +-#define AD7280A_ALERT 0x13 /* D7 to D0, Read/write */ +-#define AD7280A_CELL_BALANCE 0x14 /* D7 to D0, Read/write */ +-#define AD7280A_CB1_TIMER 0x15 /* D7 to D0, Read/write */ +-#define AD7280A_CB2_TIMER 0x16 /* D7 to D0, Read/write */ +-#define AD7280A_CB3_TIMER 0x17 /* D7 to D0, Read/write */ +-#define AD7280A_CB4_TIMER 0x18 /* D7 to D0, Read/write */ +-#define AD7280A_CB5_TIMER 0x19 /* D7 to D0, Read/write */ +-#define AD7280A_CB6_TIMER 0x1A /* D7 to D0, Read/write */ +-#define AD7280A_PD_TIMER 0x1B /* D7 to D0, Read/write */ +-#define AD7280A_READ 0x1C /* D7 to D0, Read/write */ +-#define AD7280A_CNVST_CONTROL 0x1D /* D7 to D0, Read/write */ +- +-/* Bits and Masks */ +-#define AD7280A_CTRL_HB_CONV_INPUT_ALL 0 +-#define AD7280A_CTRL_HB_CONV_INPUT_6CELL_AUX1_3_4 BIT(6) +-#define AD7280A_CTRL_HB_CONV_INPUT_6CELL BIT(7) +-#define AD7280A_CTRL_HB_CONV_INPUT_SELF_TEST (BIT(7) | BIT(6)) +-#define AD7280A_CTRL_HB_CONV_RES_READ_ALL 0 +-#define AD7280A_CTRL_HB_CONV_RES_READ_6CELL_AUX1_3_4 BIT(4) +-#define AD7280A_CTRL_HB_CONV_RES_READ_6CELL BIT(5) +-#define AD7280A_CTRL_HB_CONV_RES_READ_NO (BIT(5) | BIT(4)) +-#define AD7280A_CTRL_HB_CONV_START_CNVST 0 +-#define AD7280A_CTRL_HB_CONV_START_CS BIT(3) +-#define AD7280A_CTRL_HB_CONV_AVG_DIS 0 +-#define AD7280A_CTRL_HB_CONV_AVG_2 BIT(1) +-#define AD7280A_CTRL_HB_CONV_AVG_4 BIT(2) +-#define AD7280A_CTRL_HB_CONV_AVG_8 (BIT(2) | BIT(1)) +-#define AD7280A_CTRL_HB_CONV_AVG(x) ((x) << 1) +-#define AD7280A_CTRL_HB_PWRDN_SW BIT(0) +- +-#define AD7280A_CTRL_LB_SWRST BIT(7) +-#define AD7280A_CTRL_LB_ACQ_TIME_400ns 0 +-#define AD7280A_CTRL_LB_ACQ_TIME_800ns BIT(5) +-#define AD7280A_CTRL_LB_ACQ_TIME_1200ns BIT(6) +-#define AD7280A_CTRL_LB_ACQ_TIME_1600ns (BIT(6) | BIT(5)) +-#define AD7280A_CTRL_LB_ACQ_TIME(x) ((x) << 5) +-#define AD7280A_CTRL_LB_MUST_SET BIT(4) +-#define AD7280A_CTRL_LB_THERMISTOR_EN BIT(3) +-#define AD7280A_CTRL_LB_LOCK_DEV_ADDR BIT(2) +-#define AD7280A_CTRL_LB_INC_DEV_ADDR BIT(1) +-#define AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN BIT(0) +- +-#define AD7280A_ALERT_GEN_STATIC_HIGH BIT(6) +-#define AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN (BIT(7) | BIT(6)) + ++#define AD7280A_CELL_VOLTAGE_1_REG 0x0 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_2_REG 0x1 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_3_REG 0x2 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_4_REG 0x3 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_5_REG 0x4 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_6_REG 0x5 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_1_REG 0x6 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_2_REG 0x7 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_3_REG 0x8 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_4_REG 0x9 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_5_REG 0xA /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_6_REG 0xB /* D11 to D0, Read only */ ++#define AD7280A_SELF_TEST_REG 0xC /* D11 to D0, Read only */ ++ ++#define AD7280A_CTRL_HB_REG 0xD /* D15 to D8, Read/write */ ++#define AD7280A_CTRL_HB_CONV_INPUT_MSK GENMASK(7, 6) ++#define AD7280A_CTRL_HB_CONV_INPUT_ALL 0 ++#define AD7280A_CTRL_HB_CONV_INPUT_6CELL_AUX1_3_5 1 ++#define AD7280A_CTRL_HB_CONV_INPUT_6CELL 2 ++#define AD7280A_CTRL_HB_CONV_INPUT_SELF_TEST 3 ++#define AD7280A_CTRL_HB_CONV_RREAD_MSK GENMASK(5, 4) ++#define AD7280A_CTRL_HB_CONV_RREAD_ALL 0 ++#define AD7280A_CTRL_HB_CONV_RREAD_6CELL_AUX1_3_5 1 ++#define AD7280A_CTRL_HB_CONV_RREAD_6CELL 2 ++#define AD7280A_CTRL_HB_CONV_RREAD_NO 3 ++#define AD7280A_CTRL_HB_CONV_START_MSK BIT(3) ++#define AD7280A_CTRL_HB_CONV_START_CNVST 0 ++#define AD7280A_CTRL_HB_CONV_START_CS 1 ++#define AD7280A_CTRL_HB_CONV_AVG_MSK GENMASK(2, 1) ++#define AD7280A_CTRL_HB_CONV_AVG_DIS 0 ++#define AD7280A_CTRL_HB_CONV_AVG_2 1 ++#define AD7280A_CTRL_HB_CONV_AVG_4 2 ++#define AD7280A_CTRL_HB_CONV_AVG_8 3 ++#define AD7280A_CTRL_HB_PWRDN_SW BIT(0) ++ ++#define AD7280A_CTRL_LB_REG 0xE /* D7 to D0, Read/write */ ++#define AD7280A_CTRL_LB_SWRST_MSK BIT(7) ++#define AD7280A_CTRL_LB_ACQ_TIME_MSK GENMASK(6, 5) ++#define AD7280A_CTRL_LB_ACQ_TIME_400ns 0 ++#define AD7280A_CTRL_LB_ACQ_TIME_800ns 1 ++#define AD7280A_CTRL_LB_ACQ_TIME_1200ns 2 ++#define AD7280A_CTRL_LB_ACQ_TIME_1600ns 3 ++#define AD7280A_CTRL_LB_MUST_SET BIT(4) ++#define AD7280A_CTRL_LB_THERMISTOR_MSK BIT(3) ++#define AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK BIT(2) ++#define AD7280A_CTRL_LB_INC_DEV_ADDR_MSK BIT(1) ++#define AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK BIT(0) ++ ++#define AD7280A_CELL_OVERVOLTAGE_REG 0xF /* D7 to D0, Read/write */ ++#define AD7280A_CELL_UNDERVOLTAGE_REG 0x10 /* D7 to D0, Read/write */ ++#define AD7280A_AUX_ADC_OVERVOLTAGE_REG 0x11 /* D7 to D0, Read/write */ ++#define AD7280A_AUX_ADC_UNDERVOLTAGE_REG 0x12 /* D7 to D0, Read/write */ ++ ++#define AD7280A_ALERT_REG 0x13 /* D7 to D0, Read/write */ ++#define AD7280A_ALERT_GEN_STATIC_HIGH BIT(6) ++#define AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN (BIT(7) | BIT(6)) ++ ++#define AD7280A_CELL_BALANCE_REG 0x14 /* D7 to D0, Read/write */ ++#define AD7280A_CB1_TIMER_REG 0x15 /* D7 to D0, Read/write */ ++#define AD7280A_CB_TIMER_VAL_MSK GENMASK(7, 3) ++#define AD7280A_CB2_TIMER_REG 0x16 /* D7 to D0, Read/write */ ++#define AD7280A_CB3_TIMER_REG 0x17 /* D7 to D0, Read/write */ ++#define AD7280A_CB4_TIMER_REG 0x18 /* D7 to D0, Read/write */ ++#define AD7280A_CB5_TIMER_REG 0x19 /* D7 to D0, Read/write */ ++#define AD7280A_CB6_TIMER_REG 0x1A /* D7 to D0, Read/write */ ++#define AD7280A_PD_TIMER_REG 0x1B /* D7 to D0, Read/write */ ++#define AD7280A_READ_REG 0x1C /* D7 to D0, Read/write */ ++#define AD7280A_READ_ADDR_MSK GENMASK(7, 2) ++#define AD7280A_CNVST_CTRL_REG 0x1D /* D7 to D0, Read/write */ ++ ++/* Magic value used to indicate this special case */ + #define AD7280A_ALL_CELLS (0xAD << 16) + + #define AD7280A_MAX_SPI_CLK_HZ 700000 /* < 1MHz */ + #define AD7280A_MAX_CHAIN 8 + #define AD7280A_CELLS_PER_DEV 6 + #define AD7280A_BITS 12 +-#define AD7280A_NUM_CH (AD7280A_AUX_ADC_6 - \ +- AD7280A_CELL_VOLTAGE_1 + 1) ++#define AD7280A_NUM_CH (AD7280A_AUX_ADC_6_REG - \ ++ AD7280A_CELL_VOLTAGE_1_REG + 1) + + #define AD7280A_CALC_VOLTAGE_CHAN_NUM(d, c) (((d) * AD7280A_CELLS_PER_DEV) + \ + (c)) +@@ -222,23 +231,28 @@ static int ad7280_read(struct ad7280_state *st, unsigned int devaddr, + unsigned int tmp; + + /* turns off the read operation on all parts */ +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_NO | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_NO) | + st->ctrl_hb); + if (ret) + return ret; + + /* turns on the read operation on the addressed part */ +- ret = ad7280_write(st, devaddr, AD7280A_CONTROL_HB, 0, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | ++ ret = ad7280_write(st, devaddr, AD7280A_CTRL_HB_REG, 0, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | + st->ctrl_hb); + if (ret) + return ret; + + /* Set register address on the part to be read from */ +- ret = ad7280_write(st, devaddr, AD7280A_READ, 0, addr << 2); ++ ret = ad7280_write(st, devaddr, AD7280A_READ_REG, 0, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, addr)); + if (ret) + return ret; + +@@ -261,21 +275,27 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned int devaddr, + int ret; + unsigned int tmp; + +- ret = ad7280_write(st, devaddr, AD7280A_READ, 0, addr << 2); ++ ret = ad7280_write(st, devaddr, AD7280A_READ_REG, 0, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, addr)); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_NO | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_NO) | + st->ctrl_hb); + if (ret) + return ret; + +- ret = ad7280_write(st, devaddr, AD7280A_CONTROL_HB, 0, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | +- AD7280A_CTRL_HB_CONV_START_CS | ++ ret = ad7280_write(st, devaddr, AD7280A_CTRL_HB_REG, 0, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_START_MSK, ++ AD7280A_CTRL_HB_CONV_START_CS) | + st->ctrl_hb); + if (ret) + return ret; +@@ -301,15 +321,18 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt, + int i, ret; + unsigned int tmp, sum = 0; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ, 1, +- AD7280A_CELL_VOLTAGE_1 << 2); ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ_REG, 1, ++ AD7280A_CELL_VOLTAGE_1_REG << 2); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | +- AD7280A_CTRL_HB_CONV_START_CS | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_START_MSK, ++ AD7280A_CTRL_HB_CONV_START_CS) | + st->ctrl_hb); + if (ret) + return ret; +@@ -327,7 +350,7 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt, + if (array) + array[i] = tmp; + /* only sum cell voltages */ +- if (((tmp >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6) ++ if (((tmp >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6_REG) + sum += ((tmp >> 11) & 0xFFF); + } + +@@ -338,7 +361,7 @@ static void ad7280_sw_power_down(void *data) + { + struct ad7280_state *st = data; + +- ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, ++ ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, + AD7280A_CTRL_HB_PWRDN_SW | st->ctrl_hb); + } + +@@ -347,25 +370,26 @@ static int ad7280_chain_setup(struct ad7280_state *st) + unsigned int val, n; + int ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_LB, 1, +- AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN | +- AD7280A_CTRL_LB_LOCK_DEV_ADDR | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_LB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK, 1) | ++ FIELD_PREP(AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK, 1) | + AD7280A_CTRL_LB_MUST_SET | +- AD7280A_CTRL_LB_SWRST | ++ FIELD_PREP(AD7280A_CTRL_LB_SWRST_MSK, 1) | + st->ctrl_lb); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_LB, 1, +- AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN | +- AD7280A_CTRL_LB_LOCK_DEV_ADDR | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_LB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK, 1) | ++ FIELD_PREP(AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK, 1) | + AD7280A_CTRL_LB_MUST_SET | ++ FIELD_PREP(AD7280A_CTRL_LB_SWRST_MSK, 0) | + st->ctrl_lb); + if (ret) + goto error_power_down; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ, 1, +- AD7280A_CONTROL_LB << 2); ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ_REG, 1, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, AD7280A_CTRL_LB_REG)); + if (ret) + goto error_power_down; + +@@ -390,7 +414,7 @@ static int ad7280_chain_setup(struct ad7280_state *st) + ret = -EFAULT; + + error_power_down: +- ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, ++ ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, + AD7280A_CTRL_HB_PWRDN_SW | st->ctrl_hb); + + return ret; +@@ -434,7 +458,7 @@ static ssize_t ad7280_store_balance_sw(struct device *dev, + else + st->cb_mask[devaddr] &= ~(1 << (ch + 2)); + +- ret = ad7280_write(st, devaddr, AD7280A_CELL_BALANCE, ++ ret = ad7280_write(st, devaddr, AD7280A_CELL_BALANCE_REG, + 0, st->cb_mask[devaddr]); + mutex_unlock(&st->lock); + +@@ -459,7 +483,7 @@ static ssize_t ad7280_show_balance_timer(struct device *dev, + if (ret < 0) + return ret; + +- msecs = (ret >> 3) * 71500; ++ msecs = FIELD_GET(AD7280A_CB_TIMER_VAL_MSK, ret) * 71500; + + return sprintf(buf, "%u\n", msecs); + } +@@ -486,8 +510,8 @@ static ssize_t ad7280_store_balance_timer(struct device *dev, + + mutex_lock(&st->lock); + ret = ad7280_write(st, this_attr->address >> 8, +- this_attr->address & 0xFF, +- 0, (val & 0x1F) << 3); ++ this_attr->address & 0xFF, 0, ++ FIELD_PREP(AD7280A_CB_TIMER_VAL_MSK, val)); + mutex_unlock(&st->lock); + + return ret ? ret : len; +@@ -559,10 +583,10 @@ static void ad7280_init_dev_channels(struct ad7280_state *st, int dev, int *cnt) + int addr, ch, i; + struct iio_chan_spec *chan; + +- for (ch = AD7280A_CELL_VOLTAGE_1; ch <= AD7280A_AUX_ADC_6; ch++) { ++ for (ch = AD7280A_CELL_VOLTAGE_1_REG; ch <= AD7280A_AUX_ADC_6_REG; ch++) { + chan = &st->channels[*cnt]; + +- if (ch < AD7280A_AUX_ADC_1) { ++ if (ch < AD7280A_AUX_ADC_1_REG) { + i = AD7280A_CALC_VOLTAGE_CHAN_NUM(dev, ch); + ad7280_voltage_channel_init(chan, i); + } else { +@@ -634,7 +658,7 @@ static int ad7280_init_dev_attrs(struct ad7280_state *st, int dev, int *cnt) + struct iio_dev_attr *iio_attr; + struct device *sdev = &st->spi->dev; + +- for (ch = AD7280A_CELL_VOLTAGE_1; ch <= AD7280A_CELL_VOLTAGE_6; ch++) { ++ for (ch = AD7280A_CELL_VOLTAGE_1_REG; ch <= AD7280A_CELL_VOLTAGE_6_REG; ch++) { + iio_attr = &st->iio_attr[*cnt]; + addr = ad7280a_devaddr(dev) << 8 | ch; + i = dev * AD7280A_CELLS_PER_DEV + ch; +@@ -647,7 +671,7 @@ static int ad7280_init_dev_attrs(struct ad7280_state *st, int dev, int *cnt) + + (*cnt)++; + iio_attr = &st->iio_attr[*cnt]; +- addr = ad7280a_devaddr(dev) << 8 | (AD7280A_CB1_TIMER + ch); ++ addr = ad7280a_devaddr(dev) << 8 | (AD7280A_CB1_TIMER_REG + ch); + + ret = ad7280_balance_timer_attr_init(iio_attr, sdev, addr, i); + if (ret < 0) +@@ -691,16 +715,16 @@ static ssize_t ad7280_read_channel_config(struct device *dev, + unsigned int val; + + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: + val = 1000 + (st->cell_threshhigh * 1568) / 100; + break; +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + val = 1000 + (st->cell_threshlow * 1568) / 100; + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: + val = (st->aux_threshhigh * 196) / 10; + break; +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + val = (st->aux_threshlow * 196) / 10; + break; + default: +@@ -727,12 +751,12 @@ static ssize_t ad7280_write_channel_config(struct device *dev, + return ret; + + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + val = ((val - 1000) * 100) / 1568; /* LSB 15.68mV */ + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + val = (val * 10) / 196; /* LSB 19.6mV */ + break; + default: +@@ -743,16 +767,16 @@ static ssize_t ad7280_write_channel_config(struct device *dev, + + mutex_lock(&st->lock); + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: + st->cell_threshhigh = val; + break; +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + st->cell_threshlow = val; + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: + st->aux_threshhigh = val; + break; +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + st->aux_threshlow = val; + break; + } +@@ -781,7 +805,7 @@ static irqreturn_t ad7280_event_handler(int irq, void *private) + goto out; + + for (i = 0; i < st->scan_cnt; i++) { +- if (((channels[i] >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6) { ++ if (((channels[i] >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6_REG) { + if (((channels[i] >> 11) & 0xFFF) >= + st->cell_threshhigh) { + u64 tmp = IIO_EVENT_CODE(IIO_VOLTAGE, 1, 0, +@@ -801,7 +825,7 @@ static irqreturn_t ad7280_event_handler(int irq, void *private) + } + } else { + if (((channels[i] >> 11) & 0xFFF) >= +- st->aux_threshhigh) { ++ st->aux_threshhigh) { + u64 tmp = IIO_UNMOD_EVENT_CODE(IIO_TEMP, 0, + IIO_EV_TYPE_THRESH, + IIO_EV_DIR_RISING); +@@ -833,26 +857,26 @@ static IIO_DEVICE_ATTR_NAMED(in_thresh_low_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_CELL_UNDERVOLTAGE); ++ AD7280A_CELL_UNDERVOLTAGE_REG); + + static IIO_DEVICE_ATTR_NAMED(in_thresh_high_value, + in_voltage-voltage_thresh_high_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_CELL_OVERVOLTAGE); ++ AD7280A_CELL_OVERVOLTAGE_REG); + + static IIO_DEVICE_ATTR(in_temp_thresh_low_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_AUX_ADC_UNDERVOLTAGE); ++ AD7280A_AUX_ADC_UNDERVOLTAGE_REG); + + static IIO_DEVICE_ATTR(in_temp_thresh_high_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_AUX_ADC_OVERVOLTAGE); ++ AD7280A_AUX_ADC_OVERVOLTAGE_REG); + + static struct attribute *ad7280_event_attributes[] = { + &iio_dev_attr_in_thresh_low_value.dev_attr.attr, +@@ -892,7 +916,7 @@ static int ad7280_read_raw(struct iio_dev *indio_dev, + + return IIO_VAL_INT; + case IIO_CHAN_INFO_SCALE: +- if ((chan->address & 0xFF) <= AD7280A_CELL_VOLTAGE_6) ++ if ((chan->address & 0xFF) <= AD7280A_CELL_VOLTAGE_6_REG) + *val = 4000; + else + *val = 5000; +@@ -942,10 +966,9 @@ static int ad7280_probe(struct spi_device *spi) + st->spi->mode = SPI_MODE_1; + spi_setup(st->spi); + +- st->ctrl_lb = AD7280A_CTRL_LB_ACQ_TIME(pdata->acquisition_time & 0x3); +- st->ctrl_hb = AD7280A_CTRL_HB_CONV_AVG(pdata->conversion_averaging +- & 0x3) | (pdata->thermistor_term_en ? +- AD7280A_CTRL_LB_THERMISTOR_EN : 0); ++ st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, pdata->acquisition_time) | ++ FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, pdata->thermistor_term_en); ++ st->ctrl_hb = FIELD_PREP(AD7280A_CTRL_HB_CONV_AVG_MSK, pdata->conversion_averaging); + + ret = ad7280_chain_setup(st); + if (ret < 0) +@@ -998,13 +1021,13 @@ static int ad7280_probe(struct spi_device *spi) + + if (spi->irq > 0) { + ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, +- AD7280A_ALERT, 1, ++ AD7280A_ALERT_REG, 1, + AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN); + if (ret) + return ret; + + ret = ad7280_write(st, ad7280a_devaddr(st->slave_num), +- AD7280A_ALERT, 0, ++ AD7280A_ALERT_REG, 0, + AD7280A_ALERT_GEN_STATIC_HIGH | + (pdata->chain_last_alert_ignore & 0xF)); + if (ret) +-- +2.51.0 + diff --git a/queue-5.10/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-5.10/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..92d93e2196 --- /dev/null +++ b/queue-5.10/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From bc173026654ef27eac69702f9a169e9726277d12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 9ac9fbdad5c08..4a83228a2db57 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1745,9 +1745,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-5.15/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-5.15/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..0da8b0c9ca --- /dev/null +++ b/queue-5.15/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From 3379d3e3c27fd316545fdaedc95f93467543edd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 5cc97982ab82e..f9f991775a950 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1797,11 +1797,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-5.15/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-5.15/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..045b16cc0b --- /dev/null +++ b/queue-5.15/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From 6b91b481901ca151046794fb7a532f9a596008b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 96a8749cf34fb..92ee82d4b18f1 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3796,6 +3796,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3808,7 +3809,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-5.15/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-5.15/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..52e749ebd2 --- /dev/null +++ b/queue-5.15/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From 817a007d1f9146286771b9341c4053241ff41636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 86be928b210a2..e6394fd45f6df 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3811,8 +3811,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-5.15/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-5.15/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..c4b51cc4aa --- /dev/null +++ b/queue-5.15/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From 598f9939c715203c3ae00b023e37e238393e8e67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +index 09e78575db877..0bc785f09ee1d 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +@@ -2242,8 +2242,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2297,16 +2295,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-5.15/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-5.15/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..43b3196209 --- /dev/null +++ b/queue-5.15/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From 1b159644b9557e071bf9666faef2bd47b366b78a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +index 0bc785f09ee1d..a6ed28ab07083 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/si_dpm.c +@@ -2250,6 +2250,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3425,10 +3431,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-5.15/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-5.15/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..9503e2789f --- /dev/null +++ b/queue-5.15/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 24de2ab451e29317b8aafb2bb2f2ce627069310c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index 0f64b2fbfa7aa..cc66c3d7141aa 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -964,7 +964,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, pdata->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, pdata->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-5.15/ipv6-annotate-data-race-in-ndisc_router_discovery.patch b/queue-5.15/ipv6-annotate-data-race-in-ndisc_router_discovery.patch new file mode 100644 index 0000000000..d50c205af6 --- /dev/null +++ b/queue-5.15/ipv6-annotate-data-race-in-ndisc_router_discovery.patch @@ -0,0 +1,79 @@ +From df686d072631242353a6fee42f80b4ffcf8ff4ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 15:29:41 +0000 +Subject: ipv6: annotate data-race in ndisc_router_discovery() + +From: Eric Dumazet + +[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ] + +syzbot found that ndisc_router_discovery() could read and write +in6_dev->ra_mtu without holding a lock [1] + +This looks fine, IFLA_INET6_RA_MTU is best effort. + +Add READ_ONCE()/WRITE_ONCE() to document the race. + +Note that we might also reject illegal MTU values +(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. + +[1] +BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery + +read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: + ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: + ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +value changed: 0x00000000 -> 0xe5400659 + +Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Rocco Yue +Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index af584e879467e..1821c1aa97ad4 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1507,8 +1507,8 @@ static void ndisc_router_discovery(struct sk_buff *skb) + memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu)); + mtu = ntohl(n); + +- if (in6_dev->ra_mtu != mtu) { +- in6_dev->ra_mtu = mtu; ++ if (READ_ONCE(in6_dev->ra_mtu) != mtu) { ++ WRITE_ONCE(in6_dev->ra_mtu, mtu); + send_ifinfo_notify = true; + } + +-- +2.51.0 + diff --git a/queue-5.15/misdn-annotate-data-race-around-dev-work.patch b/queue-5.15/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..20c0f8d336 --- /dev/null +++ b/queue-5.15/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From a13aa7f7e13f26cb60360f9d37e9517d43064526 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index abdf36ac3bee5..74d6ed49dc368 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-5.15/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-5.15/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..3b798afd57 --- /dev/null +++ b/queue-5.15/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From 806b4ebc4e9ed031c718b77c818098b486352653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index dd9d5df31905a..1dae7500fa57c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5856,7 +5856,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-5.15/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-5.15/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..ac9fb19e6b --- /dev/null +++ b/queue-5.15/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From a22290d8958383df4a1ec6a2b88fe056839eec39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 303a7592bb18d..7d96aa361f633 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -1036,7 +1036,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-5.15/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-5.15/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..416b1bc5ca --- /dev/null +++ b/queue-5.15/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From 897ba4f374d7c94b55e2c7548f33bdbfdeb3c046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index a8a5dbd7221b0..1e29e9ec228e5 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -820,6 +820,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -828,6 +829,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -843,8 +846,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-5.15/octeontx2-af-fix-error-handling.patch b/queue-5.15/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..8efa514d53 --- /dev/null +++ b/queue-5.15/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From 6879a17e51f60c1f788debb97b54f5a846b66a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 0863fa06c06d1..53f742a507dbe 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1455,8 +1455,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1466,21 +1466,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1491,6 +1491,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1628,22 +1630,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1653,33 +1664,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-5.15/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-5.15/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..5b915f5b4e --- /dev/null +++ b/queue-5.15/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From 329f07ac6a48c276319fe50df161938e71628ec5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 35cfbec6bf9ac..e1380b08685f4 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -473,9 +473,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-5.15/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-5.15/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..ec8ec6097e --- /dev/null +++ b/queue-5.15/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 91adf137c885ef6e01eb88f38c2f113930228995 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 2d5dc488f5117..08ad3c0af12ea 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -276,11 +276,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index c8be41d8eb247..576e0eb8f8f80 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -281,6 +281,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index e36ec0357a..8bb8d66d01 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -87,3 +87,20 @@ input-i8042-add-quirk-for-asus-zenbook-ux425qa_um425qa.patch scsi-storvsc-process-unsupported-mode_sense_10.patch x86-kfence-avoid-writing-l1tf-vulnerable-ptes.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +staging-iio-adc-ad7280a-register-define-cleanup.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +ipv6-annotate-data-race-in-ndisc_router_discovery.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +octeontx2-af-fix-error-handling.patch +net-sched-act_ife-avoid-possible-null-deref.patch +x86-make-page-fault-handling-disable-interrupts-prop.patch diff --git a/queue-5.15/staging-iio-adc-ad7280a-register-define-cleanup.patch b/queue-5.15/staging-iio-adc-ad7280a-register-define-cleanup.patch new file mode 100644 index 0000000000..850b62c72d --- /dev/null +++ b/queue-5.15/staging-iio-adc-ad7280a-register-define-cleanup.patch @@ -0,0 +1,560 @@ +From 3c5fca5712b007fa35db8707fb5dc38912dfd26e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Feb 2022 19:03:10 +0000 +Subject: staging:iio:adc:ad7280a: Register define cleanup. + +From: Jonathan Cameron + +[ Upstream commit 4c59aabd9a93d8f867d9f6aa0407cc6a7db47fa5 ] + +1. Postfix register addresses with _REG to distinguish them from + fields within the registers +2. Switch to using FIELD_PREP and masks to aid readability. +3. Shorten a few defines to make the lines remain a sensible length. +4. Fix an issue whether where an CTRL_LB field is set in CTRL_HB. +5. Fix wrong AUX1_3_4 which should be AUX_1_3_5 according to + table 14 in the datasheet. + +Signed-off-by: Jonathan Cameron +Reviewed-by: Marcelo Schmitt +Link: https://lore.kernel.org/r/20220206190328.333093-3-jic23@kernel.org +Stable-dep-of: 6b39824ac4c1 ("iio: adc: ad7280a: handle spi_setup() errors in probe()") +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 285 ++++++++++++++++-------------- + 1 file changed, 154 insertions(+), 131 deletions(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index 20183b2ea1279..0f64b2fbfa7aa 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -23,78 +24,86 @@ + #include "ad7280a.h" + + /* Registers */ +-#define AD7280A_CELL_VOLTAGE_1 0x0 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_2 0x1 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_3 0x2 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_4 0x3 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_5 0x4 /* D11 to D0, Read only */ +-#define AD7280A_CELL_VOLTAGE_6 0x5 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_1 0x6 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_2 0x7 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_3 0x8 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_4 0x9 /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_5 0xA /* D11 to D0, Read only */ +-#define AD7280A_AUX_ADC_6 0xB /* D11 to D0, Read only */ +-#define AD7280A_SELF_TEST 0xC /* D11 to D0, Read only */ +-#define AD7280A_CONTROL_HB 0xD /* D15 to D8, Read/write */ +-#define AD7280A_CONTROL_LB 0xE /* D7 to D0, Read/write */ +-#define AD7280A_CELL_OVERVOLTAGE 0xF /* D7 to D0, Read/write */ +-#define AD7280A_CELL_UNDERVOLTAGE 0x10 /* D7 to D0, Read/write */ +-#define AD7280A_AUX_ADC_OVERVOLTAGE 0x11 /* D7 to D0, Read/write */ +-#define AD7280A_AUX_ADC_UNDERVOLTAGE 0x12 /* D7 to D0, Read/write */ +-#define AD7280A_ALERT 0x13 /* D7 to D0, Read/write */ +-#define AD7280A_CELL_BALANCE 0x14 /* D7 to D0, Read/write */ +-#define AD7280A_CB1_TIMER 0x15 /* D7 to D0, Read/write */ +-#define AD7280A_CB2_TIMER 0x16 /* D7 to D0, Read/write */ +-#define AD7280A_CB3_TIMER 0x17 /* D7 to D0, Read/write */ +-#define AD7280A_CB4_TIMER 0x18 /* D7 to D0, Read/write */ +-#define AD7280A_CB5_TIMER 0x19 /* D7 to D0, Read/write */ +-#define AD7280A_CB6_TIMER 0x1A /* D7 to D0, Read/write */ +-#define AD7280A_PD_TIMER 0x1B /* D7 to D0, Read/write */ +-#define AD7280A_READ 0x1C /* D7 to D0, Read/write */ +-#define AD7280A_CNVST_CONTROL 0x1D /* D7 to D0, Read/write */ +- +-/* Bits and Masks */ +-#define AD7280A_CTRL_HB_CONV_INPUT_ALL 0 +-#define AD7280A_CTRL_HB_CONV_INPUT_6CELL_AUX1_3_4 BIT(6) +-#define AD7280A_CTRL_HB_CONV_INPUT_6CELL BIT(7) +-#define AD7280A_CTRL_HB_CONV_INPUT_SELF_TEST (BIT(7) | BIT(6)) +-#define AD7280A_CTRL_HB_CONV_RES_READ_ALL 0 +-#define AD7280A_CTRL_HB_CONV_RES_READ_6CELL_AUX1_3_4 BIT(4) +-#define AD7280A_CTRL_HB_CONV_RES_READ_6CELL BIT(5) +-#define AD7280A_CTRL_HB_CONV_RES_READ_NO (BIT(5) | BIT(4)) +-#define AD7280A_CTRL_HB_CONV_START_CNVST 0 +-#define AD7280A_CTRL_HB_CONV_START_CS BIT(3) +-#define AD7280A_CTRL_HB_CONV_AVG_DIS 0 +-#define AD7280A_CTRL_HB_CONV_AVG_2 BIT(1) +-#define AD7280A_CTRL_HB_CONV_AVG_4 BIT(2) +-#define AD7280A_CTRL_HB_CONV_AVG_8 (BIT(2) | BIT(1)) +-#define AD7280A_CTRL_HB_CONV_AVG(x) ((x) << 1) +-#define AD7280A_CTRL_HB_PWRDN_SW BIT(0) +- +-#define AD7280A_CTRL_LB_SWRST BIT(7) +-#define AD7280A_CTRL_LB_ACQ_TIME_400ns 0 +-#define AD7280A_CTRL_LB_ACQ_TIME_800ns BIT(5) +-#define AD7280A_CTRL_LB_ACQ_TIME_1200ns BIT(6) +-#define AD7280A_CTRL_LB_ACQ_TIME_1600ns (BIT(6) | BIT(5)) +-#define AD7280A_CTRL_LB_ACQ_TIME(x) ((x) << 5) +-#define AD7280A_CTRL_LB_MUST_SET BIT(4) +-#define AD7280A_CTRL_LB_THERMISTOR_EN BIT(3) +-#define AD7280A_CTRL_LB_LOCK_DEV_ADDR BIT(2) +-#define AD7280A_CTRL_LB_INC_DEV_ADDR BIT(1) +-#define AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN BIT(0) +- +-#define AD7280A_ALERT_GEN_STATIC_HIGH BIT(6) +-#define AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN (BIT(7) | BIT(6)) + ++#define AD7280A_CELL_VOLTAGE_1_REG 0x0 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_2_REG 0x1 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_3_REG 0x2 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_4_REG 0x3 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_5_REG 0x4 /* D11 to D0, Read only */ ++#define AD7280A_CELL_VOLTAGE_6_REG 0x5 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_1_REG 0x6 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_2_REG 0x7 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_3_REG 0x8 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_4_REG 0x9 /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_5_REG 0xA /* D11 to D0, Read only */ ++#define AD7280A_AUX_ADC_6_REG 0xB /* D11 to D0, Read only */ ++#define AD7280A_SELF_TEST_REG 0xC /* D11 to D0, Read only */ ++ ++#define AD7280A_CTRL_HB_REG 0xD /* D15 to D8, Read/write */ ++#define AD7280A_CTRL_HB_CONV_INPUT_MSK GENMASK(7, 6) ++#define AD7280A_CTRL_HB_CONV_INPUT_ALL 0 ++#define AD7280A_CTRL_HB_CONV_INPUT_6CELL_AUX1_3_5 1 ++#define AD7280A_CTRL_HB_CONV_INPUT_6CELL 2 ++#define AD7280A_CTRL_HB_CONV_INPUT_SELF_TEST 3 ++#define AD7280A_CTRL_HB_CONV_RREAD_MSK GENMASK(5, 4) ++#define AD7280A_CTRL_HB_CONV_RREAD_ALL 0 ++#define AD7280A_CTRL_HB_CONV_RREAD_6CELL_AUX1_3_5 1 ++#define AD7280A_CTRL_HB_CONV_RREAD_6CELL 2 ++#define AD7280A_CTRL_HB_CONV_RREAD_NO 3 ++#define AD7280A_CTRL_HB_CONV_START_MSK BIT(3) ++#define AD7280A_CTRL_HB_CONV_START_CNVST 0 ++#define AD7280A_CTRL_HB_CONV_START_CS 1 ++#define AD7280A_CTRL_HB_CONV_AVG_MSK GENMASK(2, 1) ++#define AD7280A_CTRL_HB_CONV_AVG_DIS 0 ++#define AD7280A_CTRL_HB_CONV_AVG_2 1 ++#define AD7280A_CTRL_HB_CONV_AVG_4 2 ++#define AD7280A_CTRL_HB_CONV_AVG_8 3 ++#define AD7280A_CTRL_HB_PWRDN_SW BIT(0) ++ ++#define AD7280A_CTRL_LB_REG 0xE /* D7 to D0, Read/write */ ++#define AD7280A_CTRL_LB_SWRST_MSK BIT(7) ++#define AD7280A_CTRL_LB_ACQ_TIME_MSK GENMASK(6, 5) ++#define AD7280A_CTRL_LB_ACQ_TIME_400ns 0 ++#define AD7280A_CTRL_LB_ACQ_TIME_800ns 1 ++#define AD7280A_CTRL_LB_ACQ_TIME_1200ns 2 ++#define AD7280A_CTRL_LB_ACQ_TIME_1600ns 3 ++#define AD7280A_CTRL_LB_MUST_SET BIT(4) ++#define AD7280A_CTRL_LB_THERMISTOR_MSK BIT(3) ++#define AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK BIT(2) ++#define AD7280A_CTRL_LB_INC_DEV_ADDR_MSK BIT(1) ++#define AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK BIT(0) ++ ++#define AD7280A_CELL_OVERVOLTAGE_REG 0xF /* D7 to D0, Read/write */ ++#define AD7280A_CELL_UNDERVOLTAGE_REG 0x10 /* D7 to D0, Read/write */ ++#define AD7280A_AUX_ADC_OVERVOLTAGE_REG 0x11 /* D7 to D0, Read/write */ ++#define AD7280A_AUX_ADC_UNDERVOLTAGE_REG 0x12 /* D7 to D0, Read/write */ ++ ++#define AD7280A_ALERT_REG 0x13 /* D7 to D0, Read/write */ ++#define AD7280A_ALERT_GEN_STATIC_HIGH BIT(6) ++#define AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN (BIT(7) | BIT(6)) ++ ++#define AD7280A_CELL_BALANCE_REG 0x14 /* D7 to D0, Read/write */ ++#define AD7280A_CB1_TIMER_REG 0x15 /* D7 to D0, Read/write */ ++#define AD7280A_CB_TIMER_VAL_MSK GENMASK(7, 3) ++#define AD7280A_CB2_TIMER_REG 0x16 /* D7 to D0, Read/write */ ++#define AD7280A_CB3_TIMER_REG 0x17 /* D7 to D0, Read/write */ ++#define AD7280A_CB4_TIMER_REG 0x18 /* D7 to D0, Read/write */ ++#define AD7280A_CB5_TIMER_REG 0x19 /* D7 to D0, Read/write */ ++#define AD7280A_CB6_TIMER_REG 0x1A /* D7 to D0, Read/write */ ++#define AD7280A_PD_TIMER_REG 0x1B /* D7 to D0, Read/write */ ++#define AD7280A_READ_REG 0x1C /* D7 to D0, Read/write */ ++#define AD7280A_READ_ADDR_MSK GENMASK(7, 2) ++#define AD7280A_CNVST_CTRL_REG 0x1D /* D7 to D0, Read/write */ ++ ++/* Magic value used to indicate this special case */ + #define AD7280A_ALL_CELLS (0xAD << 16) + + #define AD7280A_MAX_SPI_CLK_HZ 700000 /* < 1MHz */ + #define AD7280A_MAX_CHAIN 8 + #define AD7280A_CELLS_PER_DEV 6 + #define AD7280A_BITS 12 +-#define AD7280A_NUM_CH (AD7280A_AUX_ADC_6 - \ +- AD7280A_CELL_VOLTAGE_1 + 1) ++#define AD7280A_NUM_CH (AD7280A_AUX_ADC_6_REG - \ ++ AD7280A_CELL_VOLTAGE_1_REG + 1) + + #define AD7280A_CALC_VOLTAGE_CHAN_NUM(d, c) (((d) * AD7280A_CELLS_PER_DEV) + \ + (c)) +@@ -222,23 +231,28 @@ static int ad7280_read(struct ad7280_state *st, unsigned int devaddr, + unsigned int tmp; + + /* turns off the read operation on all parts */ +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_NO | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_NO) | + st->ctrl_hb); + if (ret) + return ret; + + /* turns on the read operation on the addressed part */ +- ret = ad7280_write(st, devaddr, AD7280A_CONTROL_HB, 0, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | ++ ret = ad7280_write(st, devaddr, AD7280A_CTRL_HB_REG, 0, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | + st->ctrl_hb); + if (ret) + return ret; + + /* Set register address on the part to be read from */ +- ret = ad7280_write(st, devaddr, AD7280A_READ, 0, addr << 2); ++ ret = ad7280_write(st, devaddr, AD7280A_READ_REG, 0, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, addr)); + if (ret) + return ret; + +@@ -261,21 +275,27 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned int devaddr, + int ret; + unsigned int tmp; + +- ret = ad7280_write(st, devaddr, AD7280A_READ, 0, addr << 2); ++ ret = ad7280_write(st, devaddr, AD7280A_READ_REG, 0, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, addr)); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_NO | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_NO) | + st->ctrl_hb); + if (ret) + return ret; + +- ret = ad7280_write(st, devaddr, AD7280A_CONTROL_HB, 0, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | +- AD7280A_CTRL_HB_CONV_START_CS | ++ ret = ad7280_write(st, devaddr, AD7280A_CTRL_HB_REG, 0, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_START_MSK, ++ AD7280A_CTRL_HB_CONV_START_CS) | + st->ctrl_hb); + if (ret) + return ret; +@@ -301,15 +321,18 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt, + int i, ret; + unsigned int tmp, sum = 0; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ, 1, +- AD7280A_CELL_VOLTAGE_1 << 2); ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ_REG, 1, ++ AD7280A_CELL_VOLTAGE_1_REG << 2); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, +- AD7280A_CTRL_HB_CONV_INPUT_ALL | +- AD7280A_CTRL_HB_CONV_RES_READ_ALL | +- AD7280A_CTRL_HB_CONV_START_CS | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_INPUT_MSK, ++ AD7280A_CTRL_HB_CONV_INPUT_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_RREAD_MSK, ++ AD7280A_CTRL_HB_CONV_RREAD_ALL) | ++ FIELD_PREP(AD7280A_CTRL_HB_CONV_START_MSK, ++ AD7280A_CTRL_HB_CONV_START_CS) | + st->ctrl_hb); + if (ret) + return ret; +@@ -327,7 +350,7 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt, + if (array) + array[i] = tmp; + /* only sum cell voltages */ +- if (((tmp >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6) ++ if (((tmp >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6_REG) + sum += ((tmp >> 11) & 0xFFF); + } + +@@ -338,7 +361,7 @@ static void ad7280_sw_power_down(void *data) + { + struct ad7280_state *st = data; + +- ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, ++ ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, + AD7280A_CTRL_HB_PWRDN_SW | st->ctrl_hb); + } + +@@ -347,25 +370,26 @@ static int ad7280_chain_setup(struct ad7280_state *st) + unsigned int val, n; + int ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_LB, 1, +- AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN | +- AD7280A_CTRL_LB_LOCK_DEV_ADDR | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_LB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK, 1) | ++ FIELD_PREP(AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK, 1) | + AD7280A_CTRL_LB_MUST_SET | +- AD7280A_CTRL_LB_SWRST | ++ FIELD_PREP(AD7280A_CTRL_LB_SWRST_MSK, 1) | + st->ctrl_lb); + if (ret) + return ret; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_LB, 1, +- AD7280A_CTRL_LB_DAISY_CHAIN_RB_EN | +- AD7280A_CTRL_LB_LOCK_DEV_ADDR | ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_LB_REG, 1, ++ FIELD_PREP(AD7280A_CTRL_LB_DAISY_CHAIN_RB_MSK, 1) | ++ FIELD_PREP(AD7280A_CTRL_LB_LOCK_DEV_ADDR_MSK, 1) | + AD7280A_CTRL_LB_MUST_SET | ++ FIELD_PREP(AD7280A_CTRL_LB_SWRST_MSK, 0) | + st->ctrl_lb); + if (ret) + goto error_power_down; + +- ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ, 1, +- AD7280A_CONTROL_LB << 2); ++ ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_READ_REG, 1, ++ FIELD_PREP(AD7280A_READ_ADDR_MSK, AD7280A_CTRL_LB_REG)); + if (ret) + goto error_power_down; + +@@ -390,7 +414,7 @@ static int ad7280_chain_setup(struct ad7280_state *st) + ret = -EFAULT; + + error_power_down: +- ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CONTROL_HB, 1, ++ ad7280_write(st, AD7280A_DEVADDR_MASTER, AD7280A_CTRL_HB_REG, 1, + AD7280A_CTRL_HB_PWRDN_SW | st->ctrl_hb); + + return ret; +@@ -434,7 +458,7 @@ static ssize_t ad7280_store_balance_sw(struct device *dev, + else + st->cb_mask[devaddr] &= ~(1 << (ch + 2)); + +- ret = ad7280_write(st, devaddr, AD7280A_CELL_BALANCE, ++ ret = ad7280_write(st, devaddr, AD7280A_CELL_BALANCE_REG, + 0, st->cb_mask[devaddr]); + mutex_unlock(&st->lock); + +@@ -459,7 +483,7 @@ static ssize_t ad7280_show_balance_timer(struct device *dev, + if (ret < 0) + return ret; + +- msecs = (ret >> 3) * 71500; ++ msecs = FIELD_GET(AD7280A_CB_TIMER_VAL_MSK, ret) * 71500; + + return sprintf(buf, "%u\n", msecs); + } +@@ -486,8 +510,8 @@ static ssize_t ad7280_store_balance_timer(struct device *dev, + + mutex_lock(&st->lock); + ret = ad7280_write(st, this_attr->address >> 8, +- this_attr->address & 0xFF, +- 0, (val & 0x1F) << 3); ++ this_attr->address & 0xFF, 0, ++ FIELD_PREP(AD7280A_CB_TIMER_VAL_MSK, val)); + mutex_unlock(&st->lock); + + return ret ? ret : len; +@@ -559,10 +583,10 @@ static void ad7280_init_dev_channels(struct ad7280_state *st, int dev, int *cnt) + int addr, ch, i; + struct iio_chan_spec *chan; + +- for (ch = AD7280A_CELL_VOLTAGE_1; ch <= AD7280A_AUX_ADC_6; ch++) { ++ for (ch = AD7280A_CELL_VOLTAGE_1_REG; ch <= AD7280A_AUX_ADC_6_REG; ch++) { + chan = &st->channels[*cnt]; + +- if (ch < AD7280A_AUX_ADC_1) { ++ if (ch < AD7280A_AUX_ADC_1_REG) { + i = AD7280A_CALC_VOLTAGE_CHAN_NUM(dev, ch); + ad7280_voltage_channel_init(chan, i); + } else { +@@ -634,7 +658,7 @@ static int ad7280_init_dev_attrs(struct ad7280_state *st, int dev, int *cnt) + struct iio_dev_attr *iio_attr; + struct device *sdev = &st->spi->dev; + +- for (ch = AD7280A_CELL_VOLTAGE_1; ch <= AD7280A_CELL_VOLTAGE_6; ch++) { ++ for (ch = AD7280A_CELL_VOLTAGE_1_REG; ch <= AD7280A_CELL_VOLTAGE_6_REG; ch++) { + iio_attr = &st->iio_attr[*cnt]; + addr = ad7280a_devaddr(dev) << 8 | ch; + i = dev * AD7280A_CELLS_PER_DEV + ch; +@@ -647,7 +671,7 @@ static int ad7280_init_dev_attrs(struct ad7280_state *st, int dev, int *cnt) + + (*cnt)++; + iio_attr = &st->iio_attr[*cnt]; +- addr = ad7280a_devaddr(dev) << 8 | (AD7280A_CB1_TIMER + ch); ++ addr = ad7280a_devaddr(dev) << 8 | (AD7280A_CB1_TIMER_REG + ch); + + ret = ad7280_balance_timer_attr_init(iio_attr, sdev, addr, i); + if (ret < 0) +@@ -691,16 +715,16 @@ static ssize_t ad7280_read_channel_config(struct device *dev, + unsigned int val; + + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: + val = 1000 + (st->cell_threshhigh * 1568) / 100; + break; +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + val = 1000 + (st->cell_threshlow * 1568) / 100; + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: + val = (st->aux_threshhigh * 196) / 10; + break; +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + val = (st->aux_threshlow * 196) / 10; + break; + default: +@@ -727,12 +751,12 @@ static ssize_t ad7280_write_channel_config(struct device *dev, + return ret; + + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + val = ((val - 1000) * 100) / 1568; /* LSB 15.68mV */ + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + val = (val * 10) / 196; /* LSB 19.6mV */ + break; + default: +@@ -743,16 +767,16 @@ static ssize_t ad7280_write_channel_config(struct device *dev, + + mutex_lock(&st->lock); + switch (this_attr->address) { +- case AD7280A_CELL_OVERVOLTAGE: ++ case AD7280A_CELL_OVERVOLTAGE_REG: + st->cell_threshhigh = val; + break; +- case AD7280A_CELL_UNDERVOLTAGE: ++ case AD7280A_CELL_UNDERVOLTAGE_REG: + st->cell_threshlow = val; + break; +- case AD7280A_AUX_ADC_OVERVOLTAGE: ++ case AD7280A_AUX_ADC_OVERVOLTAGE_REG: + st->aux_threshhigh = val; + break; +- case AD7280A_AUX_ADC_UNDERVOLTAGE: ++ case AD7280A_AUX_ADC_UNDERVOLTAGE_REG: + st->aux_threshlow = val; + break; + } +@@ -781,7 +805,7 @@ static irqreturn_t ad7280_event_handler(int irq, void *private) + goto out; + + for (i = 0; i < st->scan_cnt; i++) { +- if (((channels[i] >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6) { ++ if (((channels[i] >> 23) & 0xF) <= AD7280A_CELL_VOLTAGE_6_REG) { + if (((channels[i] >> 11) & 0xFFF) >= + st->cell_threshhigh) { + u64 tmp = IIO_EVENT_CODE(IIO_VOLTAGE, 1, 0, +@@ -801,7 +825,7 @@ static irqreturn_t ad7280_event_handler(int irq, void *private) + } + } else { + if (((channels[i] >> 11) & 0xFFF) >= +- st->aux_threshhigh) { ++ st->aux_threshhigh) { + u64 tmp = IIO_UNMOD_EVENT_CODE(IIO_TEMP, 0, + IIO_EV_TYPE_THRESH, + IIO_EV_DIR_RISING); +@@ -833,26 +857,26 @@ static IIO_DEVICE_ATTR_NAMED(in_thresh_low_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_CELL_UNDERVOLTAGE); ++ AD7280A_CELL_UNDERVOLTAGE_REG); + + static IIO_DEVICE_ATTR_NAMED(in_thresh_high_value, + in_voltage-voltage_thresh_high_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_CELL_OVERVOLTAGE); ++ AD7280A_CELL_OVERVOLTAGE_REG); + + static IIO_DEVICE_ATTR(in_temp_thresh_low_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_AUX_ADC_UNDERVOLTAGE); ++ AD7280A_AUX_ADC_UNDERVOLTAGE_REG); + + static IIO_DEVICE_ATTR(in_temp_thresh_high_value, + 0644, + ad7280_read_channel_config, + ad7280_write_channel_config, +- AD7280A_AUX_ADC_OVERVOLTAGE); ++ AD7280A_AUX_ADC_OVERVOLTAGE_REG); + + static struct attribute *ad7280_event_attributes[] = { + &iio_dev_attr_in_thresh_low_value.dev_attr.attr, +@@ -892,7 +916,7 @@ static int ad7280_read_raw(struct iio_dev *indio_dev, + + return IIO_VAL_INT; + case IIO_CHAN_INFO_SCALE: +- if ((chan->address & 0xFF) <= AD7280A_CELL_VOLTAGE_6) ++ if ((chan->address & 0xFF) <= AD7280A_CELL_VOLTAGE_6_REG) + *val = 4000; + else + *val = 5000; +@@ -942,10 +966,9 @@ static int ad7280_probe(struct spi_device *spi) + st->spi->mode = SPI_MODE_1; + spi_setup(st->spi); + +- st->ctrl_lb = AD7280A_CTRL_LB_ACQ_TIME(pdata->acquisition_time & 0x3); +- st->ctrl_hb = AD7280A_CTRL_HB_CONV_AVG(pdata->conversion_averaging +- & 0x3) | (pdata->thermistor_term_en ? +- AD7280A_CTRL_LB_THERMISTOR_EN : 0); ++ st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, pdata->acquisition_time) | ++ FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, pdata->thermistor_term_en); ++ st->ctrl_hb = FIELD_PREP(AD7280A_CTRL_HB_CONV_AVG_MSK, pdata->conversion_averaging); + + ret = ad7280_chain_setup(st); + if (ret < 0) +@@ -998,13 +1021,13 @@ static int ad7280_probe(struct spi_device *spi) + + if (spi->irq > 0) { + ret = ad7280_write(st, AD7280A_DEVADDR_MASTER, +- AD7280A_ALERT, 1, ++ AD7280A_ALERT_REG, 1, + AD7280A_ALERT_RELAY_SIG_CHAIN_DOWN); + if (ret) + return ret; + + ret = ad7280_write(st, ad7280a_devaddr(st->slave_num), +- AD7280A_ALERT, 0, ++ AD7280A_ALERT_REG, 0, + AD7280A_ALERT_GEN_STATIC_HIGH | + (pdata->chain_last_alert_ignore & 0xF)); + if (ret) +-- +2.51.0 + diff --git a/queue-5.15/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-5.15/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..5c9f829911 --- /dev/null +++ b/queue-5.15/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From 679af9ef6d7f97d3bbbab91153e914d4c78db02f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index aceec2381e802..c4767a729be10 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1797,9 +1797,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-5.15/x86-make-page-fault-handling-disable-interrupts-prop.patch b/queue-5.15/x86-make-page-fault-handling-disable-interrupts-prop.patch new file mode 100644 index 0000000000..b2c60a1f08 --- /dev/null +++ b/queue-5.15/x86-make-page-fault-handling-disable-interrupts-prop.patch @@ -0,0 +1,96 @@ +From c7c95319777a520935fef324a51b42e1bb6c6af5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 18:39:15 -0600 +Subject: x86: make page fault handling disable interrupts properly + +From: Cedric Xing + +[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ] + +There's a big comment in the x86 do_page_fault() about our interrupt +disabling code: + + * User address page fault handling might have reenabled + * interrupts. Fixing up all potential exit points of + * do_user_addr_fault() and its leaf functions is just not + * doable w/o creating an unholy mess or turning the code + * upside down. + +but it turns out that comment is subtly wrong, and the code as a result +is also wrong. + +Because it's certainly true that we may have re-enabled interrupts when +handling user page faults. And it's most certainly true that we don't +want to bother fixing up all the cases. + +But what isn't true is that it's limited to user address page faults. + +The confusion stems from the fact that we have logic here that depends +on the address range of the access, but other code then depends on the +_context_ the access was done in. The two are not related, even though +both of them are about user-vs-kernel. + +In other words, both user and kernel addresses can cause interrupts to +have been enabled (eg when __bad_area_nosemaphore() gets called for user +accesses to kernel addresses). As a result we should make sure to +disable interrupts again regardless of the address range before +returning to the low-level fault handling code. + +The __bad_area_nosemaphore() code actually did disable interrupts again +after enabling them, just not consistently. Ironically, as noted in the +original comment, fixing up all the cases is just not worth it, when the +simple solution is to just do it unconditionally in one single place. + +So remove the incomplete case that unsuccessfully tried to do what the +comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make +interrupt enable/disable symmetric in C code"), and just make it do the +simple and straightforward thing. + +Signed-off-by: Cedric Xing +Reviewed-by: Dave Hansen +Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code") +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 31afd82b95245..7215e74076ec9 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -804,8 +804,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + force_sig_pkuerr((void __user *)address, pkey); + else + force_sig_fault(SIGSEGV, si_code, (void __user *)address); +- +- local_irq_disable(); + } + + static noinline void +@@ -1443,15 +1441,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code, + do_kern_addr_fault(regs, error_code, address); + } else { + do_user_addr_fault(regs, error_code, address); +- /* +- * User address page fault handling might have reenabled +- * interrupts. Fixing up all potential exit points of +- * do_user_addr_fault() and its leaf functions is just not +- * doable w/o creating an unholy mess or turning the code +- * upside down. +- */ +- local_irq_disable(); + } ++ /* ++ * page fault handling might have reenabled interrupts, ++ * make sure to disable them again. ++ */ ++ local_irq_disable(); + } + + DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault) +-- +2.51.0 + diff --git a/queue-6.1/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-6.1/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..ec3963dbb6 --- /dev/null +++ b/queue-6.1/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From b2aa900bb8fdabae68cf9fb98f0bcda0b1a8ebcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 1540e9f1c2e3f..ec6aad748cd4b 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1807,11 +1807,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-6.1/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-6.1/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..1397f1022c --- /dev/null +++ b/queue-6.1/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From bff68fd57d75aedd71ad523b928ae8b8b70055bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index e764d2be4948a..12c48ad9a32d6 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3796,6 +3796,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3808,7 +3809,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-6.1/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-6.1/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..f4fc1391be --- /dev/null +++ b/queue-6.1/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From 3dc94f412a52ab07ebc747674b93f76236836e50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index dd0ea86d7934a..b0bc811aaab91 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4128,8 +4128,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-6.1/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-6.1/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..69a255b021 --- /dev/null +++ b/queue-6.1/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From 506dadb01f058656677eb2c7c136d07236efce14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index 2395d0a831846..a8278fa75ff9a 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2257,8 +2257,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2312,16 +2310,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-6.1/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-6.1/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..6562e598f3 --- /dev/null +++ b/queue-6.1/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From c4d12c96f2e76c33d17d9a3ceaa1c498ffbba400 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index a8278fa75ff9a..bcc4d9fa5b0d2 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2265,6 +2265,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3448,10 +3454,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-6.1/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-6.1/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..0372a4d01a --- /dev/null +++ b/queue-6.1/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 039c974fd7123ab54c6fdd168d4828683f5394bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c +index 9080c795dcb7e..10cc623bf62a3 100644 +--- a/drivers/iio/adc/ad7280a.c ++++ b/drivers/iio/adc/ad7280a.c +@@ -1028,7 +1028,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, st->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, st->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-6.1/ipv6-annotate-data-race-in-ndisc_router_discovery.patch b/queue-6.1/ipv6-annotate-data-race-in-ndisc_router_discovery.patch new file mode 100644 index 0000000000..a5f99e9d66 --- /dev/null +++ b/queue-6.1/ipv6-annotate-data-race-in-ndisc_router_discovery.patch @@ -0,0 +1,79 @@ +From eac3c49d412b32434ec750a16d7b3a95f7c2dab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 15:29:41 +0000 +Subject: ipv6: annotate data-race in ndisc_router_discovery() + +From: Eric Dumazet + +[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ] + +syzbot found that ndisc_router_discovery() could read and write +in6_dev->ra_mtu without holding a lock [1] + +This looks fine, IFLA_INET6_RA_MTU is best effort. + +Add READ_ONCE()/WRITE_ONCE() to document the race. + +Note that we might also reject illegal MTU values +(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. + +[1] +BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery + +read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: + ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: + ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +value changed: 0x00000000 -> 0xe5400659 + +Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Rocco Yue +Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 1a6408a24d21c..affbf12d44f57 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1572,8 +1572,8 @@ static void ndisc_router_discovery(struct sk_buff *skb) + memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu)); + mtu = ntohl(n); + +- if (in6_dev->ra_mtu != mtu) { +- in6_dev->ra_mtu = mtu; ++ if (READ_ONCE(in6_dev->ra_mtu) != mtu) { ++ WRITE_ONCE(in6_dev->ra_mtu, mtu); + send_ifinfo_notify = true; + } + +-- +2.51.0 + diff --git a/queue-6.1/kconfig-fix-static-linking-of-nconf.patch b/queue-6.1/kconfig-fix-static-linking-of-nconf.patch new file mode 100644 index 0000000000..5cef563f70 --- /dev/null +++ b/queue-6.1/kconfig-fix-static-linking-of-nconf.patch @@ -0,0 +1,70 @@ +From ecc47ad41f4b87794aebd54504b62b40adb813a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jan 2026 12:48:08 +0100 +Subject: kconfig: fix static linking of nconf + +From: Arkadiusz Kozdra + +[ Upstream commit baaecfcac559bcac73206df447eb5c385fa22f2a ] + +When running make nconfig with a static linking host toolchain, +the libraries are linked in an incorrect order, +resulting in errors similar to the following: + +$ MAKEFLAGS='HOSTCC=cc\ -static' make nconfig +/usr/bin/ld: /usr/lib64/gcc/x86_64-unknown-linux-gnu/14.2.1/../../../../lib64/libpanel.a(p_new.o): in function `new_panel': +(.text+0x13): undefined reference to `_nc_panelhook_sp' +/usr/bin/ld: (.text+0x6c): undefined reference to `_nc_panelhook_sp' + +Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf") +Signed-off-by: Arusekk +Link: https://patch.msgid.link/20260110114808.22595-1-floss@arusekk.pl +[nsc: Added comment about library order] +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf-cfg.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh +index f871a2160e363..59814eb3616c6 100755 +--- a/scripts/kconfig/nconf-cfg.sh ++++ b/scripts/kconfig/nconf-cfg.sh +@@ -4,8 +4,9 @@ + cflags=$1 + libs=$2 + +-PKG="ncursesw menuw panelw" +-PKG2="ncurses menu panel" ++# Keep library order for static linking (HOSTCC='cc -static') ++PKG="menuw panelw ncursesw" ++PKG2="menu panel ncurses" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +@@ -26,19 +27,19 @@ fi + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} +- echo -lncursesw -lmenuw -lpanelw > ${libs} ++ echo -lmenuw -lpanelw -lncursesw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses.h ]; then + echo -D_GNU_SOURCE > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + +-- +2.51.0 + diff --git a/queue-6.1/kconfig-refactor-makefile-to-reduce-process-forks.patch b/queue-6.1/kconfig-refactor-makefile-to-reduce-process-forks.patch new file mode 100644 index 0000000000..3f8c220164 --- /dev/null +++ b/queue-6.1/kconfig-refactor-makefile-to-reduce-process-forks.patch @@ -0,0 +1,305 @@ +From 77b4f34df14c6ee74ea690dadc1e311fb30d35fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Dec 2022 11:54:48 +0900 +Subject: kconfig: refactor Makefile to reduce process forks + +From: Masahiro Yamada + +[ Upstream commit 3122c84409d578a5df8bcb1953547e0b871ac4c2 ] + +Refactor Makefile and use read-file macro. For Make >= 4.2, it can read +out a file by using the built-in function. + +Signed-off-by: Masahiro Yamada +Reviewed-by: Nicolas Schier +Stable-dep-of: baaecfcac559 ("kconfig: fix static linking of nconf") +Signed-off-by: Sasha Levin +--- + scripts/kconfig/.gitignore | 4 +++- + scripts/kconfig/Makefile | 45 +++++++++++++++++++----------------- + scripts/kconfig/gconf-cfg.sh | 7 ++++-- + scripts/kconfig/mconf-cfg.sh | 25 +++++++++++--------- + scripts/kconfig/nconf-cfg.sh | 23 ++++++++++-------- + scripts/kconfig/qconf-cfg.sh | 10 +++++--- + scripts/remove-stale-files | 2 ++ + 7 files changed, 68 insertions(+), 48 deletions(-) + +diff --git a/scripts/kconfig/.gitignore b/scripts/kconfig/.gitignore +index 500e7424b3ef9..c8a3f9cd52f02 100644 +--- a/scripts/kconfig/.gitignore ++++ b/scripts/kconfig/.gitignore +@@ -1,5 +1,7 @@ + # SPDX-License-Identifier: GPL-2.0-only + /conf + /[gmnq]conf +-/[gmnq]conf-cfg ++/[gmnq]conf-cflags ++/[gmnq]conf-libs ++/qconf-bin + /qconf-moc.cc +diff --git a/scripts/kconfig/Makefile b/scripts/kconfig/Makefile +index b8ef0fb4bbef7..0b1d15efaeb0c 100644 +--- a/scripts/kconfig/Makefile ++++ b/scripts/kconfig/Makefile +@@ -159,11 +159,12 @@ conf-objs := conf.o $(common-objs) + hostprogs += nconf + nconf-objs := nconf.o nconf.gui.o $(common-objs) + +-HOSTLDLIBS_nconf = $(shell . $(obj)/nconf-cfg && echo $$libs) +-HOSTCFLAGS_nconf.o = $(shell . $(obj)/nconf-cfg && echo $$cflags) +-HOSTCFLAGS_nconf.gui.o = $(shell . $(obj)/nconf-cfg && echo $$cflags) ++HOSTLDLIBS_nconf = $(call read-file, $(obj)/nconf-libs) ++HOSTCFLAGS_nconf.o = $(call read-file, $(obj)/nconf-cflags) ++HOSTCFLAGS_nconf.gui.o = $(call read-file, $(obj)/nconf-cflags) + +-$(obj)/nconf.o $(obj)/nconf.gui.o: $(obj)/nconf-cfg ++$(obj)/nconf: | $(obj)/nconf-libs ++$(obj)/nconf.o $(obj)/nconf.gui.o: | $(obj)/nconf-cflags + + # mconf: Used for the menuconfig target based on lxdialog + hostprogs += mconf +@@ -171,27 +172,28 @@ lxdialog := $(addprefix lxdialog/, \ + checklist.o inputbox.o menubox.o textbox.o util.o yesno.o) + mconf-objs := mconf.o $(lxdialog) $(common-objs) + +-HOSTLDLIBS_mconf = $(shell . $(obj)/mconf-cfg && echo $$libs) ++HOSTLDLIBS_mconf = $(call read-file, $(obj)/mconf-libs) + $(foreach f, mconf.o $(lxdialog), \ +- $(eval HOSTCFLAGS_$f = $$(shell . $(obj)/mconf-cfg && echo $$$$cflags))) ++ $(eval HOSTCFLAGS_$f = $$(call read-file, $(obj)/mconf-cflags))) + +-$(addprefix $(obj)/, mconf.o $(lxdialog)): $(obj)/mconf-cfg ++$(obj)/mconf: | $(obj)/mconf-libs ++$(addprefix $(obj)/, mconf.o $(lxdialog)): | $(obj)/mconf-cflags + + # qconf: Used for the xconfig target based on Qt + hostprogs += qconf + qconf-cxxobjs := qconf.o qconf-moc.o + qconf-objs := images.o $(common-objs) + +-HOSTLDLIBS_qconf = $(shell . $(obj)/qconf-cfg && echo $$libs) +-HOSTCXXFLAGS_qconf.o = $(shell . $(obj)/qconf-cfg && echo $$cflags) +-HOSTCXXFLAGS_qconf-moc.o = $(shell . $(obj)/qconf-cfg && echo $$cflags) +- +-$(obj)/qconf.o: $(obj)/qconf-cfg ++HOSTLDLIBS_qconf = $(call read-file, $(obj)/qconf-libs) ++HOSTCXXFLAGS_qconf.o = -std=c++11 -fPIC $(call read-file, $(obj)/qconf-cflags) ++HOSTCXXFLAGS_qconf-moc.o = -std=c++11 -fPIC $(call read-file, $(obj)/qconf-cflags) ++$(obj)/qconf: | $(obj)/qconf-libs ++$(obj)/qconf.o $(obj)/qconf-moc.o: | $(obj)/qconf-cflags + + quiet_cmd_moc = MOC $@ +- cmd_moc = $(shell . $(obj)/qconf-cfg && echo $$moc) $< -o $@ ++ cmd_moc = $(call read-file, $(obj)/qconf-bin)/moc $< -o $@ + +-$(obj)/qconf-moc.cc: $(src)/qconf.h $(obj)/qconf-cfg FORCE ++$(obj)/qconf-moc.cc: $(src)/qconf.h FORCE | $(obj)/qconf-bin + $(call if_changed,moc) + + targets += qconf-moc.cc +@@ -200,15 +202,16 @@ targets += qconf-moc.cc + hostprogs += gconf + gconf-objs := gconf.o images.o $(common-objs) + +-HOSTLDLIBS_gconf = $(shell . $(obj)/gconf-cfg && echo $$libs) +-HOSTCFLAGS_gconf.o = $(shell . $(obj)/gconf-cfg && echo $$cflags) ++HOSTLDLIBS_gconf = $(call read-file, $(obj)/gconf-libs) ++HOSTCFLAGS_gconf.o = $(call read-file, $(obj)/gconf-cflags) + +-$(obj)/gconf.o: $(obj)/gconf-cfg ++$(obj)/gconf: | $(obj)/gconf-libs ++$(obj)/gconf.o: | $(obj)/gconf-cflags + + # check if necessary packages are available, and configure build flags +-filechk_conf_cfg = $(CONFIG_SHELL) $< ++cmd_conf_cfg = $< $(addprefix $(obj)/$*conf-, cflags libs bin) + +-$(obj)/%conf-cfg: $(src)/%conf-cfg.sh FORCE +- $(call filechk,conf_cfg) ++$(obj)/%conf-cflags $(obj)/%conf-libs $(obj)/%conf-bin: $(src)/%conf-cfg.sh ++ $(call cmd,conf_cfg) + +-clean-files += *conf-cfg ++clean-files += *conf-cflags *conf-libs *conf-bin +diff --git a/scripts/kconfig/gconf-cfg.sh b/scripts/kconfig/gconf-cfg.sh +index cbd90c28c05f2..040d8f3388202 100755 +--- a/scripts/kconfig/gconf-cfg.sh ++++ b/scripts/kconfig/gconf-cfg.sh +@@ -1,6 +1,9 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + ++cflags=$1 ++libs=$2 ++ + PKG="gtk+-2.0 gmodule-2.0 libglade-2.0" + + if [ -z "$(command -v ${HOSTPKG_CONFIG})" ]; then +@@ -26,5 +29,5 @@ if ! ${HOSTPKG_CONFIG} --atleast-version=2.0.0 gtk+-2.0; then + exit 1 + fi + +-echo cflags=\"$(${HOSTPKG_CONFIG} --cflags $PKG)\" +-echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG)\" ++${HOSTPKG_CONFIG} --cflags ${PKG} > ${cflags} ++${HOSTPKG_CONFIG} --libs ${PKG} > ${libs} +diff --git a/scripts/kconfig/mconf-cfg.sh b/scripts/kconfig/mconf-cfg.sh +index 025b565e0b7cd..1e61f50a59050 100755 +--- a/scripts/kconfig/mconf-cfg.sh ++++ b/scripts/kconfig/mconf-cfg.sh +@@ -1,19 +1,22 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + ++cflags=$1 ++libs=$2 ++ + PKG="ncursesw" + PKG2="ncurses" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +- echo cflags=\"$(${HOSTPKG_CONFIG} --cflags $PKG)\" +- echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG)\" ++ ${HOSTPKG_CONFIG} --cflags ${PKG} > ${cflags} ++ ${HOSTPKG_CONFIG} --libs ${PKG} > ${libs} + exit 0 + fi + +- if ${HOSTPKG_CONFIG} --exists $PKG2; then +- echo cflags=\"$(${HOSTPKG_CONFIG} --cflags $PKG2)\" +- echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG2)\" ++ if ${HOSTPKG_CONFIG} --exists ${PKG2}; then ++ ${HOSTPKG_CONFIG} --cflags ${PKG2} > ${cflags} ++ ${HOSTPKG_CONFIG} --libs ${PKG2} > ${libs} + exit 0 + fi + fi +@@ -22,22 +25,22 @@ fi + # (Even if it is installed, some distributions such as openSUSE cannot + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then +- echo cflags=\"-D_GNU_SOURCE -I/usr/include/ncursesw\" +- echo libs=\"-lncursesw\" ++ echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} ++ echo -lncursesw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then +- echo cflags=\"-D_GNU_SOURCE -I/usr/include/ncurses\" +- echo libs=\"-lncurses\" ++ echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} ++ echo -lncurses > ${libs} + exit 0 + fi + + # As a final fallback before giving up, check if $HOSTCC knows of a default + # ncurses installation (e.g. from a vendor-specific sysroot). + if echo '#include ' | ${HOSTCC} -E - >/dev/null 2>&1; then +- echo cflags=\"-D_GNU_SOURCE\" +- echo libs=\"-lncurses\" ++ echo -D_GNU_SOURCE > ${cflags} ++ echo -lncurses > ${libs} + exit 0 + fi + +diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh +index 3a10bac2adb3a..f871a2160e363 100755 +--- a/scripts/kconfig/nconf-cfg.sh ++++ b/scripts/kconfig/nconf-cfg.sh +@@ -1,19 +1,22 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + ++cflags=$1 ++libs=$2 ++ + PKG="ncursesw menuw panelw" + PKG2="ncurses menu panel" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +- echo cflags=\"$(${HOSTPKG_CONFIG} --cflags $PKG)\" +- echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG)\" ++ ${HOSTPKG_CONFIG} --cflags ${PKG} > ${cflags} ++ ${HOSTPKG_CONFIG} --libs ${PKG} > ${libs} + exit 0 + fi + + if ${HOSTPKG_CONFIG} --exists $PKG2; then +- echo cflags=\"$(${HOSTPKG_CONFIG} --cflags $PKG2)\" +- echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG2)\" ++ ${HOSTPKG_CONFIG} --cflags ${PKG2} > ${cflags} ++ ${HOSTPKG_CONFIG} --libs ${PKG2} > ${libs} + exit 0 + fi + fi +@@ -22,20 +25,20 @@ fi + # (Even if it is installed, some distributions such as openSUSE cannot + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then +- echo cflags=\"-D_GNU_SOURCE -I/usr/include/ncursesw\" +- echo libs=\"-lncursesw -lmenuw -lpanelw\" ++ echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} ++ echo -lncursesw -lmenuw -lpanelw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then +- echo cflags=\"-D_GNU_SOURCE -I/usr/include/ncurses\" +- echo libs=\"-lncurses -lmenu -lpanel\" ++ echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} ++ echo -lncurses -lmenu -lpanel > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses.h ]; then +- echo cflags=\"-D_GNU_SOURCE\" +- echo libs=\"-lncurses -lmenu -lpanel\" ++ echo -D_GNU_SOURCE > ${cflags} ++ echo -lncurses -lmenu -lpanel > ${libs} + exit 0 + fi + +diff --git a/scripts/kconfig/qconf-cfg.sh b/scripts/kconfig/qconf-cfg.sh +index ad652cb539474..117f36e568fc5 100755 +--- a/scripts/kconfig/qconf-cfg.sh ++++ b/scripts/kconfig/qconf-cfg.sh +@@ -1,6 +1,10 @@ + #!/bin/sh + # SPDX-License-Identifier: GPL-2.0 + ++cflags=$1 ++libs=$2 ++bin=$3 ++ + PKG="Qt5Core Qt5Gui Qt5Widgets" + + if [ -z "$(command -v ${HOSTPKG_CONFIG})" ]; then +@@ -11,9 +15,9 @@ if [ -z "$(command -v ${HOSTPKG_CONFIG})" ]; then + fi + + if ${HOSTPKG_CONFIG} --exists $PKG; then +- echo cflags=\"-std=c++11 -fPIC $(${HOSTPKG_CONFIG} --cflags $PKG)\" +- echo libs=\"$(${HOSTPKG_CONFIG} --libs $PKG)\" +- echo moc=\"$(${HOSTPKG_CONFIG} --variable=host_bins Qt5Core)/moc\" ++ ${HOSTPKG_CONFIG} --cflags ${PKG} > ${cflags} ++ ${HOSTPKG_CONFIG} --libs ${PKG} > ${libs} ++ ${HOSTPKG_CONFIG} --variable=host_bins Qt5Core > ${bin} + exit 0 + fi + +diff --git a/scripts/remove-stale-files b/scripts/remove-stale-files +index ccadfa3afb2b8..64b14aa5aebf4 100755 +--- a/scripts/remove-stale-files ++++ b/scripts/remove-stale-files +@@ -47,3 +47,5 @@ rm -f arch/riscv/purgatory/kexec-purgatory.c + rm -f scripts/extract-cert + + rm -f arch/x86/purgatory/kexec-purgatory.c ++ ++rm -f scripts/kconfig/[gmnq]conf-cfg +-- +2.51.0 + diff --git a/queue-6.1/misdn-annotate-data-race-around-dev-work.patch b/queue-6.1/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..d4f643dd96 --- /dev/null +++ b/queue-6.1/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From 559ac91449d17d3502040dc0bf1d906970763c62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index abdf36ac3bee5..74d6ed49dc368 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-6.1/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-6.1/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..0a44023a45 --- /dev/null +++ b/queue-6.1/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From 05b270a76bfc640975ceb8e399962d0954337de2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index a92f056b25613..42173a076163f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5717,7 +5717,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-6.1/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-6.1/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..f0f62ae1c7 --- /dev/null +++ b/queue-6.1/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From b12487a781d9a99057dcfa7913417c0230702145 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 43cada51d8cb3..0b9d3fc749b95 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -731,7 +731,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-6.1/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-6.1/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..3fa57e7773 --- /dev/null +++ b/queue-6.1/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From 6e19a3a04963a619f5fb61ed5b5c3681387d58a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index a4505b926a1e4..2e2283ce2d886 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -820,6 +820,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -828,6 +829,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -843,8 +846,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-6.1/netdevsim-fix-a-race-issue-related-to-the-operation-.patch b/queue-6.1/netdevsim-fix-a-race-issue-related-to-the-operation-.patch new file mode 100644 index 0000000000..37d0441749 --- /dev/null +++ b/queue-6.1/netdevsim-fix-a-race-issue-related-to-the-operation-.patch @@ -0,0 +1,131 @@ +From 49949ea5325f76bc9bef16269838c8a4d0c4102a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 17:53:08 +0800 +Subject: netdevsim: fix a race issue related to the operation on + bpf_bound_progs list + +From: Yun Lu + +[ Upstream commit b97d5eedf4976cc94321243be83b39efe81a0e15 ] + +The netdevsim driver lacks a protection mechanism for operations on the +bpf_bound_progs list. When the nsim_bpf_create_prog() performs +list_add_tail, it is possible that nsim_bpf_destroy_prog() is +simultaneously performs list_del. Concurrent operations on the list may +lead to list corruption and trigger a kernel crash as follows: + +[ 417.290971] kernel BUG at lib/list_debug.c:62! +[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1 +[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 417.291007] Workqueue: events bpf_prog_free_deferred +[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0 +[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8 +[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246 +[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000 +[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180 +[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003 +[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20 +[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000 +[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000 +[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0 +[ 417.291088] PKRU: 55555554 +[ 417.291091] Call Trace: +[ 417.291096] +[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim] +[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80 +[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0 +[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0 +[ 417.291178] process_one_work+0x18a/0x3a0 +[ 417.291188] worker_thread+0x27b/0x3a0 +[ 417.291197] ? __pfx_worker_thread+0x10/0x10 +[ 417.291207] kthread+0xe5/0x120 +[ 417.291214] ? __pfx_kthread+0x10/0x10 +[ 417.291221] ret_from_fork+0x31/0x50 +[ 417.291230] ? __pfx_kthread+0x10/0x10 +[ 417.291236] ret_from_fork_asm+0x1a/0x30 +[ 417.291246] + +Add a mutex lock, to prevent simultaneous addition and deletion operations +on the list. + +Fixes: 31d3ad832948 ("netdevsim: add bpf offload support") +Reported-by: Yinhao Hu +Reported-by: Kaiyan Mei +Signed-off-by: Yun Lu +Link: https://patch.msgid.link/20260116095308.11441-1-luyun_611@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 6 ++++++ + drivers/net/netdevsim/dev.c | 2 ++ + drivers/net/netdevsim/netdevsim.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 50854265864d1..7064a3397be23 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -244,7 +244,9 @@ static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev, + &state->state, &nsim_bpf_string_fops); + debugfs_create_bool("loaded", 0400, state->ddir, &state->is_loaded); + ++ mutex_lock(&nsim_dev->progs_list_lock); + list_add_tail(&state->l, &nsim_dev->bpf_bound_progs); ++ mutex_unlock(&nsim_dev->progs_list_lock); + + prog->aux->offload->dev_priv = state; + +@@ -273,12 +275,16 @@ static int nsim_bpf_translate(struct bpf_prog *prog) + static void nsim_bpf_destroy_prog(struct bpf_prog *prog) + { + struct nsim_bpf_bound_prog *state; ++ struct nsim_dev *nsim_dev; + + state = prog->aux->offload->dev_priv; ++ nsim_dev = state->nsim_dev; + WARN(state->is_loaded, + "offload state destroyed while program still bound"); + debugfs_remove_recursive(state->ddir); ++ mutex_lock(&nsim_dev->progs_list_lock); + list_del(&state->l); ++ mutex_unlock(&nsim_dev->progs_list_lock); + kfree(state); + } + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index cdf7a70d66591..971796b30605a 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -1550,6 +1550,7 @@ int nsim_drv_probe(struct nsim_bus_dev *nsim_bus_dev) + nsim_dev->max_macs = NSIM_DEV_MAX_MACS_DEFAULT; + nsim_dev->test1 = NSIM_DEV_TEST1_DEFAULT; + spin_lock_init(&nsim_dev->fa_cookie_lock); ++ mutex_init(&nsim_dev->progs_list_lock); + + dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev); + +@@ -1684,6 +1685,7 @@ void nsim_drv_remove(struct nsim_bus_dev *nsim_bus_dev) + devl_resources_unregister(devlink); + kfree(nsim_dev->vfconfigs); + kfree(nsim_dev->fa_cookie); ++ mutex_destroy(&nsim_dev->progs_list_lock); + devl_unlock(devlink); + devlink_free(devlink); + dev_set_drvdata(&nsim_bus_dev->dev, NULL); +diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h +index 02e3518e9a7e2..c28f5a9f92302 100644 +--- a/drivers/net/netdevsim/netdevsim.h ++++ b/drivers/net/netdevsim/netdevsim.h +@@ -272,6 +272,7 @@ struct nsim_dev { + u32 prog_id_gen; + struct list_head bpf_bound_progs; + struct list_head bpf_bound_maps; ++ struct mutex progs_list_lock; + struct netdev_phys_item_id switch_id; + struct list_head port_list; + bool fw_update_status; +-- +2.51.0 + diff --git a/queue-6.1/octeontx2-af-fix-error-handling.patch b/queue-6.1/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..4b7ddc2174 --- /dev/null +++ b/queue-6.1/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From 4b3c1ea384af075671e54374ff647703a14fd032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index d9c68f8166aff..7034a977102ea 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1540,8 +1540,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1551,21 +1551,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1576,6 +1576,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1713,22 +1715,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1738,33 +1749,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-6.1/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-6.1/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..43b39b5c7f --- /dev/null +++ b/queue-6.1/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From ed5916ac0c8dda9a098c66b5014910f183432884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index bdbde64e4b21d..bc89790ff0ded 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -462,9 +462,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-6.1/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch b/queue-6.1/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch new file mode 100644 index 0000000000..5c4a337f80 --- /dev/null +++ b/queue-6.1/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch @@ -0,0 +1,57 @@ +From 4a23bb092c026848e93b82294d1b20772b460d30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 22:59:36 +0900 +Subject: riscv: clocksource: Fix stimecmp update hazard on RV32 + +From: Naohiko Shimizu + +[ Upstream commit eaa9bb1d39d59e7c17b06cec12622b7c586ab629 ] + +On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two +separate 32-bit writes. A race condition exists if the timer triggers +during these two writes. + +The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp) +recommends a specific 3-step sequence to avoid spurious interrupts +when updating 64-bit comparison registers on 32-bit systems: + +1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX). +2. Set the high-order bits (stimecmph) to the desired value. +3. Set the low-order bits (stimecmp) to the desired value. + +Current implementation writes the LSB first without ensuring a future +value, which may lead to a transient state where the 64-bit comparison +is incorrectly evaluated as "expired" by the hardware. This results in +spurious timer interrupts. + +This patch adopts the spec-recommended 3-step sequence to ensure the +intermediate 64-bit state is never smaller than the current time. + +Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available") +Signed-off-by: Naohiko Shimizu +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20260104135938.524-2-naohiko.shimizu@gmail.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-riscv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c +index a01c2bd241349..e36cecede518a 100644 +--- a/drivers/clocksource/timer-riscv.c ++++ b/drivers/clocksource/timer-riscv.c +@@ -37,8 +37,9 @@ static int riscv_clock_next_event(unsigned long delta, + csr_set(CSR_IE, IE_TIE); + if (static_branch_likely(&riscv_sstc_available)) { + #if defined(CONFIG_32BIT) +- csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); ++ csr_write(CSR_STIMECMP, ULONG_MAX); + csr_write(CSR_STIMECMPH, next_tval >> 32); ++ csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); + #else + csr_write(CSR_STIMECMP, next_tval); + #endif +-- +2.51.0 + diff --git a/queue-6.1/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-6.1/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..cbd03b52a5 --- /dev/null +++ b/queue-6.1/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 185682449b072d22f0cc1b3f9068e85da7f07c62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index c1a454b3bbbf1..79dc157661ce9 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -277,11 +277,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index df61d7b906653..ddc986ff51615 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -280,6 +280,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-6.1/selftests-net-amt-wait-longer-for-connection-before-.patch b/queue-6.1/selftests-net-amt-wait-longer-for-connection-before-.patch new file mode 100644 index 0000000000..d1c24f4431 --- /dev/null +++ b/queue-6.1/selftests-net-amt-wait-longer-for-connection-before-.patch @@ -0,0 +1,63 @@ +From 9c5d89d42b43bcdec27528df8d8d29a407d54fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:39:30 +0000 +Subject: selftests: net: amt: wait longer for connection before sending + packets + +From: Taehee Yoo + +[ Upstream commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 ] + +Both send_mcast4() and send_mcast6() use sleep 2 to wait for the tunnel +connection between the gateway and the relay, and for the listener +socket to be created in the LISTENER namespace. + +However, tests sometimes fail because packets are sent before the +connection is fully established. + +Increase the waiting time to make the tests more reliable, and use +wait_local_port_listen() to explicitly wait for the listener socket. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Signed-off-by: Taehee Yoo +Link: https://patch.msgid.link/20260120133930.863845-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index 7e7ed6c558da9..ea40b469a8c11 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -73,6 +73,8 @@ + # +------------------------+ + #============================================================================== + ++source lib.sh ++ + readonly LISTENER=$(mktemp -u listener-XXXXXXXX) + readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX) + readonly RELAY=$(mktemp -u relay-XXXXXXXX) +@@ -240,14 +242,15 @@ test_ipv6_forward() + + send_mcast4() + { +- sleep 2 ++ sleep 5 ++ wait_local_port_listen ${LISTENER} 4000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { +- sleep 2 ++ wait_local_port_listen ${LISTENER} 6000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 2b91498daf..10051bd207 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -124,3 +124,31 @@ arm64-dts-rockchip-remove-dangerous-max-link-speed-from-helios64.patch x86-kfence-avoid-writing-l1tf-vulnerable-ptes.patch comedi-fix-getting-range-information-for-subdevices-16-to-255.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +spi-sprd-adi-convert-to-platform-remove-callback-ret.patch +spi-sprd-adi-use-devm_platform_get_and_ioremap_resou.patch +spi-sprd-adi-use-devm_register_restart_handler.patch +spi-sprd-adi-switch-to-use-spi_alloc_host.patch +spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +kconfig-refactor-makefile-to-reduce-process-forks.patch +kconfig-fix-static-linking-of-nconf.patch +riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +netdevsim-fix-a-race-issue-related-to-the-operation-.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +ipv6-annotate-data-race-in-ndisc_router_discovery.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +selftests-net-amt-wait-longer-for-connection-before-.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +octeontx2-af-fix-error-handling.patch +vsock-virtio-fix-potential-underflow-in-virtio_trans.patch +vsock-virtio-cap-tx-credit-to-local-buffer-size.patch +net-sched-act_ife-avoid-possible-null-deref.patch +x86-make-page-fault-handling-disable-interrupts-prop.patch diff --git a/queue-6.1/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch b/queue-6.1/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch new file mode 100644 index 0000000000..24f6551141 --- /dev/null +++ b/queue-6.1/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch @@ -0,0 +1,113 @@ +From 7866dda88aa885b36377d3ed748b951762aaef28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:49:53 +0800 +Subject: spi: spi-sprd-adi: Fix double free in probe error path + +From: Felix Gu + +[ Upstream commit 383d4f5cffcc8df930d95b06518a9d25a6d74aac ] + +The driver currently uses spi_alloc_host() to allocate the controller +but registers it using devm_spi_register_controller(). + +If devm_register_restart_handler() fails, the code jumps to the +put_ctlr label and calls spi_controller_put(). However, since the +controller was registered via a devm function, the device core will +automatically call spi_controller_put() again when the probe fails. +This results in a double-free of the spi_controller structure. + +Fix this by switching to devm_spi_alloc_host() and removing the +manual spi_controller_put() call. + +Fixes: ac17750 ("spi: sprd: Add the support of restarting the system") +Signed-off-by: Felix Gu +Reviewed-by: Baolin Wang +Link: https://patch.msgid.link/tencent_AC7D389CE7E24318445E226F7CDCCC2F0D07@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 441cde971f7b8..3e546cd87157b 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -529,7 +529,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +@@ -537,10 +537,8 @@ static int sprd_adi_probe(struct platform_device *pdev) + sadi = spi_controller_get_devdata(ctlr); + + sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +- if (IS_ERR(sadi->base)) { +- ret = PTR_ERR(sadi->base); +- goto put_ctlr; +- } ++ if (IS_ERR(sadi->base)) ++ return PTR_ERR(sadi->base); + + sadi->slave_vbase = (unsigned long)sadi->base + + data->slave_offset; +@@ -552,18 +550,15 @@ static int sprd_adi_probe(struct platform_device *pdev) + if (ret > 0 || (IS_ENABLED(CONFIG_HWSPINLOCK) && ret == 0)) { + sadi->hwlock = + devm_hwspin_lock_request_specific(&pdev->dev, ret); +- if (!sadi->hwlock) { +- ret = -ENXIO; +- goto put_ctlr; +- } ++ if (!sadi->hwlock) ++ return -ENXIO; + } else { + switch (ret) { + case -ENOENT: + dev_info(&pdev->dev, "no hardware spinlock supplied\n"); + break; + default: +- dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); +- goto put_ctlr; ++ return dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); + } + } + +@@ -580,26 +575,18 @@ static int sprd_adi_probe(struct platform_device *pdev) + ctlr->transfer_one = sprd_adi_transfer_one; + + ret = devm_spi_register_controller(&pdev->dev, ctlr); +- if (ret) { +- dev_err(&pdev->dev, "failed to register SPI controller\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register SPI controller\n"); + + if (sadi->data->restart) { + ret = devm_register_restart_handler(&pdev->dev, + sadi->data->restart, + sadi); +- if (ret) { +- dev_err(&pdev->dev, "can not register restart handler\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "can not register restart handler\n"); + } + + return 0; +- +-put_ctlr: +- spi_controller_put(ctlr); +- return ret; + } + + static struct sprd_adi_data sc9860_data = { +-- +2.51.0 + diff --git a/queue-6.1/spi-sprd-adi-convert-to-platform-remove-callback-ret.patch b/queue-6.1/spi-sprd-adi-convert-to-platform-remove-callback-ret.patch new file mode 100644 index 0000000000..028dcd937f --- /dev/null +++ b/queue-6.1/spi-sprd-adi-convert-to-platform-remove-callback-ret.patch @@ -0,0 +1,63 @@ +From 7f9fbe791bb1144895229df4ebb0e0ec8150cbf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Mar 2023 18:20:24 +0100 +Subject: spi: sprd-adi: Convert to platform remove callback returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit f7f785f125d03360d3766d96d04cf08b8472ce8f ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20230303172041.2103336-71-u.kleine-koenig@pengutronix.de +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 1edbf44c05a72..3b158124d79f7 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -608,13 +608,12 @@ static int sprd_adi_probe(struct platform_device *pdev) + return ret; + } + +-static int sprd_adi_remove(struct platform_device *pdev) ++static void sprd_adi_remove(struct platform_device *pdev) + { + struct spi_controller *ctlr = dev_get_drvdata(&pdev->dev); + struct sprd_adi *sadi = spi_controller_get_devdata(ctlr); + + unregister_restart_handler(&sadi->restart_handler); +- return 0; + } + + static struct sprd_adi_data sc9860_data = { +@@ -660,7 +659,7 @@ static struct platform_driver sprd_adi_driver = { + .of_match_table = sprd_adi_of_match, + }, + .probe = sprd_adi_probe, +- .remove = sprd_adi_remove, ++ .remove_new = sprd_adi_remove, + }; + module_platform_driver(sprd_adi_driver); + +-- +2.51.0 + diff --git a/queue-6.1/spi-sprd-adi-switch-to-use-spi_alloc_host.patch b/queue-6.1/spi-sprd-adi-switch-to-use-spi_alloc_host.patch new file mode 100644 index 0000000000..4eb9d62857 --- /dev/null +++ b/queue-6.1/spi-sprd-adi-switch-to-use-spi_alloc_host.patch @@ -0,0 +1,38 @@ +From 5ae1a840dcc5216d3d99a6517a66e83b42b6009e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:30:06 +0800 +Subject: spi: sprd-adi: switch to use spi_alloc_host() + +From: Yang Yingliang + +[ Upstream commit 0a3d087d09a8f52c02d0014bad63be99c53c4812 ] + +Switch to use modern name function spi_alloc_host(). + +No functional changed. + +Signed-off-by: Yang Yingliang +Link: https://msgid.link/r/20231128093031.3707034-2-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 24f1358e7e8ba..441cde971f7b8 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -529,7 +529,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_master(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.1/spi-sprd-adi-use-devm_platform_get_and_ioremap_resou.patch b/queue-6.1/spi-sprd-adi-use-devm_platform_get_and_ioremap_resou.patch new file mode 100644 index 0000000000..66002dec3b --- /dev/null +++ b/queue-6.1/spi-sprd-adi-use-devm_platform_get_and_ioremap_resou.patch @@ -0,0 +1,42 @@ +From 30315f866163baed84bdb0dbee3c319a112a4fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Mar 2023 14:05:15 +0800 +Subject: spi: sprd-adi: Use devm_platform_get_and_ioremap_resource() + +From: Yang Li + +[ Upstream commit 8499d4b5970f5fd135ee8860075768562a5efe70 ] + +According to commit 890cc39a8799 ("drivers: provide +devm_platform_get_and_ioremap_resource()"), convert +platform_get_resource(), devm_ioremap_resource() to a single +call to devm_platform_get_and_ioremap_resource(), as this is exactly +what this function does. + +Signed-off-by: Yang Li +Reviewed-by: Baolin Wang +Link: https://lore.kernel.org/r/20230327060516.93509-1-yang.lee@linux.alibaba.com +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 3b158124d79f7..22e39c4c12c4e 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -541,8 +541,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, ctlr); + sadi = spi_controller_get_devdata(ctlr); + +- res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- sadi->base = devm_ioremap_resource(&pdev->dev, res); ++ sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); + if (IS_ERR(sadi->base)) { + ret = PTR_ERR(sadi->base); + goto put_ctlr; +-- +2.51.0 + diff --git a/queue-6.1/spi-sprd-adi-use-devm_register_restart_handler.patch b/queue-6.1/spi-sprd-adi-use-devm_register_restart_handler.patch new file mode 100644 index 0000000000..0e1fdbffc5 --- /dev/null +++ b/queue-6.1/spi-sprd-adi-use-devm_register_restart_handler.patch @@ -0,0 +1,115 @@ +From a7f217785c50d57171e0955c668dd8945aaad05a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 10:10:05 -0600 +Subject: spi: sprd: adi: Use devm_register_restart_handler() + +From: Andrew Davis + +[ Upstream commit 8e6a43961f24cf841d3c0d199521d0b284d948b9 ] + +Use device life-cycle managed register function to simplify probe error +path and eliminate need for explicit remove function. + +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20231117161006.87734-5-afd@ti.com +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 30 ++++++++---------------------- + 1 file changed, 8 insertions(+), 22 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 22e39c4c12c4e..24f1358e7e8ba 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -139,8 +139,7 @@ struct sprd_adi_data { + u32 slave_offset; + u32 slave_addr_size; + int (*read_check)(u32 val, u32 reg); +- int (*restart)(struct notifier_block *this, +- unsigned long mode, void *cmd); ++ int (*restart)(struct sys_off_data *data); + void (*wdg_rst)(void *p); + }; + +@@ -151,7 +150,6 @@ struct sprd_adi { + struct hwspinlock *hwlock; + unsigned long slave_vbase; + unsigned long slave_pbase; +- struct notifier_block restart_handler; + const struct sprd_adi_data *data; + }; + +@@ -371,11 +369,9 @@ static void sprd_adi_set_wdt_rst_mode(void *p) + #endif + } + +-static int sprd_adi_restart(struct notifier_block *this, unsigned long mode, +- void *cmd, struct sprd_adi_wdg *wdg) ++static int sprd_adi_restart(struct sprd_adi *sadi, unsigned long mode, ++ const char *cmd, struct sprd_adi_wdg *wdg) + { +- struct sprd_adi *sadi = container_of(this, struct sprd_adi, +- restart_handler); + u32 val, reboot_mode = 0; + + if (!cmd) +@@ -449,8 +445,7 @@ static int sprd_adi_restart(struct notifier_block *this, unsigned long mode, + return NOTIFY_DONE; + } + +-static int sprd_adi_restart_sc9860(struct notifier_block *this, +- unsigned long mode, void *cmd) ++static int sprd_adi_restart_sc9860(struct sys_off_data *data) + { + struct sprd_adi_wdg wdg = { + .base = PMIC_WDG_BASE, +@@ -459,7 +454,7 @@ static int sprd_adi_restart_sc9860(struct notifier_block *this, + .wdg_clk = PMIC_CLK_EN, + }; + +- return sprd_adi_restart(this, mode, cmd, &wdg); ++ return sprd_adi_restart(data->cb_data, data->mode, data->cmd, &wdg); + } + + static void sprd_adi_hw_init(struct sprd_adi *sadi) +@@ -591,9 +586,9 @@ static int sprd_adi_probe(struct platform_device *pdev) + } + + if (sadi->data->restart) { +- sadi->restart_handler.notifier_call = sadi->data->restart; +- sadi->restart_handler.priority = 128; +- ret = register_restart_handler(&sadi->restart_handler); ++ ret = devm_register_restart_handler(&pdev->dev, ++ sadi->data->restart, ++ sadi); + if (ret) { + dev_err(&pdev->dev, "can not register restart handler\n"); + goto put_ctlr; +@@ -607,14 +602,6 @@ static int sprd_adi_probe(struct platform_device *pdev) + return ret; + } + +-static void sprd_adi_remove(struct platform_device *pdev) +-{ +- struct spi_controller *ctlr = dev_get_drvdata(&pdev->dev); +- struct sprd_adi *sadi = spi_controller_get_devdata(ctlr); +- +- unregister_restart_handler(&sadi->restart_handler); +-} +- + static struct sprd_adi_data sc9860_data = { + .slave_offset = ADI_10BIT_SLAVE_OFFSET, + .slave_addr_size = ADI_10BIT_SLAVE_ADDR_SIZE, +@@ -658,7 +645,6 @@ static struct platform_driver sprd_adi_driver = { + .of_match_table = sprd_adi_of_match, + }, + .probe = sprd_adi_probe, +- .remove_new = sprd_adi_remove, + }; + module_platform_driver(sprd_adi_driver); + +-- +2.51.0 + diff --git a/queue-6.1/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-6.1/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..cb80593b93 --- /dev/null +++ b/queue-6.1/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From 930a81e161a11ae1576af0b6bbbaea8951ecebcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 6bdf035e35f56..10bde8a8bb1ef 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1794,9 +1794,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-6.1/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch b/queue-6.1/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch new file mode 100644 index 0000000000..f6e3364788 --- /dev/null +++ b/queue-6.1/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch @@ -0,0 +1,128 @@ +From 8d12dee2c2e9e8050720cbc81a479921b3b1645d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:27 +0100 +Subject: vsock/virtio: cap TX credit to local buffer size + +From: Melbin K Mathew + +[ Upstream commit 8ee784fdf006cbe8739cfa093f54d326cbf54037 ] + +The virtio transports derives its TX credit directly from peer_buf_alloc, +which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. + +On the host side this means that the amount of data we are willing to +queue for a connection is scaled by a guest-chosen buffer size, rather +than the host's own vsock configuration. A malicious guest can advertise +a large buffer and read slowly, causing the host to allocate a +correspondingly large amount of sk_buff memory. +The same thing would happen in the guest with a malicious host, since +virtio transports share the same code base. + +Introduce a small helper, virtio_transport_tx_buf_size(), that +returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume +peer_buf_alloc. + +This ensures the effective TX window is bounded by both the peer's +advertised buffer and our own buf_alloc (already clamped to +buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer +cannot force the other to queue more data than allowed by its own +vsock settings. + +On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with +32 guest vsock connections advertising 2 GiB each and reading slowly +drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only +recovered after killing the QEMU process. That said, if QEMU memory is +limited with cgroups, the maximum memory used will be limited. + +With this patch applied: + + Before: + MemFree: ~61.6 GiB + Slab: ~142 MiB + SUnreclaim: ~117 MiB + + After 32 high-credit connections: + MemFree: ~61.5 GiB + Slab: ~178 MiB + SUnreclaim: ~152 MiB + +Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest +remains responsive. + +Compatibility with non-virtio transports: + + - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per + socket based on the local vsk->buffer_* values; the remote side + cannot enlarge those queues beyond what the local endpoint + configured. + + - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and + an MTU bound; there is no peer-controlled credit field comparable + to peer_buf_alloc, and the remote endpoint cannot drive in-flight + kernel memory above those ring sizes. + + - The loopback path reuses virtio_transport_common.c, so it + naturally follows the same semantics as the virtio transport. + +This change is limited to virtio_transport_common.c and thus affects +virtio-vsock, vhost-vsock, and loopback, bringing them in line with the +"remote window intersected with local policy" behaviour that VMCI and +Hyper-V already effectively have. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: small adjustments after changing the previous patch] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-4-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 76329191102a0..bb44a95b43d5a 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -532,6 +532,15 @@ virtio_transport_seqpacket_dequeue(struct vsock_sock *vsk, + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_dequeue); + ++static u32 virtio_transport_tx_buf_size(struct virtio_vsock_sock *vvs) ++{ ++ /* The peer advertises its receive buffer via peer_buf_alloc, but we ++ * cap it to our local buf_alloc so a remote peer cannot force us to ++ * queue more data than our own buffer configuration allows. ++ */ ++ return min(vvs->peer_buf_alloc, vvs->buf_alloc); ++} ++ + int + virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + struct msghdr *msg, +@@ -541,7 +550,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + + spin_lock_bh(&vvs->tx_lock); + +- if (len > vvs->peer_buf_alloc) { ++ if (len > virtio_transport_tx_buf_size(vvs)) { + spin_unlock_bh(&vvs->tx_lock); + return -EMSGSIZE; + } +@@ -595,7 +604,8 @@ static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction + * does not underflow. + */ +- bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)virtio_transport_tx_buf_size(vvs) - ++ (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.51.0 + diff --git a/queue-6.1/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch b/queue-6.1/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch new file mode 100644 index 0000000000..2244dbb281 --- /dev/null +++ b/queue-6.1/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch @@ -0,0 +1,99 @@ +From 33ff1d5cd83af090f33b6f7cb83401837642b9de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:25 +0100 +Subject: vsock/virtio: fix potential underflow in + virtio_transport_get_credit() + +From: Melbin K Mathew + +[ Upstream commit 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 ] + +The credit calculation in virtio_transport_get_credit() uses unsigned +arithmetic: + + ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + +If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes +are in flight, the subtraction can underflow and produce a large +positive value, potentially allowing more data to be queued than the +peer can handle. + +Reuse virtio_transport_has_space() which already handles this case and +add a comment to make it clear why we are doing that. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: use virtio_transport_has_space() instead of duplicating the code] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-2-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index a65da57fe26fd..76329191102a0 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -28,6 +28,7 @@ + + static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, + bool cancel_timeout); ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs); + + static const struct virtio_transport * + virtio_transport_get_ops(struct vsock_sock *vsk) +@@ -284,9 +285,7 @@ u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) + u32 ret; + + spin_lock_bh(&vvs->tx_lock); +- ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); +- if (ret > credit) +- ret = credit; ++ ret = min_t(u32, credit, virtio_transport_has_space(vvs)); + vvs->tx_cnt += ret; + spin_unlock_bh(&vvs->tx_lock); + +@@ -588,11 +587,14 @@ u32 virtio_transport_seqpacket_has_data(struct vsock_sock *vsk) + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_has_data); + +-static s64 virtio_transport_has_space(struct vsock_sock *vsk) ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + { +- struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + ++ /* Use s64 arithmetic so if the peer shrinks peer_buf_alloc while ++ * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction ++ * does not underflow. ++ */ + bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; +@@ -606,7 +608,7 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk) + s64 bytes; + + spin_lock_bh(&vvs->tx_lock); +- bytes = virtio_transport_has_space(vsk); ++ bytes = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + + return bytes; +@@ -1207,7 +1209,7 @@ static bool virtio_transport_space_update(struct sock *sk, + spin_lock_bh(&vvs->tx_lock); + vvs->peer_buf_alloc = le32_to_cpu(hdr->buf_alloc); + vvs->peer_fwd_cnt = le32_to_cpu(hdr->fwd_cnt); +- space_available = virtio_transport_has_space(vsk); ++ space_available = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + return space_available; + } +-- +2.51.0 + diff --git a/queue-6.1/x86-make-page-fault-handling-disable-interrupts-prop.patch b/queue-6.1/x86-make-page-fault-handling-disable-interrupts-prop.patch new file mode 100644 index 0000000000..dbe79321c6 --- /dev/null +++ b/queue-6.1/x86-make-page-fault-handling-disable-interrupts-prop.patch @@ -0,0 +1,96 @@ +From 0317d40188f1cae28363677670bd74c46b339cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 18:39:15 -0600 +Subject: x86: make page fault handling disable interrupts properly + +From: Cedric Xing + +[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ] + +There's a big comment in the x86 do_page_fault() about our interrupt +disabling code: + + * User address page fault handling might have reenabled + * interrupts. Fixing up all potential exit points of + * do_user_addr_fault() and its leaf functions is just not + * doable w/o creating an unholy mess or turning the code + * upside down. + +but it turns out that comment is subtly wrong, and the code as a result +is also wrong. + +Because it's certainly true that we may have re-enabled interrupts when +handling user page faults. And it's most certainly true that we don't +want to bother fixing up all the cases. + +But what isn't true is that it's limited to user address page faults. + +The confusion stems from the fact that we have logic here that depends +on the address range of the access, but other code then depends on the +_context_ the access was done in. The two are not related, even though +both of them are about user-vs-kernel. + +In other words, both user and kernel addresses can cause interrupts to +have been enabled (eg when __bad_area_nosemaphore() gets called for user +accesses to kernel addresses). As a result we should make sure to +disable interrupts again regardless of the address range before +returning to the low-level fault handling code. + +The __bad_area_nosemaphore() code actually did disable interrupts again +after enabling them, just not consistently. Ironically, as noted in the +original comment, fixing up all the cases is just not worth it, when the +simple solution is to just do it unconditionally in one single place. + +So remove the incomplete case that unsuccessfully tried to do what the +comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make +interrupt enable/disable symmetric in C code"), and just make it do the +simple and straightforward thing. + +Signed-off-by: Cedric Xing +Reviewed-by: Dave Hansen +Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code") +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 2fc007752ceb1..54f8fe0ea5a93 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -835,8 +835,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + force_sig_pkuerr((void __user *)address, pkey); + else + force_sig_fault(SIGSEGV, si_code, (void __user *)address); +- +- local_irq_disable(); + } + + static noinline void +@@ -1429,15 +1427,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code, + do_kern_addr_fault(regs, error_code, address); + } else { + do_user_addr_fault(regs, error_code, address); +- /* +- * User address page fault handling might have reenabled +- * interrupts. Fixing up all potential exit points of +- * do_user_addr_fault() and its leaf functions is just not +- * doable w/o creating an unholy mess or turning the code +- * upside down. +- */ +- local_irq_disable(); + } ++ /* ++ * page fault handling might have reenabled interrupts, ++ * make sure to disable them again. ++ */ ++ local_irq_disable(); + } + + DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault) +-- +2.51.0 + diff --git a/queue-6.12/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-6.12/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..45c3371f29 --- /dev/null +++ b/queue-6.12/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From 2f8c3961e7807cccf98e7ef062e561f873ac92ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 7307e29c60b75..577f9121971e8 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1807,11 +1807,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-6.12/be2net-fix-data-race-in-be_get_new_eqd.patch b/queue-6.12/be2net-fix-data-race-in-be_get_new_eqd.patch new file mode 100644 index 0000000000..49ec2d0821 --- /dev/null +++ b/queue-6.12/be2net-fix-data-race-in-be_get_new_eqd.patch @@ -0,0 +1,61 @@ +From 9072ea268e4e21f4b61c05724a70d8f10ff93412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 23:34:36 +0800 +Subject: be2net: fix data race in be_get_new_eqd + +From: David Yang + +[ Upstream commit 302e5b481caa7b3d11ec0e058434c1fc95195e50 ] + +In be_get_new_eqd(), statistics of pkts, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. Before the commit in question, these statistics were retrieved +one by one directly from queues. Fix this by reading them into temporary +variables first. + +Fixes: 209477704187 ("be2net: set interrupt moderation for Skyhawk-R using EQ-DB") +Signed-off-by: David Yang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260119153440.1440578-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 8c3314445acab..71565b27893e3 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -2141,7 +2141,7 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + struct be_aic_obj *aic; + struct be_rx_obj *rxo; + struct be_tx_obj *txo; +- u64 rx_pkts = 0, tx_pkts = 0; ++ u64 rx_pkts = 0, tx_pkts = 0, pkts; + ulong now; + u32 pps, delta; + int i; +@@ -2157,15 +2157,17 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + for_all_rx_queues_on_eq(adapter, eqo, rxo, i) { + do { + start = u64_stats_fetch_begin(&rxo->stats.sync); +- rx_pkts += rxo->stats.rx_pkts; ++ pkts = rxo->stats.rx_pkts; + } while (u64_stats_fetch_retry(&rxo->stats.sync, start)); ++ rx_pkts += pkts; + } + + for_all_tx_queues_on_eq(adapter, eqo, txo, i) { + do { + start = u64_stats_fetch_begin(&txo->stats.sync); +- tx_pkts += txo->stats.tx_reqs; ++ pkts = txo->stats.tx_reqs; + } while (u64_stats_fetch_retry(&txo->stats.sync, start)); ++ tx_pkts += pkts; + } + + /* Skip, if wrapped around or first calculation */ +-- +2.51.0 + diff --git a/queue-6.12/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-6.12/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..613d3b1cc2 --- /dev/null +++ b/queue-6.12/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From 2acfd05579951ca0fba63bcece51075695e69a01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 779f1324bb5f8..0cda78b78fb87 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3797,6 +3797,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3809,7 +3810,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-6.12/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-6.12/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..7cc8467ad5 --- /dev/null +++ b/queue-6.12/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From e4eb72ef79a67bd306443ced00d0100f746685bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 6f87d7e29e19b..b52f5f64e3abb 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4263,8 +4263,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-6.12/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch b/queue-6.12/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch new file mode 100644 index 0000000000..dc7638d1ed --- /dev/null +++ b/queue-6.12/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch @@ -0,0 +1,98 @@ +From fff9983382aa5dac9bc8d04c542ce8c0be51ab20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 18:21:05 +0100 +Subject: clocksource: Reduce watchdog readout delay limit to prevent false + positives + +From: Thomas Gleixner + +[ Upstream commit c06343be0b4e03fe319910dd7a5d5b9929e1c0cb ] + +The "valid" readout delay between the two reads of the watchdog is larger +than the valid delta between the resulting watchdog and clocksource +intervals, which results in false positive watchdog results. + +Assume TSC is the clocksource and HPET is the watchdog and both have a +uncertainty margin of 250us (default). The watchdog readout does: + + 1) wdnow = read(HPET); + 2) csnow = read(TSC); + 3) wdend = read(HPET); + +The valid window for the delta between #1 and #3 is calculated by the +uncertainty margins of the watchdog and the clocksource: + + m = 2 * watchdog.uncertainty_margin + cs.uncertainty margin; + +which results in 750us for the TSC/HPET case. + +The actual interval comparison uses a smaller margin: + + m = watchdog.uncertainty_margin + cs.uncertainty margin; + +which results in 500us for the TSC/HPET case. + +That means the following scenario will trigger the watchdog: + + Watchdog cycle N: + + 1) wdnow[N] = read(HPET); + 2) csnow[N] = read(TSC); + 3) wdend[N] = read(HPET); + +Assume the delay between #1 and #2 is 100us and the delay between #1 and + + Watchdog cycle N + 1: + + 4) wdnow[N + 1] = read(HPET); + 5) csnow[N + 1] = read(TSC); + 6) wdend[N + 1] = read(HPET); + +If the delay between #4 and #6 is within the 750us margin then any delay +between #4 and #5 which is larger than 600us will fail the interval check +and mark the TSC unstable because the intervals are calculated against the +previous value: + + wd_int = wdnow[N + 1] - wdnow[N]; + cs_int = csnow[N + 1] - csnow[N]; + +Putting the above delays in place this results in: + + cs_int = (wdnow[N + 1] + 610us) - (wdnow[N] + 100us); + -> cs_int = wd_int + 510us; + +which is obviously larger than the allowed 500us margin and results in +marking TSC unstable. + +Fix this by using the same margin as the interval comparison. If the delay +between two watchdog reads is larger than that, then the readout was either +disturbed by interconnect congestion, NMIs or SMIs. + +Fixes: 4ac1dd3245b9 ("clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin") +Reported-by: Daniel J Blueman +Signed-off-by: Thomas Gleixner +Reviewed-by: Paul E. McKenney +Tested-by: Paul E. McKenney +Link: https://lore.kernel.org/lkml/20250602223251.496591-1-daniel@quora.org/ +Link: https://patch.msgid.link/87bjjxc9dq.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index ae862ad9642cb..df386912f9613 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -244,7 +244,7 @@ enum wd_read_status { + + static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) + { +- int64_t md = 2 * watchdog->uncertainty_margin; ++ int64_t md = watchdog->uncertainty_margin; + unsigned int nretries, max_retries; + int64_t wd_delay, wd_seq_delay; + u64 wd_end, wd_end2; +-- +2.51.0 + diff --git a/queue-6.12/dpll-prevent-duplicate-registrations.patch b/queue-6.12/dpll-prevent-duplicate-registrations.patch new file mode 100644 index 0000000000..53205fcbf3 --- /dev/null +++ b/queue-6.12/dpll-prevent-duplicate-registrations.patch @@ -0,0 +1,68 @@ +From 63646f718da932df68c487539f658d5bea668711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 14:00:11 +0100 +Subject: dpll: Prevent duplicate registrations + +From: Ivan Vecera + +[ Upstream commit f3ddbaaaaf4d0633b40482f471753f9c71294a4a ] + +Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() +to reject duplicate registration attempts. + +Previously, if a caller attempted to register the same pin multiple +times (with the same ops, priv, and cookie) on the same device, the core +silently increments the reference count and return success. This behavior +is incorrect because if the caller makes these duplicate registrations +then for the first one dpll_pin_registration is allocated and for others +the associated dpll_pin_ref.refcount is incremented. During the first +unregistration the associated dpll_pin_registration is freed and for +others WARN is fired. + +Fix this by updating the logic to return `-EEXIST` if a matching +registration is found to enforce a strict "register once" policy. + +Fixes: 9431063ad323 ("dpll: core: Add DPLL framework base functions") +Signed-off-by: Ivan Vecera +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260121130012.112606-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/dpll/dpll_core.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c +index 20bdc52f63a50..cafb8832219d0 100644 +--- a/drivers/dpll/dpll_core.c ++++ b/drivers/dpll/dpll_core.c +@@ -83,10 +83,8 @@ dpll_xa_ref_pin_add(struct xarray *xa_pins, struct dpll_pin *pin, + if (ref->pin != pin) + continue; + reg = dpll_pin_registration_find(ref, ops, priv, cookie); +- if (reg) { +- refcount_inc(&ref->refcount); +- return 0; +- } ++ if (reg) ++ return -EEXIST; + ref_exists = true; + break; + } +@@ -164,10 +162,8 @@ dpll_xa_ref_dpll_add(struct xarray *xa_dplls, struct dpll_device *dpll, + if (ref->dpll != dpll) + continue; + reg = dpll_pin_registration_find(ref, ops, priv, cookie); +- if (reg) { +- refcount_inc(&ref->refcount); +- return 0; +- } ++ if (reg) ++ return -EEXIST; + ref_exists = true; + break; + } +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-6.12/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..7cee47b480 --- /dev/null +++ b/queue-6.12/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From ea9aa1a1f5b26c820e03d7f270feff9c5d6d8f58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index f6ba54cf701e7..45bde4f4c8515 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2257,8 +2257,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2312,16 +2310,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-6.12/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-6.12/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..2fa577646d --- /dev/null +++ b/queue-6.12/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From b72de36b6ac3086641f7eb0d19dfb6616ee917d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index 45bde4f4c8515..29cecfab07042 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2265,6 +2265,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3448,10 +3454,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-6.12/drm-imagination-wait-for-fw-trace-update-command-com.patch b/queue-6.12/drm-imagination-wait-for-fw-trace-update-command-com.patch new file mode 100644 index 0000000000..a50573c273 --- /dev/null +++ b/queue-6.12/drm-imagination-wait-for-fw-trace-update-command-com.patch @@ -0,0 +1,55 @@ +From fae0f07b41aea13b1da356d85c243b2cc358e095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 04:09:36 +0000 +Subject: drm/imagination: Wait for FW trace update command completion + +From: Brajesh Gupta + +[ Upstream commit 812062e74a3945b575dce89d330b67cb50054a77 ] + +Possibility of no FW trace available after update in the fw_trace_mask due +to asynchronous mode of command consumption in the FW. + +To ensure FW trace is available after update, wait for FW trace log update +command completion from the FW. + +Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") +Signed-off-by: Brajesh Gupta +Reviewed-by: Matt Coster +Link: https://patch.msgid.link/20260108040936.129769-1-brajesh.gupta@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imagination/pvr_fw_trace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imagination/pvr_fw_trace.c b/drivers/gpu/drm/imagination/pvr_fw_trace.c +index 5dbb636d7d4ff..634c84bfc885a 100644 +--- a/drivers/gpu/drm/imagination/pvr_fw_trace.c ++++ b/drivers/gpu/drm/imagination/pvr_fw_trace.c +@@ -141,6 +141,7 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask) + struct rogue_fwif_kccb_cmd cmd; + int idx; + int err; ++ int slot; + + if (group_mask) + fw_trace->tracebuf_ctrl->log_type = ROGUE_FWIF_LOG_TYPE_TRACE | group_mask; +@@ -158,8 +159,13 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask) + cmd.cmd_type = ROGUE_FWIF_KCCB_CMD_LOGTYPE_UPDATE; + cmd.kccb_flags = 0; + +- err = pvr_kccb_send_cmd(pvr_dev, &cmd, NULL); ++ err = pvr_kccb_send_cmd(pvr_dev, &cmd, &slot); ++ if (err) ++ goto err_drm_dev_exit; ++ ++ err = pvr_kccb_wait_for_completion(pvr_dev, slot, HZ, NULL); + ++err_drm_dev_exit: + drm_dev_exit(idx); + + err_up_read: +-- +2.51.0 + diff --git a/queue-6.12/drm-nouveau-add-missing-dcb-connector-types.patch b/queue-6.12/drm-nouveau-add-missing-dcb-connector-types.patch new file mode 100644 index 0000000000..ee145e16f2 --- /dev/null +++ b/queue-6.12/drm-nouveau-add-missing-dcb-connector-types.patch @@ -0,0 +1,141 @@ +From b8e19f90ff6b7a9bd0f0e1f928cb10e57c182077 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 19:53:26 -0500 +Subject: drm/nouveau: add missing DCB connector types +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Ramírez + +[ Upstream commit 3036b4ce4b209af690fa776e4616925892caba4c ] + +* Add missing DCB connectors in conn.h as per the NVIDIA DCB specification. + +A lot of connector logic was rewritten for Linux v6.5; some display connector types +went unaccounted-for which caused kernel warnings on devices with the now-unsupported +DCB connectors. This patch adds all of the DCB connectors as defined by NVIDIA to the +dcb_connector_type enum to bring back support for these connectors to the new logic. + +Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info") +Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry +Signed-off-by: Alex Ramírez +Reviewed-by: Lyude Paul +[Lyude: Clarify DCB_CONNECTOR_HDMI_0 weirdness in comments] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251213005327.9495-2-lxrmrz732@gmail.com +Signed-off-by: Sasha Levin +--- + .../nouveau/include/nvkm/subdev/bios/conn.h | 95 +++++++++++++++---- + 1 file changed, 74 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h +index d1beaad0c82b6..834ed6587aa52 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h +@@ -1,28 +1,81 @@ + /* SPDX-License-Identifier: MIT */ + #ifndef __NVBIOS_CONN_H__ + #define __NVBIOS_CONN_H__ ++ ++/* ++ * An enumerator representing all of the possible VBIOS connector types defined ++ * by Nvidia at ++ * https://nvidia.github.io/open-gpu-doc/DCB/DCB-4.x-Specification.html. ++ * ++ * [1] Nvidia's documentation actually claims DCB_CONNECTOR_HDMI_0 is a "3-Pin ++ * DIN Stereo Connector". This seems very likely to be a documentation typo ++ * or some sort of funny historical baggage, because we've treated this ++ * connector type as HDMI for years without issue. ++ * TODO: Check with Nvidia what's actually happening here. ++ */ + enum dcb_connector_type { +- DCB_CONNECTOR_VGA = 0x00, +- DCB_CONNECTOR_TV_0 = 0x10, +- DCB_CONNECTOR_TV_1 = 0x11, +- DCB_CONNECTOR_TV_3 = 0x13, +- DCB_CONNECTOR_DVI_I = 0x30, +- DCB_CONNECTOR_DVI_D = 0x31, +- DCB_CONNECTOR_DMS59_0 = 0x38, +- DCB_CONNECTOR_DMS59_1 = 0x39, +- DCB_CONNECTOR_LVDS = 0x40, +- DCB_CONNECTOR_LVDS_SPWG = 0x41, +- DCB_CONNECTOR_DP = 0x46, +- DCB_CONNECTOR_eDP = 0x47, +- DCB_CONNECTOR_mDP = 0x48, +- DCB_CONNECTOR_HDMI_0 = 0x60, +- DCB_CONNECTOR_HDMI_1 = 0x61, +- DCB_CONNECTOR_HDMI_C = 0x63, +- DCB_CONNECTOR_DMS59_DP0 = 0x64, +- DCB_CONNECTOR_DMS59_DP1 = 0x65, +- DCB_CONNECTOR_WFD = 0x70, +- DCB_CONNECTOR_USB_C = 0x71, +- DCB_CONNECTOR_NONE = 0xff ++ /* Analog outputs */ ++ DCB_CONNECTOR_VGA = 0x00, // VGA 15-pin connector ++ DCB_CONNECTOR_DVI_A = 0x01, // DVI-A ++ DCB_CONNECTOR_POD_VGA = 0x02, // Pod - VGA 15-pin connector ++ DCB_CONNECTOR_TV_0 = 0x10, // TV - Composite Out ++ DCB_CONNECTOR_TV_1 = 0x11, // TV - S-Video Out ++ DCB_CONNECTOR_TV_2 = 0x12, // TV - S-Video Breakout - Composite ++ DCB_CONNECTOR_TV_3 = 0x13, // HDTV Component - YPrPb ++ DCB_CONNECTOR_TV_SCART = 0x14, // TV - SCART Connector ++ DCB_CONNECTOR_TV_SCART_D = 0x16, // TV - Composite SCART over D-connector ++ DCB_CONNECTOR_TV_DTERM = 0x17, // HDTV - D-connector (EIAJ4120) ++ DCB_CONNECTOR_POD_TV_3 = 0x18, // Pod - HDTV - YPrPb ++ DCB_CONNECTOR_POD_TV_1 = 0x19, // Pod - S-Video ++ DCB_CONNECTOR_POD_TV_0 = 0x1a, // Pod - Composite ++ ++ /* DVI digital outputs */ ++ DCB_CONNECTOR_DVI_I_TV_1 = 0x20, // DVI-I-TV-S-Video ++ DCB_CONNECTOR_DVI_I_TV_0 = 0x21, // DVI-I-TV-Composite ++ DCB_CONNECTOR_DVI_I_TV_2 = 0x22, // DVI-I-TV-S-Video Breakout-Composite ++ DCB_CONNECTOR_DVI_I = 0x30, // DVI-I ++ DCB_CONNECTOR_DVI_D = 0x31, // DVI-D ++ DCB_CONNECTOR_DVI_ADC = 0x32, // Apple Display Connector (ADC) ++ DCB_CONNECTOR_DMS59_0 = 0x38, // LFH-DVI-I-1 ++ DCB_CONNECTOR_DMS59_1 = 0x39, // LFH-DVI-I-2 ++ DCB_CONNECTOR_BNC = 0x3c, // BNC Connector [for SDI?] ++ ++ /* LVDS / TMDS digital outputs */ ++ DCB_CONNECTOR_LVDS = 0x40, // LVDS-SPWG-Attached [is this name correct?] ++ DCB_CONNECTOR_LVDS_SPWG = 0x41, // LVDS-OEM-Attached (non-removable) ++ DCB_CONNECTOR_LVDS_REM = 0x42, // LVDS-SPWG-Detached [following naming above] ++ DCB_CONNECTOR_LVDS_SPWG_REM = 0x43, // LVDS-OEM-Detached (removable) ++ DCB_CONNECTOR_TMDS = 0x45, // TMDS-OEM-Attached (non-removable) ++ ++ /* DP digital outputs */ ++ DCB_CONNECTOR_DP = 0x46, // DisplayPort External Connector ++ DCB_CONNECTOR_eDP = 0x47, // DisplayPort Internal Connector ++ DCB_CONNECTOR_mDP = 0x48, // DisplayPort (Mini) External Connector ++ ++ /* Dock outputs (not used) */ ++ DCB_CONNECTOR_DOCK_VGA_0 = 0x50, // VGA 15-pin if not docked ++ DCB_CONNECTOR_DOCK_VGA_1 = 0x51, // VGA 15-pin if docked ++ DCB_CONNECTOR_DOCK_DVI_I_0 = 0x52, // DVI-I if not docked ++ DCB_CONNECTOR_DOCK_DVI_I_1 = 0x53, // DVI-I if docked ++ DCB_CONNECTOR_DOCK_DVI_D_0 = 0x54, // DVI-D if not docked ++ DCB_CONNECTOR_DOCK_DVI_D_1 = 0x55, // DVI-D if docked ++ DCB_CONNECTOR_DOCK_DP_0 = 0x56, // DisplayPort if not docked ++ DCB_CONNECTOR_DOCK_DP_1 = 0x57, // DisplayPort if docked ++ DCB_CONNECTOR_DOCK_mDP_0 = 0x58, // DisplayPort (Mini) if not docked ++ DCB_CONNECTOR_DOCK_mDP_1 = 0x59, // DisplayPort (Mini) if docked ++ ++ /* HDMI? digital outputs */ ++ DCB_CONNECTOR_HDMI_0 = 0x60, // HDMI? See [1] in top-level enum comment above ++ DCB_CONNECTOR_HDMI_1 = 0x61, // HDMI-A connector ++ DCB_CONNECTOR_SPDIF = 0x62, // Audio S/PDIF connector ++ DCB_CONNECTOR_HDMI_C = 0x63, // HDMI-C (Mini) connector ++ ++ /* Misc. digital outputs */ ++ DCB_CONNECTOR_DMS59_DP0 = 0x64, // LFH-DP-1 ++ DCB_CONNECTOR_DMS59_DP1 = 0x65, // LFH-DP-2 ++ DCB_CONNECTOR_WFD = 0x70, // Virtual connector for Wifi Display (WFD) ++ DCB_CONNECTOR_USB_C = 0x71, // [DP over USB-C; not present in docs] ++ DCB_CONNECTOR_NONE = 0xff // Skip Entry + }; + + struct nvbios_connT { +-- +2.51.0 + diff --git a/queue-6.12/drm-nouveau-implement-missing-dcb-connector-types-gr.patch b/queue-6.12/drm-nouveau-implement-missing-dcb-connector-types-gr.patch new file mode 100644 index 0000000000..8fb4a4c4bf --- /dev/null +++ b/queue-6.12/drm-nouveau-implement-missing-dcb-connector-types-gr.patch @@ -0,0 +1,122 @@ +From e715826c05ac171f356548c75bb9304d4bc99060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 19:53:27 -0500 +Subject: drm/nouveau: implement missing DCB connector types; gracefully handle + unknown connectors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Ramírez + +[ Upstream commit d0bd10792d6cc3725ddee43f03fd6ee234f24844 ] + +* Implement missing DCB connectors in uconn.c previously defined in conn.h. +* Replace kernel WARN_ON macro with printk message to more gracefully signify + an unknown connector was encountered. + +With this patch, unknown connectors are explicitly marked with value 0 +(DCB_CONNECTOR_VGA) to match the tested current behavior. Although 0xff +(DCB_CONNECTOR_NONE) may be more suitable, I don't want to introduce a +breaking change. + +Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info") +Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry +Signed-off-by: Alex Ramírez +Reviewed-by: Lyude Paul +[Lyude: Remove unneeded parenthesis around nvkm_warn()] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251213005327.9495-3-lxrmrz732@gmail.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 73 ++++++++++++++----- + 1 file changed, 53 insertions(+), 20 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +index 2dab6612c4fc8..23d1e5c27bb1e 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +@@ -191,27 +191,60 @@ nvkm_uconn_new(const struct nvkm_oclass *oclass, void *argv, u32 argc, struct nv + spin_lock(&disp->client.lock); + if (!conn->object.func) { + switch (conn->info.type) { +- case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break; +- case DCB_CONNECTOR_TV_0 : +- case DCB_CONNECTOR_TV_1 : +- case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break; +- case DCB_CONNECTOR_DMS59_0 : +- case DCB_CONNECTOR_DMS59_1 : +- case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break; +- case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break; +- case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break; +- case DCB_CONNECTOR_LVDS_SPWG: args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break; +- case DCB_CONNECTOR_DMS59_DP0: +- case DCB_CONNECTOR_DMS59_DP1: +- case DCB_CONNECTOR_DP : +- case DCB_CONNECTOR_mDP : +- case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break; +- case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break; +- case DCB_CONNECTOR_HDMI_0 : +- case DCB_CONNECTOR_HDMI_1 : +- case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break; ++ /* VGA */ ++ case DCB_CONNECTOR_DVI_A : ++ case DCB_CONNECTOR_POD_VGA : ++ case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break; ++ ++ /* TV */ ++ case DCB_CONNECTOR_TV_0 : ++ case DCB_CONNECTOR_TV_1 : ++ case DCB_CONNECTOR_TV_2 : ++ case DCB_CONNECTOR_TV_SCART : ++ case DCB_CONNECTOR_TV_SCART_D : ++ case DCB_CONNECTOR_TV_DTERM : ++ case DCB_CONNECTOR_POD_TV_3 : ++ case DCB_CONNECTOR_POD_TV_1 : ++ case DCB_CONNECTOR_POD_TV_0 : ++ case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break; ++ ++ /* DVI */ ++ case DCB_CONNECTOR_DVI_I_TV_1 : ++ case DCB_CONNECTOR_DVI_I_TV_0 : ++ case DCB_CONNECTOR_DVI_I_TV_2 : ++ case DCB_CONNECTOR_DVI_ADC : ++ case DCB_CONNECTOR_DMS59_0 : ++ case DCB_CONNECTOR_DMS59_1 : ++ case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break; ++ case DCB_CONNECTOR_TMDS : ++ case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break; ++ ++ /* LVDS */ ++ case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break; ++ case DCB_CONNECTOR_LVDS_SPWG : args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break; ++ ++ /* DP */ ++ case DCB_CONNECTOR_DMS59_DP0 : ++ case DCB_CONNECTOR_DMS59_DP1 : ++ case DCB_CONNECTOR_DP : ++ case DCB_CONNECTOR_mDP : ++ case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break; ++ case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break; ++ ++ /* HDMI */ ++ case DCB_CONNECTOR_HDMI_0 : ++ case DCB_CONNECTOR_HDMI_1 : ++ case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break; ++ ++ /* ++ * Dock & unused outputs. ++ * BNC, SPDIF, WFD, and detached LVDS go here. ++ */ + default: +- WARN_ON(1); ++ nvkm_warn(&disp->engine.subdev, ++ "unimplemented connector type 0x%02x\n", ++ conn->info.type); ++ args->v0.type = NVIF_CONN_V0_VGA; + ret = -EINVAL; + break; + } +-- +2.51.0 + diff --git a/queue-6.12/ice-fix-persistent-failure-in-ice_get_rxfh.patch b/queue-6.12/ice-fix-persistent-failure-in-ice_get_rxfh.patch new file mode 100644 index 0000000000..23d29361ac --- /dev/null +++ b/queue-6.12/ice-fix-persistent-failure-in-ice_get_rxfh.patch @@ -0,0 +1,104 @@ +From 395891cba945897689b7de4671da4411db8f01b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 16:22:26 -0800 +Subject: ice: Fix persistent failure in ice_get_rxfh + +From: Cody Haas + +[ Upstream commit f406220eb8e227ca344eef1a6d30aff53706b196 ] + +Several ioctl functions have the ability to call ice_get_rxfh, however +all of these ioctl functions do not provide all of the expected +information in ethtool_rxfh_param. For example, ethtool_get_rxfh_indir does +not provide an rss_key. This previously caused ethtool_get_rxfh_indir to +always fail with -EINVAL. + +This change draws inspiration from i40e_get_rss to handle this +situation, by only calling the appropriate rss helpers when the +necessary information has been provided via ethtool_rxfh_param. + +Fixes: b66a972abb6b ("ice: Refactor ice_set/get_rss into LUT and key specific functions") +Signed-off-by: Cody Haas +Closes: https://lore.kernel.org/intel-wired-lan/CAH7f-UKkJV8MLY7zCdgCrGE55whRhbGAXvgkDnwgiZ9gUZT7_w@mail.gmail.com/ +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 1 + + drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +---- + drivers/net/ethernet/intel/ice/ice_main.c | 28 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 0e699a0432c5b..bffdf537dafa8 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -952,6 +952,7 @@ void ice_map_xdp_rings(struct ice_vsi *vsi); + int + ice_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, + u32 flags); ++int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size); + int ice_set_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size); + int ice_get_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size); + int ice_set_rss_key(struct ice_vsi *vsi, u8 *seed); +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 2a2acbeb57221..5379fbe06b073 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3649,11 +3649,7 @@ ice_get_rxfh(struct net_device *netdev, struct ethtool_rxfh_param *rxfh) + if (!lut) + return -ENOMEM; + +- err = ice_get_rss_key(vsi, rxfh->key); +- if (err) +- goto out; +- +- err = ice_get_rss_lut(vsi, lut, vsi->rss_table_size); ++ err = ice_get_rss(vsi, rxfh->key, lut, vsi->rss_table_size); + if (err) + goto out; + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 4f4678607e55f..d024e71722de3 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -8042,6 +8042,34 @@ int ice_get_rss_key(struct ice_vsi *vsi, u8 *seed) + return status; + } + ++/** ++ * ice_get_rss - Get RSS LUT and/or key ++ * @vsi: Pointer to VSI structure ++ * @seed: Buffer to store the key in ++ * @lut: Buffer to store the lookup table entries ++ * @lut_size: Size of buffer to store the lookup table entries ++ * ++ * Return: 0 on success, negative on failure ++ */ ++int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size) ++{ ++ int err; ++ ++ if (seed) { ++ err = ice_get_rss_key(vsi, seed); ++ if (err) ++ return err; ++ } ++ ++ if (lut) { ++ err = ice_get_rss_lut(vsi, lut, lut_size); ++ if (err) ++ return err; ++ } ++ ++ return 0; ++} ++ + /** + * ice_set_rss_hfunc - Set RSS HASH function + * @vsi: Pointer to VSI structure +-- +2.51.0 + diff --git a/queue-6.12/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-6.12/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..1609ce9085 --- /dev/null +++ b/queue-6.12/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 75e327f19cf6542cdbf5519800ad8186c7c30516 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c +index 37522dca2c7c8..01d5719aa3eac 100644 +--- a/drivers/iio/adc/ad7280a.c ++++ b/drivers/iio/adc/ad7280a.c +@@ -1026,7 +1026,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, st->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, st->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-6.12/interconnect-debugfs-initialize-src_node-and-dst_nod.patch b/queue-6.12/interconnect-debugfs-initialize-src_node-and-dst_nod.patch new file mode 100644 index 0000000000..24a0824952 --- /dev/null +++ b/queue-6.12/interconnect-debugfs-initialize-src_node-and-dst_nod.patch @@ -0,0 +1,47 @@ +From 80d68d98bf52ee8cf7f66520a490567c899d926e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 14:25:23 +0200 +Subject: interconnect: debugfs: initialize src_node and dst_node to empty + strings + +From: Georgi Djakov + +[ Upstream commit 8cc27f5c6dd17dd090f3a696683f04336c162ff5 ] + +The debugfs_create_str() API assumes that the string pointer is either NULL +or points to valid kmalloc() memory. Leaving the pointer uninitialized can +cause problems. + +Initialize src_node and dst_node to empty strings before creating the +debugfs entries to guarantee that reads and writes are safe. + +Fixes: 770c69f037c1 ("interconnect: Add debugfs test client") +Signed-off-by: Georgi Djakov +Reviewed-by: Kuan-Wei Chiu +Tested-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20260109122523.125843-1-djakov@kernel.org +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/debugfs-client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/interconnect/debugfs-client.c b/drivers/interconnect/debugfs-client.c +index 778deeb4a7e8a..24d7b5a577945 100644 +--- a/drivers/interconnect/debugfs-client.c ++++ b/drivers/interconnect/debugfs-client.c +@@ -150,6 +150,11 @@ int icc_debugfs_client_init(struct dentry *icc_dir) + return ret; + } + ++ src_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ dst_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ if (!src_node || !dst_node) ++ return -ENOMEM; ++ + client_dir = debugfs_create_dir("test_client", icc_dir); + + debugfs_create_str("src_node", 0600, client_dir, &src_node); +-- +2.51.0 + diff --git a/queue-6.12/ipv6-annotate-data-race-in-ndisc_router_discovery.patch b/queue-6.12/ipv6-annotate-data-race-in-ndisc_router_discovery.patch new file mode 100644 index 0000000000..757c328fcf --- /dev/null +++ b/queue-6.12/ipv6-annotate-data-race-in-ndisc_router_discovery.patch @@ -0,0 +1,79 @@ +From 4d08ea38bd129a8eedc358918ed80dbd00f8dfe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 15:29:41 +0000 +Subject: ipv6: annotate data-race in ndisc_router_discovery() + +From: Eric Dumazet + +[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ] + +syzbot found that ndisc_router_discovery() could read and write +in6_dev->ra_mtu without holding a lock [1] + +This looks fine, IFLA_INET6_RA_MTU is best effort. + +Add READ_ONCE()/WRITE_ONCE() to document the race. + +Note that we might also reject illegal MTU values +(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. + +[1] +BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery + +read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: + ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: + ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +value changed: 0x00000000 -> 0xe5400659 + +Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Rocco Yue +Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index d961e6c2d09d7..480c906cb374c 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1582,8 +1582,8 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb) + memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu)); + mtu = ntohl(n); + +- if (in6_dev->ra_mtu != mtu) { +- in6_dev->ra_mtu = mtu; ++ if (READ_ONCE(in6_dev->ra_mtu) != mtu) { ++ WRITE_ONCE(in6_dev->ra_mtu, mtu); + send_ifinfo_notify = true; + } + +-- +2.51.0 + diff --git a/queue-6.12/kconfig-fix-static-linking-of-nconf.patch b/queue-6.12/kconfig-fix-static-linking-of-nconf.patch new file mode 100644 index 0000000000..688dcf7c33 --- /dev/null +++ b/queue-6.12/kconfig-fix-static-linking-of-nconf.patch @@ -0,0 +1,70 @@ +From 05229a2932406ac4522e453203abb99d68eb6c2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jan 2026 12:48:08 +0100 +Subject: kconfig: fix static linking of nconf + +From: Arkadiusz Kozdra + +[ Upstream commit baaecfcac559bcac73206df447eb5c385fa22f2a ] + +When running make nconfig with a static linking host toolchain, +the libraries are linked in an incorrect order, +resulting in errors similar to the following: + +$ MAKEFLAGS='HOSTCC=cc\ -static' make nconfig +/usr/bin/ld: /usr/lib64/gcc/x86_64-unknown-linux-gnu/14.2.1/../../../../lib64/libpanel.a(p_new.o): in function `new_panel': +(.text+0x13): undefined reference to `_nc_panelhook_sp' +/usr/bin/ld: (.text+0x6c): undefined reference to `_nc_panelhook_sp' + +Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf") +Signed-off-by: Arusekk +Link: https://patch.msgid.link/20260110114808.22595-1-floss@arusekk.pl +[nsc: Added comment about library order] +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf-cfg.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh +index a20290b1a37d8..4d08453f9bdb7 100755 +--- a/scripts/kconfig/nconf-cfg.sh ++++ b/scripts/kconfig/nconf-cfg.sh +@@ -6,8 +6,9 @@ set -eu + cflags=$1 + libs=$2 + +-PKG="ncursesw menuw panelw" +-PKG2="ncurses menu panel" ++# Keep library order for static linking (HOSTCC='cc -static') ++PKG="menuw panelw ncursesw" ++PKG2="menu panel ncurses" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +@@ -28,19 +29,19 @@ fi + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} +- echo -lncursesw -lmenuw -lpanelw > ${libs} ++ echo -lmenuw -lpanelw -lncursesw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses.h ]; then + echo -D_GNU_SOURCE > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + +-- +2.51.0 + diff --git a/queue-6.12/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch b/queue-6.12/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch new file mode 100644 index 0000000000..bca9f85428 --- /dev/null +++ b/queue-6.12/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch @@ -0,0 +1,57 @@ +From 15db51742018e9184004dd2483ccb9c38d7583f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 22:25:03 +0530 +Subject: keys/trusted_keys: fix handle passed to tpm_buf_append_name during + unseal + +From: Srish Srinivasan + +[ Upstream commit 6342969dafbc63597cfc221aa13c3b123c2800c5 ] + +TPM2_Unseal[1] expects the handle of a loaded data object, and not the +handle of the parent key. But the tpm2_unseal_cmd provides the parent +keyhandle instead of blob_handle for the session HMAC calculation. This +causes unseal to fail. + +Fix this by passing blob_handle to tpm_buf_append_name(). + +References: + +[1] trustedcomputinggroup.org/wp-content/uploads/ + Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf + +Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size") +Signed-off-by: Srish Srinivasan +Reviewed-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/trusted-keys/trusted_tpm2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c +index 7187768716b78..74cea80ed9be5 100644 +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -489,7 +489,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, + } + + /** +- * tpm2_unseal_cmd() - execute a TPM2_Unload command ++ * tpm2_unseal_cmd() - execute a TPM2_Unseal command + * + * @chip: TPM chip to use + * @payload: the key data in clear and encrypted form +@@ -520,7 +520,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, + return rc; + } + +- rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); ++ rc = tpm_buf_append_name(chip, &buf, blob_handle, NULL); + if (rc) + goto out; + +-- +2.51.0 + diff --git a/queue-6.12/misdn-annotate-data-race-around-dev-work.patch b/queue-6.12/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..6cd092200b --- /dev/null +++ b/queue-6.12/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From 671ea0f9a3ed0d59343033a88c81a56b7c2cd20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index 7cfa8c61dba0a..b2df23234ed3c 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-6.12/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch b/queue-6.12/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch new file mode 100644 index 0000000000..65d99f47b5 --- /dev/null +++ b/queue-6.12/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch @@ -0,0 +1,52 @@ +From e20a6e7b7cc3be5dc2fea39e52f1ed3c1f2750f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 23:10:39 +0200 +Subject: net: dsa: fix off-by-one in maximum bridge ID determination + +From: Vladimir Oltean + +[ Upstream commit dfca045cd4d0ea07ff4198ba392be3e718acaddc ] + +Prior to the blamed commit, the bridge_num range was from +0 to ds->max_num_bridges - 1. After the commit, it is from +1 to ds->max_num_bridges. + +So this check: + if (bridge_num >= max) + return 0; +must be updated to: + if (bridge_num > max) + return 0; + +in order to allow the last bridge_num value (==max) to be used. + +This is easiest visible when a driver sets ds->max_num_bridges=1. +The observed behaviour is that even the first created bridge triggers +the netlink extack "Range of offloadable bridges exceeded" warning, and +is handled in software rather than being offloaded. + +Fixes: 3f9bb0301d50 ("net: dsa: make dp->bridge_num one-based") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20260120211039.3228999-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index 97599e0d5a1d0..76a086e846c45 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -157,7 +157,7 @@ unsigned int dsa_bridge_num_get(const struct net_device *bridge_dev, int max) + bridge_num = find_next_zero_bit(&dsa_fwd_offloading_bridges, + DSA_MAX_NUM_OFFLOADING_BRIDGES, + 1); +- if (bridge_num >= max) ++ if (bridge_num > max) + return 0; + + set_bit(bridge_num, &dsa_fwd_offloading_bridges); +-- +2.51.0 + diff --git a/queue-6.12/net-hns3-fix-data-race-in-hns3_fetch_stats.patch b/queue-6.12/net-hns3-fix-data-race-in-hns3_fetch_stats.patch new file mode 100644 index 0000000000..1c03c3a3d5 --- /dev/null +++ b/queue-6.12/net-hns3-fix-data-race-in-hns3_fetch_stats.patch @@ -0,0 +1,112 @@ +From 29a02c2dd73972c364d74e0e77ee8fc01c411807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 00:07:37 +0800 +Subject: net: hns3: fix data race in hns3_fetch_stats + +From: David Yang + +[ Upstream commit 748a81c8ceda1fdbdcd0af595947422e810442aa ] + +In hns3_fetch_stats(), ring statistics, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. These statistics are already accumulated by +hns3_ring_stats_update(). Fix this by reading them into a temporary +buffer first. + +Fixes: b20d7fe51e0d ("net: hns3: add some statitics info to tx process") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260119160759.1455950-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++++++++++--------- + 1 file changed, 36 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 94432e237640d..b477bd286ed72 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2500,44 +2500,47 @@ static netdev_features_t hns3_features_check(struct sk_buff *skb, + static void hns3_fetch_stats(struct rtnl_link_stats64 *stats, + struct hns3_enet_ring *ring, bool is_tx) + { ++ struct ring_stats ring_stats; + unsigned int start; + + do { + start = u64_stats_fetch_begin(&ring->syncp); +- if (is_tx) { +- stats->tx_bytes += ring->stats.tx_bytes; +- stats->tx_packets += ring->stats.tx_pkts; +- stats->tx_dropped += ring->stats.sw_err_cnt; +- stats->tx_dropped += ring->stats.tx_vlan_err; +- stats->tx_dropped += ring->stats.tx_l4_proto_err; +- stats->tx_dropped += ring->stats.tx_l2l3l4_err; +- stats->tx_dropped += ring->stats.tx_tso_err; +- stats->tx_dropped += ring->stats.over_max_recursion; +- stats->tx_dropped += ring->stats.hw_limitation; +- stats->tx_dropped += ring->stats.copy_bits_err; +- stats->tx_dropped += ring->stats.skb2sgl_err; +- stats->tx_dropped += ring->stats.map_sg_err; +- stats->tx_errors += ring->stats.sw_err_cnt; +- stats->tx_errors += ring->stats.tx_vlan_err; +- stats->tx_errors += ring->stats.tx_l4_proto_err; +- stats->tx_errors += ring->stats.tx_l2l3l4_err; +- stats->tx_errors += ring->stats.tx_tso_err; +- stats->tx_errors += ring->stats.over_max_recursion; +- stats->tx_errors += ring->stats.hw_limitation; +- stats->tx_errors += ring->stats.copy_bits_err; +- stats->tx_errors += ring->stats.skb2sgl_err; +- stats->tx_errors += ring->stats.map_sg_err; +- } else { +- stats->rx_bytes += ring->stats.rx_bytes; +- stats->rx_packets += ring->stats.rx_pkts; +- stats->rx_dropped += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l3l4_csum_err; +- stats->rx_crc_errors += ring->stats.l2_err; +- stats->multicast += ring->stats.rx_multicast; +- stats->rx_length_errors += ring->stats.err_pkt_len; +- } ++ ring_stats = ring->stats; + } while (u64_stats_fetch_retry(&ring->syncp, start)); ++ ++ if (is_tx) { ++ stats->tx_bytes += ring_stats.tx_bytes; ++ stats->tx_packets += ring_stats.tx_pkts; ++ stats->tx_dropped += ring_stats.sw_err_cnt; ++ stats->tx_dropped += ring_stats.tx_vlan_err; ++ stats->tx_dropped += ring_stats.tx_l4_proto_err; ++ stats->tx_dropped += ring_stats.tx_l2l3l4_err; ++ stats->tx_dropped += ring_stats.tx_tso_err; ++ stats->tx_dropped += ring_stats.over_max_recursion; ++ stats->tx_dropped += ring_stats.hw_limitation; ++ stats->tx_dropped += ring_stats.copy_bits_err; ++ stats->tx_dropped += ring_stats.skb2sgl_err; ++ stats->tx_dropped += ring_stats.map_sg_err; ++ stats->tx_errors += ring_stats.sw_err_cnt; ++ stats->tx_errors += ring_stats.tx_vlan_err; ++ stats->tx_errors += ring_stats.tx_l4_proto_err; ++ stats->tx_errors += ring_stats.tx_l2l3l4_err; ++ stats->tx_errors += ring_stats.tx_tso_err; ++ stats->tx_errors += ring_stats.over_max_recursion; ++ stats->tx_errors += ring_stats.hw_limitation; ++ stats->tx_errors += ring_stats.copy_bits_err; ++ stats->tx_errors += ring_stats.skb2sgl_err; ++ stats->tx_errors += ring_stats.map_sg_err; ++ } else { ++ stats->rx_bytes += ring_stats.rx_bytes; ++ stats->rx_packets += ring_stats.rx_pkts; ++ stats->rx_dropped += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l3l4_csum_err; ++ stats->rx_crc_errors += ring_stats.l2_err; ++ stats->multicast += ring_stats.rx_multicast; ++ stats->rx_length_errors += ring_stats.err_pkt_len; ++ } + } + + static void hns3_nic_get_stats64(struct net_device *netdev, +-- +2.51.0 + diff --git a/queue-6.12/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-6.12/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..5641097895 --- /dev/null +++ b/queue-6.12/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From d235196d8d17ce350be0c3f3c53afbabcfb80286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 8dd970ef02ac6..7468e03051ea4 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5700,7 +5700,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-6.12/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-6.12/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..1fb59e86be --- /dev/null +++ b/queue-6.12/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From 93c5d9c5ee82a77a8ae36adb6f57183b29ff6dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 9bb708fa42f24..416e02e7b995f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -731,7 +731,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-6.12/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch b/queue-6.12/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch new file mode 100644 index 0000000000..4feab277b7 --- /dev/null +++ b/queue-6.12/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch @@ -0,0 +1,63 @@ +From bc1c81b7dac4a4682c8288eef98081c52a230216 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:29:26 +0800 +Subject: net: openvswitch: fix data race in ovs_vport_get_upcall_stats + +From: David Yang + +[ Upstream commit cc4816bdb08639e5cd9acb295a02d6f0f09736b4 ] + +In ovs_vport_get_upcall_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics are already accumulated +by u64_stats_inc(). Fix this by reading them into temporary variables +first. + +Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets") +Signed-off-by: David Yang +Acked-by: Ilya Maximets +Reviewed-by: Eric Dumazet +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20260121072932.2360971-1-mmyangfl@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c +index 8732f6e51ae5a..2a996858a9145 100644 +--- a/net/openvswitch/vport.c ++++ b/net/openvswitch/vport.c +@@ -310,22 +310,23 @@ void ovs_vport_get_stats(struct vport *vport, struct ovs_vport_stats *stats) + */ + int ovs_vport_get_upcall_stats(struct vport *vport, struct sk_buff *skb) + { ++ u64 tx_success = 0, tx_fail = 0; + struct nlattr *nla; + int i; + +- __u64 tx_success = 0; +- __u64 tx_fail = 0; +- + for_each_possible_cpu(i) { + const struct vport_upcall_stats_percpu *stats; ++ u64 n_success, n_fail; + unsigned int start; + + stats = per_cpu_ptr(vport->upcall_stats, i); + do { + start = u64_stats_fetch_begin(&stats->syncp); +- tx_success += u64_stats_read(&stats->n_success); +- tx_fail += u64_stats_read(&stats->n_fail); ++ n_success = u64_stats_read(&stats->n_success); ++ n_fail = u64_stats_read(&stats->n_fail); + } while (u64_stats_fetch_retry(&stats->syncp, start)); ++ tx_success += n_success; ++ tx_fail += n_fail; + } + + nla = nla_nest_start_noflag(skb, OVS_VPORT_ATTR_UPCALL_STATS); +-- +2.51.0 + diff --git a/queue-6.12/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-6.12/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..c81198c7e3 --- /dev/null +++ b/queue-6.12/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From f0eb68ddc801d86afc9985c804368e4a74403a5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index 7c6975632fc2e..c7ab25642d997 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -821,6 +821,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -829,6 +830,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -844,8 +847,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-6.12/netdevsim-fix-a-race-issue-related-to-the-operation-.patch b/queue-6.12/netdevsim-fix-a-race-issue-related-to-the-operation-.patch new file mode 100644 index 0000000000..3cf6045d4d --- /dev/null +++ b/queue-6.12/netdevsim-fix-a-race-issue-related-to-the-operation-.patch @@ -0,0 +1,131 @@ +From a39a5a85ac5c77a5cea20b3503c86479eec6d2e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 17:53:08 +0800 +Subject: netdevsim: fix a race issue related to the operation on + bpf_bound_progs list + +From: Yun Lu + +[ Upstream commit b97d5eedf4976cc94321243be83b39efe81a0e15 ] + +The netdevsim driver lacks a protection mechanism for operations on the +bpf_bound_progs list. When the nsim_bpf_create_prog() performs +list_add_tail, it is possible that nsim_bpf_destroy_prog() is +simultaneously performs list_del. Concurrent operations on the list may +lead to list corruption and trigger a kernel crash as follows: + +[ 417.290971] kernel BUG at lib/list_debug.c:62! +[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1 +[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 417.291007] Workqueue: events bpf_prog_free_deferred +[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0 +[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8 +[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246 +[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000 +[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180 +[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003 +[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20 +[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000 +[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000 +[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0 +[ 417.291088] PKRU: 55555554 +[ 417.291091] Call Trace: +[ 417.291096] +[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim] +[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80 +[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0 +[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0 +[ 417.291178] process_one_work+0x18a/0x3a0 +[ 417.291188] worker_thread+0x27b/0x3a0 +[ 417.291197] ? __pfx_worker_thread+0x10/0x10 +[ 417.291207] kthread+0xe5/0x120 +[ 417.291214] ? __pfx_kthread+0x10/0x10 +[ 417.291221] ret_from_fork+0x31/0x50 +[ 417.291230] ? __pfx_kthread+0x10/0x10 +[ 417.291236] ret_from_fork_asm+0x1a/0x30 +[ 417.291246] + +Add a mutex lock, to prevent simultaneous addition and deletion operations +on the list. + +Fixes: 31d3ad832948 ("netdevsim: add bpf offload support") +Reported-by: Yinhao Hu +Reported-by: Kaiyan Mei +Signed-off-by: Yun Lu +Link: https://patch.msgid.link/20260116095308.11441-1-luyun_611@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 6 ++++++ + drivers/net/netdevsim/dev.c | 2 ++ + drivers/net/netdevsim/netdevsim.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 608953d4f98da..ca64136372fca 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -244,7 +244,9 @@ static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev, + &state->state, &nsim_bpf_string_fops); + debugfs_create_bool("loaded", 0400, state->ddir, &state->is_loaded); + ++ mutex_lock(&nsim_dev->progs_list_lock); + list_add_tail(&state->l, &nsim_dev->bpf_bound_progs); ++ mutex_unlock(&nsim_dev->progs_list_lock); + + prog->aux->offload->dev_priv = state; + +@@ -273,12 +275,16 @@ static int nsim_bpf_translate(struct bpf_prog *prog) + static void nsim_bpf_destroy_prog(struct bpf_prog *prog) + { + struct nsim_bpf_bound_prog *state; ++ struct nsim_dev *nsim_dev; + + state = prog->aux->offload->dev_priv; ++ nsim_dev = state->nsim_dev; + WARN(state->is_loaded, + "offload state destroyed while program still bound"); + debugfs_remove_recursive(state->ddir); ++ mutex_lock(&nsim_dev->progs_list_lock); + list_del(&state->l); ++ mutex_unlock(&nsim_dev->progs_list_lock); + kfree(state); + } + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 3e0b61202f0c9..2614d6509954c 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -1545,6 +1545,7 @@ int nsim_drv_probe(struct nsim_bus_dev *nsim_bus_dev) + nsim_dev->max_macs = NSIM_DEV_MAX_MACS_DEFAULT; + nsim_dev->test1 = NSIM_DEV_TEST1_DEFAULT; + spin_lock_init(&nsim_dev->fa_cookie_lock); ++ mutex_init(&nsim_dev->progs_list_lock); + + dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev); + +@@ -1683,6 +1684,7 @@ void nsim_drv_remove(struct nsim_bus_dev *nsim_bus_dev) + devl_unregister(devlink); + kfree(nsim_dev->vfconfigs); + kfree(nsim_dev->fa_cookie); ++ mutex_destroy(&nsim_dev->progs_list_lock); + devl_unlock(devlink); + devlink_free(devlink); + dev_set_drvdata(&nsim_bus_dev->dev, NULL); +diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h +index 84181dcb98831..736d0dde679ec 100644 +--- a/drivers/net/netdevsim/netdevsim.h ++++ b/drivers/net/netdevsim/netdevsim.h +@@ -308,6 +308,7 @@ struct nsim_dev { + u32 prog_id_gen; + struct list_head bpf_bound_progs; + struct list_head bpf_bound_maps; ++ struct mutex progs_list_lock; + struct netdev_phys_item_id switch_id; + struct list_head port_list; + bool fw_update_status; +-- +2.51.0 + diff --git a/queue-6.12/octeontx2-af-fix-error-handling.patch b/queue-6.12/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..76f996014f --- /dev/null +++ b/queue-6.12/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From 8a3cfa75e89370e0570a595c9b1241ed58c29d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 6575c422635b7..74201e0210bbf 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1546,8 +1546,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1557,21 +1557,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1582,6 +1582,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1719,22 +1721,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1744,33 +1755,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch b/queue-6.12/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch new file mode 100644 index 0000000000..e9af2959a9 --- /dev/null +++ b/queue-6.12/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch @@ -0,0 +1,50 @@ +From 61f112c8889590ac0a5ccb8e7c1bc7c4a50c16a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 09:13:17 +0000 +Subject: platform/x86/amd: Fix memory leak in wbrf_record() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zilin Guan + +[ Upstream commit 2bf1877b7094c684e1d652cac6912cfbc507ad3e ] + +The tmp buffer is allocated using kcalloc() but is not freed if +acpi_evaluate_dsm() fails. This causes a memory leak in the error path. + +Fix this by explicitly freeing the tmp buffer in the error handling +path of acpi_evaluate_dsm(). + +Fixes: 58e82a62669d ("platform/x86/amd: Add support for AMD ACPI based Wifi band RFI mitigation feature") +Suggested-by: Ilpo Järvinen +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Link: https://patch.msgid.link/20260106091318.747019-1-zilin@seu.edu.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/wbrf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/amd/wbrf.c b/drivers/platform/x86/amd/wbrf.c +index dd197b3aebe06..0f58d252b620a 100644 +--- a/drivers/platform/x86/amd/wbrf.c ++++ b/drivers/platform/x86/amd/wbrf.c +@@ -104,8 +104,10 @@ static int wbrf_record(struct acpi_device *adev, uint8_t action, struct wbrf_ran + obj = acpi_evaluate_dsm(adev->handle, &wifi_acpi_dsm_guid, + WBRF_REVISION, WBRF_RECORD, &argv4); + +- if (!obj) ++ if (!obj) { ++ kfree(tmp); + return -EINVAL; ++ } + + if (obj->type != ACPI_TYPE_INTEGER) { + ret = -EINVAL; +-- +2.51.0 + diff --git a/queue-6.12/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-6.12/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..f350c52704 --- /dev/null +++ b/queue-6.12/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From f76d8229cdbf02c7c4432d22417e266d3efc8f24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 66b3840bd96e3..70cde1bd04000 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-6.12/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch b/queue-6.12/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch new file mode 100644 index 0000000000..fc817624bb --- /dev/null +++ b/queue-6.12/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch @@ -0,0 +1,57 @@ +From 81a7f4b387c92a1360302f0ef2601419cebcf734 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 22:59:36 +0900 +Subject: riscv: clocksource: Fix stimecmp update hazard on RV32 + +From: Naohiko Shimizu + +[ Upstream commit eaa9bb1d39d59e7c17b06cec12622b7c586ab629 ] + +On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two +separate 32-bit writes. A race condition exists if the timer triggers +during these two writes. + +The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp) +recommends a specific 3-step sequence to avoid spurious interrupts +when updating 64-bit comparison registers on 32-bit systems: + +1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX). +2. Set the high-order bits (stimecmph) to the desired value. +3. Set the low-order bits (stimecmp) to the desired value. + +Current implementation writes the LSB first without ensuring a future +value, which may lead to a transient state where the 64-bit comparison +is incorrectly evaluated as "expired" by the hardware. This results in +spurious timer interrupts. + +This patch adopts the spec-recommended 3-step sequence to ensure the +intermediate 64-bit state is never smaller than the current time. + +Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available") +Signed-off-by: Naohiko Shimizu +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20260104135938.524-2-naohiko.shimizu@gmail.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-riscv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c +index 4d7cf338824a3..cfc4d83c42c03 100644 +--- a/drivers/clocksource/timer-riscv.c ++++ b/drivers/clocksource/timer-riscv.c +@@ -50,8 +50,9 @@ static int riscv_clock_next_event(unsigned long delta, + + if (static_branch_likely(&riscv_sstc_available)) { + #if defined(CONFIG_32BIT) +- csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); ++ csr_write(CSR_STIMECMP, ULONG_MAX); + csr_write(CSR_STIMECMPH, next_tval >> 32); ++ csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); + #else + csr_write(CSR_STIMECMP, next_tval); + #endif +-- +2.51.0 + diff --git a/queue-6.12/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch b/queue-6.12/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch new file mode 100644 index 0000000000..56152318c6 --- /dev/null +++ b/queue-6.12/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch @@ -0,0 +1,71 @@ +From 5b9b96dc5ad66084b21a13fba8f6727f56cdac14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 17:33:17 +0100 +Subject: sched/fair: Fix pelt clock sync when entering idle + +From: Vincent Guittot + +[ Upstream commit 98c88dc8a1ace642d9021b103b28cba7b51e3abc ] + +Samuel and Alex reported regressions of the util_avg of RT rq with +commit 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection"). +It happens that fair is updating and syncing the pelt clock with task one +when pick_next_task_fair() fails to pick a task but before the prev +scheduling class got a chance to update its pelt signals. + +Move update_idle_rq_clock_pelt() in set_next_task_idle() which is called +after prev class has been called. + +Fixes: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection") +Closes: https://lore.kernel.org/all/CAG2KctpO6VKS6GN4QWDji0t92_gNBJ7HjjXrE+6H+RwRXt=iLg@mail.gmail.com/ +Closes: https://lore.kernel.org/all/8cf19bf0e0054dcfed70e9935029201694f1bb5a.camel@mediatek.com/ +Reported-by: Samuel Wu +Reported-by: Alex Hoh +Signed-off-by: Vincent Guittot +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Samuel Wu +Tested-by: Alex Hoh +Link: https://patch.msgid.link/20260121163317.505635-1-vincent.guittot@linaro.org +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 6 ------ + kernel/sched/idle.c | 6 ++++++ + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 1436d6bb86ec4..6efb1dfcd943a 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -9033,12 +9033,6 @@ pick_next_task_fair(struct rq *rq, struct task_struct *prev, struct rq_flags *rf + goto again; + } + +- /* +- * rq is about to be idle, check if we need to update the +- * lost_idle_time of clock_pelt +- */ +- update_idle_rq_clock_pelt(rq); +- + return NULL; + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index 53bb9193c537a..624ef809f6715 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -462,6 +462,12 @@ static void set_next_task_idle(struct rq *rq, struct task_struct *next, bool fir + scx_update_idle(rq, true, true); + schedstat_inc(rq->sched_goidle); + next->se.exec_start = rq_clock_task(rq); ++ ++ /* ++ * rq is about to be idle, check if we need to update the ++ * lost_idle_time of clock_pelt ++ */ ++ update_idle_rq_clock_pelt(rq); + } + + struct task_struct *pick_task_idle(struct rq *rq) +-- +2.51.0 + diff --git a/queue-6.12/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-6.12/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..37e6ad0d2e --- /dev/null +++ b/queue-6.12/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 0c2962f44b9d558956d313bd0eeae262afed9cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 35b841515d1d6..9a89a94784cd0 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -282,11 +282,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index a4cafc688c2a1..55717fd3234be 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -373,6 +373,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-6.12/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch b/queue-6.12/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch new file mode 100644 index 0000000000..cc1cd4170d --- /dev/null +++ b/queue-6.12/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch @@ -0,0 +1,61 @@ +From cce771d63057cfd9e5239c5920c21a2ffcfa16b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 20:53:44 +0000 +Subject: scsi: qla2xxx: Sanitize payload size to prevent member overflow + +From: Jiasheng Jiang + +[ Upstream commit 19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 ] + +In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size +reported by firmware is used to calculate the copy length into +item->iocb. However, the iocb member is defined as a fixed-size 64-byte +array within struct purex_item. + +If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will +overflow the iocb member boundary. While extra memory might be allocated, +this cross-member write is unsafe and triggers warnings under +CONFIG_FORTIFY_SOURCE. + +Fix this by capping total_bytes to the size of the iocb member (64 bytes) +before allocation and copying. This ensures all copies remain within the +bounds of the destination structure member. + +Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index 77c779cca97f8..a1c5ef569f9d8 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, void **pkt, + payload_size = sizeof(purex->els_frame_payload); + } + ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + no_bytes = (pending_bytes > payload_size) ? payload_size : + pending_bytes; +@@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, void **pkt, + + total_bytes = (le16_to_cpu(purex->frame_size) & 0x0FFF) + - PURX_ELS_HEADER_SIZE; ++ ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + entry_count = entry_count_remaining = purex->entry_count; + no_bytes = (pending_bytes > sizeof(purex->els_frame_payload)) ? +-- +2.51.0 + diff --git a/queue-6.12/selftests-net-amt-wait-longer-for-connection-before-.patch b/queue-6.12/selftests-net-amt-wait-longer-for-connection-before-.patch new file mode 100644 index 0000000000..12807f3c2b --- /dev/null +++ b/queue-6.12/selftests-net-amt-wait-longer-for-connection-before-.patch @@ -0,0 +1,63 @@ +From 94e28ee007ae24d1ff68a9a322119035a6654d31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:39:30 +0000 +Subject: selftests: net: amt: wait longer for connection before sending + packets + +From: Taehee Yoo + +[ Upstream commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 ] + +Both send_mcast4() and send_mcast6() use sleep 2 to wait for the tunnel +connection between the gateway and the relay, and for the listener +socket to be created in the LISTENER namespace. + +However, tests sometimes fail because packets are sent before the +connection is fully established. + +Increase the waiting time to make the tests more reliable, and use +wait_local_port_listen() to explicitly wait for the listener socket. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Signed-off-by: Taehee Yoo +Link: https://patch.msgid.link/20260120133930.863845-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index d458b45c775b4..42957561c414a 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -73,6 +73,8 @@ + # +------------------------+ + #============================================================================== + ++source lib.sh ++ + readonly LISTENER=$(mktemp -u listener-XXXXXXXX) + readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX) + readonly RELAY=$(mktemp -u relay-XXXXXXXX) +@@ -240,14 +242,15 @@ test_ipv6_forward() + + send_mcast4() + { +- sleep 2 ++ sleep 5 ++ wait_local_port_listen ${LISTENER} 4000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { +- sleep 2 ++ wait_local_port_listen ${LISTENER} 6000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 3088f306a9..376676a367 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -58,3 +58,43 @@ platform-x86-hp-bioscfg-fix-kernel-panic-in-get_instance_id-macro.patch mm-rmap-fix-two-comments-related-to-huge_pmd_unshare.patch io_uring-io-wq-check-io_wq_bit_exit-inside-work-run-loop.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +interconnect-debugfs-initialize-src_node-and-dst_nod.patch +spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +kconfig-fix-static-linking-of-nconf.patch +riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch +platform-x86-amd-fix-memory-leak-in-wbrf_record.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +drm-imagination-wait-for-fw-trace-update-command-com.patch +netdevsim-fix-a-race-issue-related-to-the-operation-.patch +ice-fix-persistent-failure-in-ice_get_rxfh.patch +net-hns3-fix-data-race-in-hns3_fetch_stats.patch +be2net-fix-data-race-in-be_get_new_eqd.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +ipv6-annotate-data-race-in-ndisc_router_discovery.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +clocksource-reduce-watchdog-readout-delay-limit-to-p.patch +sched-fair-fix-pelt-clock-sync-when-entering-idle.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +drm-nouveau-add-missing-dcb-connector-types.patch +drm-nouveau-implement-missing-dcb-connector-types-gr.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +selftests-net-amt-wait-longer-for-connection-before-.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch +octeontx2-af-fix-error-handling.patch +net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch +vsock-virtio-fix-potential-underflow-in-virtio_trans.patch +vsock-test-fix-seqpacket-message-bounds-test.patch +vsock-virtio-cap-tx-credit-to-local-buffer-size.patch +net-sched-act_ife-avoid-possible-null-deref.patch +dpll-prevent-duplicate-registrations.patch +x86-make-page-fault-handling-disable-interrupts-prop.patch +tpm-compare-hmac-values-in-constant-time.patch +keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch diff --git a/queue-6.12/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch b/queue-6.12/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch new file mode 100644 index 0000000000..907989f537 --- /dev/null +++ b/queue-6.12/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch @@ -0,0 +1,113 @@ +From ce443149aaa32b4c89178199b680204da5840942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:49:53 +0800 +Subject: spi: spi-sprd-adi: Fix double free in probe error path + +From: Felix Gu + +[ Upstream commit 383d4f5cffcc8df930d95b06518a9d25a6d74aac ] + +The driver currently uses spi_alloc_host() to allocate the controller +but registers it using devm_spi_register_controller(). + +If devm_register_restart_handler() fails, the code jumps to the +put_ctlr label and calls spi_controller_put(). However, since the +controller was registered via a devm function, the device core will +automatically call spi_controller_put() again when the probe fails. +This results in a double-free of the spi_controller structure. + +Fix this by switching to devm_spi_alloc_host() and removing the +manual spi_controller_put() call. + +Fixes: ac17750 ("spi: sprd: Add the support of restarting the system") +Signed-off-by: Felix Gu +Reviewed-by: Baolin Wang +Link: https://patch.msgid.link/tencent_AC7D389CE7E24318445E226F7CDCCC2F0D07@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 262c11d977ea3..f25b34a91756f 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -528,7 +528,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +@@ -536,10 +536,8 @@ static int sprd_adi_probe(struct platform_device *pdev) + sadi = spi_controller_get_devdata(ctlr); + + sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +- if (IS_ERR(sadi->base)) { +- ret = PTR_ERR(sadi->base); +- goto put_ctlr; +- } ++ if (IS_ERR(sadi->base)) ++ return PTR_ERR(sadi->base); + + sadi->slave_vbase = (unsigned long)sadi->base + + data->slave_offset; +@@ -551,18 +549,15 @@ static int sprd_adi_probe(struct platform_device *pdev) + if (ret > 0 || (IS_ENABLED(CONFIG_HWSPINLOCK) && ret == 0)) { + sadi->hwlock = + devm_hwspin_lock_request_specific(&pdev->dev, ret); +- if (!sadi->hwlock) { +- ret = -ENXIO; +- goto put_ctlr; +- } ++ if (!sadi->hwlock) ++ return -ENXIO; + } else { + switch (ret) { + case -ENOENT: + dev_info(&pdev->dev, "no hardware spinlock supplied\n"); + break; + default: +- dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); +- goto put_ctlr; ++ return dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); + } + } + +@@ -579,26 +574,18 @@ static int sprd_adi_probe(struct platform_device *pdev) + ctlr->transfer_one = sprd_adi_transfer_one; + + ret = devm_spi_register_controller(&pdev->dev, ctlr); +- if (ret) { +- dev_err(&pdev->dev, "failed to register SPI controller\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register SPI controller\n"); + + if (sadi->data->restart) { + ret = devm_register_restart_handler(&pdev->dev, + sadi->data->restart, + sadi); +- if (ret) { +- dev_err(&pdev->dev, "can not register restart handler\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "can not register restart handler\n"); + } + + return 0; +- +-put_ctlr: +- spi_controller_put(ctlr); +- return ret; + } + + static struct sprd_adi_data sc9860_data = { +-- +2.51.0 + diff --git a/queue-6.12/tpm-compare-hmac-values-in-constant-time.patch b/queue-6.12/tpm-compare-hmac-values-in-constant-time.patch new file mode 100644 index 0000000000..e00ef28755 --- /dev/null +++ b/queue-6.12/tpm-compare-hmac-values-in-constant-time.patch @@ -0,0 +1,72 @@ +From ed3aab121fae7be0803f43fa7321bcaf9229ea05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Aug 2025 14:24:21 -0700 +Subject: tpm: Compare HMAC values in constant time + +From: Eric Biggers + +[ Upstream commit 2c2615c8423890b5ef8e0a186b65607ef5fdeda1 ] + +In tpm_buf_check_hmac_response(), compare the HMAC values in constant +time using crypto_memneq() instead of in variable time using memcmp(). + +This is worthwhile to follow best practices and to be consistent with +MAC comparisons elsewhere in the kernel. However, in this driver the +side channel seems to have been benign: the HMAC input data is +guaranteed to always be unique, which makes the usual MAC forgery via +timing side channel not possible. Specifically, the HMAC input data in +tpm_buf_check_hmac_response() includes the "our_nonce" field, which was +generated by the kernel earlier, remains under the control of the +kernel, and is unique for each call to tpm_buf_check_hmac_response(). + +Signed-off-by: Eric Biggers +Signed-off-by: Jarkko Sakkinen +Stable-dep-of: 6342969dafbc ("keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal") +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/Kconfig | 1 + + drivers/char/tpm/tpm2-sessions.c | 6 +++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/char/tpm/Kconfig b/drivers/char/tpm/Kconfig +index db41301e63f28..f0473d2148786 100644 +--- a/drivers/char/tpm/Kconfig ++++ b/drivers/char/tpm/Kconfig +@@ -33,6 +33,7 @@ config TCG_TPM2_HMAC + select CRYPTO_ECDH + select CRYPTO_LIB_AESCFB + select CRYPTO_LIB_SHA256 ++ select CRYPTO_LIB_UTILS + help + Setting this causes us to deploy a scheme which uses request + and response HMACs in addition to encryption for +diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c +index 4d9acfb1787e9..cb944df7b3ca6 100644 +--- a/drivers/char/tpm/tpm2-sessions.c ++++ b/drivers/char/tpm/tpm2-sessions.c +@@ -71,6 +71,7 @@ + #include + #include + #include ++#include + + /* maximum number of names the TPM must remember for authorization */ + #define AUTH_MAX_NAMES 3 +@@ -888,12 +889,11 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, + /* we're done with the rphash, so put our idea of the hmac there */ + tpm2_hmac_final(&sctx, auth->session_key, sizeof(auth->session_key) + + auth->passphrase_len, rphash); +- if (memcmp(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE) == 0) { +- rc = 0; +- } else { ++ if (crypto_memneq(rphash, &buf->data[offset_s], SHA256_DIGEST_SIZE)) { + dev_err(&chip->dev, "TPM: HMAC check failed\n"); + goto out; + } ++ rc = 0; + + /* now do response decryption */ + if (auth->attrs & TPM2_SA_ENCRYPT) { +-- +2.51.0 + diff --git a/queue-6.12/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-6.12/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..ef6a3b208f --- /dev/null +++ b/queue-6.12/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From acaae84de9c13f24576644cb9704282aa60cb946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index f1f61d85d9498..f4a05737abf7a 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1797,9 +1797,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-6.12/vsock-test-fix-seqpacket-message-bounds-test.patch b/queue-6.12/vsock-test-fix-seqpacket-message-bounds-test.patch new file mode 100644 index 0000000000..fb57a1eb74 --- /dev/null +++ b/queue-6.12/vsock-test-fix-seqpacket-message-bounds-test.patch @@ -0,0 +1,61 @@ +From e8530d5805c366c36dc3fcc464bb3f5540884037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:26 +0100 +Subject: vsock/test: fix seqpacket message bounds test + +From: Stefano Garzarella + +[ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ] + +The test requires the sender (client) to send all messages before waking +up the receiver (server). +Since virtio-vsock had a bug and did not respect the size of the TX +buffer, this test worked, but now that we are going to fix the bug, the +test hangs because the sender would fill the TX buffer before waking up +the receiver. + +Set the buffer size in the sender (client) as well, as we already do for +the receiver (server). + +Fixes: 5c338112e48a ("test/vsock: rework message bounds test") +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/vsock_test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c +index 0c22ff7a8de2a..79ef11c0ab14f 100644 +--- a/tools/testing/vsock/vsock_test.c ++++ b/tools/testing/vsock/vsock_test.c +@@ -359,6 +359,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts) + + static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + { ++ unsigned long long sock_buf_size; + unsigned long curr_hash; + size_t max_msg_size; + int page_size; +@@ -371,6 +372,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + exit(EXIT_FAILURE); + } + ++ sock_buf_size = SOCK_BUF_SIZE; ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)"); ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)"); ++ + /* Wait, until receiver sets buffer size. */ + control_expectln("SRVREADY"); + +-- +2.51.0 + diff --git a/queue-6.12/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch b/queue-6.12/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch new file mode 100644 index 0000000000..b92cb044b5 --- /dev/null +++ b/queue-6.12/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch @@ -0,0 +1,128 @@ +From cb95e45b68b13d9979bbfad2eba4c99a451ac44d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:27 +0100 +Subject: vsock/virtio: cap TX credit to local buffer size + +From: Melbin K Mathew + +[ Upstream commit 8ee784fdf006cbe8739cfa093f54d326cbf54037 ] + +The virtio transports derives its TX credit directly from peer_buf_alloc, +which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. + +On the host side this means that the amount of data we are willing to +queue for a connection is scaled by a guest-chosen buffer size, rather +than the host's own vsock configuration. A malicious guest can advertise +a large buffer and read slowly, causing the host to allocate a +correspondingly large amount of sk_buff memory. +The same thing would happen in the guest with a malicious host, since +virtio transports share the same code base. + +Introduce a small helper, virtio_transport_tx_buf_size(), that +returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume +peer_buf_alloc. + +This ensures the effective TX window is bounded by both the peer's +advertised buffer and our own buf_alloc (already clamped to +buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer +cannot force the other to queue more data than allowed by its own +vsock settings. + +On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with +32 guest vsock connections advertising 2 GiB each and reading slowly +drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only +recovered after killing the QEMU process. That said, if QEMU memory is +limited with cgroups, the maximum memory used will be limited. + +With this patch applied: + + Before: + MemFree: ~61.6 GiB + Slab: ~142 MiB + SUnreclaim: ~117 MiB + + After 32 high-credit connections: + MemFree: ~61.5 GiB + Slab: ~178 MiB + SUnreclaim: ~152 MiB + +Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest +remains responsive. + +Compatibility with non-virtio transports: + + - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per + socket based on the local vsk->buffer_* values; the remote side + cannot enlarge those queues beyond what the local endpoint + configured. + + - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and + an MTU bound; there is no peer-controlled credit field comparable + to peer_buf_alloc, and the remote endpoint cannot drive in-flight + kernel memory above those ring sizes. + + - The loopback path reuses virtio_transport_common.c, so it + naturally follows the same semantics as the virtio transport. + +This change is limited to virtio_transport_common.c and thus affects +virtio-vsock, vhost-vsock, and loopback, bringing them in line with the +"remote window intersected with local policy" behaviour that VMCI and +Hyper-V already effectively have. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: small adjustments after changing the previous patch] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-4-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index dfb8cad4259c2..a2f0f81be1d5d 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -819,6 +819,15 @@ virtio_transport_seqpacket_dequeue(struct vsock_sock *vsk, + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_dequeue); + ++static u32 virtio_transport_tx_buf_size(struct virtio_vsock_sock *vvs) ++{ ++ /* The peer advertises its receive buffer via peer_buf_alloc, but we ++ * cap it to our local buf_alloc so a remote peer cannot force us to ++ * queue more data than our own buffer configuration allows. ++ */ ++ return min(vvs->peer_buf_alloc, vvs->buf_alloc); ++} ++ + int + virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + struct msghdr *msg, +@@ -828,7 +837,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + + spin_lock_bh(&vvs->tx_lock); + +- if (len > vvs->peer_buf_alloc) { ++ if (len > virtio_transport_tx_buf_size(vvs)) { + spin_unlock_bh(&vvs->tx_lock); + return -EMSGSIZE; + } +@@ -882,7 +891,8 @@ static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction + * does not underflow. + */ +- bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)virtio_transport_tx_buf_size(vvs) - ++ (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.51.0 + diff --git a/queue-6.12/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch b/queue-6.12/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch new file mode 100644 index 0000000000..e3a1660f26 --- /dev/null +++ b/queue-6.12/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch @@ -0,0 +1,99 @@ +From 9977ca4c3f00c7cac129ad6bdab95758645a7245 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:25 +0100 +Subject: vsock/virtio: fix potential underflow in + virtio_transport_get_credit() + +From: Melbin K Mathew + +[ Upstream commit 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 ] + +The credit calculation in virtio_transport_get_credit() uses unsigned +arithmetic: + + ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + +If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes +are in flight, the subtraction can underflow and produce a large +positive value, potentially allowing more data to be queued than the +peer can handle. + +Reuse virtio_transport_has_space() which already handles this case and +add a comment to make it clear why we are doing that. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: use virtio_transport_has_space() instead of duplicating the code] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-2-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 4e8a9771a04d6..dfb8cad4259c2 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -28,6 +28,7 @@ + + static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, + bool cancel_timeout); ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs); + + static const struct virtio_transport * + virtio_transport_get_ops(struct vsock_sock *vsk) +@@ -497,9 +498,7 @@ u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) + return 0; + + spin_lock_bh(&vvs->tx_lock); +- ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); +- if (ret > credit) +- ret = credit; ++ ret = min_t(u32, credit, virtio_transport_has_space(vvs)); + vvs->tx_cnt += ret; + vvs->bytes_unsent += ret; + spin_unlock_bh(&vvs->tx_lock); +@@ -875,11 +874,14 @@ u32 virtio_transport_seqpacket_has_data(struct vsock_sock *vsk) + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_has_data); + +-static s64 virtio_transport_has_space(struct vsock_sock *vsk) ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + { +- struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + ++ /* Use s64 arithmetic so if the peer shrinks peer_buf_alloc while ++ * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction ++ * does not underflow. ++ */ + bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; +@@ -893,7 +895,7 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk) + s64 bytes; + + spin_lock_bh(&vvs->tx_lock); +- bytes = virtio_transport_has_space(vsk); ++ bytes = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + + return bytes; +@@ -1507,7 +1509,7 @@ static bool virtio_transport_space_update(struct sock *sk, + spin_lock_bh(&vvs->tx_lock); + vvs->peer_buf_alloc = le32_to_cpu(hdr->buf_alloc); + vvs->peer_fwd_cnt = le32_to_cpu(hdr->fwd_cnt); +- space_available = virtio_transport_has_space(vsk); ++ space_available = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + return space_available; + } +-- +2.51.0 + diff --git a/queue-6.12/x86-make-page-fault-handling-disable-interrupts-prop.patch b/queue-6.12/x86-make-page-fault-handling-disable-interrupts-prop.patch new file mode 100644 index 0000000000..ecc97d3cbb --- /dev/null +++ b/queue-6.12/x86-make-page-fault-handling-disable-interrupts-prop.patch @@ -0,0 +1,96 @@ +From c558b1693df80b6082ee28e43dea7f3de92d9775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 18:39:15 -0600 +Subject: x86: make page fault handling disable interrupts properly + +From: Cedric Xing + +[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ] + +There's a big comment in the x86 do_page_fault() about our interrupt +disabling code: + + * User address page fault handling might have reenabled + * interrupts. Fixing up all potential exit points of + * do_user_addr_fault() and its leaf functions is just not + * doable w/o creating an unholy mess or turning the code + * upside down. + +but it turns out that comment is subtly wrong, and the code as a result +is also wrong. + +Because it's certainly true that we may have re-enabled interrupts when +handling user page faults. And it's most certainly true that we don't +want to bother fixing up all the cases. + +But what isn't true is that it's limited to user address page faults. + +The confusion stems from the fact that we have logic here that depends +on the address range of the access, but other code then depends on the +_context_ the access was done in. The two are not related, even though +both of them are about user-vs-kernel. + +In other words, both user and kernel addresses can cause interrupts to +have been enabled (eg when __bad_area_nosemaphore() gets called for user +accesses to kernel addresses). As a result we should make sure to +disable interrupts again regardless of the address range before +returning to the low-level fault handling code. + +The __bad_area_nosemaphore() code actually did disable interrupts again +after enabling them, just not consistently. Ironically, as noted in the +original comment, fixing up all the cases is just not worth it, when the +simple solution is to just do it unconditionally in one single place. + +So remove the incomplete case that unsuccessfully tried to do what the +comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make +interrupt enable/disable symmetric in C code"), and just make it do the +simple and straightforward thing. + +Signed-off-by: Cedric Xing +Reviewed-by: Dave Hansen +Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code") +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index ac52255fab01f..adef0e8dc5e12 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -823,8 +823,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + force_sig_pkuerr((void __user *)address, pkey); + else + force_sig_fault(SIGSEGV, si_code, (void __user *)address); +- +- local_irq_disable(); + } + + static noinline void +@@ -1479,15 +1477,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code, + do_kern_addr_fault(regs, error_code, address); + } else { + do_user_addr_fault(regs, error_code, address); +- /* +- * User address page fault handling might have reenabled +- * interrupts. Fixing up all potential exit points of +- * do_user_addr_fault() and its leaf functions is just not +- * doable w/o creating an unholy mess or turning the code +- * upside down. +- */ +- local_irq_disable(); + } ++ /* ++ * page fault handling might have reenabled interrupts, ++ * make sure to disable them again. ++ */ ++ local_irq_disable(); + } + + DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault) +-- +2.51.0 + diff --git a/queue-6.18/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-6.18/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..3ce67a643b --- /dev/null +++ b/queue-6.18/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From bb3d4104b8ed81a242cb5399af72097f1fcba7af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index 3af71d42b9b9a..90917c6ea871b 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1813,11 +1813,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-6.18/be2net-fix-data-race-in-be_get_new_eqd.patch b/queue-6.18/be2net-fix-data-race-in-be_get_new_eqd.patch new file mode 100644 index 0000000000..2288a3fa19 --- /dev/null +++ b/queue-6.18/be2net-fix-data-race-in-be_get_new_eqd.patch @@ -0,0 +1,61 @@ +From f2a733cfd09801373d04c2145d4bd648f659c60a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 23:34:36 +0800 +Subject: be2net: fix data race in be_get_new_eqd + +From: David Yang + +[ Upstream commit 302e5b481caa7b3d11ec0e058434c1fc95195e50 ] + +In be_get_new_eqd(), statistics of pkts, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. Before the commit in question, these statistics were retrieved +one by one directly from queues. Fix this by reading them into temporary +variables first. + +Fixes: 209477704187 ("be2net: set interrupt moderation for Skyhawk-R using EQ-DB") +Signed-off-by: David Yang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260119153440.1440578-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 5bb31c8fab391..995c159003d79 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -2141,7 +2141,7 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + struct be_aic_obj *aic; + struct be_rx_obj *rxo; + struct be_tx_obj *txo; +- u64 rx_pkts = 0, tx_pkts = 0; ++ u64 rx_pkts = 0, tx_pkts = 0, pkts; + ulong now; + u32 pps, delta; + int i; +@@ -2157,15 +2157,17 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + for_all_rx_queues_on_eq(adapter, eqo, rxo, i) { + do { + start = u64_stats_fetch_begin(&rxo->stats.sync); +- rx_pkts += rxo->stats.rx_pkts; ++ pkts = rxo->stats.rx_pkts; + } while (u64_stats_fetch_retry(&rxo->stats.sync, start)); ++ rx_pkts += pkts; + } + + for_all_tx_queues_on_eq(adapter, eqo, txo, i) { + do { + start = u64_stats_fetch_begin(&txo->stats.sync); +- tx_pkts += txo->stats.tx_reqs; ++ pkts = txo->stats.tx_reqs; + } while (u64_stats_fetch_retry(&txo->stats.sync, start)); ++ tx_pkts += pkts; + } + + /* Skip, if wrapped around or first calculation */ +-- +2.51.0 + diff --git a/queue-6.18/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-6.18/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..3783079ae8 --- /dev/null +++ b/queue-6.18/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From d9cad011a38e9922a62b3ac8985bdd27d59af696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index bb5d2fa157365..8ed45bceb5379 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3801,6 +3801,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3813,7 +3814,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-6.18/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-6.18/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..ff3b0ee8fc --- /dev/null +++ b/queue-6.18/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From ad552536bfa0f0e56df455ac79d70afe03c57c62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index c66cb2d43dcf1..595fda2444b1f 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4187,8 +4187,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-6.18/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch b/queue-6.18/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch new file mode 100644 index 0000000000..3dd4a0d67c --- /dev/null +++ b/queue-6.18/clocksource-reduce-watchdog-readout-delay-limit-to-p.patch @@ -0,0 +1,98 @@ +From 0a03932dc5a6a28b98738038248f92c15460c606 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Dec 2025 18:21:05 +0100 +Subject: clocksource: Reduce watchdog readout delay limit to prevent false + positives + +From: Thomas Gleixner + +[ Upstream commit c06343be0b4e03fe319910dd7a5d5b9929e1c0cb ] + +The "valid" readout delay between the two reads of the watchdog is larger +than the valid delta between the resulting watchdog and clocksource +intervals, which results in false positive watchdog results. + +Assume TSC is the clocksource and HPET is the watchdog and both have a +uncertainty margin of 250us (default). The watchdog readout does: + + 1) wdnow = read(HPET); + 2) csnow = read(TSC); + 3) wdend = read(HPET); + +The valid window for the delta between #1 and #3 is calculated by the +uncertainty margins of the watchdog and the clocksource: + + m = 2 * watchdog.uncertainty_margin + cs.uncertainty margin; + +which results in 750us for the TSC/HPET case. + +The actual interval comparison uses a smaller margin: + + m = watchdog.uncertainty_margin + cs.uncertainty margin; + +which results in 500us for the TSC/HPET case. + +That means the following scenario will trigger the watchdog: + + Watchdog cycle N: + + 1) wdnow[N] = read(HPET); + 2) csnow[N] = read(TSC); + 3) wdend[N] = read(HPET); + +Assume the delay between #1 and #2 is 100us and the delay between #1 and + + Watchdog cycle N + 1: + + 4) wdnow[N + 1] = read(HPET); + 5) csnow[N + 1] = read(TSC); + 6) wdend[N + 1] = read(HPET); + +If the delay between #4 and #6 is within the 750us margin then any delay +between #4 and #5 which is larger than 600us will fail the interval check +and mark the TSC unstable because the intervals are calculated against the +previous value: + + wd_int = wdnow[N + 1] - wdnow[N]; + cs_int = csnow[N + 1] - csnow[N]; + +Putting the above delays in place this results in: + + cs_int = (wdnow[N + 1] + 610us) - (wdnow[N] + 100us); + -> cs_int = wd_int + 510us; + +which is obviously larger than the allowed 500us margin and results in +marking TSC unstable. + +Fix this by using the same margin as the interval comparison. If the delay +between two watchdog reads is larger than that, then the readout was either +disturbed by interconnect congestion, NMIs or SMIs. + +Fixes: 4ac1dd3245b9 ("clocksource: Set cs_watchdog_read() checks based on .uncertainty_margin") +Reported-by: Daniel J Blueman +Signed-off-by: Thomas Gleixner +Reviewed-by: Paul E. McKenney +Tested-by: Paul E. McKenney +Link: https://lore.kernel.org/lkml/20250602223251.496591-1-daniel@quora.org/ +Link: https://patch.msgid.link/87bjjxc9dq.ffs@tglx +Signed-off-by: Sasha Levin +--- + kernel/time/clocksource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c +index a1890a073196b..df71949616584 100644 +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -252,7 +252,7 @@ enum wd_read_status { + + static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow) + { +- int64_t md = 2 * watchdog->uncertainty_margin; ++ int64_t md = watchdog->uncertainty_margin; + unsigned int nretries, max_retries; + int64_t wd_delay, wd_seq_delay; + u64 wd_end, wd_end2; +-- +2.51.0 + diff --git a/queue-6.18/dpll-prevent-duplicate-registrations.patch b/queue-6.18/dpll-prevent-duplicate-registrations.patch new file mode 100644 index 0000000000..83f0a5e930 --- /dev/null +++ b/queue-6.18/dpll-prevent-duplicate-registrations.patch @@ -0,0 +1,68 @@ +From 72377d3fdf9dac550776d97a3469423be132294a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 14:00:11 +0100 +Subject: dpll: Prevent duplicate registrations + +From: Ivan Vecera + +[ Upstream commit f3ddbaaaaf4d0633b40482f471753f9c71294a4a ] + +Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() +to reject duplicate registration attempts. + +Previously, if a caller attempted to register the same pin multiple +times (with the same ops, priv, and cookie) on the same device, the core +silently increments the reference count and return success. This behavior +is incorrect because if the caller makes these duplicate registrations +then for the first one dpll_pin_registration is allocated and for others +the associated dpll_pin_ref.refcount is incremented. During the first +unregistration the associated dpll_pin_registration is freed and for +others WARN is fired. + +Fix this by updating the logic to return `-EEXIST` if a matching +registration is found to enforce a strict "register once" policy. + +Fixes: 9431063ad323 ("dpll: core: Add DPLL framework base functions") +Signed-off-by: Ivan Vecera +Reviewed-by: Arkadiusz Kubalewski +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260121130012.112606-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/dpll/dpll_core.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/dpll/dpll_core.c b/drivers/dpll/dpll_core.c +index a461095efd8ac..8879a72351561 100644 +--- a/drivers/dpll/dpll_core.c ++++ b/drivers/dpll/dpll_core.c +@@ -83,10 +83,8 @@ dpll_xa_ref_pin_add(struct xarray *xa_pins, struct dpll_pin *pin, + if (ref->pin != pin) + continue; + reg = dpll_pin_registration_find(ref, ops, priv, cookie); +- if (reg) { +- refcount_inc(&ref->refcount); +- return 0; +- } ++ if (reg) ++ return -EEXIST; + ref_exists = true; + break; + } +@@ -164,10 +162,8 @@ dpll_xa_ref_dpll_add(struct xarray *xa_dplls, struct dpll_device *dpll, + if (ref->dpll != dpll) + continue; + reg = dpll_pin_registration_find(ref, ops, priv, cookie); +- if (reg) { +- refcount_inc(&ref->refcount); +- return 0; +- } ++ if (reg) ++ return -EEXIST; + ref_exists = true; + break; + } +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-6.18/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..7e5530a3c6 --- /dev/null +++ b/queue-6.18/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From 2c3eca168fe0993dfb52a0aafcb10f0b5857c144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index 70499bf50ad47..08ffa79154111 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2273,8 +2273,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2328,16 +2326,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-fix-si_dpm-mmcg_thermal_int-setting.patch b/queue-6.18/drm-amd-pm-fix-si_dpm-mmcg_thermal_int-setting.patch new file mode 100644 index 0000000000..373ba82342 --- /dev/null +++ b/queue-6.18/drm-amd-pm-fix-si_dpm-mmcg_thermal_int-setting.patch @@ -0,0 +1,62 @@ +From 9f4df3c79e428b69e27666257e5f39e447a0fc08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:22 +0100 +Subject: drm/amd/pm: Fix si_dpm mmCG_THERMAL_INT setting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 4ca284c6d15dda481f714e3687a1d5fb70b3bf5c ] + +Use WREG32 to write mmCG_THERMAL_INT. +This is a direct access register. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 2555f4e4a741d31e0496572a8ab4f55941b4e30e) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index 3a9522c17fee3..70499bf50ad47 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -7600,12 +7600,12 @@ static int si_dpm_set_interrupt_state(struct amdgpu_device *adev, + case AMDGPU_IRQ_STATE_DISABLE: + cg_thermal_int = RREG32_SMC(mmCG_THERMAL_INT); + cg_thermal_int |= CG_THERMAL_INT__THERM_INT_MASK_HIGH_MASK; +- WREG32_SMC(mmCG_THERMAL_INT, cg_thermal_int); ++ WREG32(mmCG_THERMAL_INT, cg_thermal_int); + break; + case AMDGPU_IRQ_STATE_ENABLE: + cg_thermal_int = RREG32_SMC(mmCG_THERMAL_INT); + cg_thermal_int &= ~CG_THERMAL_INT__THERM_INT_MASK_HIGH_MASK; +- WREG32_SMC(mmCG_THERMAL_INT, cg_thermal_int); ++ WREG32(mmCG_THERMAL_INT, cg_thermal_int); + break; + default: + break; +@@ -7617,12 +7617,12 @@ static int si_dpm_set_interrupt_state(struct amdgpu_device *adev, + case AMDGPU_IRQ_STATE_DISABLE: + cg_thermal_int = RREG32_SMC(mmCG_THERMAL_INT); + cg_thermal_int |= CG_THERMAL_INT__THERM_INT_MASK_LOW_MASK; +- WREG32_SMC(mmCG_THERMAL_INT, cg_thermal_int); ++ WREG32(mmCG_THERMAL_INT, cg_thermal_int); + break; + case AMDGPU_IRQ_STATE_ENABLE: + cg_thermal_int = RREG32_SMC(mmCG_THERMAL_INT); + cg_thermal_int &= ~CG_THERMAL_INT__THERM_INT_MASK_LOW_MASK; +- WREG32_SMC(mmCG_THERMAL_INT, cg_thermal_int); ++ WREG32(mmCG_THERMAL_INT, cg_thermal_int); + break; + default: + break; +-- +2.51.0 + diff --git a/queue-6.18/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-6.18/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..61bcaa7fb4 --- /dev/null +++ b/queue-6.18/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From 4c1e460ef0a502144db2e2f5cbb48ad3e4a40a02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index 08ffa79154111..a1da3e5812ce3 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2281,6 +2281,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3468,10 +3474,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-6.18/drm-amdgpu-fix-type-for-wptr-in-ring-backup.patch b/queue-6.18/drm-amdgpu-fix-type-for-wptr-in-ring-backup.patch new file mode 100644 index 0000000000..bdf3f2eaa6 --- /dev/null +++ b/queue-6.18/drm-amdgpu-fix-type-for-wptr-in-ring-backup.patch @@ -0,0 +1,39 @@ +From 1121d531b7637cdddfc2243688ce1ca028b1a611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jan 2026 21:45:43 -0500 +Subject: drm/amdgpu: fix type for wptr in ring backup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 095ca815174e51fc0049771712d5455cabd7231e ] + +Needs to be a u64. + +Fixes: 77cc0da39c7c ("drm/amdgpu: track ring state associated with a fence") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit 56fff1941abd3ca3b6f394979614ca7972552f7f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +index 18a7829122d24..89a639044d520 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c +@@ -804,7 +804,7 @@ void amdgpu_fence_save_wptr(struct dma_fence *fence) + } + + static void amdgpu_ring_backup_unprocessed_command(struct amdgpu_ring *ring, +- u64 start_wptr, u32 end_wptr) ++ u64 start_wptr, u64 end_wptr) + { + unsigned int first_idx = start_wptr & ring->buf_mask; + unsigned int last_idx = end_wptr & ring->buf_mask; +-- +2.51.0 + diff --git a/queue-6.18/drm-imagination-wait-for-fw-trace-update-command-com.patch b/queue-6.18/drm-imagination-wait-for-fw-trace-update-command-com.patch new file mode 100644 index 0000000000..c41f67cd23 --- /dev/null +++ b/queue-6.18/drm-imagination-wait-for-fw-trace-update-command-com.patch @@ -0,0 +1,55 @@ +From b566ce28c1522f976c98b086fd1e80ebf92ca652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 04:09:36 +0000 +Subject: drm/imagination: Wait for FW trace update command completion + +From: Brajesh Gupta + +[ Upstream commit 812062e74a3945b575dce89d330b67cb50054a77 ] + +Possibility of no FW trace available after update in the fw_trace_mask due +to asynchronous mode of command consumption in the FW. + +To ensure FW trace is available after update, wait for FW trace log update +command completion from the FW. + +Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") +Signed-off-by: Brajesh Gupta +Reviewed-by: Matt Coster +Link: https://patch.msgid.link/20260108040936.129769-1-brajesh.gupta@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imagination/pvr_fw_trace.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/imagination/pvr_fw_trace.c b/drivers/gpu/drm/imagination/pvr_fw_trace.c +index a1098b5214856..e7f4554510fd4 100644 +--- a/drivers/gpu/drm/imagination/pvr_fw_trace.c ++++ b/drivers/gpu/drm/imagination/pvr_fw_trace.c +@@ -136,6 +136,7 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask) + struct rogue_fwif_kccb_cmd cmd; + int idx; + int err; ++ int slot; + + if (group_mask) + fw_trace->tracebuf_ctrl->log_type = ROGUE_FWIF_LOG_TYPE_TRACE | group_mask; +@@ -153,8 +154,13 @@ update_logtype(struct pvr_device *pvr_dev, u32 group_mask) + cmd.cmd_type = ROGUE_FWIF_KCCB_CMD_LOGTYPE_UPDATE; + cmd.kccb_flags = 0; + +- err = pvr_kccb_send_cmd(pvr_dev, &cmd, NULL); ++ err = pvr_kccb_send_cmd(pvr_dev, &cmd, &slot); ++ if (err) ++ goto err_drm_dev_exit; ++ ++ err = pvr_kccb_wait_for_completion(pvr_dev, slot, HZ, NULL); + ++err_drm_dev_exit: + drm_dev_exit(idx); + + err_up_read: +-- +2.51.0 + diff --git a/queue-6.18/drm-mediatek-dpi-find-next-bridge-during-probe.patch b/queue-6.18/drm-mediatek-dpi-find-next-bridge-during-probe.patch new file mode 100644 index 0000000000..f1ac8ee0d7 --- /dev/null +++ b/queue-6.18/drm-mediatek-dpi-find-next-bridge-during-probe.patch @@ -0,0 +1,114 @@ +From 740526f6b1e45f3d1d50b746f9825637453c6771 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 17:22:42 +0800 +Subject: drm/mediatek: dpi: Find next bridge during probe + +From: Chen-Yu Tsai + +[ Upstream commit 21465e73400dc69a5f732ae7bcc2a58bad673cd1 ] + +Trying to find the next bridge and deferring probe in the bridge attach +callback is much too late. At this point the driver has already finished +probing and is now running the component bind code path. What's even +worse is that in the specific case of the DSI host being the last +component to be added as part of the dsi_host_attach callback, the code +path that this is in: + + -> devm_drm_of_get_bridge() + mtk_dpi_bridge_attach() + drm_bridge_attach() + mtk_dpi_bind() + ... + component_add() + mtk_dsi_host_attach() + anx7625_attach_dsi() + anx7625_link_bridge() + - done_probing callback for of_dp_aux_populate_bus() + of_dp_aux_populate_bus() + anx7625_i2c_probe() + +_cannot_ return probe defer: + + anx7625 4-0058: [drm:anx7625_bridge_attach] drm attach + mediatek-drm mediatek-drm.15.auto: bound 14014000.dsi + (ops mtk_dsi_component_ops) + mediatek-drm mediatek-drm.15.auto: error -EPROBE_DEFER: + failed to attach bridge /soc/dpi@14015000 to encoder TMDS-37 + [drm:mtk_dsi_host_attach] *ERROR* failed to add dsi_host + component: -517 + anx7625 4-0058: [drm:anx7625_link_bridge] *ERROR* fail to attach dsi + to host. + panel-simple-dp-aux aux-4-0058: DP AUX done_probing() can't defer + panel-simple-dp-aux aux-4-0058: probe with driver panel-simple-dp-aux + failed with error -22 + anx7625 4-0058: [drm:anx7625_i2c_probe] probe done + +This results in the whole display driver failing to probe. + +Perhaps this was an attempt to mirror the structure in the DSI driver; +but in the DSI driver the next bridge is retrieved in the DSI attach +callback, not the bridge attach callback. + +Move the code finding the next bridge back to the probe function so that +deferred probing works correctly. Also rework the fallback to the old OF +graph endpoint numbering scheme so that deferred probing logs in both +cases. + +This issue was found on an MT8183 Jacuzzi device with an extra patch +enabling the DPI-based external display pipeline. Also tested on an +MT8192 Hayato device with both DSI and DPI display pipelines enabled. + +Fixes: 4c932840db1d ("drm/mediatek: Implement OF graphs support for display paths") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20260114092243.3914836-1-wenst@chromium.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_dpi.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c +index 61cab32e213af..53360b5d12ba5 100644 +--- a/drivers/gpu/drm/mediatek/mtk_dpi.c ++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c +@@ -836,20 +836,6 @@ static int mtk_dpi_bridge_attach(struct drm_bridge *bridge, + enum drm_bridge_attach_flags flags) + { + struct mtk_dpi *dpi = bridge_to_dpi(bridge); +- int ret; +- +- dpi->next_bridge = devm_drm_of_get_bridge(dpi->dev, dpi->dev->of_node, 1, -1); +- if (IS_ERR(dpi->next_bridge)) { +- ret = PTR_ERR(dpi->next_bridge); +- if (ret == -EPROBE_DEFER) +- return ret; +- +- /* Old devicetree has only one endpoint */ +- dpi->next_bridge = devm_drm_of_get_bridge(dpi->dev, dpi->dev->of_node, 0, 0); +- if (IS_ERR(dpi->next_bridge)) +- return dev_err_probe(dpi->dev, PTR_ERR(dpi->next_bridge), +- "Failed to get bridge\n"); +- } + + return drm_bridge_attach(encoder, dpi->next_bridge, + &dpi->bridge, flags); +@@ -1319,6 +1305,15 @@ static int mtk_dpi_probe(struct platform_device *pdev) + if (dpi->irq < 0) + return dpi->irq; + ++ dpi->next_bridge = devm_drm_of_get_bridge(dpi->dev, dpi->dev->of_node, 1, -1); ++ if (IS_ERR(dpi->next_bridge) && PTR_ERR(dpi->next_bridge) == -ENODEV) { ++ /* Old devicetree has only one endpoint */ ++ dpi->next_bridge = devm_drm_of_get_bridge(dpi->dev, dpi->dev->of_node, 0, 0); ++ } ++ if (IS_ERR(dpi->next_bridge)) ++ return dev_err_probe(dpi->dev, PTR_ERR(dpi->next_bridge), ++ "Failed to get bridge\n"); ++ + platform_set_drvdata(pdev, dpi); + + dpi->bridge.of_node = dev->of_node; +-- +2.51.0 + diff --git a/queue-6.18/drm-nouveau-add-missing-dcb-connector-types.patch b/queue-6.18/drm-nouveau-add-missing-dcb-connector-types.patch new file mode 100644 index 0000000000..b1da1d8aef --- /dev/null +++ b/queue-6.18/drm-nouveau-add-missing-dcb-connector-types.patch @@ -0,0 +1,141 @@ +From 9ba473bf87f124137ce5bbe0942254754a55c587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 19:53:26 -0500 +Subject: drm/nouveau: add missing DCB connector types +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Ramírez + +[ Upstream commit 3036b4ce4b209af690fa776e4616925892caba4c ] + +* Add missing DCB connectors in conn.h as per the NVIDIA DCB specification. + +A lot of connector logic was rewritten for Linux v6.5; some display connector types +went unaccounted-for which caused kernel warnings on devices with the now-unsupported +DCB connectors. This patch adds all of the DCB connectors as defined by NVIDIA to the +dcb_connector_type enum to bring back support for these connectors to the new logic. + +Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info") +Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry +Signed-off-by: Alex Ramírez +Reviewed-by: Lyude Paul +[Lyude: Clarify DCB_CONNECTOR_HDMI_0 weirdness in comments] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251213005327.9495-2-lxrmrz732@gmail.com +Signed-off-by: Sasha Levin +--- + .../nouveau/include/nvkm/subdev/bios/conn.h | 95 +++++++++++++++---- + 1 file changed, 74 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h +index d1beaad0c82b6..834ed6587aa52 100644 +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/bios/conn.h +@@ -1,28 +1,81 @@ + /* SPDX-License-Identifier: MIT */ + #ifndef __NVBIOS_CONN_H__ + #define __NVBIOS_CONN_H__ ++ ++/* ++ * An enumerator representing all of the possible VBIOS connector types defined ++ * by Nvidia at ++ * https://nvidia.github.io/open-gpu-doc/DCB/DCB-4.x-Specification.html. ++ * ++ * [1] Nvidia's documentation actually claims DCB_CONNECTOR_HDMI_0 is a "3-Pin ++ * DIN Stereo Connector". This seems very likely to be a documentation typo ++ * or some sort of funny historical baggage, because we've treated this ++ * connector type as HDMI for years without issue. ++ * TODO: Check with Nvidia what's actually happening here. ++ */ + enum dcb_connector_type { +- DCB_CONNECTOR_VGA = 0x00, +- DCB_CONNECTOR_TV_0 = 0x10, +- DCB_CONNECTOR_TV_1 = 0x11, +- DCB_CONNECTOR_TV_3 = 0x13, +- DCB_CONNECTOR_DVI_I = 0x30, +- DCB_CONNECTOR_DVI_D = 0x31, +- DCB_CONNECTOR_DMS59_0 = 0x38, +- DCB_CONNECTOR_DMS59_1 = 0x39, +- DCB_CONNECTOR_LVDS = 0x40, +- DCB_CONNECTOR_LVDS_SPWG = 0x41, +- DCB_CONNECTOR_DP = 0x46, +- DCB_CONNECTOR_eDP = 0x47, +- DCB_CONNECTOR_mDP = 0x48, +- DCB_CONNECTOR_HDMI_0 = 0x60, +- DCB_CONNECTOR_HDMI_1 = 0x61, +- DCB_CONNECTOR_HDMI_C = 0x63, +- DCB_CONNECTOR_DMS59_DP0 = 0x64, +- DCB_CONNECTOR_DMS59_DP1 = 0x65, +- DCB_CONNECTOR_WFD = 0x70, +- DCB_CONNECTOR_USB_C = 0x71, +- DCB_CONNECTOR_NONE = 0xff ++ /* Analog outputs */ ++ DCB_CONNECTOR_VGA = 0x00, // VGA 15-pin connector ++ DCB_CONNECTOR_DVI_A = 0x01, // DVI-A ++ DCB_CONNECTOR_POD_VGA = 0x02, // Pod - VGA 15-pin connector ++ DCB_CONNECTOR_TV_0 = 0x10, // TV - Composite Out ++ DCB_CONNECTOR_TV_1 = 0x11, // TV - S-Video Out ++ DCB_CONNECTOR_TV_2 = 0x12, // TV - S-Video Breakout - Composite ++ DCB_CONNECTOR_TV_3 = 0x13, // HDTV Component - YPrPb ++ DCB_CONNECTOR_TV_SCART = 0x14, // TV - SCART Connector ++ DCB_CONNECTOR_TV_SCART_D = 0x16, // TV - Composite SCART over D-connector ++ DCB_CONNECTOR_TV_DTERM = 0x17, // HDTV - D-connector (EIAJ4120) ++ DCB_CONNECTOR_POD_TV_3 = 0x18, // Pod - HDTV - YPrPb ++ DCB_CONNECTOR_POD_TV_1 = 0x19, // Pod - S-Video ++ DCB_CONNECTOR_POD_TV_0 = 0x1a, // Pod - Composite ++ ++ /* DVI digital outputs */ ++ DCB_CONNECTOR_DVI_I_TV_1 = 0x20, // DVI-I-TV-S-Video ++ DCB_CONNECTOR_DVI_I_TV_0 = 0x21, // DVI-I-TV-Composite ++ DCB_CONNECTOR_DVI_I_TV_2 = 0x22, // DVI-I-TV-S-Video Breakout-Composite ++ DCB_CONNECTOR_DVI_I = 0x30, // DVI-I ++ DCB_CONNECTOR_DVI_D = 0x31, // DVI-D ++ DCB_CONNECTOR_DVI_ADC = 0x32, // Apple Display Connector (ADC) ++ DCB_CONNECTOR_DMS59_0 = 0x38, // LFH-DVI-I-1 ++ DCB_CONNECTOR_DMS59_1 = 0x39, // LFH-DVI-I-2 ++ DCB_CONNECTOR_BNC = 0x3c, // BNC Connector [for SDI?] ++ ++ /* LVDS / TMDS digital outputs */ ++ DCB_CONNECTOR_LVDS = 0x40, // LVDS-SPWG-Attached [is this name correct?] ++ DCB_CONNECTOR_LVDS_SPWG = 0x41, // LVDS-OEM-Attached (non-removable) ++ DCB_CONNECTOR_LVDS_REM = 0x42, // LVDS-SPWG-Detached [following naming above] ++ DCB_CONNECTOR_LVDS_SPWG_REM = 0x43, // LVDS-OEM-Detached (removable) ++ DCB_CONNECTOR_TMDS = 0x45, // TMDS-OEM-Attached (non-removable) ++ ++ /* DP digital outputs */ ++ DCB_CONNECTOR_DP = 0x46, // DisplayPort External Connector ++ DCB_CONNECTOR_eDP = 0x47, // DisplayPort Internal Connector ++ DCB_CONNECTOR_mDP = 0x48, // DisplayPort (Mini) External Connector ++ ++ /* Dock outputs (not used) */ ++ DCB_CONNECTOR_DOCK_VGA_0 = 0x50, // VGA 15-pin if not docked ++ DCB_CONNECTOR_DOCK_VGA_1 = 0x51, // VGA 15-pin if docked ++ DCB_CONNECTOR_DOCK_DVI_I_0 = 0x52, // DVI-I if not docked ++ DCB_CONNECTOR_DOCK_DVI_I_1 = 0x53, // DVI-I if docked ++ DCB_CONNECTOR_DOCK_DVI_D_0 = 0x54, // DVI-D if not docked ++ DCB_CONNECTOR_DOCK_DVI_D_1 = 0x55, // DVI-D if docked ++ DCB_CONNECTOR_DOCK_DP_0 = 0x56, // DisplayPort if not docked ++ DCB_CONNECTOR_DOCK_DP_1 = 0x57, // DisplayPort if docked ++ DCB_CONNECTOR_DOCK_mDP_0 = 0x58, // DisplayPort (Mini) if not docked ++ DCB_CONNECTOR_DOCK_mDP_1 = 0x59, // DisplayPort (Mini) if docked ++ ++ /* HDMI? digital outputs */ ++ DCB_CONNECTOR_HDMI_0 = 0x60, // HDMI? See [1] in top-level enum comment above ++ DCB_CONNECTOR_HDMI_1 = 0x61, // HDMI-A connector ++ DCB_CONNECTOR_SPDIF = 0x62, // Audio S/PDIF connector ++ DCB_CONNECTOR_HDMI_C = 0x63, // HDMI-C (Mini) connector ++ ++ /* Misc. digital outputs */ ++ DCB_CONNECTOR_DMS59_DP0 = 0x64, // LFH-DP-1 ++ DCB_CONNECTOR_DMS59_DP1 = 0x65, // LFH-DP-2 ++ DCB_CONNECTOR_WFD = 0x70, // Virtual connector for Wifi Display (WFD) ++ DCB_CONNECTOR_USB_C = 0x71, // [DP over USB-C; not present in docs] ++ DCB_CONNECTOR_NONE = 0xff // Skip Entry + }; + + struct nvbios_connT { +-- +2.51.0 + diff --git a/queue-6.18/drm-nouveau-implement-missing-dcb-connector-types-gr.patch b/queue-6.18/drm-nouveau-implement-missing-dcb-connector-types-gr.patch new file mode 100644 index 0000000000..ef880cd8da --- /dev/null +++ b/queue-6.18/drm-nouveau-implement-missing-dcb-connector-types-gr.patch @@ -0,0 +1,122 @@ +From cab04d3dc97aecb2290e88758feb97b2e8b0ab52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 19:53:27 -0500 +Subject: drm/nouveau: implement missing DCB connector types; gracefully handle + unknown connectors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Ramírez + +[ Upstream commit d0bd10792d6cc3725ddee43f03fd6ee234f24844 ] + +* Implement missing DCB connectors in uconn.c previously defined in conn.h. +* Replace kernel WARN_ON macro with printk message to more gracefully signify + an unknown connector was encountered. + +With this patch, unknown connectors are explicitly marked with value 0 +(DCB_CONNECTOR_VGA) to match the tested current behavior. Although 0xff +(DCB_CONNECTOR_NONE) may be more suitable, I don't want to introduce a +breaking change. + +Fixes: 8b7d92cad953 ("drm/nouveau/kms/nv50-: create connectors based on nvkm info") +Link: https://download.nvidia.com/open-gpu-doc/DCB/1/DCB-4.0-Specification.html#_connector_table_entry +Signed-off-by: Alex Ramírez +Reviewed-by: Lyude Paul +[Lyude: Remove unneeded parenthesis around nvkm_warn()] +Signed-off-by: Lyude Paul +Link: https://patch.msgid.link/20251213005327.9495-3-lxrmrz732@gmail.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 73 ++++++++++++++----- + 1 file changed, 53 insertions(+), 20 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +index 2dab6612c4fc8..23d1e5c27bb1e 100644 +--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c +@@ -191,27 +191,60 @@ nvkm_uconn_new(const struct nvkm_oclass *oclass, void *argv, u32 argc, struct nv + spin_lock(&disp->client.lock); + if (!conn->object.func) { + switch (conn->info.type) { +- case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break; +- case DCB_CONNECTOR_TV_0 : +- case DCB_CONNECTOR_TV_1 : +- case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break; +- case DCB_CONNECTOR_DMS59_0 : +- case DCB_CONNECTOR_DMS59_1 : +- case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break; +- case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break; +- case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break; +- case DCB_CONNECTOR_LVDS_SPWG: args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break; +- case DCB_CONNECTOR_DMS59_DP0: +- case DCB_CONNECTOR_DMS59_DP1: +- case DCB_CONNECTOR_DP : +- case DCB_CONNECTOR_mDP : +- case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break; +- case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break; +- case DCB_CONNECTOR_HDMI_0 : +- case DCB_CONNECTOR_HDMI_1 : +- case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break; ++ /* VGA */ ++ case DCB_CONNECTOR_DVI_A : ++ case DCB_CONNECTOR_POD_VGA : ++ case DCB_CONNECTOR_VGA : args->v0.type = NVIF_CONN_V0_VGA; break; ++ ++ /* TV */ ++ case DCB_CONNECTOR_TV_0 : ++ case DCB_CONNECTOR_TV_1 : ++ case DCB_CONNECTOR_TV_2 : ++ case DCB_CONNECTOR_TV_SCART : ++ case DCB_CONNECTOR_TV_SCART_D : ++ case DCB_CONNECTOR_TV_DTERM : ++ case DCB_CONNECTOR_POD_TV_3 : ++ case DCB_CONNECTOR_POD_TV_1 : ++ case DCB_CONNECTOR_POD_TV_0 : ++ case DCB_CONNECTOR_TV_3 : args->v0.type = NVIF_CONN_V0_TV; break; ++ ++ /* DVI */ ++ case DCB_CONNECTOR_DVI_I_TV_1 : ++ case DCB_CONNECTOR_DVI_I_TV_0 : ++ case DCB_CONNECTOR_DVI_I_TV_2 : ++ case DCB_CONNECTOR_DVI_ADC : ++ case DCB_CONNECTOR_DMS59_0 : ++ case DCB_CONNECTOR_DMS59_1 : ++ case DCB_CONNECTOR_DVI_I : args->v0.type = NVIF_CONN_V0_DVI_I; break; ++ case DCB_CONNECTOR_TMDS : ++ case DCB_CONNECTOR_DVI_D : args->v0.type = NVIF_CONN_V0_DVI_D; break; ++ ++ /* LVDS */ ++ case DCB_CONNECTOR_LVDS : args->v0.type = NVIF_CONN_V0_LVDS; break; ++ case DCB_CONNECTOR_LVDS_SPWG : args->v0.type = NVIF_CONN_V0_LVDS_SPWG; break; ++ ++ /* DP */ ++ case DCB_CONNECTOR_DMS59_DP0 : ++ case DCB_CONNECTOR_DMS59_DP1 : ++ case DCB_CONNECTOR_DP : ++ case DCB_CONNECTOR_mDP : ++ case DCB_CONNECTOR_USB_C : args->v0.type = NVIF_CONN_V0_DP; break; ++ case DCB_CONNECTOR_eDP : args->v0.type = NVIF_CONN_V0_EDP; break; ++ ++ /* HDMI */ ++ case DCB_CONNECTOR_HDMI_0 : ++ case DCB_CONNECTOR_HDMI_1 : ++ case DCB_CONNECTOR_HDMI_C : args->v0.type = NVIF_CONN_V0_HDMI; break; ++ ++ /* ++ * Dock & unused outputs. ++ * BNC, SPDIF, WFD, and detached LVDS go here. ++ */ + default: +- WARN_ON(1); ++ nvkm_warn(&disp->engine.subdev, ++ "unimplemented connector type 0x%02x\n", ++ conn->info.type); ++ args->v0.type = NVIF_CONN_V0_VGA; + ret = -EINVAL; + break; + } +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-disable-timestamp-wa-on-vfs.patch b/queue-6.18/drm-xe-disable-timestamp-wa-on-vfs.patch new file mode 100644 index 0000000000..91b4d69663 --- /dev/null +++ b/queue-6.18/drm-xe-disable-timestamp-wa-on-vfs.patch @@ -0,0 +1,46 @@ +From 4138416e1bda74675d2cc022874630e33df9c71c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 17:27:38 -0800 +Subject: drm/xe: Disable timestamp WA on VFs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Brost + +[ Upstream commit b886aa65eafe3098bbd691f0ca4a9abce03f9d03 ] + +The timestamp WA does not work on a VF because it requires reading MMIO +registers, which are inaccessible on a VF. This timestamp WA confuses +LRC sampling on a VF during TDR, as the LRC timestamp would always read +as 1 for any active context. Disable the timestamp WA on VFs to avoid +this confusion. + +Signed-off-by: Matthew Brost +Reviewed-by: Umesh Nerlige Ramappa +Fixes: 617d824c5323 ("drm/xe: Add WA BB to capture active context utilization") +Link: https://patch.msgid.link/20260110012739.2888434-7-matthew.brost@intel.com +(cherry picked from commit efffd56e4bd894e0935eea00e437f233b6cebc0d) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_lrc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c +index 47e9df7750725..d77ef556e994e 100644 +--- a/drivers/gpu/drm/xe/xe_lrc.c ++++ b/drivers/gpu/drm/xe/xe_lrc.c +@@ -1050,6 +1050,9 @@ static ssize_t setup_utilization_wa(struct xe_lrc *lrc, + { + u32 *cmd = batch; + ++ if (IS_SRIOV_VF(gt_to_xe(lrc->gt))) ++ return 0; ++ + if (xe_gt_WARN_ON(lrc->gt, max_len < 12)) + return -ENOSPC; + +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-migrate-fix-job-lock-assert.patch b/queue-6.18/drm-xe-migrate-fix-job-lock-assert.patch new file mode 100644 index 0000000000..95dc95a3fb --- /dev/null +++ b/queue-6.18/drm-xe-migrate-fix-job-lock-assert.patch @@ -0,0 +1,58 @@ +From 3dc9ebc264f31ea18d766a282bee80b8a28d39e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:06:11 +0000 +Subject: drm/xe/migrate: fix job lock assert +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +[ Upstream commit 772157f626d0e1a7c6d49dffb0bbe4b2343a1d44 ] + +We are meant to be checking the user vm for the bind queue, but actually +we are checking the migrate vm. For various reasons this is not +currently firing but this will likely change in the future. + +Now that we have the user_vm attached to the bind queue, we can fix this +by directly checking that here. + +Fixes: dba89840a920 ("drm/xe: Add GT TLB invalidation jobs") +Signed-off-by: Matthew Auld +Cc: Thomas Hellström +Cc: Matthew Brost +Reviewed-by: Matthew Brost +Reviewed-by: Arvind Yadav +Link: https://patch.msgid.link/20260120110609.77958-4-matthew.auld@intel.com +(cherry picked from commit 9dd1048bca4fe2aa67c7a286bafb3947537adedb) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_migrate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c +index 3acdcbf41887f..b6905f35d6c81 100644 +--- a/drivers/gpu/drm/xe/xe_migrate.c ++++ b/drivers/gpu/drm/xe/xe_migrate.c +@@ -2182,7 +2182,7 @@ void xe_migrate_job_lock(struct xe_migrate *m, struct xe_exec_queue *q) + if (is_migrate) + mutex_lock(&m->job_mutex); + else +- xe_vm_assert_held(q->vm); /* User queues VM's should be locked */ ++ xe_vm_assert_held(q->user_vm); /* User queues VM's should be locked */ + } + + /** +@@ -2200,7 +2200,7 @@ void xe_migrate_job_unlock(struct xe_migrate *m, struct xe_exec_queue *q) + if (is_migrate) + mutex_unlock(&m->job_mutex); + else +- xe_vm_assert_held(q->vm); /* User queues VM's should be locked */ ++ xe_vm_assert_held(q->user_vm); /* User queues VM's should be locked */ + } + + #if IS_ENABLED(CONFIG_DRM_XE_KUNIT_TEST) +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-pm-add-scope-based-cleanup-helper-for-runtime.patch b/queue-6.18/drm-xe-pm-add-scope-based-cleanup-helper-for-runtime.patch new file mode 100644 index 0000000000..2249fab963 --- /dev/null +++ b/queue-6.18/drm-xe-pm-add-scope-based-cleanup-helper-for-runtime.patch @@ -0,0 +1,145 @@ +From f36ba3fe4df96389283796162520dcd5c3694a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Nov 2025 08:43:41 -0800 +Subject: drm/xe/pm: Add scope-based cleanup helper for runtime PM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matt Roper + +[ Upstream commit 50a59230fa63989d59253622a8dd6386cca0db07 ] + +Add a scope-based helpers for runtime PM that may be used to simplify +cleanup logic and potentially avoid goto-based cleanup. + +For example, using + + guard(xe_pm_runtime)(xe); + +will get runtime PM and cause a corresponding put to occur automatically +when the current scope is exited. 'xe_pm_runtime_noresume' can be used +as a guard replacement for the corresponding 'noresume' variant. +There's also an xe_pm_runtime_ioctl conditional guard that can be used +as a replacement for xe_runtime_ioctl(): + + ACQUIRE(xe_pm_runtime_ioctl, pm)(xe); + if ((ret = ACQUIRE_ERR(xe_pm_runtime_ioctl, &pm)) < 0) + /* failed */ + +In a few rare cases (such as gt_reset_worker()) we need to ensure that +runtime PM is dropped when the function is exited by any means +(including error paths), but the function does not need to acquire +runtime PM because that has already been done earlier by a different +function. For these special cases, an 'xe_pm_runtime_release_only' +guard can be used to handle the release without doing an acquisition. + +These guards will be used in future patches to eliminate some of our +goto-based cleanup. + +v2: + - Specify success condition for xe_pm runtime_ioctl as _RET >= 0 so + that positive values will be properly identified as success and + trigger destructor cleanup properly. + +v3: + - Add comments to the kerneldoc for the existing 'get' functions + indicating that scope-based handling should be preferred where + possible. (Gustavo) + +Cc: Gustavo Sousa +Reviewed-by: Michal Wajdeczko +Reviewed-by: Gustavo Sousa +Link: https://patch.msgid.link/20251118164338.3572146-31-matthew.d.roper@intel.com +Signed-off-by: Matt Roper +(cherry picked from commit 59e7528dbfd52efbed05e0f11b2143217a12bc74) +Signed-off-by: Thomas Hellström +Stable-dep-of: f262015b9797 ("drm/xe: Update wedged.mode only after successful reset policy change") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_pm.c | 21 +++++++++++++++++++++ + drivers/gpu/drm/xe/xe_pm.h | 17 +++++++++++++++++ + 2 files changed, 38 insertions(+) + +diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c +index 2c5a44377994b..a58bf004aee73 100644 +--- a/drivers/gpu/drm/xe/xe_pm.c ++++ b/drivers/gpu/drm/xe/xe_pm.c +@@ -660,6 +660,13 @@ static void xe_pm_runtime_lockdep_prime(void) + /** + * xe_pm_runtime_get - Get a runtime_pm reference and resume synchronously + * @xe: xe device instance ++ * ++ * When possible, scope-based runtime PM (through guard(xe_pm_runtime)) is ++ * be preferred over direct usage of this function. Manual get/put handling ++ * should only be used when the function contains goto-based logic which ++ * can break scope-based handling, or when the lifetime of the runtime PM ++ * reference does not match a specific scope (e.g., runtime PM obtained in one ++ * function and released in a different one). + */ + void xe_pm_runtime_get(struct xe_device *xe) + { +@@ -692,6 +699,13 @@ void xe_pm_runtime_put(struct xe_device *xe) + * xe_pm_runtime_get_ioctl - Get a runtime_pm reference before ioctl + * @xe: xe device instance + * ++ * When possible, scope-based runtime PM (through ++ * ACQUIRE(xe_pm_runtime_ioctl, ...)) is be preferred over direct usage of this ++ * function. Manual get/put handling should only be used when the function ++ * contains goto-based logic which can break scope-based handling, or when the ++ * lifetime of the runtime PM reference does not match a specific scope (e.g., ++ * runtime PM obtained in one function and released in a different one). ++ * + * Returns: Any number greater than or equal to 0 for success, negative error + * code otherwise. + */ +@@ -761,6 +775,13 @@ static bool xe_pm_suspending_or_resuming(struct xe_device *xe) + * It will warn if not protected. + * The reference should be put back after this function regardless, since it + * will always bump the usage counter, regardless. ++ * ++ * When possible, scope-based runtime PM (through guard(xe_pm_runtime_noresume)) ++ * is be preferred over direct usage of this function. Manual get/put handling ++ * should only be used when the function contains goto-based logic which can ++ * break scope-based handling, or when the lifetime of the runtime PM reference ++ * does not match a specific scope (e.g., runtime PM obtained in one function ++ * and released in a different one). + */ + void xe_pm_runtime_get_noresume(struct xe_device *xe) + { +diff --git a/drivers/gpu/drm/xe/xe_pm.h b/drivers/gpu/drm/xe/xe_pm.h +index 59678b310e55f..e8005775be39e 100644 +--- a/drivers/gpu/drm/xe/xe_pm.h ++++ b/drivers/gpu/drm/xe/xe_pm.h +@@ -6,6 +6,7 @@ + #ifndef _XE_PM_H_ + #define _XE_PM_H_ + ++#include + #include + + #define DEFAULT_VRAM_THRESHOLD 300 /* in MB */ +@@ -35,4 +36,20 @@ bool xe_rpm_reclaim_safe(const struct xe_device *xe); + struct task_struct *xe_pm_read_callback_task(struct xe_device *xe); + int xe_pm_module_init(void); + ++static inline void __xe_pm_runtime_noop(struct xe_device *xe) {} ++ ++DEFINE_GUARD(xe_pm_runtime, struct xe_device *, ++ xe_pm_runtime_get(_T), xe_pm_runtime_put(_T)) ++DEFINE_GUARD(xe_pm_runtime_noresume, struct xe_device *, ++ xe_pm_runtime_get_noresume(_T), xe_pm_runtime_put(_T)) ++DEFINE_GUARD_COND(xe_pm_runtime, _ioctl, xe_pm_runtime_get_ioctl(_T), _RET >= 0) ++ ++/* ++ * Used when a function needs to release runtime PM in all possible cases ++ * and error paths, but the wakeref was already acquired by a different ++ * function (i.e., get() has already happened so only a put() is needed). ++ */ ++DEFINE_GUARD(xe_pm_runtime_release_only, struct xe_device *, ++ __xe_pm_runtime_noop(_T), xe_pm_runtime_put(_T)); ++ + #endif +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-uapi-disallow-bind-queue-sharing.patch b/queue-6.18/drm-xe-uapi-disallow-bind-queue-sharing.patch new file mode 100644 index 0000000000..54786ddd71 --- /dev/null +++ b/queue-6.18/drm-xe-uapi-disallow-bind-queue-sharing.patch @@ -0,0 +1,215 @@ +From 114467d1a8bae4d19171355bab087d0f6fb904eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:06:10 +0000 +Subject: drm/xe/uapi: disallow bind queue sharing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +[ Upstream commit 6f4b7aed61817624250e590ba0ef304146d34614 ] + +Currently this is very broken if someone attempts to create a bind +queue and share it across multiple VMs. For example currently we assume +it is safe to acquire the user VM lock to protect some of the bind queue +state, but if allow sharing the bind queue with multiple VMs then this +quickly breaks down. + +To fix this reject using a bind queue with any VM that is not the same +VM that was originally passed when creating the bind queue. This a uAPI +change, however this was more of an oversight on kernel side that we +didn't reject this, and expectation is that userspace shouldn't be using +bind queues in this way, so in theory this change should go unnoticed. + +Based on a patch from Matt Brost. + +v2 (Matt B): + - Hold the vm lock over queue create, to ensure it can't be closed as + we attach the user_vm to the queue. + - Make sure we actually check for NULL user_vm in destruction path. +v3: + - Fix error path handling. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Reported-by: Thomas Hellström +Signed-off-by: Matthew Auld +Cc: José Roberto de Souza +Cc: Matthew Brost +Cc: Michal Mrozek +Cc: Carl Zhang +Cc: # v6.8+ +Acked-by: José Roberto de Souza +Reviewed-by: Matthew Brost +Reviewed-by: Arvind Yadav +Acked-by: Michal Mrozek +Link: https://patch.msgid.link/20260120110609.77958-3-matthew.auld@intel.com +(cherry picked from commit 9dd08fdecc0c98d6516c2d2d1fa189c1332f8dab) +Signed-off-by: Thomas Hellström +Stable-dep-of: 772157f626d0 ("drm/xe/migrate: fix job lock assert") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_exec_queue.c | 32 +++++++++++++++++++++++- + drivers/gpu/drm/xe/xe_exec_queue.h | 1 + + drivers/gpu/drm/xe/xe_exec_queue_types.h | 6 +++++ + drivers/gpu/drm/xe/xe_sriov_vf_ccs.c | 2 +- + drivers/gpu/drm/xe/xe_vm.c | 7 +++++- + 5 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c +index cb5f204c08ed6..231d1fbe5eefa 100644 +--- a/drivers/gpu/drm/xe/xe_exec_queue.c ++++ b/drivers/gpu/drm/xe/xe_exec_queue.c +@@ -284,6 +284,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe + * @xe: Xe device. + * @tile: tile which bind exec queue belongs to. + * @flags: exec queue creation flags ++ * @user_vm: The user VM which this exec queue belongs to + * @extensions: exec queue creation extensions + * + * Normalize bind exec queue creation. Bind exec queue is tied to migration VM +@@ -297,6 +298,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe + */ + struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, + struct xe_tile *tile, ++ struct xe_vm *user_vm, + u32 flags, u64 extensions) + { + struct xe_gt *gt = tile->primary_gt; +@@ -333,6 +335,9 @@ struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, + xe_exec_queue_put(q); + return ERR_PTR(err); + } ++ ++ if (user_vm) ++ q->user_vm = xe_vm_get(user_vm); + } + + return q; +@@ -357,6 +362,11 @@ void xe_exec_queue_destroy(struct kref *ref) + xe_exec_queue_put(eq); + } + ++ if (q->user_vm) { ++ xe_vm_put(q->user_vm); ++ q->user_vm = NULL; ++ } ++ + q->ops->destroy(q); + } + +@@ -692,6 +702,22 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, + XE_IOCTL_DBG(xe, eci[0].engine_instance != 0)) + return -EINVAL; + ++ vm = xe_vm_lookup(xef, args->vm_id); ++ if (XE_IOCTL_DBG(xe, !vm)) ++ return -ENOENT; ++ ++ err = down_read_interruptible(&vm->lock); ++ if (err) { ++ xe_vm_put(vm); ++ return err; ++ } ++ ++ if (XE_IOCTL_DBG(xe, xe_vm_is_closed_or_banned(vm))) { ++ up_read(&vm->lock); ++ xe_vm_put(vm); ++ return -ENOENT; ++ } ++ + for_each_tile(tile, xe, id) { + struct xe_exec_queue *new; + +@@ -699,9 +725,11 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, + if (id) + flags |= EXEC_QUEUE_FLAG_BIND_ENGINE_CHILD; + +- new = xe_exec_queue_create_bind(xe, tile, flags, ++ new = xe_exec_queue_create_bind(xe, tile, vm, flags, + args->extensions); + if (IS_ERR(new)) { ++ up_read(&vm->lock); ++ xe_vm_put(vm); + err = PTR_ERR(new); + if (q) + goto put_exec_queue; +@@ -713,6 +741,8 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data, + list_add_tail(&new->multi_gt_list, + &q->multi_gt_link); + } ++ up_read(&vm->lock); ++ xe_vm_put(vm); + } else { + logical_mask = calc_validate_logical_mask(xe, eci, + args->width, +diff --git a/drivers/gpu/drm/xe/xe_exec_queue.h b/drivers/gpu/drm/xe/xe_exec_queue.h +index 15ec852e7f7e7..5343c1b8cab54 100644 +--- a/drivers/gpu/drm/xe/xe_exec_queue.h ++++ b/drivers/gpu/drm/xe/xe_exec_queue.h +@@ -24,6 +24,7 @@ struct xe_exec_queue *xe_exec_queue_create_class(struct xe_device *xe, struct xe + u32 flags, u64 extensions); + struct xe_exec_queue *xe_exec_queue_create_bind(struct xe_device *xe, + struct xe_tile *tile, ++ struct xe_vm *user_vm, + u32 flags, u64 extensions); + + void xe_exec_queue_fini(struct xe_exec_queue *q); +diff --git a/drivers/gpu/drm/xe/xe_exec_queue_types.h b/drivers/gpu/drm/xe/xe_exec_queue_types.h +index df1c69dc81f17..38906cb7608ca 100644 +--- a/drivers/gpu/drm/xe/xe_exec_queue_types.h ++++ b/drivers/gpu/drm/xe/xe_exec_queue_types.h +@@ -54,6 +54,12 @@ struct xe_exec_queue { + struct kref refcount; + /** @vm: VM (address space) for this exec queue */ + struct xe_vm *vm; ++ /** ++ * @user_vm: User VM (address space) for this exec queue (bind queues ++ * only) ++ */ ++ struct xe_vm *user_vm; ++ + /** @class: class of this exec queue */ + enum xe_engine_class class; + /** +diff --git a/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c b/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c +index 8dec616c37c98..739a3eb180b53 100644 +--- a/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c ++++ b/drivers/gpu/drm/xe/xe_sriov_vf_ccs.c +@@ -276,7 +276,7 @@ int xe_sriov_vf_ccs_init(struct xe_device *xe) + flags = EXEC_QUEUE_FLAG_KERNEL | + EXEC_QUEUE_FLAG_PERMANENT | + EXEC_QUEUE_FLAG_MIGRATE; +- q = xe_exec_queue_create_bind(xe, tile, flags, 0); ++ q = xe_exec_queue_create_bind(xe, tile, NULL, flags, 0); + if (IS_ERR(q)) { + err = PTR_ERR(q); + goto err_ret; +diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c +index 747aa8cff60d4..145cd9ffa36b3 100644 +--- a/drivers/gpu/drm/xe/xe_vm.c ++++ b/drivers/gpu/drm/xe/xe_vm.c +@@ -1590,7 +1590,7 @@ struct xe_vm *xe_vm_create(struct xe_device *xe, u32 flags, struct xe_file *xef) + if (!vm->pt_root[id]) + continue; + +- q = xe_exec_queue_create_bind(xe, tile, create_flags, 0); ++ q = xe_exec_queue_create_bind(xe, tile, vm, create_flags, 0); + if (IS_ERR(q)) { + err = PTR_ERR(q); + goto err_close; +@@ -3536,6 +3536,11 @@ int xe_vm_bind_ioctl(struct drm_device *dev, void *data, struct drm_file *file) + } + } + ++ if (XE_IOCTL_DBG(xe, q && vm != q->user_vm)) { ++ err = -EINVAL; ++ goto put_exec_queue; ++ } ++ + /* Ensure all UNMAPs visible */ + xe_svm_flush(vm); + +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-update-wedged.mode-only-after-successful-rese.patch b/queue-6.18/drm-xe-update-wedged.mode-only-after-successful-rese.patch new file mode 100644 index 0000000000..0357513dbd --- /dev/null +++ b/queue-6.18/drm-xe-update-wedged.mode-only-after-successful-rese.patch @@ -0,0 +1,250 @@ +From dad6e99cbc51a24ff332132089325851b570e3c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:33:04 +0100 +Subject: drm/xe: Update wedged.mode only after successful reset policy change +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukasz Laguna + +[ Upstream commit f262015b9797effdec15e8a81c81b2158ede9578 ] + +Previously, the driver's internal wedged.mode state was updated without +verifying whether the corresponding engine reset policy update in GuC +succeeded. This could leave the driver reporting a wedged.mode state +that doesn't match the actual reset behavior programmed in GuC. + +With this change, the reset policy is updated first, and the driver's +wedged.mode state is modified only if the policy update succeeds on all +available GTs. + +This patch also introduces two functional improvements: + + - The policy is sent to GuC only when a change is required. An update + is needed only when entering or leaving XE_WEDGED_MODE_UPON_ANY_HANG, + because only in that case the reset policy changes. For example, + switching between XE_WEDGED_MODE_UPON_CRITICAL_ERROR and + XE_WEDGED_MODE_NEVER doesn't affect the reset policy, so there is no + need to send the same value to GuC. + + - An inconsistent_reset flag is added to track cases where reset policy + update succeeds only on a subset of GTs. If such inconsistency is + detected, future wedged mode configuration will force a retry of the + reset policy update to restore a consistent state across all GTs. + +Fixes: 6b8ef44cc0a9 ("drm/xe: Introduce the wedged_mode debugfs") +Signed-off-by: Lukasz Laguna +Link: https://patch.msgid.link/20260107174741.29163-3-lukasz.laguna@intel.com +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +(cherry picked from commit 0f13dead4e0385859f5c9c3625a19df116b389d3) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_debugfs.c | 72 ++++++++++++++++++++++------ + drivers/gpu/drm/xe/xe_device_types.h | 18 +++++++ + drivers/gpu/drm/xe/xe_guc_ads.c | 14 +++--- + drivers/gpu/drm/xe/xe_guc_ads.h | 5 +- + 4 files changed, 87 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/xe/xe_debugfs.c b/drivers/gpu/drm/xe/xe_debugfs.c +index cd977dbd1ef63..7b48bf90cab8f 100644 +--- a/drivers/gpu/drm/xe/xe_debugfs.c ++++ b/drivers/gpu/drm/xe/xe_debugfs.c +@@ -255,14 +255,64 @@ static ssize_t wedged_mode_show(struct file *f, char __user *ubuf, + return simple_read_from_buffer(ubuf, size, pos, buf, len); + } + ++static int __wedged_mode_set_reset_policy(struct xe_gt *gt, enum xe_wedged_mode mode) ++{ ++ bool enable_engine_reset; ++ int ret; ++ ++ enable_engine_reset = (mode != XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET); ++ ret = xe_guc_ads_scheduler_policy_toggle_reset(>->uc.guc.ads, ++ enable_engine_reset); ++ if (ret) ++ xe_gt_err(gt, "Failed to update GuC ADS scheduler policy (%pe)\n", ERR_PTR(ret)); ++ ++ return ret; ++} ++ ++static int wedged_mode_set_reset_policy(struct xe_device *xe, enum xe_wedged_mode mode) ++{ ++ struct xe_gt *gt; ++ int ret; ++ u8 id; ++ ++ guard(xe_pm_runtime)(xe); ++ for_each_gt(gt, xe, id) { ++ ret = __wedged_mode_set_reset_policy(gt, mode); ++ if (ret) { ++ if (id > 0) { ++ xe->wedged.inconsistent_reset = true; ++ drm_err(&xe->drm, "Inconsistent reset policy state between GTs\n"); ++ } ++ return ret; ++ } ++ } ++ ++ xe->wedged.inconsistent_reset = false; ++ ++ return 0; ++} ++ ++static bool wedged_mode_needs_policy_update(struct xe_device *xe, enum xe_wedged_mode mode) ++{ ++ if (xe->wedged.inconsistent_reset) ++ return true; ++ ++ if (xe->wedged.mode == mode) ++ return false; ++ ++ if (xe->wedged.mode == XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET || ++ mode == XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET) ++ return true; ++ ++ return false; ++} ++ + static ssize_t wedged_mode_set(struct file *f, const char __user *ubuf, + size_t size, loff_t *pos) + { + struct xe_device *xe = file_inode(f)->i_private; +- struct xe_gt *gt; + u32 wedged_mode; + ssize_t ret; +- u8 id; + + ret = kstrtouint_from_user(ubuf, size, 0, &wedged_mode); + if (ret) +@@ -271,22 +321,14 @@ static ssize_t wedged_mode_set(struct file *f, const char __user *ubuf, + if (wedged_mode > 2) + return -EINVAL; + +- if (xe->wedged.mode == wedged_mode) +- return size; ++ if (wedged_mode_needs_policy_update(xe, wedged_mode)) { ++ ret = wedged_mode_set_reset_policy(xe, wedged_mode); ++ if (ret) ++ return ret; ++ } + + xe->wedged.mode = wedged_mode; + +- xe_pm_runtime_get(xe); +- for_each_gt(gt, xe, id) { +- ret = xe_guc_ads_scheduler_policy_toggle_reset(>->uc.guc.ads); +- if (ret) { +- xe_gt_err(gt, "Failed to update GuC ADS scheduler policy. GuC may still cause engine reset even with wedged_mode=2\n"); +- xe_pm_runtime_put(xe); +- return -EIO; +- } +- } +- xe_pm_runtime_put(xe); +- + return size; + } + +diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h +index 74d7af830b85d..0e80f2940c996 100644 +--- a/drivers/gpu/drm/xe/xe_device_types.h ++++ b/drivers/gpu/drm/xe/xe_device_types.h +@@ -42,6 +42,22 @@ struct xe_pat_ops; + struct xe_pxp; + struct xe_vram_region; + ++/** ++ * enum xe_wedged_mode - possible wedged modes ++ * @XE_WEDGED_MODE_NEVER: Device will never be declared wedged. ++ * @XE_WEDGED_MODE_UPON_CRITICAL_ERROR: Device will be declared wedged only ++ * when critical error occurs like GT reset failure or firmware failure. ++ * This is the default mode. ++ * @XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET: Device will be declared wedged on ++ * any hang. In this mode, engine resets are disabled to avoid automatic ++ * recovery attempts. This mode is primarily intended for debugging hangs. ++ */ ++enum xe_wedged_mode { ++ XE_WEDGED_MODE_NEVER = 0, ++ XE_WEDGED_MODE_UPON_CRITICAL_ERROR = 1, ++ XE_WEDGED_MODE_UPON_ANY_HANG_NO_RESET = 2, ++}; ++ + #define XE_BO_INVALID_OFFSET LONG_MAX + + #define GRAPHICS_VER(xe) ((xe)->info.graphics_verx100 / 100) +@@ -556,6 +572,8 @@ struct xe_device { + int mode; + /** @wedged.method: Recovery method to be sent in the drm device wedged uevent */ + unsigned long method; ++ /** @wedged.inconsistent_reset: Inconsistent reset policy state between GTs */ ++ bool inconsistent_reset; + } wedged; + + /** @bo_device: Struct to control async free of BOs */ +diff --git a/drivers/gpu/drm/xe/xe_guc_ads.c b/drivers/gpu/drm/xe/xe_guc_ads.c +index 58e0b0294a5bc..0e2bece1d8b83 100644 +--- a/drivers/gpu/drm/xe/xe_guc_ads.c ++++ b/drivers/gpu/drm/xe/xe_guc_ads.c +@@ -979,16 +979,17 @@ static int guc_ads_action_update_policies(struct xe_guc_ads *ads, u32 policy_off + /** + * xe_guc_ads_scheduler_policy_toggle_reset - Toggle reset policy + * @ads: Additional data structures object ++ * @enable_engine_reset: true to enable engine resets, false otherwise + * +- * This function update the GuC's engine reset policy based on wedged.mode. ++ * This function update the GuC's engine reset policy. + * + * Return: 0 on success, and negative error code otherwise. + */ +-int xe_guc_ads_scheduler_policy_toggle_reset(struct xe_guc_ads *ads) ++int xe_guc_ads_scheduler_policy_toggle_reset(struct xe_guc_ads *ads, ++ bool enable_engine_reset) + { + struct guc_policies *policies; + struct xe_guc *guc = ads_to_guc(ads); +- struct xe_device *xe = ads_to_xe(ads); + CLASS(xe_guc_buf, buf)(&guc->buf, sizeof(*policies)); + + if (!xe_guc_buf_is_valid(buf)) +@@ -1000,10 +1001,11 @@ int xe_guc_ads_scheduler_policy_toggle_reset(struct xe_guc_ads *ads) + policies->dpc_promote_time = ads_blob_read(ads, policies.dpc_promote_time); + policies->max_num_work_items = ads_blob_read(ads, policies.max_num_work_items); + policies->is_valid = 1; +- if (xe->wedged.mode == 2) +- policies->global_flags |= GLOBAL_POLICY_DISABLE_ENGINE_RESET; +- else ++ ++ if (enable_engine_reset) + policies->global_flags &= ~GLOBAL_POLICY_DISABLE_ENGINE_RESET; ++ else ++ policies->global_flags |= GLOBAL_POLICY_DISABLE_ENGINE_RESET; + + return guc_ads_action_update_policies(ads, xe_guc_buf_flush(buf)); + } +diff --git a/drivers/gpu/drm/xe/xe_guc_ads.h b/drivers/gpu/drm/xe/xe_guc_ads.h +index 2e6674c760ff9..7a39f361cb17d 100644 +--- a/drivers/gpu/drm/xe/xe_guc_ads.h ++++ b/drivers/gpu/drm/xe/xe_guc_ads.h +@@ -6,6 +6,8 @@ + #ifndef _XE_GUC_ADS_H_ + #define _XE_GUC_ADS_H_ + ++#include ++ + struct xe_guc_ads; + + int xe_guc_ads_init(struct xe_guc_ads *ads); +@@ -13,6 +15,7 @@ int xe_guc_ads_init_post_hwconfig(struct xe_guc_ads *ads); + void xe_guc_ads_populate(struct xe_guc_ads *ads); + void xe_guc_ads_populate_minimal(struct xe_guc_ads *ads); + void xe_guc_ads_populate_post_load(struct xe_guc_ads *ads); +-int xe_guc_ads_scheduler_policy_toggle_reset(struct xe_guc_ads *ads); ++int xe_guc_ads_scheduler_policy_toggle_reset(struct xe_guc_ads *ads, ++ bool enable_engine_reset); + + #endif +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-vm-fix-xe_vm_validation_exec-kernel-doc.patch b/queue-6.18/drm-xe-vm-fix-xe_vm_validation_exec-kernel-doc.patch new file mode 100644 index 0000000000..23a07de196 --- /dev/null +++ b/queue-6.18/drm-xe-vm-fix-xe_vm_validation_exec-kernel-doc.patch @@ -0,0 +1,47 @@ +From 040836ac9d7e83b087cd8f42b939448550cf2beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:54:00 +0200 +Subject: drm/xe/vm: fix xe_vm_validation_exec() kernel-doc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit 47bf28e22a121b807a9a9680c4209846a78a98a6 ] + +Fix kernel-doc warnings on xe_vm_validation_exec(): + +Warning: ../drivers/gpu/drm/xe/xe_vm.h:392 expecting prototype for + xe_vm_set_validation_exec(). Prototype was for xe_vm_validation_exec() + instead + +Fixes: 0131514f9789 ("drm/xe: Pass down drm_exec context to validation") +Cc: Thomas Hellström +Cc: Matthew Brost +Reviewed-by: Matt Roper +Link: https://patch.msgid.link/20260107155401.2379127-4-jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit b3a7767989e6519127ac5e0cde682c50ad587f3b) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_vm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_vm.h b/drivers/gpu/drm/xe/xe_vm.h +index ef8a5019574e6..016f6786134cb 100644 +--- a/drivers/gpu/drm/xe/xe_vm.h ++++ b/drivers/gpu/drm/xe/xe_vm.h +@@ -379,7 +379,7 @@ static inline void xe_vm_set_validation_exec(struct xe_vm *vm, struct drm_exec * + } + + /** +- * xe_vm_set_validation_exec() - Accessor to read the drm_exec object ++ * xe_vm_validation_exec() - Accessor to read the drm_exec object + * @vm: The vm we want to register a drm_exec object with. + * + * Return: The drm_exec object used to lock the vm's resv. The value +-- +2.51.0 + diff --git a/queue-6.18/drm-xe-xe_late_bind_fw-fix-enum-xe_late_bind_fw_id-k.patch b/queue-6.18/drm-xe-xe_late_bind_fw-fix-enum-xe_late_bind_fw_id-k.patch new file mode 100644 index 0000000000..5162f78182 --- /dev/null +++ b/queue-6.18/drm-xe-xe_late_bind_fw-fix-enum-xe_late_bind_fw_id-k.patch @@ -0,0 +1,52 @@ +From fef0e3e2c544abe4f36645152ecd3ee63aaeaa84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 17:53:59 +0200 +Subject: drm/xe/xe_late_bind_fw: fix enum xe_late_bind_fw_id kernel-doc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +[ Upstream commit dc1d0ffee09740088eb190af84a2c470d279bad9 ] + +Fix kernel-doc warnings on enum xe_late_bind_fw_id: + +Warning: ../drivers/gpu/drm/xe/xe_late_bind_fw_types.h:19 cannot + understand function prototype: 'enum xe_late_bind_fw_id' + +Fixes: 45832bf9c10f ("drm/xe/xe_late_bind_fw: Initialize late binding firmware") +Cc: Badal Nilawar +Cc: Daniele Ceraolo Spurio +Cc: Rodrigo Vivi +Reviewed-by: Badal Nilawar +Link: https://patch.msgid.link/20260107155401.2379127-3-jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit a857e6102970c7bd8f2db967fe02d76741179d14) +Signed-off-by: Thomas Hellström +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_late_bind_fw_types.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_late_bind_fw_types.h b/drivers/gpu/drm/xe/xe_late_bind_fw_types.h +index 0f5da89ce98b8..2a8a985c37e71 100644 +--- a/drivers/gpu/drm/xe/xe_late_bind_fw_types.h ++++ b/drivers/gpu/drm/xe/xe_late_bind_fw_types.h +@@ -15,10 +15,12 @@ + #define XE_LB_MAX_PAYLOAD_SIZE SZ_4K + + /** +- * xe_late_bind_fw_id - enum to determine late binding fw index ++ * enum xe_late_bind_fw_id - enum to determine late binding fw index + */ + enum xe_late_bind_fw_id { ++ /** @XE_LB_FW_FAN_CONTROL: Fan control */ + XE_LB_FW_FAN_CONTROL = 0, ++ /** @XE_LB_FW_MAX_ID: Number of IDs */ + XE_LB_FW_MAX_ID + }; + +-- +2.51.0 + diff --git a/queue-6.18/hinic3-fix-netif_queue_set_napi-queue_index-input-pa.patch b/queue-6.18/hinic3-fix-netif_queue_set_napi-queue_index-input-pa.patch new file mode 100644 index 0000000000..ef4a40cc9f --- /dev/null +++ b/queue-6.18/hinic3-fix-netif_queue_set_napi-queue_index-input-pa.patch @@ -0,0 +1,90 @@ +From 669cb65d288927dcbc02841d12b81c84a07de65a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 17:41:55 +0800 +Subject: hinic3: Fix netif_queue_set_napi queue_index input parameter error + +From: Fan Gong + +[ Upstream commit fb2bb2a1ebf7b9514c32b03bb5c3be5d518d437b ] + +Incorrectly transmitted interrupt number instead of queue number +when using netif_queue_set_napi. Besides, move this to appropriate +code location to set napi. + +Remove redundant netif_stop_subqueue beacuase it is not part of the +hinic3_send_one_skb process. + +Fixes: 17fcb3dc12bb ("hinic3: module initialization and tx/rx logic") +Co-developed-by: Zhu Yikai +Signed-off-by: Zhu Yikai +Signed-off-by: Fan Gong +Link: https://patch.msgid.link/7b8e4eb5c53cbd873ee9aaefeb3d9dbbaff52deb.1769070766.git.zhuyikai1@h-partners.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/huawei/hinic3/hinic3_irq.c | 22 +++++++++++-------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/huawei/hinic3/hinic3_irq.c b/drivers/net/ethernet/huawei/hinic3/hinic3_irq.c +index a69b361225e90..84bee5d6e638e 100644 +--- a/drivers/net/ethernet/huawei/hinic3/hinic3_irq.c ++++ b/drivers/net/ethernet/huawei/hinic3/hinic3_irq.c +@@ -43,21 +43,12 @@ static void qp_add_napi(struct hinic3_irq_cfg *irq_cfg) + struct hinic3_nic_dev *nic_dev = netdev_priv(irq_cfg->netdev); + + netif_napi_add(nic_dev->netdev, &irq_cfg->napi, hinic3_poll); +- netif_queue_set_napi(irq_cfg->netdev, irq_cfg->irq_id, +- NETDEV_QUEUE_TYPE_RX, &irq_cfg->napi); +- netif_queue_set_napi(irq_cfg->netdev, irq_cfg->irq_id, +- NETDEV_QUEUE_TYPE_TX, &irq_cfg->napi); + napi_enable(&irq_cfg->napi); + } + + static void qp_del_napi(struct hinic3_irq_cfg *irq_cfg) + { + napi_disable(&irq_cfg->napi); +- netif_queue_set_napi(irq_cfg->netdev, irq_cfg->irq_id, +- NETDEV_QUEUE_TYPE_RX, NULL); +- netif_queue_set_napi(irq_cfg->netdev, irq_cfg->irq_id, +- NETDEV_QUEUE_TYPE_TX, NULL); +- netif_stop_subqueue(irq_cfg->netdev, irq_cfg->irq_id); + netif_napi_del(&irq_cfg->napi); + } + +@@ -150,6 +141,11 @@ int hinic3_qps_irq_init(struct net_device *netdev) + goto err_release_irqs; + } + ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_RX, &irq_cfg->napi); ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_TX, &irq_cfg->napi); ++ + hinic3_set_msix_auto_mask_state(nic_dev->hwdev, + irq_cfg->msix_entry_idx, + HINIC3_SET_MSIX_AUTO_MASK); +@@ -164,6 +160,10 @@ int hinic3_qps_irq_init(struct net_device *netdev) + q_id--; + irq_cfg = &nic_dev->q_params.irq_cfg[q_id]; + qp_del_napi(irq_cfg); ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_RX, NULL); ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_TX, NULL); + hinic3_set_msix_state(nic_dev->hwdev, irq_cfg->msix_entry_idx, + HINIC3_MSIX_DISABLE); + hinic3_set_msix_auto_mask_state(nic_dev->hwdev, +@@ -184,6 +184,10 @@ void hinic3_qps_irq_uninit(struct net_device *netdev) + for (q_id = 0; q_id < nic_dev->q_params.num_qps; q_id++) { + irq_cfg = &nic_dev->q_params.irq_cfg[q_id]; + qp_del_napi(irq_cfg); ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_RX, NULL); ++ netif_queue_set_napi(irq_cfg->netdev, q_id, ++ NETDEV_QUEUE_TYPE_TX, NULL); + hinic3_set_msix_state(nic_dev->hwdev, irq_cfg->msix_entry_idx, + HINIC3_MSIX_DISABLE); + hinic3_set_msix_auto_mask_state(nic_dev->hwdev, +-- +2.51.0 + diff --git a/queue-6.18/ice-add-missing-ice_deinit_hw-in-devlink-reinit-path.patch b/queue-6.18/ice-add-missing-ice_deinit_hw-in-devlink-reinit-path.patch new file mode 100644 index 0000000000..a06926cf85 --- /dev/null +++ b/queue-6.18/ice-add-missing-ice_deinit_hw-in-devlink-reinit-path.patch @@ -0,0 +1,55 @@ +From c955e99aa442b95293c0d2e40abb4d7f9d02aad1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Dec 2025 08:36:53 -0500 +Subject: ice: add missing ice_deinit_hw() in devlink reinit path + +From: Paul Greenwalt + +[ Upstream commit 42fb5f3deb582cb96440e4683745017dbabb83d6 ] + +devlink-reload results in ice_init_hw failed error, and then removing +the ice driver causes a NULL pointer dereference. + +[ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16 +... +[ +0.000001] Call Trace: +[ +0.000003] +[ +0.000006] ice_unload+0x8f/0x100 [ice] +[ +0.000081] ice_remove+0xba/0x300 [ice] + +Commit 1390b8b3d2be ("ice: remove duplicate call to ice_deinit_hw() on +error paths") removed ice_deinit_hw() from ice_deinit_dev(). As a result +ice_devlink_reinit_down() no longer calls ice_deinit_hw(), but +ice_devlink_reinit_up() still calls ice_init_hw(). Since the control +queues are not uninitialized, ice_init_hw() fails with -EBUSY. + +Add ice_deinit_hw() to ice_devlink_reinit_down() to correspond with +ice_init_hw() in ice_devlink_reinit_up(). + +Fixes: 1390b8b3d2be ("ice: remove duplicate call to ice_deinit_hw() on error paths") +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Signed-off-by: Paul Greenwalt +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/devlink/devlink.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ice/devlink/devlink.c b/drivers/net/ethernet/intel/ice/devlink/devlink.c +index 938914abbe066..ac071c5b4ce38 100644 +--- a/drivers/net/ethernet/intel/ice/devlink/devlink.c ++++ b/drivers/net/ethernet/intel/ice/devlink/devlink.c +@@ -460,6 +460,7 @@ static void ice_devlink_reinit_down(struct ice_pf *pf) + ice_vsi_decfg(ice_get_main_vsi(pf)); + rtnl_unlock(); + ice_deinit_pf(pf); ++ ice_deinit_hw(&pf->hw); + ice_deinit_dev(pf); + } + +-- +2.51.0 + diff --git a/queue-6.18/ice-fix-devlink-reload-call-trace.patch b/queue-6.18/ice-fix-devlink-reload-call-trace.patch new file mode 100644 index 0000000000..d8cf44e4ce --- /dev/null +++ b/queue-6.18/ice-fix-devlink-reload-call-trace.patch @@ -0,0 +1,74 @@ +From 1b885fa866032e76a5968b2b3cf8a96b7d03ed9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Dec 2025 03:52:34 -0500 +Subject: ice: fix devlink reload call trace + +From: Paul Greenwalt + +[ Upstream commit d3f867e7a04678640ebcbfb81893c59f4af48586 ] + +Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced +internal temperature sensor reading via HWMON. ice_hwmon_init() was added +to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a +result if devlink reload is used to reinit the device and then the driver +is removed, a call trace can occur. + +BUG: unable to handle page fault for address: ffffffffc0fd4b5d +Call Trace: + string+0x48/0xe0 + vsnprintf+0x1f9/0x650 + sprintf+0x62/0x80 + name_show+0x1f/0x30 + dev_attr_show+0x19/0x60 + +The call trace repeats approximately every 10 minutes when system +monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs +attributes that reference freed module memory. + +The sequence is: +1. Driver load, ice_hwmon_init() gets called from ice_init_feature() +2. Devlink reload down, flow does not call ice_remove() +3. Devlink reload up, ice_hwmon_init() gets called from + ice_init_feature() resulting in a second instance +4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the + first hwmon instance orphaned with dangling pointer + +Fix this by moving ice_hwmon_exit() from ice_remove() to +ice_deinit_features() to ensure proper cleanup symmetry with +ice_hwmon_init(). + +Fixes: 4da71a77fc3b ("ice: read internal temperature sensor") +Reviewed-by: Aleksandr Loktionov +Signed-off-by: Paul Greenwalt +Reviewed-by: Paul Menzel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 6c392495f4a76..fc284802e2bcd 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4845,6 +4845,7 @@ static void ice_deinit_features(struct ice_pf *pf) + ice_dpll_deinit(pf); + if (pf->eswitch_mode == DEVLINK_ESWITCH_MODE_SWITCHDEV) + xa_destroy(&pf->eswitch.reprs); ++ ice_hwmon_exit(pf); + } + + static void ice_init_wakeup(struct ice_pf *pf) +@@ -5446,8 +5447,6 @@ static void ice_remove(struct pci_dev *pdev) + ice_free_vfs(pf); + } + +- ice_hwmon_exit(pf); +- + if (!ice_is_safe_mode(pf)) + ice_remove_arfs(pf); + +-- +2.51.0 + diff --git a/queue-6.18/ice-fix-persistent-failure-in-ice_get_rxfh.patch b/queue-6.18/ice-fix-persistent-failure-in-ice_get_rxfh.patch new file mode 100644 index 0000000000..1f2e29643c --- /dev/null +++ b/queue-6.18/ice-fix-persistent-failure-in-ice_get_rxfh.patch @@ -0,0 +1,104 @@ +From 9f54563f8729150f7a42051bc1595804e0bcb9bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Dec 2025 16:22:26 -0800 +Subject: ice: Fix persistent failure in ice_get_rxfh + +From: Cody Haas + +[ Upstream commit f406220eb8e227ca344eef1a6d30aff53706b196 ] + +Several ioctl functions have the ability to call ice_get_rxfh, however +all of these ioctl functions do not provide all of the expected +information in ethtool_rxfh_param. For example, ethtool_get_rxfh_indir does +not provide an rss_key. This previously caused ethtool_get_rxfh_indir to +always fail with -EINVAL. + +This change draws inspiration from i40e_get_rss to handle this +situation, by only calling the appropriate rss helpers when the +necessary information has been provided via ethtool_rxfh_param. + +Fixes: b66a972abb6b ("ice: Refactor ice_set/get_rss into LUT and key specific functions") +Signed-off-by: Cody Haas +Closes: https://lore.kernel.org/intel-wired-lan/CAH7f-UKkJV8MLY7zCdgCrGE55whRhbGAXvgkDnwgiZ9gUZT7_w@mail.gmail.com/ +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Przemek Kitszel +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 1 + + drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +---- + drivers/net/ethernet/intel/ice/ice_main.c | 28 ++++++++++++++++++++ + 3 files changed, 30 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 9ee596773f34e..a23ccd4ba08d2 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -977,6 +977,7 @@ void ice_map_xdp_rings(struct ice_vsi *vsi); + int + ice_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames, + u32 flags); ++int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size); + int ice_set_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size); + int ice_get_rss_lut(struct ice_vsi *vsi, u8 *lut, u16 lut_size); + int ice_set_rss_key(struct ice_vsi *vsi, u8 *seed); +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index dc131779d4267..06b5677e9bff8 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -3621,11 +3621,7 @@ ice_get_rxfh(struct net_device *netdev, struct ethtool_rxfh_param *rxfh) + if (!lut) + return -ENOMEM; + +- err = ice_get_rss_key(vsi, rxfh->key); +- if (err) +- goto out; +- +- err = ice_get_rss_lut(vsi, lut, vsi->rss_table_size); ++ err = ice_get_rss(vsi, rxfh->key, lut, vsi->rss_table_size); + if (err) + goto out; + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index b0f8a96c13b47..6c392495f4a76 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -8002,6 +8002,34 @@ int ice_get_rss_key(struct ice_vsi *vsi, u8 *seed) + return status; + } + ++/** ++ * ice_get_rss - Get RSS LUT and/or key ++ * @vsi: Pointer to VSI structure ++ * @seed: Buffer to store the key in ++ * @lut: Buffer to store the lookup table entries ++ * @lut_size: Size of buffer to store the lookup table entries ++ * ++ * Return: 0 on success, negative on failure ++ */ ++int ice_get_rss(struct ice_vsi *vsi, u8 *seed, u8 *lut, u16 lut_size) ++{ ++ int err; ++ ++ if (seed) { ++ err = ice_get_rss_key(vsi, seed); ++ if (err) ++ return err; ++ } ++ ++ if (lut) { ++ err = ice_get_rss_lut(vsi, lut, lut_size); ++ if (err) ++ return err; ++ } ++ ++ return 0; ++} ++ + /** + * ice_set_rss_hfunc - Set RSS HASH function + * @vsi: Pointer to VSI structure +-- +2.51.0 + diff --git a/queue-6.18/idpf-fix-data-race-in-idpf_net_dim.patch b/queue-6.18/idpf-fix-data-race-in-idpf_net_dim.patch new file mode 100644 index 0000000000..288c67f0b7 --- /dev/null +++ b/queue-6.18/idpf-fix-data-race-in-idpf_net_dim.patch @@ -0,0 +1,72 @@ +From 9c586ca6ed49d786a2261c2119ac2427e8031f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 00:27:16 +0800 +Subject: idpf: Fix data race in idpf_net_dim + +From: David Yang + +[ Upstream commit 5fbe395cd1fdbc883584e7f38369e4ba5ca778d2 ] + +In idpf_net_dim(), some statistics protected by u64_stats_sync, are read +and accumulated in ignorance of possible u64_stats_fetch_retry() events. +The correct way to copy statistics is already illustrated by +idpf_add_queue_stats(). Fix this by reading them into temporary variables +first. + +Fixes: c2d548cad150 ("idpf: add TX splitq napi poll support") +Fixes: 3a8845af66ed ("idpf: add RX splitq napi poll support") +Signed-off-by: David Yang +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260119162720.1463859-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_txrx.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +index f66948f5de78b..a48088eb9b822 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c +@@ -3941,7 +3941,7 @@ static void idpf_update_dim_sample(struct idpf_q_vector *q_vector, + static void idpf_net_dim(struct idpf_q_vector *q_vector) + { + struct dim_sample dim_sample = { }; +- u64 packets, bytes; ++ u64 packets, bytes, pkts, bts; + u32 i; + + if (!IDPF_ITR_IS_DYNAMIC(q_vector->tx_intr_mode)) +@@ -3953,9 +3953,12 @@ static void idpf_net_dim(struct idpf_q_vector *q_vector) + + do { + start = u64_stats_fetch_begin(&txq->stats_sync); +- packets += u64_stats_read(&txq->q_stats.packets); +- bytes += u64_stats_read(&txq->q_stats.bytes); ++ pkts = u64_stats_read(&txq->q_stats.packets); ++ bts = u64_stats_read(&txq->q_stats.bytes); + } while (u64_stats_fetch_retry(&txq->stats_sync, start)); ++ ++ packets += pkts; ++ bytes += bts; + } + + idpf_update_dim_sample(q_vector, &dim_sample, &q_vector->tx_dim, +@@ -3972,9 +3975,12 @@ static void idpf_net_dim(struct idpf_q_vector *q_vector) + + do { + start = u64_stats_fetch_begin(&rxq->stats_sync); +- packets += u64_stats_read(&rxq->q_stats.packets); +- bytes += u64_stats_read(&rxq->q_stats.bytes); ++ pkts = u64_stats_read(&rxq->q_stats.packets); ++ bts = u64_stats_read(&rxq->q_stats.bytes); + } while (u64_stats_fetch_retry(&rxq->stats_sync, start)); ++ ++ packets += pkts; ++ bytes += bts; + } + + idpf_update_dim_sample(q_vector, &dim_sample, &q_vector->rx_dim, +-- +2.51.0 + diff --git a/queue-6.18/idpf-read-lower-clock-bits-inside-the-time-sandwich.patch b/queue-6.18/idpf-read-lower-clock-bits-inside-the-time-sandwich.patch new file mode 100644 index 0000000000..461934d91f --- /dev/null +++ b/queue-6.18/idpf-read-lower-clock-bits-inside-the-time-sandwich.patch @@ -0,0 +1,54 @@ +From aa314c014de9f1bde18eedec69a836f4281fa514 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Dec 2025 10:19:29 +0000 +Subject: idpf: read lower clock bits inside the time sandwich + +From: Mina Almasry + +[ Upstream commit bdfc7b55adcd04834ccc1b6b13e55e3fd7eaa789 ] + +PCIe reads need to be done inside the time sandwich because PCIe +writes may get buffered in the PCIe fabric and posted to the device +after the _postts completes. Doing the PCIe read inside the time +sandwich guarantees that the write gets flushed before the _postts +timestamp is taken. + +Cc: lrizzo@google.com +Cc: namangulati@google.com +Cc: willemb@google.com +Cc: intel-wired-lan@lists.osuosl.org +Cc: milena.olech@intel.com +Cc: jacob.e.keller@intel.com + +Fixes: 5cb8805d2366 ("idpf: negotiate PTP capabilities and get PTP clock") +Suggested-by: Shachar Raindel +Signed-off-by: Mina Almasry +Reviewed-by: Jacob Keller +Reviewed-by: Aleksandr Loktionov +Tested-by: Samuel Salin +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/idpf/idpf_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/idpf/idpf_ptp.c b/drivers/net/ethernet/intel/idpf/idpf_ptp.c +index 3e1052d070cfd..0a8b50350b860 100644 +--- a/drivers/net/ethernet/intel/idpf/idpf_ptp.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_ptp.c +@@ -108,11 +108,11 @@ static u64 idpf_ptp_read_src_clk_reg_direct(struct idpf_adapter *adapter, + ptp_read_system_prets(sts); + + idpf_ptp_enable_shtime(adapter); ++ lo = readl(ptp->dev_clk_regs.dev_clk_ns_l); + + /* Read the system timestamp post PHC read */ + ptp_read_system_postts(sts); + +- lo = readl(ptp->dev_clk_regs.dev_clk_ns_l); + hi = readl(ptp->dev_clk_regs.dev_clk_ns_h); + + spin_unlock(&ptp->read_dev_clk_lock); +-- +2.51.0 + diff --git a/queue-6.18/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-6.18/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..87f11543de --- /dev/null +++ b/queue-6.18/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 389b6f0f35c663a3a45f34f10fc4d98a688e9b2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c +index 50a6ff7c8b1c7..ba12a3796e2b1 100644 +--- a/drivers/iio/adc/ad7280a.c ++++ b/drivers/iio/adc/ad7280a.c +@@ -1024,7 +1024,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, st->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, st->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-6.18/iio-adc-ad7606-fix-incorrect-type-for-error-return-v.patch b/queue-6.18/iio-adc-ad7606-fix-incorrect-type-for-error-return-v.patch new file mode 100644 index 0000000000..bb2c247c77 --- /dev/null +++ b/queue-6.18/iio-adc-ad7606-fix-incorrect-type-for-error-return-v.patch @@ -0,0 +1,40 @@ +From 714c73d4a5e53aa59c11b74e129adb13c5f023fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Dec 2025 13:08:44 +0800 +Subject: iio: adc: ad7606: Fix incorrect type for error return variable + +From: Haotian Zhang + +[ Upstream commit c5512e016817a150fd6de97fbb3e74aa799ea3c1 ] + +The variable ret is declared as unsigned int but is used to store return +values from functions returning int, which may be negative error codes. + +Change ret from unsigned int to int. + +Fixes: 849cebf8dc67 ("iio: adc: ad7606: Add iio-backend support") +Signed-off-by: Haotian Zhang +Reviewed-by: Andy Shevchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7606_par.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7606_par.c b/drivers/iio/adc/ad7606_par.c +index 634852c4bbd2c..b81e707ab40c5 100644 +--- a/drivers/iio/adc/ad7606_par.c ++++ b/drivers/iio/adc/ad7606_par.c +@@ -43,7 +43,8 @@ static int ad7606_par_bus_setup_iio_backend(struct device *dev, + struct iio_dev *indio_dev) + { + struct ad7606_state *st = iio_priv(indio_dev); +- unsigned int ret, c; ++ unsigned int c; ++ int ret; + struct iio_backend_data_fmt data = { + .sign_extend = true, + .enable = true, +-- +2.51.0 + diff --git a/queue-6.18/interconnect-debugfs-initialize-src_node-and-dst_nod.patch b/queue-6.18/interconnect-debugfs-initialize-src_node-and-dst_nod.patch new file mode 100644 index 0000000000..a717e821f2 --- /dev/null +++ b/queue-6.18/interconnect-debugfs-initialize-src_node-and-dst_nod.patch @@ -0,0 +1,47 @@ +From 33e9513b7f5577f0f394cd13045b2341a5671caa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 14:25:23 +0200 +Subject: interconnect: debugfs: initialize src_node and dst_node to empty + strings + +From: Georgi Djakov + +[ Upstream commit 8cc27f5c6dd17dd090f3a696683f04336c162ff5 ] + +The debugfs_create_str() API assumes that the string pointer is either NULL +or points to valid kmalloc() memory. Leaving the pointer uninitialized can +cause problems. + +Initialize src_node and dst_node to empty strings before creating the +debugfs entries to guarantee that reads and writes are safe. + +Fixes: 770c69f037c1 ("interconnect: Add debugfs test client") +Signed-off-by: Georgi Djakov +Reviewed-by: Kuan-Wei Chiu +Tested-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20260109122523.125843-1-djakov@kernel.org +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/debugfs-client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/interconnect/debugfs-client.c b/drivers/interconnect/debugfs-client.c +index 778deeb4a7e8a..24d7b5a577945 100644 +--- a/drivers/interconnect/debugfs-client.c ++++ b/drivers/interconnect/debugfs-client.c +@@ -150,6 +150,11 @@ int icc_debugfs_client_init(struct dentry *icc_dir) + return ret; + } + ++ src_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ dst_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ if (!src_node || !dst_node) ++ return -ENOMEM; ++ + client_dir = debugfs_create_dir("test_client", icc_dir); + + debugfs_create_str("src_node", 0600, client_dir, &src_node); +-- +2.51.0 + diff --git a/queue-6.18/iommu-amd-fix-error-path-in-amd_iommu_probe_device.patch b/queue-6.18/iommu-amd-fix-error-path-in-amd_iommu_probe_device.patch new file mode 100644 index 0000000000..b923c24b9c --- /dev/null +++ b/queue-6.18/iommu-amd-fix-error-path-in-amd_iommu_probe_device.patch @@ -0,0 +1,56 @@ +From 9b34956b8b6100a2c01cd4af6045291e708eb1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 05:53:32 +0000 +Subject: iommu/amd: Fix error path in amd_iommu_probe_device() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vasant Hegde + +[ Upstream commit 3222b6de5145272c43a90cb8667377d676635ea0 ] + +Currently, the error path of amd_iommu_probe_device() unconditionally +references dev_data, which may not be initialized if an early failure +occurs (like iommu_init_device() fails). + +Move the out_err label to ensure the function exits immediately on +failure without accessing potentially uninitialized dev_data. + +Fixes: 19e5cc156cb ("iommu/amd: Enable support for up to 2K interrupts per function") +Cc: Rakuram Eswaran +Cc: Jörg Rödel +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202512191724.meqJENXe-lkp@intel.com/ +Signed-off-by: Vasant Hegde +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd/iommu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c +index a38304f1a8df5..5914bef0c8c19 100644 +--- a/drivers/iommu/amd/iommu.c ++++ b/drivers/iommu/amd/iommu.c +@@ -2426,8 +2426,6 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev) + goto out_err; + } + +-out_err: +- + iommu_completion_wait(iommu); + + if (FEATURE_NUM_INT_REMAP_SUP_2K(amd_iommu_efr2)) +@@ -2438,6 +2436,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev) + if (dev_is_pci(dev)) + pci_prepare_ats(to_pci_dev(dev), PAGE_SHIFT); + ++out_err: + return iommu_dev; + } + +-- +2.51.0 + diff --git a/queue-6.18/ipv6-annotate-data-race-in-ndisc_router_discovery.patch b/queue-6.18/ipv6-annotate-data-race-in-ndisc_router_discovery.patch new file mode 100644 index 0000000000..8d3f234707 --- /dev/null +++ b/queue-6.18/ipv6-annotate-data-race-in-ndisc_router_discovery.patch @@ -0,0 +1,79 @@ +From 4d677a7409cb2247d101a85c2d20f42eadeaefdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 15:29:41 +0000 +Subject: ipv6: annotate data-race in ndisc_router_discovery() + +From: Eric Dumazet + +[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ] + +syzbot found that ndisc_router_discovery() could read and write +in6_dev->ra_mtu without holding a lock [1] + +This looks fine, IFLA_INET6_RA_MTU is best effort. + +Add READ_ONCE()/WRITE_ONCE() to document the race. + +Note that we might also reject illegal MTU values +(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. + +[1] +BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery + +read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: + ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: + ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +value changed: 0x00000000 -> 0xe5400659 + +Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Rocco Yue +Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index f427e41e9c49b..0fd3f53dbb52e 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1555,8 +1555,8 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb) + memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu)); + mtu = ntohl(n); + +- if (in6_dev->ra_mtu != mtu) { +- in6_dev->ra_mtu = mtu; ++ if (READ_ONCE(in6_dev->ra_mtu) != mtu) { ++ WRITE_ONCE(in6_dev->ra_mtu, mtu); + send_ifinfo_notify = true; + } + +-- +2.51.0 + diff --git a/queue-6.18/kconfig-fix-static-linking-of-nconf.patch b/queue-6.18/kconfig-fix-static-linking-of-nconf.patch new file mode 100644 index 0000000000..80a025c4e4 --- /dev/null +++ b/queue-6.18/kconfig-fix-static-linking-of-nconf.patch @@ -0,0 +1,70 @@ +From ce7b9559cd1ca1a38bb1083fc391e1a2d1b61d16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jan 2026 12:48:08 +0100 +Subject: kconfig: fix static linking of nconf + +From: Arkadiusz Kozdra + +[ Upstream commit baaecfcac559bcac73206df447eb5c385fa22f2a ] + +When running make nconfig with a static linking host toolchain, +the libraries are linked in an incorrect order, +resulting in errors similar to the following: + +$ MAKEFLAGS='HOSTCC=cc\ -static' make nconfig +/usr/bin/ld: /usr/lib64/gcc/x86_64-unknown-linux-gnu/14.2.1/../../../../lib64/libpanel.a(p_new.o): in function `new_panel': +(.text+0x13): undefined reference to `_nc_panelhook_sp' +/usr/bin/ld: (.text+0x6c): undefined reference to `_nc_panelhook_sp' + +Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf") +Signed-off-by: Arusekk +Link: https://patch.msgid.link/20260110114808.22595-1-floss@arusekk.pl +[nsc: Added comment about library order] +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf-cfg.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh +index a20290b1a37d8..4d08453f9bdb7 100755 +--- a/scripts/kconfig/nconf-cfg.sh ++++ b/scripts/kconfig/nconf-cfg.sh +@@ -6,8 +6,9 @@ set -eu + cflags=$1 + libs=$2 + +-PKG="ncursesw menuw panelw" +-PKG2="ncurses menu panel" ++# Keep library order for static linking (HOSTCC='cc -static') ++PKG="menuw panelw ncursesw" ++PKG2="menu panel ncurses" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +@@ -28,19 +29,19 @@ fi + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} +- echo -lncursesw -lmenuw -lpanelw > ${libs} ++ echo -lmenuw -lpanelw -lncursesw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses.h ]; then + echo -D_GNU_SOURCE > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + +-- +2.51.0 + diff --git a/queue-6.18/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch b/queue-6.18/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch new file mode 100644 index 0000000000..95b811858f --- /dev/null +++ b/queue-6.18/keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch @@ -0,0 +1,57 @@ +From a56713665d063d80ba0cd16bbfa73efb14744303 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jan 2026 22:25:03 +0530 +Subject: keys/trusted_keys: fix handle passed to tpm_buf_append_name during + unseal + +From: Srish Srinivasan + +[ Upstream commit 6342969dafbc63597cfc221aa13c3b123c2800c5 ] + +TPM2_Unseal[1] expects the handle of a loaded data object, and not the +handle of the parent key. But the tpm2_unseal_cmd provides the parent +keyhandle instead of blob_handle for the session HMAC calculation. This +causes unseal to fail. + +Fix this by passing blob_handle to tpm_buf_append_name(). + +References: + +[1] trustedcomputinggroup.org/wp-content/uploads/ + Trusted-Platform-Module-2.0-Library-Part-3-Version-184_pub.pdf + +Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size") +Signed-off-by: Srish Srinivasan +Reviewed-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + security/keys/trusted-keys/trusted_tpm2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c +index 7187768716b78..74cea80ed9be5 100644 +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -489,7 +489,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, + } + + /** +- * tpm2_unseal_cmd() - execute a TPM2_Unload command ++ * tpm2_unseal_cmd() - execute a TPM2_Unseal command + * + * @chip: TPM chip to use + * @payload: the key data in clear and encrypted form +@@ -520,7 +520,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, + return rc; + } + +- rc = tpm_buf_append_name(chip, &buf, options->keyhandle, NULL); ++ rc = tpm_buf_append_name(chip, &buf, blob_handle, NULL); + if (rc) + goto out; + +-- +2.51.0 + diff --git a/queue-6.18/misdn-annotate-data-race-around-dev-work.patch b/queue-6.18/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..ba19b6f046 --- /dev/null +++ b/queue-6.18/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From e66d7118041da04affba677d9a5a700bc8eae3d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index df98144a95394..33521c328a827 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-6.18/net-bcmasp-fix-network-filter-wake-for-asp-3.0.patch b/queue-6.18/net-bcmasp-fix-network-filter-wake-for-asp-3.0.patch new file mode 100644 index 0000000000..d1b1570831 --- /dev/null +++ b/queue-6.18/net-bcmasp-fix-network-filter-wake-for-asp-3.0.patch @@ -0,0 +1,68 @@ +From bc201bc0b9d640c560f596afde07772a4e3375f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:23:39 -0800 +Subject: net: bcmasp: Fix network filter wake for asp-3.0 + +From: Justin Chen + +[ Upstream commit bbb11b8d758d17a4ce34b8ed0b49de150568265b ] + +We need to apply the tx_chan_offset to the netfilter cfg channel or the +output channel will be incorrect for asp-3.0 and newer. + +Fixes: e9f31435ee7d ("net: bcmasp: Add support for asp-v3.0") +Signed-off-by: Justin Chen +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20260120192339.2031648-1-justin.chen@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/asp2/bcmasp.c | 5 +++-- + drivers/net/ethernet/broadcom/asp2/bcmasp.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c +index fd35f4b4dc50b..014340f33345a 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c +@@ -156,7 +156,7 @@ static void bcmasp_netfilt_hw_en_wake(struct bcmasp_priv *priv, + ASP_RX_FILTER_NET_OFFSET_L4(32), + ASP_RX_FILTER_NET_OFFSET(nfilt->hw_index + 1)); + +- rx_filter_core_wl(priv, ASP_RX_FILTER_NET_CFG_CH(nfilt->port + 8) | ++ rx_filter_core_wl(priv, ASP_RX_FILTER_NET_CFG_CH(nfilt->ch) | + ASP_RX_FILTER_NET_CFG_EN | + ASP_RX_FILTER_NET_CFG_L2_EN | + ASP_RX_FILTER_NET_CFG_L3_EN | +@@ -166,7 +166,7 @@ static void bcmasp_netfilt_hw_en_wake(struct bcmasp_priv *priv, + ASP_RX_FILTER_NET_CFG_UMC(nfilt->port), + ASP_RX_FILTER_NET_CFG(nfilt->hw_index)); + +- rx_filter_core_wl(priv, ASP_RX_FILTER_NET_CFG_CH(nfilt->port + 8) | ++ rx_filter_core_wl(priv, ASP_RX_FILTER_NET_CFG_CH(nfilt->ch) | + ASP_RX_FILTER_NET_CFG_EN | + ASP_RX_FILTER_NET_CFG_L2_EN | + ASP_RX_FILTER_NET_CFG_L3_EN | +@@ -714,6 +714,7 @@ struct bcmasp_net_filter *bcmasp_netfilt_get_init(struct bcmasp_intf *intf, + nfilter = &priv->net_filters[open_index]; + nfilter->claimed = true; + nfilter->port = intf->port; ++ nfilter->ch = intf->channel + priv->tx_chan_offset; + nfilter->hw_index = open_index; + } + +diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.h b/drivers/net/ethernet/broadcom/asp2/bcmasp.h +index 74adfdb50e11d..e238507be40af 100644 +--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.h ++++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.h +@@ -348,6 +348,7 @@ struct bcmasp_net_filter { + bool wake_filter; + + int port; ++ int ch; + unsigned int hw_index; + }; + +-- +2.51.0 + diff --git a/queue-6.18/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch b/queue-6.18/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch new file mode 100644 index 0000000000..327f5ed620 --- /dev/null +++ b/queue-6.18/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch @@ -0,0 +1,52 @@ +From d712df255f8b9f0bc410ad78a5ad7e95d26d82b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 23:10:39 +0200 +Subject: net: dsa: fix off-by-one in maximum bridge ID determination + +From: Vladimir Oltean + +[ Upstream commit dfca045cd4d0ea07ff4198ba392be3e718acaddc ] + +Prior to the blamed commit, the bridge_num range was from +0 to ds->max_num_bridges - 1. After the commit, it is from +1 to ds->max_num_bridges. + +So this check: + if (bridge_num >= max) + return 0; +must be updated to: + if (bridge_num > max) + return 0; + +in order to allow the last bridge_num value (==max) to be used. + +This is easiest visible when a driver sets ds->max_num_bridges=1. +The observed behaviour is that even the first created bridge triggers +the netlink extack "Range of offloadable bridges exceeded" warning, and +is handled in software rather than being offloaded. + +Fixes: 3f9bb0301d50 ("net: dsa: make dp->bridge_num one-based") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20260120211039.3228999-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index ded9a291e6204..0505e90033f23 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -157,7 +157,7 @@ unsigned int dsa_bridge_num_get(const struct net_device *bridge_dev, int max) + bridge_num = find_next_zero_bit(&dsa_fwd_offloading_bridges, + DSA_MAX_NUM_OFFLOADING_BRIDGES, + 1); +- if (bridge_num >= max) ++ if (bridge_num > max) + return 0; + + set_bit(bridge_num, &dsa_fwd_offloading_bridges); +-- +2.51.0 + diff --git a/queue-6.18/net-hns3-fix-data-race-in-hns3_fetch_stats.patch b/queue-6.18/net-hns3-fix-data-race-in-hns3_fetch_stats.patch new file mode 100644 index 0000000000..99711f99ee --- /dev/null +++ b/queue-6.18/net-hns3-fix-data-race-in-hns3_fetch_stats.patch @@ -0,0 +1,112 @@ +From 4db684a0d1f08cdc6403cc9dfe623ab6f59de550 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 00:07:37 +0800 +Subject: net: hns3: fix data race in hns3_fetch_stats + +From: David Yang + +[ Upstream commit 748a81c8ceda1fdbdcd0af595947422e810442aa ] + +In hns3_fetch_stats(), ring statistics, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. These statistics are already accumulated by +hns3_ring_stats_update(). Fix this by reading them into a temporary +buffer first. + +Fixes: b20d7fe51e0d ("net: hns3: add some statitics info to tx process") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260119160759.1455950-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++++++++++--------- + 1 file changed, 36 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index bfa5568baa926..e976a88b952f0 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2500,44 +2500,47 @@ static netdev_features_t hns3_features_check(struct sk_buff *skb, + static void hns3_fetch_stats(struct rtnl_link_stats64 *stats, + struct hns3_enet_ring *ring, bool is_tx) + { ++ struct ring_stats ring_stats; + unsigned int start; + + do { + start = u64_stats_fetch_begin(&ring->syncp); +- if (is_tx) { +- stats->tx_bytes += ring->stats.tx_bytes; +- stats->tx_packets += ring->stats.tx_pkts; +- stats->tx_dropped += ring->stats.sw_err_cnt; +- stats->tx_dropped += ring->stats.tx_vlan_err; +- stats->tx_dropped += ring->stats.tx_l4_proto_err; +- stats->tx_dropped += ring->stats.tx_l2l3l4_err; +- stats->tx_dropped += ring->stats.tx_tso_err; +- stats->tx_dropped += ring->stats.over_max_recursion; +- stats->tx_dropped += ring->stats.hw_limitation; +- stats->tx_dropped += ring->stats.copy_bits_err; +- stats->tx_dropped += ring->stats.skb2sgl_err; +- stats->tx_dropped += ring->stats.map_sg_err; +- stats->tx_errors += ring->stats.sw_err_cnt; +- stats->tx_errors += ring->stats.tx_vlan_err; +- stats->tx_errors += ring->stats.tx_l4_proto_err; +- stats->tx_errors += ring->stats.tx_l2l3l4_err; +- stats->tx_errors += ring->stats.tx_tso_err; +- stats->tx_errors += ring->stats.over_max_recursion; +- stats->tx_errors += ring->stats.hw_limitation; +- stats->tx_errors += ring->stats.copy_bits_err; +- stats->tx_errors += ring->stats.skb2sgl_err; +- stats->tx_errors += ring->stats.map_sg_err; +- } else { +- stats->rx_bytes += ring->stats.rx_bytes; +- stats->rx_packets += ring->stats.rx_pkts; +- stats->rx_dropped += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l3l4_csum_err; +- stats->rx_crc_errors += ring->stats.l2_err; +- stats->multicast += ring->stats.rx_multicast; +- stats->rx_length_errors += ring->stats.err_pkt_len; +- } ++ ring_stats = ring->stats; + } while (u64_stats_fetch_retry(&ring->syncp, start)); ++ ++ if (is_tx) { ++ stats->tx_bytes += ring_stats.tx_bytes; ++ stats->tx_packets += ring_stats.tx_pkts; ++ stats->tx_dropped += ring_stats.sw_err_cnt; ++ stats->tx_dropped += ring_stats.tx_vlan_err; ++ stats->tx_dropped += ring_stats.tx_l4_proto_err; ++ stats->tx_dropped += ring_stats.tx_l2l3l4_err; ++ stats->tx_dropped += ring_stats.tx_tso_err; ++ stats->tx_dropped += ring_stats.over_max_recursion; ++ stats->tx_dropped += ring_stats.hw_limitation; ++ stats->tx_dropped += ring_stats.copy_bits_err; ++ stats->tx_dropped += ring_stats.skb2sgl_err; ++ stats->tx_dropped += ring_stats.map_sg_err; ++ stats->tx_errors += ring_stats.sw_err_cnt; ++ stats->tx_errors += ring_stats.tx_vlan_err; ++ stats->tx_errors += ring_stats.tx_l4_proto_err; ++ stats->tx_errors += ring_stats.tx_l2l3l4_err; ++ stats->tx_errors += ring_stats.tx_tso_err; ++ stats->tx_errors += ring_stats.over_max_recursion; ++ stats->tx_errors += ring_stats.hw_limitation; ++ stats->tx_errors += ring_stats.copy_bits_err; ++ stats->tx_errors += ring_stats.skb2sgl_err; ++ stats->tx_errors += ring_stats.map_sg_err; ++ } else { ++ stats->rx_bytes += ring_stats.rx_bytes; ++ stats->rx_packets += ring_stats.rx_pkts; ++ stats->rx_dropped += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l3l4_csum_err; ++ stats->rx_crc_errors += ring_stats.l2_err; ++ stats->multicast += ring_stats.rx_multicast; ++ stats->rx_length_errors += ring_stats.err_pkt_len; ++ } + } + + static void hns3_nic_get_stats64(struct net_device *netdev, +-- +2.51.0 + diff --git a/queue-6.18/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-6.18/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..e6b14b3b0c --- /dev/null +++ b/queue-6.18/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From 29355db5dd751b5e250fb156bbc5773b13ee7611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 1b103d1154da9..5cc5ee9dcd982 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5690,7 +5690,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-6.18/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-6.18/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..6e63900ebd --- /dev/null +++ b/queue-6.18/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From af73a7fe607824fdcbe5dd90a3d40b0fc961ebf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 9bb708fa42f24..416e02e7b995f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -731,7 +731,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-6.18/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch b/queue-6.18/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch new file mode 100644 index 0000000000..ba30dcdee8 --- /dev/null +++ b/queue-6.18/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch @@ -0,0 +1,63 @@ +From 666382f34020da620aee36544ac8b3bb1af05d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:29:26 +0800 +Subject: net: openvswitch: fix data race in ovs_vport_get_upcall_stats + +From: David Yang + +[ Upstream commit cc4816bdb08639e5cd9acb295a02d6f0f09736b4 ] + +In ovs_vport_get_upcall_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics are already accumulated +by u64_stats_inc(). Fix this by reading them into temporary variables +first. + +Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets") +Signed-off-by: David Yang +Acked-by: Ilya Maximets +Reviewed-by: Eric Dumazet +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20260121072932.2360971-1-mmyangfl@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c +index 6bbbc16ab7780..f0ce8ce1dce0e 100644 +--- a/net/openvswitch/vport.c ++++ b/net/openvswitch/vport.c +@@ -310,22 +310,23 @@ void ovs_vport_get_stats(struct vport *vport, struct ovs_vport_stats *stats) + */ + int ovs_vport_get_upcall_stats(struct vport *vport, struct sk_buff *skb) + { ++ u64 tx_success = 0, tx_fail = 0; + struct nlattr *nla; + int i; + +- __u64 tx_success = 0; +- __u64 tx_fail = 0; +- + for_each_possible_cpu(i) { + const struct vport_upcall_stats_percpu *stats; ++ u64 n_success, n_fail; + unsigned int start; + + stats = per_cpu_ptr(vport->upcall_stats, i); + do { + start = u64_stats_fetch_begin(&stats->syncp); +- tx_success += u64_stats_read(&stats->n_success); +- tx_fail += u64_stats_read(&stats->n_fail); ++ n_success = u64_stats_read(&stats->n_success); ++ n_fail = u64_stats_read(&stats->n_fail); + } while (u64_stats_fetch_retry(&stats->syncp, start)); ++ tx_success += n_success; ++ tx_fail += n_fail; + } + + nla = nla_nest_start_noflag(skb, OVS_VPORT_ATTR_UPCALL_STATS); +-- +2.51.0 + diff --git a/queue-6.18/net-pcs-pcs-mtk-lynxi-report-in-band-capability-for-.patch b/queue-6.18/net-pcs-pcs-mtk-lynxi-report-in-band-capability-for-.patch new file mode 100644 index 0000000000..5eed7eb3b9 --- /dev/null +++ b/queue-6.18/net-pcs-pcs-mtk-lynxi-report-in-band-capability-for-.patch @@ -0,0 +1,52 @@ +From a3c38ca6f39efffffbfe920fc5f2e8b8e6bdd38c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 02:23:17 +0000 +Subject: net: pcs: pcs-mtk-lynxi: report in-band capability for 2500Base-X + +From: Daniel Golle + +[ Upstream commit e8ca461f7d19464b47c64fe4cf2f83162421bcc0 ] + +It turns out that 2500Base-X actually works fine with in-band status on +MediaTek's LynxI PCS -- I wrongly concluded it didn't because it is +broken in all the copper SFP modules and GPON sticks I used for testing. + +Hence report LINK_INBAND_ENABLE also for 2500Base-X mode. + +This reverts most of commit a003c38d9bbb ("net: pcs: pcs-mtk-lynxi: +correctly report in-band status capabilities"). + +The removal of the QSGMII interface mode was correct and is left +untouched. + +Link: https://github.com/openwrt/openwrt/issues/21436 +Fixes: a003c38d9bbb ("net: pcs: pcs-mtk-lynxi: correctly report in-band status capabilities") +Signed-off-by: Daniel Golle +Link: https://patch.msgid.link/b1cf26157b63fee838be09ae810497fb22fd8104.1768961746.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/pcs/pcs-mtk-lynxi.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/pcs/pcs-mtk-lynxi.c b/drivers/net/pcs/pcs-mtk-lynxi.c +index 149ddf51d7856..87df3a9dfc9bc 100644 +--- a/drivers/net/pcs/pcs-mtk-lynxi.c ++++ b/drivers/net/pcs/pcs-mtk-lynxi.c +@@ -93,12 +93,10 @@ static unsigned int mtk_pcs_lynxi_inband_caps(struct phylink_pcs *pcs, + { + switch (interface) { + case PHY_INTERFACE_MODE_1000BASEX: ++ case PHY_INTERFACE_MODE_2500BASEX: + case PHY_INTERFACE_MODE_SGMII: + return LINK_INBAND_DISABLE | LINK_INBAND_ENABLE; + +- case PHY_INTERFACE_MODE_2500BASEX: +- return LINK_INBAND_DISABLE; +- + default: + return 0; + } +-- +2.51.0 + diff --git a/queue-6.18/net-phy-intel-xway-fix-of-node-refcount-leakage.patch b/queue-6.18/net-phy-intel-xway-fix-of-node-refcount-leakage.patch new file mode 100644 index 0000000000..3b91a1cda6 --- /dev/null +++ b/queue-6.18/net-phy-intel-xway-fix-of-node-refcount-leakage.patch @@ -0,0 +1,52 @@ +From d3e709ea094a36824ca3cc3e73167432deed13bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 00:41:54 +0000 +Subject: net: phy: intel-xway: fix OF node refcount leakage + +From: Daniel Golle + +[ Upstream commit 79912b256e14054e6ba177d7e7e631485ce23dbe ] + +Automated review spotted am OF node reference count leakage when +checking if the 'leds' child node exists. + +Call of_put_node() to correctly maintain the refcount. + +Link: https://netdev-ai.bots.linux.dev/ai-review.html?id=20f173ba-0c64-422b-a663-fea4b4ad01d0 +Fixes: 1758af47b98c1 ("net: phy: intel-xway: add support for PHY LEDs") +Signed-off-by: Daniel Golle +Link: https://patch.msgid.link/e3275e1c1cdca7e6426bb9c11f33bd84b8d900c8.1768783208.git.daniel@makrotopia.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/intel-xway.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/intel-xway.c b/drivers/net/phy/intel-xway.c +index 9766dd99afaa0..12ff4c1f285d2 100644 +--- a/drivers/net/phy/intel-xway.c ++++ b/drivers/net/phy/intel-xway.c +@@ -277,7 +277,7 @@ static int xway_gphy_init_leds(struct phy_device *phydev) + + static int xway_gphy_config_init(struct phy_device *phydev) + { +- struct device_node *np = phydev->mdio.dev.of_node; ++ struct device_node *np; + int err; + + /* Mask all interrupts */ +@@ -286,7 +286,10 @@ static int xway_gphy_config_init(struct phy_device *phydev) + return err; + + /* Use default LED configuration if 'leds' node isn't defined */ +- if (!of_get_child_by_name(np, "leds")) ++ np = of_get_child_by_name(phydev->mdio.dev.of_node, "leds"); ++ if (np) ++ of_node_put(np); ++ else + xway_gphy_init_leds(phydev); + + /* Clear all pending interrupts */ +-- +2.51.0 + diff --git a/queue-6.18/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-6.18/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..920b85e7eb --- /dev/null +++ b/queue-6.18/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From 666fa79b60cbc990453736dad881b00ffbaceebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index 7c6975632fc2e..c7ab25642d997 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -821,6 +821,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -829,6 +830,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -844,8 +847,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-6.18/netdevsim-fix-a-race-issue-related-to-the-operation-.patch b/queue-6.18/netdevsim-fix-a-race-issue-related-to-the-operation-.patch new file mode 100644 index 0000000000..3b2214d7d7 --- /dev/null +++ b/queue-6.18/netdevsim-fix-a-race-issue-related-to-the-operation-.patch @@ -0,0 +1,131 @@ +From eb12fa9f5e6078dcb2d63575f64c8b946260004c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 17:53:08 +0800 +Subject: netdevsim: fix a race issue related to the operation on + bpf_bound_progs list + +From: Yun Lu + +[ Upstream commit b97d5eedf4976cc94321243be83b39efe81a0e15 ] + +The netdevsim driver lacks a protection mechanism for operations on the +bpf_bound_progs list. When the nsim_bpf_create_prog() performs +list_add_tail, it is possible that nsim_bpf_destroy_prog() is +simultaneously performs list_del. Concurrent operations on the list may +lead to list corruption and trigger a kernel crash as follows: + +[ 417.290971] kernel BUG at lib/list_debug.c:62! +[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1 +[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 417.291007] Workqueue: events bpf_prog_free_deferred +[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0 +[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8 +[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246 +[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000 +[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180 +[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003 +[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20 +[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000 +[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000 +[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0 +[ 417.291088] PKRU: 55555554 +[ 417.291091] Call Trace: +[ 417.291096] +[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim] +[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80 +[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0 +[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0 +[ 417.291178] process_one_work+0x18a/0x3a0 +[ 417.291188] worker_thread+0x27b/0x3a0 +[ 417.291197] ? __pfx_worker_thread+0x10/0x10 +[ 417.291207] kthread+0xe5/0x120 +[ 417.291214] ? __pfx_kthread+0x10/0x10 +[ 417.291221] ret_from_fork+0x31/0x50 +[ 417.291230] ? __pfx_kthread+0x10/0x10 +[ 417.291236] ret_from_fork_asm+0x1a/0x30 +[ 417.291246] + +Add a mutex lock, to prevent simultaneous addition and deletion operations +on the list. + +Fixes: 31d3ad832948 ("netdevsim: add bpf offload support") +Reported-by: Yinhao Hu +Reported-by: Kaiyan Mei +Signed-off-by: Yun Lu +Link: https://patch.msgid.link/20260116095308.11441-1-luyun_611@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 6 ++++++ + drivers/net/netdevsim/dev.c | 2 ++ + drivers/net/netdevsim/netdevsim.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 49537d3c41205..5f17f68f3c083 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -244,7 +244,9 @@ static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev, + &state->state, &nsim_bpf_string_fops); + debugfs_create_bool("loaded", 0400, state->ddir, &state->is_loaded); + ++ mutex_lock(&nsim_dev->progs_list_lock); + list_add_tail(&state->l, &nsim_dev->bpf_bound_progs); ++ mutex_unlock(&nsim_dev->progs_list_lock); + + prog->aux->offload->dev_priv = state; + +@@ -273,12 +275,16 @@ static int nsim_bpf_translate(struct bpf_prog *prog) + static void nsim_bpf_destroy_prog(struct bpf_prog *prog) + { + struct nsim_bpf_bound_prog *state; ++ struct nsim_dev *nsim_dev; + + state = prog->aux->offload->dev_priv; ++ nsim_dev = state->nsim_dev; + WARN(state->is_loaded, + "offload state destroyed while program still bound"); + debugfs_remove_recursive(state->ddir); ++ mutex_lock(&nsim_dev->progs_list_lock); + list_del(&state->l); ++ mutex_unlock(&nsim_dev->progs_list_lock); + kfree(state); + } + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 95f66c1f59db8..56a47c060f2e1 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -1591,6 +1591,7 @@ int nsim_drv_probe(struct nsim_bus_dev *nsim_bus_dev) + nsim_dev->max_macs = NSIM_DEV_MAX_MACS_DEFAULT; + nsim_dev->test1 = NSIM_DEV_TEST1_DEFAULT; + spin_lock_init(&nsim_dev->fa_cookie_lock); ++ mutex_init(&nsim_dev->progs_list_lock); + + dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev); + +@@ -1729,6 +1730,7 @@ void nsim_drv_remove(struct nsim_bus_dev *nsim_bus_dev) + devl_unregister(devlink); + kfree(nsim_dev->vfconfigs); + kfree(nsim_dev->fa_cookie); ++ mutex_destroy(&nsim_dev->progs_list_lock); + devl_unlock(devlink); + devlink_free(devlink); + dev_set_drvdata(&nsim_bus_dev->dev, NULL); +diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h +index 02c1c97b70080..d91c0899e536e 100644 +--- a/drivers/net/netdevsim/netdevsim.h ++++ b/drivers/net/netdevsim/netdevsim.h +@@ -319,6 +319,7 @@ struct nsim_dev { + u32 prog_id_gen; + struct list_head bpf_bound_progs; + struct list_head bpf_bound_maps; ++ struct mutex progs_list_lock; + struct netdev_phys_item_id switch_id; + struct list_head port_list; + bool fw_update_status; +-- +2.51.0 + diff --git a/queue-6.18/ntb-transport-fix-uninitialized-mutex.patch b/queue-6.18/ntb-transport-fix-uninitialized-mutex.patch new file mode 100644 index 0000000000..2f03707dd6 --- /dev/null +++ b/queue-6.18/ntb-transport-fix-uninitialized-mutex.patch @@ -0,0 +1,37 @@ +From 4a0c73254115b8d016f765beb07638158ee70e5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jan 2026 14:09:33 -0700 +Subject: ntb: transport: Fix uninitialized mutex + +From: Dave Jiang + +[ Upstream commit 2ccb5e8dbcd2dedf13e0270165ac48bd79b7f673 ] + +When the mutex 'link_event_lock' was introduced, it was never +initialized and it triggers kernel warnings when used with locking +debug turned on. Add initialization for the mutex. + +Fixes: 3db835dd8f9a ("ntb: Add mutex to make link_event_callback executed linearly.") +Cc: fuyuanli +Signed-off-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/ntb_transport.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/ntb/ntb_transport.c b/drivers/ntb/ntb_transport.c +index eb875e3db2e3b..71d4bb25f7fdd 100644 +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -1394,6 +1394,7 @@ static int ntb_transport_probe(struct ntb_client *self, struct ntb_dev *ndev) + goto err2; + } + ++ mutex_init(&nt->link_event_lock); + INIT_DELAYED_WORK(&nt->link_work, ntb_transport_link_work); + INIT_WORK(&nt->link_cleanup, ntb_transport_link_cleanup_work); + +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-af-add-proper-checks-for-fwdata.patch b/queue-6.18/octeontx2-af-add-proper-checks-for-fwdata.patch new file mode 100644 index 0000000000..a99517e25d --- /dev/null +++ b/queue-6.18/octeontx2-af-add-proper-checks-for-fwdata.patch @@ -0,0 +1,66 @@ +From 7ada26ee634cffd6f9b27db1e7104fbf518e89c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:18:19 +0530 +Subject: Octeontx2-af: Add proper checks for fwdata + +From: Hariprasad Kelam + +[ Upstream commit 4a3dba48188208e4f66822800e042686784d29d1 ] + +firmware populates MAC address, link modes (supported, advertised) +and EEPROM data in shared firmware structure which kernel access +via MAC block(CGX/RPM). + +Accessing fwdata, on boards booted with out MAC block leading to +kernel panics. + +Internal error: Oops: 0000000096000005 [#1] SMP +[ 10.460721] Modules linked in: +[ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT +[ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT) +[ 10.479793] Workqueue: events work_for_cpu_fn +[ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 10.491124] pc : rvu_sdp_init+0x18/0x114 +[ 10.495051] lr : rvu_probe+0xe58/0x1d18 + +Fixes: 997814491cee ("Octeontx2-af: Fetch MAC channel info from firmware") +Fixes: 5f21226b79fd ("Octeontx2-pf: ethtool: support multi advertise mode") +Signed-off-by: Hariprasad Kelam +Link: https://patch.msgid.link/20260121094819.2566786-1-hkelam@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c | 3 +++ + drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c +index 3abd750a4bd74..3d91a34f8b57b 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_cgx.c +@@ -1222,6 +1222,9 @@ int rvu_mbox_handler_cgx_set_link_mode(struct rvu *rvu, + u8 cgx_idx, lmac; + void *cgxd; + ++ if (!rvu->fwdata) ++ return LMAC_AF_ERR_FIRMWARE_DATA_NOT_MAPPED; ++ + if (!is_cgx_config_permitted(rvu, req->hdr.pcifunc)) + return -EPERM; + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c +index e4a5f9fa6fd46..bbfd8231aed5c 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c +@@ -56,7 +56,7 @@ int rvu_sdp_init(struct rvu *rvu) + struct rvu_pfvf *pfvf; + u32 i = 0; + +- if (rvu->fwdata->channel_data.valid) { ++ if (rvu->fwdata && rvu->fwdata->channel_data.valid) { + sdp_pf_num[0] = 0; + pfvf = &rvu->pf[sdp_pf_num[0]]; + pfvf->sdp_info = &rvu->fwdata->channel_data.info; +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-af-fix-error-handling.patch b/queue-6.18/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..fc714721a7 --- /dev/null +++ b/queue-6.18/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From d42775b027197df95bffe7d103526524f5f26330 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 2d78e08f985f0..747fbdf2a908f 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1551,8 +1551,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1562,21 +1562,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1587,6 +1587,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1724,22 +1726,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1749,33 +1760,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-6.18/octeontx2-pf-update-xdp-features.patch b/queue-6.18/octeontx2-pf-update-xdp-features.patch new file mode 100644 index 0000000000..345f10f284 --- /dev/null +++ b/queue-6.18/octeontx2-pf-update-xdp-features.patch @@ -0,0 +1,40 @@ +From 4558f627e9e5d73380a7518ae2b1d91cb8f617cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 15:32:22 +0530 +Subject: Octeontx2-pf: Update xdp features + +From: Hariprasad Kelam + +[ Upstream commit cdf8de9c6bfe94508d251cb290ee66e34e6f3368 ] + +In recent testing, verification of XDP_REDIRECT and zero-copy features +failed because the driver is not setting the corresponding feature flags. + +Fixes: efabce290151 ("octeontx2-pf: AF_XDP zero copy receive support") +Fixes: 66c0e13ad236 ("drivers: net: turn on XDP features") +Signed-off-by: Hariprasad Kelam +Link: https://patch.msgid.link/20260119100222.2267925-1-hkelam@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index e808995703cfd..a7a7bc0e1b675 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -3255,7 +3255,9 @@ static int otx2_probe(struct pci_dev *pdev, const struct pci_device_id *id) + netdev->watchdog_timeo = OTX2_TX_TIMEOUT; + + netdev->netdev_ops = &otx2_netdev_ops; +- netdev->xdp_features = NETDEV_XDP_ACT_BASIC | NETDEV_XDP_ACT_REDIRECT; ++ netdev->xdp_features = NETDEV_XDP_ACT_BASIC | NETDEV_XDP_ACT_REDIRECT | ++ NETDEV_XDP_ACT_NDO_XMIT | ++ NETDEV_XDP_ACT_XSK_ZEROCOPY; + + netdev->min_mtu = OTX2_MIN_MTU; + netdev->max_mtu = otx2_get_max_mtu(pf); +-- +2.51.0 + diff --git a/queue-6.18/perf-fix-refcount-warning-on-event-mmap_count-increm.patch b/queue-6.18/perf-fix-refcount-warning-on-event-mmap_count-increm.patch new file mode 100644 index 0000000000..23a633f244 --- /dev/null +++ b/queue-6.18/perf-fix-refcount-warning-on-event-mmap_count-increm.patch @@ -0,0 +1,68 @@ +From 121985b975d5a6016e09bd7aa2a553bad779236d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 11:49:56 -0700 +Subject: perf: Fix refcount warning on event->mmap_count increment + +From: Will Rosenberg + +[ Upstream commit d06bf78e55d5159c1b00072e606ab924ffbbad35 ] + +When calling refcount_inc(&event->mmap_count) inside perf_mmap_rb(), the +following warning is triggered: + + refcount_t: addition on 0; use-after-free. + WARNING: lib/refcount.c:25 + +PoC: + + struct perf_event_attr attr = {0}; + int fd = syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0); + mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + int victim = syscall(__NR_perf_event_open, &attr, 0, -1, fd, + PERF_FLAG_FD_OUTPUT); + mmap(NULL, 0x3000, PROT_READ | PROT_WRITE, MAP_SHARED, victim, 0); + +This occurs when creating a group member event with the flag +PERF_FLAG_FD_OUTPUT. The group leader should be mmap-ed and then mmap-ing +the event triggers the warning. + +Since the event has copied the output_event in perf_event_set_output(), +event->rb is set. As a result, perf_mmap_rb() calls +refcount_inc(&event->mmap_count) when event->mmap_count = 0. + +Disallow the case when event->mmap_count = 0. This also prevents two +events from updating the same user_page. + +Fixes: 448f97fba901 ("perf: Convert mmap() refcounts to refcount_t") +Suggested-by: Peter Zijlstra +Signed-off-by: Will Rosenberg +Signed-off-by: Peter Zijlstra (Intel) +Link: https://patch.msgid.link/20260119184956.801238-1-whrosenb@asu.edu +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index d95f9dce018f4..df0717f4592a9 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -6996,6 +6996,15 @@ static int perf_mmap_rb(struct vm_area_struct *vma, struct perf_event *event, + if (data_page_nr(event->rb) != nr_pages) + return -EINVAL; + ++ /* ++ * If this event doesn't have mmap_count, we're attempting to ++ * create an alias of another event's mmap(); this would mean ++ * both events will end up scribbling the same user_page; ++ * which makes no sense. ++ */ ++ if (!refcount_read(&event->mmap_count)) ++ return -EBUSY; ++ + if (refcount_inc_not_zero(&event->rb->mmap_count)) { + /* + * Success -- managed to mmap() the same buffer +-- +2.51.0 + diff --git a/queue-6.18/platform-mellanox-fix-sn5640-sn5610-led-platform-dat.patch b/queue-6.18/platform-mellanox-fix-sn5640-sn5610-led-platform-dat.patch new file mode 100644 index 0000000000..f465aaab44 --- /dev/null +++ b/queue-6.18/platform-mellanox-fix-sn5640-sn5610-led-platform-dat.patch @@ -0,0 +1,42 @@ +From 47496ac4e3b39ca1c45f06b2c1a6469bf9b33591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Jan 2026 16:25:48 +0200 +Subject: platform/mellanox: Fix SN5640/SN5610 LED platform data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksandr Shamray + +[ Upstream commit 3113bcf4ccf06c938f0bc0c34cf6efe03278badc ] + +In SN5640/SN5610 platforms should be used XDR style LED data with +predefined slot index per led_fan. + +Fixes: 317bbe169c46 ("platform: mellanox: mlx-platform: Add support for new Nvidia system") + +Signed-off-by: Oleksandr Shamray +Reviewed-by: Vadim Pasternak +Link: https://patch.msgid.link/20260107142548.916556-1-oleksandrs@nvidia.com +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlx-platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/mellanox/mlx-platform.c b/drivers/platform/mellanox/mlx-platform.c +index d0df18be93c76..efd0c074ad937 100644 +--- a/drivers/platform/mellanox/mlx-platform.c ++++ b/drivers/platform/mellanox/mlx-platform.c +@@ -7381,7 +7381,7 @@ static int __init mlxplat_dmi_ng400_hi171_matched(const struct dmi_system_id *dm + mlxplat_hotplug = &mlxplat_mlxcpld_ng800_hi171_data; + mlxplat_hotplug->deferred_nr = + mlxplat_msn21xx_channels[MLXPLAT_CPLD_GRP_CHNL_NUM - 1]; +- mlxplat_led = &mlxplat_default_ng_led_data; ++ mlxplat_led = &mlxplat_xdr_led_data; + mlxplat_regs_io = &mlxplat_default_ng_regs_io_data; + mlxplat_fan = &mlxplat_xdr_fan_data; + +-- +2.51.0 + diff --git a/queue-6.18/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch b/queue-6.18/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch new file mode 100644 index 0000000000..88de98db79 --- /dev/null +++ b/queue-6.18/platform-x86-amd-fix-memory-leak-in-wbrf_record.patch @@ -0,0 +1,50 @@ +From ad977b2155786e8bf47a682f1d8ffa446adca08a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 09:13:17 +0000 +Subject: platform/x86/amd: Fix memory leak in wbrf_record() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zilin Guan + +[ Upstream commit 2bf1877b7094c684e1d652cac6912cfbc507ad3e ] + +The tmp buffer is allocated using kcalloc() but is not freed if +acpi_evaluate_dsm() fails. This causes a memory leak in the error path. + +Fix this by explicitly freeing the tmp buffer in the error handling +path of acpi_evaluate_dsm(). + +Fixes: 58e82a62669d ("platform/x86/amd: Add support for AMD ACPI based Wifi band RFI mitigation feature") +Suggested-by: Ilpo Järvinen +Co-developed-by: Jianhao Xu +Signed-off-by: Jianhao Xu +Signed-off-by: Zilin Guan +Link: https://patch.msgid.link/20260106091318.747019-1-zilin@seu.edu.cn +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/amd/wbrf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/amd/wbrf.c b/drivers/platform/x86/amd/wbrf.c +index dd197b3aebe06..0f58d252b620a 100644 +--- a/drivers/platform/x86/amd/wbrf.c ++++ b/drivers/platform/x86/amd/wbrf.c +@@ -104,8 +104,10 @@ static int wbrf_record(struct acpi_device *adev, uint8_t action, struct wbrf_ran + obj = acpi_evaluate_dsm(adev->handle, &wifi_acpi_dsm_guid, + WBRF_REVISION, WBRF_RECORD, &argv4); + +- if (!obj) ++ if (!obj) { ++ kfree(tmp); + return -EINVAL; ++ } + + if (obj->type != ACPI_TYPE_INTEGER) { + ret = -EINVAL; +-- +2.51.0 + diff --git a/queue-6.18/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-6.18/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..c3261a6f9f --- /dev/null +++ b/queue-6.18/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From f5b1dff2b65aa14ec0edb85e00c2d1029e70dcb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index ce9be3989a218..ae2215d4e61c3 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-6.18/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch b/queue-6.18/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch new file mode 100644 index 0000000000..3fc9cd19eb --- /dev/null +++ b/queue-6.18/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch @@ -0,0 +1,57 @@ +From 7150cde36cc784efc9c51b7374de7bde58039c3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 22:59:36 +0900 +Subject: riscv: clocksource: Fix stimecmp update hazard on RV32 + +From: Naohiko Shimizu + +[ Upstream commit eaa9bb1d39d59e7c17b06cec12622b7c586ab629 ] + +On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two +separate 32-bit writes. A race condition exists if the timer triggers +during these two writes. + +The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp) +recommends a specific 3-step sequence to avoid spurious interrupts +when updating 64-bit comparison registers on 32-bit systems: + +1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX). +2. Set the high-order bits (stimecmph) to the desired value. +3. Set the low-order bits (stimecmp) to the desired value. + +Current implementation writes the LSB first without ensuring a future +value, which may lead to a transient state where the 64-bit comparison +is incorrectly evaluated as "expired" by the hardware. This results in +spurious timer interrupts. + +This patch adopts the spec-recommended 3-step sequence to ensure the +intermediate 64-bit state is never smaller than the current time. + +Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available") +Signed-off-by: Naohiko Shimizu +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20260104135938.524-2-naohiko.shimizu@gmail.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-riscv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c +index 4d7cf338824a3..cfc4d83c42c03 100644 +--- a/drivers/clocksource/timer-riscv.c ++++ b/drivers/clocksource/timer-riscv.c +@@ -50,8 +50,9 @@ static int riscv_clock_next_event(unsigned long delta, + + if (static_branch_likely(&riscv_sstc_available)) { + #if defined(CONFIG_32BIT) +- csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); ++ csr_write(CSR_STIMECMP, ULONG_MAX); + csr_write(CSR_STIMECMPH, next_tval >> 32); ++ csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); + #else + csr_write(CSR_STIMECMP, next_tval); + #endif +-- +2.51.0 + diff --git a/queue-6.18/riscv-suspend-fix-stimecmp-update-hazard-on-rv32.patch b/queue-6.18/riscv-suspend-fix-stimecmp-update-hazard-on-rv32.patch new file mode 100644 index 0000000000..c25611001c --- /dev/null +++ b/queue-6.18/riscv-suspend-fix-stimecmp-update-hazard-on-rv32.patch @@ -0,0 +1,59 @@ +From 095ab15b17bfdb9ac8356563cfd97cc4ff25b236 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 22:59:38 +0900 +Subject: riscv: suspend: Fix stimecmp update hazard on RV32 + +From: Naohiko Shimizu + +[ Upstream commit 344c5281f43851b22c7cc223fd0250c143fcbc79 ] + +On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two +separate 32-bit writes. A race condition exists if the timer triggers +during these two writes. + +The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp) +recommends a specific 3-step sequence to avoid spurious interrupts +when updating 64-bit comparison registers on 32-bit systems: + +1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX). +2. Set the high-order bits (stimecmph) to the desired value. +3. Set the low-order bits (stimecmp) to the desired value. + +Current implementation writes the LSB first without ensuring a future +value, which may lead to a transient state where the 64-bit comparison +is incorrectly evaluated as "expired" by the hardware. This results in +spurious timer interrupts. + +This patch adopts the spec-recommended 3-step sequence to ensure the +intermediate 64-bit state is never smaller than the current time. + +Fixes: ffef54ad4110 ("riscv: Add stimecmp save and restore") +Signed-off-by: Naohiko Shimizu +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20260104135938.524-4-naohiko.shimizu@gmail.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/suspend.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/riscv/kernel/suspend.c b/arch/riscv/kernel/suspend.c +index 24b3f57d467f8..aff93090c4efc 100644 +--- a/arch/riscv/kernel/suspend.c ++++ b/arch/riscv/kernel/suspend.c +@@ -51,10 +51,11 @@ void suspend_restore_csrs(struct suspend_context *context) + + #ifdef CONFIG_MMU + if (riscv_has_extension_unlikely(RISCV_ISA_EXT_SSTC)) { +- csr_write(CSR_STIMECMP, context->stimecmp); + #if __riscv_xlen < 64 ++ csr_write(CSR_STIMECMP, ULONG_MAX); + csr_write(CSR_STIMECMPH, context->stimecmph); + #endif ++ csr_write(CSR_STIMECMP, context->stimecmp); + } + + csr_write(CSR_SATP, context->satp); +-- +2.51.0 + diff --git a/queue-6.18/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch b/queue-6.18/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch new file mode 100644 index 0000000000..1edafe0179 --- /dev/null +++ b/queue-6.18/sched-fair-fix-pelt-clock-sync-when-entering-idle.patch @@ -0,0 +1,71 @@ +From 507f8b4358b6cf530ee7f4b0b72013a7e50c04fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 17:33:17 +0100 +Subject: sched/fair: Fix pelt clock sync when entering idle + +From: Vincent Guittot + +[ Upstream commit 98c88dc8a1ace642d9021b103b28cba7b51e3abc ] + +Samuel and Alex reported regressions of the util_avg of RT rq with +commit 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection"). +It happens that fair is updating and syncing the pelt clock with task one +when pick_next_task_fair() fails to pick a task but before the prev +scheduling class got a chance to update its pelt signals. + +Move update_idle_rq_clock_pelt() in set_next_task_idle() which is called +after prev class has been called. + +Fixes: 17e3e88ed0b6 ("sched/fair: Fix pelt lost idle time detection") +Closes: https://lore.kernel.org/all/CAG2KctpO6VKS6GN4QWDji0t92_gNBJ7HjjXrE+6H+RwRXt=iLg@mail.gmail.com/ +Closes: https://lore.kernel.org/all/8cf19bf0e0054dcfed70e9935029201694f1bb5a.camel@mediatek.com/ +Reported-by: Samuel Wu +Reported-by: Alex Hoh +Signed-off-by: Vincent Guittot +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Samuel Wu +Tested-by: Alex Hoh +Link: https://patch.msgid.link/20260121163317.505635-1-vincent.guittot@linaro.org +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 6 ------ + kernel/sched/idle.c | 6 ++++++ + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d1206f81f8b2e..f0c7c94421bea 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -8901,12 +8901,6 @@ pick_next_task_fair(struct rq *rq, struct task_struct *prev, struct rq_flags *rf + goto again; + } + +- /* +- * rq is about to be idle, check if we need to update the +- * lost_idle_time of clock_pelt +- */ +- update_idle_rq_clock_pelt(rq); +- + return NULL; + } + +diff --git a/kernel/sched/idle.c b/kernel/sched/idle.c +index c39b089d4f09b..ac9690805be4f 100644 +--- a/kernel/sched/idle.c ++++ b/kernel/sched/idle.c +@@ -464,6 +464,12 @@ static void set_next_task_idle(struct rq *rq, struct task_struct *next, bool fir + scx_update_idle(rq, true, true); + schedstat_inc(rq->sched_goidle); + next->se.exec_start = rq_clock_task(rq); ++ ++ /* ++ * rq is about to be idle, check if we need to update the ++ * lost_idle_time of clock_pelt ++ */ ++ update_idle_rq_clock_pelt(rq); + } + + struct task_struct *pick_task_idle(struct rq *rq) +-- +2.51.0 + diff --git a/queue-6.18/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-6.18/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..d9367617c8 --- /dev/null +++ b/queue-6.18/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 30db0ec42bd372dddf370c46a33a17dcea69274c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 830429483319a..2fd4ca96b3089 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -282,11 +282,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index d7e42293b8645..7ddb73cd6d9fe 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -376,6 +376,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-6.18/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch b/queue-6.18/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch new file mode 100644 index 0000000000..b1a3e36412 --- /dev/null +++ b/queue-6.18/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch @@ -0,0 +1,61 @@ +From 5c976f8febf61680009c9833858d6d6f5a3edff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 20:53:44 +0000 +Subject: scsi: qla2xxx: Sanitize payload size to prevent member overflow + +From: Jiasheng Jiang + +[ Upstream commit 19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 ] + +In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size +reported by firmware is used to calculate the copy length into +item->iocb. However, the iocb member is defined as a fixed-size 64-byte +array within struct purex_item. + +If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will +overflow the iocb member boundary. While extra memory might be allocated, +this cross-member write is unsafe and triggers warnings under +CONFIG_FORTIFY_SOURCE. + +Fix this by capping total_bytes to the size of the iocb member (64 bytes) +before allocation and copying. This ensures all copies remain within the +bounds of the destination structure member. + +Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index a3971afc2dd1e..a04a5aa0d0057 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, void **pkt, + payload_size = sizeof(purex->els_frame_payload); + } + ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + no_bytes = (pending_bytes > payload_size) ? payload_size : + pending_bytes; +@@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, void **pkt, + + total_bytes = (le16_to_cpu(purex->frame_size) & 0x0FFF) + - PURX_ELS_HEADER_SIZE; ++ ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + entry_count = entry_count_remaining = purex->entry_count; + no_bytes = (pending_bytes > sizeof(purex->els_frame_payload)) ? +-- +2.51.0 + diff --git a/queue-6.18/selftests-net-amt-wait-longer-for-connection-before-.patch b/queue-6.18/selftests-net-amt-wait-longer-for-connection-before-.patch new file mode 100644 index 0000000000..ce79b21165 --- /dev/null +++ b/queue-6.18/selftests-net-amt-wait-longer-for-connection-before-.patch @@ -0,0 +1,63 @@ +From c4b29037df42969f7b482b80dde78b52f4cf9fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:39:30 +0000 +Subject: selftests: net: amt: wait longer for connection before sending + packets + +From: Taehee Yoo + +[ Upstream commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 ] + +Both send_mcast4() and send_mcast6() use sleep 2 to wait for the tunnel +connection between the gateway and the relay, and for the listener +socket to be created in the LISTENER namespace. + +However, tests sometimes fail because packets are sent before the +connection is fully established. + +Increase the waiting time to make the tests more reliable, and use +wait_local_port_listen() to explicitly wait for the listener socket. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Signed-off-by: Taehee Yoo +Link: https://patch.msgid.link/20260120133930.863845-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index 3ef209cacb8ed..663744305e521 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -73,6 +73,8 @@ + # +------------------------+ + #============================================================================== + ++source lib.sh ++ + readonly LISTENER=$(mktemp -u listener-XXXXXXXX) + readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX) + readonly RELAY=$(mktemp -u relay-XXXXXXXX) +@@ -246,14 +248,15 @@ test_ipv6_forward() + + send_mcast4() + { +- sleep 2 ++ sleep 5 ++ wait_local_port_listen ${LISTENER} 4000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { +- sleep 2 ++ wait_local_port_listen ${LISTENER} 6000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } +-- +2.51.0 + diff --git a/queue-6.18/selftests-ublk-fix-error-handling-for-starting-devic.patch b/queue-6.18/selftests-ublk-fix-error-handling-for-starting-devic.patch new file mode 100644 index 0000000000..9e70f99c61 --- /dev/null +++ b/queue-6.18/selftests-ublk-fix-error-handling-for-starting-devic.patch @@ -0,0 +1,54 @@ +From c29fecddcc7b7835abe6c9bdbb7d7bdac5382272 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:58:01 +0800 +Subject: selftests/ublk: fix error handling for starting device + +From: Ming Lei + +[ Upstream commit 23e62cf75518825aac12e9a22bdc40f062428898 ] + +Fix error handling in ublk_start_daemon() when start_dev fails: + +1. Call ublk_ctrl_stop_dev() to cancel inflight uring_cmd before + cleanup. Without this, the device deletion may hang waiting for + I/O completion that will never happen. + +2. Add fail_start label so that pthread_join() is called on the + error path. This ensures proper thread cleanup when startup fails. + +Fixes: 6aecda00b7d1 ("selftests: ublk: add kernel selftests for ublk") +Signed-off-by: Ming Lei +Reviewed-by: Caleb Sander Mateos +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ublk/kublk.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/ublk/kublk.c b/tools/testing/selftests/ublk/kublk.c +index 0e863d13eaee4..9c05f046ad5ee 100644 +--- a/tools/testing/selftests/ublk/kublk.c ++++ b/tools/testing/selftests/ublk/kublk.c +@@ -1002,7 +1002,9 @@ static int ublk_start_daemon(const struct dev_ctx *ctx, struct ublk_dev *dev) + } + if (ret < 0) { + ublk_err("%s: ublk_ctrl_start_dev failed: %d\n", __func__, ret); +- goto fail; ++ /* stop device so that inflight uring_cmd can be cancelled */ ++ ublk_ctrl_stop_dev(dev); ++ goto fail_start; + } + + ublk_ctrl_get_info(dev); +@@ -1010,7 +1012,7 @@ static int ublk_start_daemon(const struct dev_ctx *ctx, struct ublk_dev *dev) + ublk_ctrl_dump(dev); + else + ublk_send_dev_event(ctx, dev, dev->dev_info.dev_id); +- ++fail_start: + /* wait until we are terminated */ + for (i = 0; i < dev->nthreads; i++) + pthread_join(dev->threads[i].thread, &thread_ret); +-- +2.51.0 + diff --git a/queue-6.18/selftests-ublk-fix-garbage-output-in-foreground-mode.patch b/queue-6.18/selftests-ublk-fix-garbage-output-in-foreground-mode.patch new file mode 100644 index 0000000000..244c267023 --- /dev/null +++ b/queue-6.18/selftests-ublk-fix-garbage-output-in-foreground-mode.patch @@ -0,0 +1,49 @@ +From 5347e548afb3409f396eb1d8bbc51b0052af4307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:58:02 +0800 +Subject: selftests/ublk: fix garbage output in foreground mode + +From: Ming Lei + +[ Upstream commit e7e1cc18f120a415646be12470169a978a1adcd9 ] + +Initialize _evtfd to -1 in struct dev_ctx to prevent garbage output +when running kublk in foreground mode. Without this, _evtfd is +zero-initialized to 0 (stdin), and ublk_send_dev_event() writes +binary data to stdin which appears as garbage on the terminal. + +Also fix debug message format string. + +Fixes: 6aecda00b7d1 ("selftests: ublk: add kernel selftests for ublk") +Signed-off-by: Ming Lei +Reviewed-by: Caleb Sander Mateos +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ublk/kublk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ublk/kublk.c b/tools/testing/selftests/ublk/kublk.c +index 9c05f046ad5ee..cbd23444c8a98 100644 +--- a/tools/testing/selftests/ublk/kublk.c ++++ b/tools/testing/selftests/ublk/kublk.c +@@ -1221,7 +1221,7 @@ static int __cmd_dev_add(const struct dev_ctx *ctx) + } + + ret = ublk_start_daemon(ctx, dev); +- ublk_dbg(UBLK_DBG_DEV, "%s: daemon exit %d\b", ret); ++ ublk_dbg(UBLK_DBG_DEV, "%s: daemon exit %d\n", __func__, ret); + if (ret < 0) + ublk_ctrl_del_dev(dev); + +@@ -1566,6 +1566,7 @@ int main(int argc, char *argv[]) + int option_idx, opt; + const char *cmd = argv[1]; + struct dev_ctx ctx = { ++ ._evtfd = -1, + .queue_depth = 128, + .nr_hw_queues = 2, + .dev_id = -1, +-- +2.51.0 + diff --git a/queue-6.18/selftests-ublk-fix-io-thread-idle-check.patch b/queue-6.18/selftests-ublk-fix-io-thread-idle-check.patch new file mode 100644 index 0000000000..db44475c24 --- /dev/null +++ b/queue-6.18/selftests-ublk-fix-io-thread-idle-check.patch @@ -0,0 +1,37 @@ +From 575b9d74968e8299e4b895ca3ceb66bfcdda4383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 16:58:00 +0800 +Subject: selftests/ublk: fix IO thread idle check + +From: Ming Lei + +[ Upstream commit 75aad5ffe099a1b1a342257236dc260493917ed2 ] + +Include cmd_inflight in ublk_thread_is_done() check. Without this, +the thread may exit before all FETCH commands are completed, which +may cause device deletion to hang. + +Fixes: 6aecda00b7d1 ("selftests: ublk: add kernel selftests for ublk") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/ublk/kublk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ublk/kublk.c b/tools/testing/selftests/ublk/kublk.c +index 6b8123c12a7ae..0e863d13eaee4 100644 +--- a/tools/testing/selftests/ublk/kublk.c ++++ b/tools/testing/selftests/ublk/kublk.c +@@ -718,7 +718,7 @@ static int ublk_thread_is_idle(struct ublk_thread *t) + + static int ublk_thread_is_done(struct ublk_thread *t) + { +- return (t->state & UBLKS_T_STOPPING) && ublk_thread_is_idle(t); ++ return (t->state & UBLKS_T_STOPPING) && ublk_thread_is_idle(t) && !t->cmd_inflight; + } + + static inline void ublksrv_handle_tgt_cqe(struct ublk_thread *t, +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 00a0a1265d..5c9640c27f 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -79,3 +79,73 @@ mm-restore-per-memcg-proactive-reclaim-with-config_numa.patch timekeeping-adjust-the-leap-state-for-the-correct-auxiliary-timekeeper.patch io_uring-io-wq-check-io_wq_bit_exit-inside-work-run-loop.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +iio-adc-ad7606-fix-incorrect-type-for-error-return-v.patch +interconnect-debugfs-initialize-src_node-and-dst_nod.patch +spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +kconfig-fix-static-linking-of-nconf.patch +riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch +riscv-suspend-fix-stimecmp-update-hazard-on-rv32.patch +platform-mellanox-fix-sn5640-sn5610-led-platform-dat.patch +platform-x86-amd-fix-memory-leak-in-wbrf_record.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +ntb-transport-fix-uninitialized-mutex.patch +iommu-amd-fix-error-path-in-amd_iommu_probe_device.patch +drm-xe-xe_late_bind_fw-fix-enum-xe_late_bind_fw_id-k.patch +drm-xe-vm-fix-xe_vm_validation_exec-kernel-doc.patch +drm-xe-disable-timestamp-wa-on-vfs.patch +drm-mediatek-dpi-find-next-bridge-during-probe.patch +drm-imagination-wait-for-fw-trace-update-command-com.patch +vsock-test-do-not-filter-kallsyms-by-symbol-type.patch +netdevsim-fix-a-race-issue-related-to-the-operation-.patch +ice-fix-persistent-failure-in-ice_get_rxfh.patch +ice-add-missing-ice_deinit_hw-in-devlink-reinit-path.patch +ice-fix-devlink-reload-call-trace.patch +idpf-read-lower-clock-bits-inside-the-time-sandwich.patch +net-phy-intel-xway-fix-of-node-refcount-leakage.patch +net-hns3-fix-data-race-in-hns3_fetch_stats.patch +idpf-fix-data-race-in-idpf_net_dim.patch +be2net-fix-data-race-in-be_get_new_eqd.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +ipv6-annotate-data-race-in-ndisc_router_discovery.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +octeontx2-pf-update-xdp-features.patch +clocksource-reduce-watchdog-readout-delay-limit-to-p.patch +drm-xe-uapi-disallow-bind-queue-sharing.patch +drm-xe-migrate-fix-job-lock-assert.patch +drm-xe-pm-add-scope-based-cleanup-helper-for-runtime.patch +drm-xe-update-wedged.mode-only-after-successful-rese.patch +ublk-fix-ublksrv-pid-handling-for-pid-namespaces.patch +selftests-ublk-fix-io-thread-idle-check.patch +selftests-ublk-fix-error-handling-for-starting-devic.patch +selftests-ublk-fix-garbage-output-in-foreground-mode.patch +perf-fix-refcount-warning-on-event-mmap_count-increm.patch +sched-fair-fix-pelt-clock-sync-when-entering-idle.patch +drm-amd-pm-fix-si_dpm-mmcg_thermal_int-setting.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +drm-amdgpu-fix-type-for-wptr-in-ring-backup.patch +drm-nouveau-add-missing-dcb-connector-types.patch +drm-nouveau-implement-missing-dcb-connector-types-gr.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +selftests-net-amt-wait-longer-for-connection-before-.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +net-bcmasp-fix-network-filter-wake-for-asp-3.0.patch +net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch +net-pcs-pcs-mtk-lynxi-report-in-band-capability-for-.patch +octeontx2-af-fix-error-handling.patch +net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch +vsock-virtio-fix-potential-underflow-in-virtio_trans.patch +vsock-test-fix-seqpacket-message-bounds-test.patch +vsock-virtio-cap-tx-credit-to-local-buffer-size.patch +hinic3-fix-netif_queue_set_napi-queue_index-input-pa.patch +net-sched-act_ife-avoid-possible-null-deref.patch +dpll-prevent-duplicate-registrations.patch +octeontx2-af-add-proper-checks-for-fwdata.patch +x86-make-page-fault-handling-disable-interrupts-prop.patch +keys-trusted_keys-fix-handle-passed-to-tpm_buf_appen.patch diff --git a/queue-6.18/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch b/queue-6.18/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch new file mode 100644 index 0000000000..fd3737e272 --- /dev/null +++ b/queue-6.18/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch @@ -0,0 +1,113 @@ +From d3ce55eb70677ef1122b7f18fea43fc151cd4548 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:49:53 +0800 +Subject: spi: spi-sprd-adi: Fix double free in probe error path + +From: Felix Gu + +[ Upstream commit 383d4f5cffcc8df930d95b06518a9d25a6d74aac ] + +The driver currently uses spi_alloc_host() to allocate the controller +but registers it using devm_spi_register_controller(). + +If devm_register_restart_handler() fails, the code jumps to the +put_ctlr label and calls spi_controller_put(). However, since the +controller was registered via a devm function, the device core will +automatically call spi_controller_put() again when the probe fails. +This results in a double-free of the spi_controller structure. + +Fix this by switching to devm_spi_alloc_host() and removing the +manual spi_controller_put() call. + +Fixes: ac17750 ("spi: sprd: Add the support of restarting the system") +Signed-off-by: Felix Gu +Reviewed-by: Baolin Wang +Link: https://patch.msgid.link/tencent_AC7D389CE7E24318445E226F7CDCCC2F0D07@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 262c11d977ea3..f25b34a91756f 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -528,7 +528,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +@@ -536,10 +536,8 @@ static int sprd_adi_probe(struct platform_device *pdev) + sadi = spi_controller_get_devdata(ctlr); + + sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +- if (IS_ERR(sadi->base)) { +- ret = PTR_ERR(sadi->base); +- goto put_ctlr; +- } ++ if (IS_ERR(sadi->base)) ++ return PTR_ERR(sadi->base); + + sadi->slave_vbase = (unsigned long)sadi->base + + data->slave_offset; +@@ -551,18 +549,15 @@ static int sprd_adi_probe(struct platform_device *pdev) + if (ret > 0 || (IS_ENABLED(CONFIG_HWSPINLOCK) && ret == 0)) { + sadi->hwlock = + devm_hwspin_lock_request_specific(&pdev->dev, ret); +- if (!sadi->hwlock) { +- ret = -ENXIO; +- goto put_ctlr; +- } ++ if (!sadi->hwlock) ++ return -ENXIO; + } else { + switch (ret) { + case -ENOENT: + dev_info(&pdev->dev, "no hardware spinlock supplied\n"); + break; + default: +- dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); +- goto put_ctlr; ++ return dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); + } + } + +@@ -579,26 +574,18 @@ static int sprd_adi_probe(struct platform_device *pdev) + ctlr->transfer_one = sprd_adi_transfer_one; + + ret = devm_spi_register_controller(&pdev->dev, ctlr); +- if (ret) { +- dev_err(&pdev->dev, "failed to register SPI controller\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register SPI controller\n"); + + if (sadi->data->restart) { + ret = devm_register_restart_handler(&pdev->dev, + sadi->data->restart, + sadi); +- if (ret) { +- dev_err(&pdev->dev, "can not register restart handler\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "can not register restart handler\n"); + } + + return 0; +- +-put_ctlr: +- spi_controller_put(ctlr); +- return ret; + } + + static struct sprd_adi_data sc9860_data = { +-- +2.51.0 + diff --git a/queue-6.18/ublk-fix-ublksrv-pid-handling-for-pid-namespaces.patch b/queue-6.18/ublk-fix-ublksrv-pid-handling-for-pid-namespaces.patch new file mode 100644 index 0000000000..f3f42099f3 --- /dev/null +++ b/queue-6.18/ublk-fix-ublksrv-pid-handling-for-pid-namespaces.patch @@ -0,0 +1,125 @@ +From 790e51ac25b892cbe39eae32ece3b8818b6886e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jan 2026 18:59:52 -0800 +Subject: ublk: fix ublksrv pid handling for pid namespaces +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Seamus Connor + +[ Upstream commit 47bdf1d29caec7207b7f112230055db36602dfc0 ] + +When ublksrv runs inside a pid namespace, START/END_RECOVERY compared +the stored init-ns tgid against the userspace pid (getpid vnr), so the +check failed and control ops could not proceed. Compare against the +caller’s init-ns tgid and store that value, then translate it back to +the caller’s pid namespace when reporting GET_DEV_INFO so ublk list +shows a sensible pid. + +Testing: start/recover in a pid namespace; `ublk list` shows +reasonable pid values in init, child, and sibling namespaces. + +Fixes: c2c8089f325e ("ublk: validate ublk server pid") +Signed-off-by: Seamus Connor +Reviewed-by: Caleb Sander Mateos +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ublk_drv.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c +index e09c1b5999b75..4b6d7b785d7b3 100644 +--- a/drivers/block/ublk_drv.c ++++ b/drivers/block/ublk_drv.c +@@ -2954,6 +2954,15 @@ static struct ublk_device *ublk_get_device_from_id(int idx) + return ub; + } + ++static bool ublk_validate_user_pid(struct ublk_device *ub, pid_t ublksrv_pid) ++{ ++ rcu_read_lock(); ++ ublksrv_pid = pid_nr(find_vpid(ublksrv_pid)); ++ rcu_read_unlock(); ++ ++ return ub->ublksrv_tgid == ublksrv_pid; ++} ++ + static int ublk_ctrl_start_dev(struct ublk_device *ub, + const struct ublksrv_ctrl_cmd *header) + { +@@ -3022,7 +3031,7 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, + if (wait_for_completion_interruptible(&ub->completion) != 0) + return -EINTR; + +- if (ub->ublksrv_tgid != ublksrv_pid) ++ if (!ublk_validate_user_pid(ub, ublksrv_pid)) + return -EINVAL; + + mutex_lock(&ub->mutex); +@@ -3041,7 +3050,7 @@ static int ublk_ctrl_start_dev(struct ublk_device *ub, + disk->fops = &ub_fops; + disk->private_data = ub; + +- ub->dev_info.ublksrv_pid = ublksrv_pid; ++ ub->dev_info.ublksrv_pid = ub->ublksrv_tgid; + ub->ub_disk = disk; + + ublk_apply_params(ub); +@@ -3389,12 +3398,32 @@ static int ublk_ctrl_stop_dev(struct ublk_device *ub) + static int ublk_ctrl_get_dev_info(struct ublk_device *ub, + const struct ublksrv_ctrl_cmd *header) + { ++ struct task_struct *p; ++ struct pid *pid; ++ struct ublksrv_ctrl_dev_info dev_info; ++ pid_t init_ublksrv_tgid = ub->dev_info.ublksrv_pid; + void __user *argp = (void __user *)(unsigned long)header->addr; + + if (header->len < sizeof(struct ublksrv_ctrl_dev_info) || !header->addr) + return -EINVAL; + +- if (copy_to_user(argp, &ub->dev_info, sizeof(ub->dev_info))) ++ memcpy(&dev_info, &ub->dev_info, sizeof(dev_info)); ++ dev_info.ublksrv_pid = -1; ++ ++ if (init_ublksrv_tgid > 0) { ++ rcu_read_lock(); ++ pid = find_pid_ns(init_ublksrv_tgid, &init_pid_ns); ++ p = pid_task(pid, PIDTYPE_TGID); ++ if (p) { ++ int vnr = task_tgid_vnr(p); ++ ++ if (vnr) ++ dev_info.ublksrv_pid = vnr; ++ } ++ rcu_read_unlock(); ++ } ++ ++ if (copy_to_user(argp, &dev_info, sizeof(dev_info))) + return -EFAULT; + + return 0; +@@ -3539,7 +3568,7 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub, + pr_devel("%s: All FETCH_REQs received, dev id %d\n", __func__, + header->dev_id); + +- if (ub->ublksrv_tgid != ublksrv_pid) ++ if (!ublk_validate_user_pid(ub, ublksrv_pid)) + return -EINVAL; + + mutex_lock(&ub->mutex); +@@ -3550,7 +3579,7 @@ static int ublk_ctrl_end_recovery(struct ublk_device *ub, + ret = -EBUSY; + goto out_unlock; + } +- ub->dev_info.ublksrv_pid = ublksrv_pid; ++ ub->dev_info.ublksrv_pid = ub->ublksrv_tgid; + ub->dev_info.state = UBLK_S_DEV_LIVE; + pr_devel("%s: new ublksrv_pid %d, dev id %d\n", + __func__, ublksrv_pid, header->dev_id); +-- +2.51.0 + diff --git a/queue-6.18/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-6.18/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..ad47307919 --- /dev/null +++ b/queue-6.18/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From 9cd9f3dace5ea2df85c87b55c91beeb023f36cf0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 697cd9d866d3d..ab5ded8f38cf8 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1803,9 +1803,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-6.18/vsock-test-do-not-filter-kallsyms-by-symbol-type.patch b/queue-6.18/vsock-test-do-not-filter-kallsyms-by-symbol-type.patch new file mode 100644 index 0000000000..1183a1c0e6 --- /dev/null +++ b/queue-6.18/vsock-test-do-not-filter-kallsyms-by-symbol-type.patch @@ -0,0 +1,54 @@ +From 7a991e16405e82d304c262ad4a1ed01bf8c1dad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 09:52:36 +0100 +Subject: vsock/test: Do not filter kallsyms by symbol type + +From: Michal Luczaj + +[ Upstream commit 5d54aa40c7b7e9dee5746cca99e9ddbcca13e895 ] + +Blamed commit implemented logic to discover available vsock transports by +grepping /proc/kallsyms for known symbols. It incorrectly filtered entries +by type 'd'. + +For some kernel configs having + + CONFIG_VIRTIO_VSOCKETS=m + CONFIG_VSOCKETS_LOOPBACK=y + +kallsyms reports + + 0000000000000000 d virtio_transport [vmw_vsock_virtio_transport] + 0000000000000000 t loopback_transport + +Overzealous filtering might have affected vsock test suit, resulting in +insufficient/misleading testing. + +Do not filter symbols by type. It never helped much. + +Fixes: 3070c05b7afd ("vsock/test: Introduce get_transports()") +Signed-off-by: Michal Luczaj +Reviewed-by: Stefano Garzarella +Link: https://patch.msgid.link/20260116-vsock_test-kallsyms-grep-v1-1-3320bc3346f2@rbox.co +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/vsock/util.h b/tools/testing/vsock/util.h +index 142c02a6834ac..bf633cde82b07 100644 +--- a/tools/testing/vsock/util.h ++++ b/tools/testing/vsock/util.h +@@ -25,7 +25,7 @@ enum transport { + }; + + static const char * const transport_ksyms[] = { +- #define x(name, symbol) "d " symbol "_transport", ++ #define x(name, symbol) " " symbol "_transport", + KNOWN_TRANSPORTS(x) + #undef x + }; +-- +2.51.0 + diff --git a/queue-6.18/vsock-test-fix-seqpacket-message-bounds-test.patch b/queue-6.18/vsock-test-fix-seqpacket-message-bounds-test.patch new file mode 100644 index 0000000000..303494e3a5 --- /dev/null +++ b/queue-6.18/vsock-test-fix-seqpacket-message-bounds-test.patch @@ -0,0 +1,61 @@ +From b180cb5dce3a1c66d4ada90e6719917c1ed6f002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:26 +0100 +Subject: vsock/test: fix seqpacket message bounds test + +From: Stefano Garzarella + +[ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ] + +The test requires the sender (client) to send all messages before waking +up the receiver (server). +Since virtio-vsock had a bug and did not respect the size of the TX +buffer, this test worked, but now that we are going to fix the bug, the +test hangs because the sender would fill the TX buffer before waking up +the receiver. + +Set the buffer size in the sender (client) as well, as we already do for +the receiver (server). + +Fixes: 5c338112e48a ("test/vsock: rework message bounds test") +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/vsock_test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c +index d4517386e551e..667f6f0ad6afa 100644 +--- a/tools/testing/vsock/vsock_test.c ++++ b/tools/testing/vsock/vsock_test.c +@@ -351,6 +351,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts) + + static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + { ++ unsigned long long sock_buf_size; + unsigned long curr_hash; + size_t max_msg_size; + int page_size; +@@ -363,6 +364,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + exit(EXIT_FAILURE); + } + ++ sock_buf_size = SOCK_BUF_SIZE; ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)"); ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)"); ++ + /* Wait, until receiver sets buffer size. */ + control_expectln("SRVREADY"); + +-- +2.51.0 + diff --git a/queue-6.18/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch b/queue-6.18/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch new file mode 100644 index 0000000000..3a5bf42aed --- /dev/null +++ b/queue-6.18/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch @@ -0,0 +1,128 @@ +From 3fe19b282c7f64763db246de3b6f57b87e58aedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:27 +0100 +Subject: vsock/virtio: cap TX credit to local buffer size + +From: Melbin K Mathew + +[ Upstream commit 8ee784fdf006cbe8739cfa093f54d326cbf54037 ] + +The virtio transports derives its TX credit directly from peer_buf_alloc, +which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. + +On the host side this means that the amount of data we are willing to +queue for a connection is scaled by a guest-chosen buffer size, rather +than the host's own vsock configuration. A malicious guest can advertise +a large buffer and read slowly, causing the host to allocate a +correspondingly large amount of sk_buff memory. +The same thing would happen in the guest with a malicious host, since +virtio transports share the same code base. + +Introduce a small helper, virtio_transport_tx_buf_size(), that +returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume +peer_buf_alloc. + +This ensures the effective TX window is bounded by both the peer's +advertised buffer and our own buf_alloc (already clamped to +buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer +cannot force the other to queue more data than allowed by its own +vsock settings. + +On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with +32 guest vsock connections advertising 2 GiB each and reading slowly +drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only +recovered after killing the QEMU process. That said, if QEMU memory is +limited with cgroups, the maximum memory used will be limited. + +With this patch applied: + + Before: + MemFree: ~61.6 GiB + Slab: ~142 MiB + SUnreclaim: ~117 MiB + + After 32 high-credit connections: + MemFree: ~61.5 GiB + Slab: ~178 MiB + SUnreclaim: ~152 MiB + +Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest +remains responsive. + +Compatibility with non-virtio transports: + + - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per + socket based on the local vsk->buffer_* values; the remote side + cannot enlarge those queues beyond what the local endpoint + configured. + + - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and + an MTU bound; there is no peer-controlled credit field comparable + to peer_buf_alloc, and the remote endpoint cannot drive in-flight + kernel memory above those ring sizes. + + - The loopback path reuses virtio_transport_common.c, so it + naturally follows the same semantics as the virtio transport. + +This change is limited to virtio_transport_common.c and thus affects +virtio-vsock, vhost-vsock, and loopback, bringing them in line with the +"remote window intersected with local policy" behaviour that VMCI and +Hyper-V already effectively have. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: small adjustments after changing the previous patch] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-4-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 6175124d63d34..d3e26025ef589 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -821,6 +821,15 @@ virtio_transport_seqpacket_dequeue(struct vsock_sock *vsk, + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_dequeue); + ++static u32 virtio_transport_tx_buf_size(struct virtio_vsock_sock *vvs) ++{ ++ /* The peer advertises its receive buffer via peer_buf_alloc, but we ++ * cap it to our local buf_alloc so a remote peer cannot force us to ++ * queue more data than our own buffer configuration allows. ++ */ ++ return min(vvs->peer_buf_alloc, vvs->buf_alloc); ++} ++ + int + virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + struct msghdr *msg, +@@ -830,7 +839,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + + spin_lock_bh(&vvs->tx_lock); + +- if (len > vvs->peer_buf_alloc) { ++ if (len > virtio_transport_tx_buf_size(vvs)) { + spin_unlock_bh(&vvs->tx_lock); + return -EMSGSIZE; + } +@@ -884,7 +893,8 @@ static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction + * does not underflow. + */ +- bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)virtio_transport_tx_buf_size(vvs) - ++ (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.51.0 + diff --git a/queue-6.18/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch b/queue-6.18/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch new file mode 100644 index 0000000000..4405a1fcfe --- /dev/null +++ b/queue-6.18/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch @@ -0,0 +1,99 @@ +From 6dbfaa83cff442cc0b1665f5d8430484b70022ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:25 +0100 +Subject: vsock/virtio: fix potential underflow in + virtio_transport_get_credit() + +From: Melbin K Mathew + +[ Upstream commit 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 ] + +The credit calculation in virtio_transport_get_credit() uses unsigned +arithmetic: + + ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + +If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes +are in flight, the subtraction can underflow and produce a large +positive value, potentially allowing more data to be queued than the +peer can handle. + +Reuse virtio_transport_has_space() which already handles this case and +add a comment to make it clear why we are doing that. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: use virtio_transport_has_space() instead of duplicating the code] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-2-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 26b979ad71f09..6175124d63d34 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -28,6 +28,7 @@ + + static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, + bool cancel_timeout); ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs); + + static const struct virtio_transport * + virtio_transport_get_ops(struct vsock_sock *vsk) +@@ -499,9 +500,7 @@ u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) + return 0; + + spin_lock_bh(&vvs->tx_lock); +- ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); +- if (ret > credit) +- ret = credit; ++ ret = min_t(u32, credit, virtio_transport_has_space(vvs)); + vvs->tx_cnt += ret; + vvs->bytes_unsent += ret; + spin_unlock_bh(&vvs->tx_lock); +@@ -877,11 +876,14 @@ u32 virtio_transport_seqpacket_has_data(struct vsock_sock *vsk) + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_has_data); + +-static s64 virtio_transport_has_space(struct vsock_sock *vsk) ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + { +- struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + ++ /* Use s64 arithmetic so if the peer shrinks peer_buf_alloc while ++ * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction ++ * does not underflow. ++ */ + bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; +@@ -895,7 +897,7 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk) + s64 bytes; + + spin_lock_bh(&vvs->tx_lock); +- bytes = virtio_transport_has_space(vsk); ++ bytes = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + + return bytes; +@@ -1492,7 +1494,7 @@ static bool virtio_transport_space_update(struct sock *sk, + spin_lock_bh(&vvs->tx_lock); + vvs->peer_buf_alloc = le32_to_cpu(hdr->buf_alloc); + vvs->peer_fwd_cnt = le32_to_cpu(hdr->fwd_cnt); +- space_available = virtio_transport_has_space(vsk); ++ space_available = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + return space_available; + } +-- +2.51.0 + diff --git a/queue-6.18/x86-make-page-fault-handling-disable-interrupts-prop.patch b/queue-6.18/x86-make-page-fault-handling-disable-interrupts-prop.patch new file mode 100644 index 0000000000..124356e9fa --- /dev/null +++ b/queue-6.18/x86-make-page-fault-handling-disable-interrupts-prop.patch @@ -0,0 +1,96 @@ +From db17a20431c5ab640018f9ab395a3e7846a1ac30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 18:39:15 -0600 +Subject: x86: make page fault handling disable interrupts properly + +From: Cedric Xing + +[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ] + +There's a big comment in the x86 do_page_fault() about our interrupt +disabling code: + + * User address page fault handling might have reenabled + * interrupts. Fixing up all potential exit points of + * do_user_addr_fault() and its leaf functions is just not + * doable w/o creating an unholy mess or turning the code + * upside down. + +but it turns out that comment is subtly wrong, and the code as a result +is also wrong. + +Because it's certainly true that we may have re-enabled interrupts when +handling user page faults. And it's most certainly true that we don't +want to bother fixing up all the cases. + +But what isn't true is that it's limited to user address page faults. + +The confusion stems from the fact that we have logic here that depends +on the address range of the access, but other code then depends on the +_context_ the access was done in. The two are not related, even though +both of them are about user-vs-kernel. + +In other words, both user and kernel addresses can cause interrupts to +have been enabled (eg when __bad_area_nosemaphore() gets called for user +accesses to kernel addresses). As a result we should make sure to +disable interrupts again regardless of the address range before +returning to the low-level fault handling code. + +The __bad_area_nosemaphore() code actually did disable interrupts again +after enabling them, just not consistently. Ironically, as noted in the +original comment, fixing up all the cases is just not worth it, when the +simple solution is to just do it unconditionally in one single place. + +So remove the incomplete case that unsuccessfully tried to do what the +comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make +interrupt enable/disable symmetric in C code"), and just make it do the +simple and straightforward thing. + +Signed-off-by: Cedric Xing +Reviewed-by: Dave Hansen +Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code") +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 998bd807fc7ba..b83a06739b511 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -821,8 +821,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + force_sig_pkuerr((void __user *)address, pkey); + else + force_sig_fault(SIGSEGV, si_code, (void __user *)address); +- +- local_irq_disable(); + } + + static noinline void +@@ -1474,15 +1472,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code, + do_kern_addr_fault(regs, error_code, address); + } else { + do_user_addr_fault(regs, error_code, address); +- /* +- * User address page fault handling might have reenabled +- * interrupts. Fixing up all potential exit points of +- * do_user_addr_fault() and its leaf functions is just not +- * doable w/o creating an unholy mess or turning the code +- * upside down. +- */ +- local_irq_disable(); + } ++ /* ++ * page fault handling might have reenabled interrupts, ++ * make sure to disable them again. ++ */ ++ local_irq_disable(); + } + + DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault) +-- +2.51.0 + diff --git a/queue-6.6/alsa-usb-increase-volume-range-that-triggers-a-warni.patch b/queue-6.6/alsa-usb-increase-volume-range-that-triggers-a-warni.patch new file mode 100644 index 0000000000..cbde02af64 --- /dev/null +++ b/queue-6.6/alsa-usb-increase-volume-range-that-triggers-a-warni.patch @@ -0,0 +1,47 @@ +From 57fb08f40d5991739d72d526749292c77cd94a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 14:58:04 -0800 +Subject: ALSA: usb: Increase volume range that triggers a warning + +From: Arun Raghavan + +[ Upstream commit 6b971191fcfc9e3c2c0143eea22534f1f48dbb62 ] + +On at least the HyperX Cloud III, the range is 18944 (-18944 -> 0 in +steps of 1), so the original check for 255 steps is definitely obsolete. +Let's give ourselves a little more headroom before we emit a warning. + +Fixes: 80acefff3bc7 ("ALSA: usb-audio - Add volume range check and warn if it too big") +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: linux-sound@vger.kernel.org +Signed-off-by: Arun Raghavan +Link: https://patch.msgid.link/20260116225804.3845935-1-arunr@valvesoftware.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/mixer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c +index e19d962fab870..76aac42c3c805 100644 +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -1807,11 +1807,10 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, + + range = (cval->max - cval->min) / cval->res; + /* +- * Are there devices with volume range more than 255? I use a bit more +- * to be sure. 384 is a resolution magic number found on Logitech +- * devices. It will definitively catch all buggy Logitech devices. ++ * There are definitely devices with a range of ~20,000, so let's be ++ * conservative and allow for a bit more. + */ +- if (range > 384) { ++ if (range > 65535) { + usb_audio_warn(mixer->chip, + "Warning! Unlikely big volume range (=%u), cval->res is probably wrong.", + range); +-- +2.51.0 + diff --git a/queue-6.6/be2net-fix-data-race-in-be_get_new_eqd.patch b/queue-6.6/be2net-fix-data-race-in-be_get_new_eqd.patch new file mode 100644 index 0000000000..f8735cd7c3 --- /dev/null +++ b/queue-6.6/be2net-fix-data-race-in-be_get_new_eqd.patch @@ -0,0 +1,61 @@ +From 4b5f0f92411a13dca5dc285b1c1695955fa10eeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 23:34:36 +0800 +Subject: be2net: fix data race in be_get_new_eqd + +From: David Yang + +[ Upstream commit 302e5b481caa7b3d11ec0e058434c1fc95195e50 ] + +In be_get_new_eqd(), statistics of pkts, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. Before the commit in question, these statistics were retrieved +one by one directly from queues. Fix this by reading them into temporary +variables first. + +Fixes: 209477704187 ("be2net: set interrupt moderation for Skyhawk-R using EQ-DB") +Signed-off-by: David Yang +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260119153440.1440578-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 011c8cc8429e3..2ed1e290f9d78 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -2141,7 +2141,7 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + struct be_aic_obj *aic; + struct be_rx_obj *rxo; + struct be_tx_obj *txo; +- u64 rx_pkts = 0, tx_pkts = 0; ++ u64 rx_pkts = 0, tx_pkts = 0, pkts; + ulong now; + u32 pps, delta; + int i; +@@ -2157,15 +2157,17 @@ static int be_get_new_eqd(struct be_eq_obj *eqo) + for_all_rx_queues_on_eq(adapter, eqo, rxo, i) { + do { + start = u64_stats_fetch_begin(&rxo->stats.sync); +- rx_pkts += rxo->stats.rx_pkts; ++ pkts = rxo->stats.rx_pkts; + } while (u64_stats_fetch_retry(&rxo->stats.sync, start)); ++ rx_pkts += pkts; + } + + for_all_tx_queues_on_eq(adapter, eqo, txo, i) { + do { + start = u64_stats_fetch_begin(&txo->stats.sync); +- tx_pkts += txo->stats.tx_reqs; ++ pkts = txo->stats.tx_reqs; + } while (u64_stats_fetch_retry(&txo->stats.sync, start)); ++ tx_pkts += pkts; + } + + /* Skip, if wrapped around or first calculation */ +-- +2.51.0 + diff --git a/queue-6.6/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch b/queue-6.6/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch new file mode 100644 index 0000000000..1dd52f9353 --- /dev/null +++ b/queue-6.6/be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch @@ -0,0 +1,54 @@ +From 7f4e41372cc73844f97597672a5d15b0e16898ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 11:37:47 +0000 +Subject: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list + +From: Andrey Vatoropin + +[ Upstream commit 8215794403d264739cc676668087512950b2ff31 ] + +When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is +set to false, the driver may request the PMAC_ID from the firmware of the +network card, and this function will store that PMAC_ID at the provided +address pmac_id. This is the contract of this function. + +However, there is a location within the driver where both +pmac_id_valid == false and pmac_id == NULL are being passed. This could +result in dereferencing a NULL pointer. + +To resolve this issue, it is necessary to pass the address of a stub +variable to the function. + +Fixes: 95046b927a54 ("be2net: refactor MAC-addr setup code") +Signed-off-by: Andrey Vatoropin +Link: https://patch.msgid.link/20260120113734.20193-1-a.vatoropin@crpt.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 779f1324bb5f8..0cda78b78fb87 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -3797,6 +3797,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + { + int status; + bool pmac_valid = false; ++ u32 pmac_id; + + eth_zero_addr(mac); + +@@ -3809,7 +3810,7 @@ int be_cmd_get_perm_mac(struct be_adapter *adapter, u8 *mac) + adapter->if_handle, 0); + } else { + status = be_cmd_get_mac_from_list(adapter, mac, &pmac_valid, +- NULL, adapter->if_handle, 0); ++ &pmac_id, adapter->if_handle, 0); + } + + return status; +-- +2.51.0 + diff --git a/queue-6.6/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch b/queue-6.6/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch new file mode 100644 index 0000000000..74462de9b8 --- /dev/null +++ b/queue-6.6/bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch @@ -0,0 +1,67 @@ +From 7ac8d2307308394cff6ac0ed80066b311d81f403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 16:17:44 +0000 +Subject: bonding: provide a net pointer to __skb_flow_dissect() + +From: Eric Dumazet + +[ Upstream commit 5f9b329096596b7e53e07d041d7fca4cbe1be752 ] + +After 3cbf4ffba5ee ("net: plumb network namespace into __skb_flow_dissect") +we have to provide a net pointer to __skb_flow_dissect(), +either via skb->dev, skb->sk, or a user provided pointer. + +In the following case, syzbot was able to cook a bare skb. + +WARNING: net/core/flow_dissector.c:1131 at __skb_flow_dissect+0xb57/0x68b0 net/core/flow_dissector.c:1131, CPU#1: syz.2.1418/11053 +Call Trace: + + bond_flow_dissect drivers/net/bonding/bond_main.c:4093 [inline] + __bond_xmit_hash+0x2d7/0xba0 drivers/net/bonding/bond_main.c:4157 + bond_xmit_hash_xdp drivers/net/bonding/bond_main.c:4208 [inline] + bond_xdp_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5139 [inline] + bond_xdp_get_xmit_slave+0x1fd/0x710 drivers/net/bonding/bond_main.c:5515 + xdp_master_redirect+0x13f/0x2c0 net/core/filter.c:4388 + bpf_prog_run_xdp include/net/xdp.h:700 [inline] + bpf_test_run+0x6b2/0x7d0 net/bpf/test_run.c:421 + bpf_prog_test_run_xdp+0x795/0x10e0 net/bpf/test_run.c:1390 + bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703 + __sys_bpf+0x562/0x860 kernel/bpf/syscall.c:6182 + __do_sys_bpf kernel/bpf/syscall.c:6274 [inline] + __se_sys_bpf kernel/bpf/syscall.c:6272 [inline] + __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 + +Fixes: 58deb77cc52d ("bonding: balance ICMP echoes in layer3+4 mode") +Reported-by: syzbot+c46409299c70a221415e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/696faa23.050a0220.4cb9c.001f.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Matteo Croce +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20260120161744.1893263-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 9dfbbf4cd71f0..9385c3ac0c83c 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4186,8 +4186,9 @@ static bool bond_flow_dissect(struct bonding *bond, struct sk_buff *skb, const v + case BOND_XMIT_POLICY_ENCAP23: + case BOND_XMIT_POLICY_ENCAP34: + memset(fk, 0, sizeof(*fk)); +- return __skb_flow_dissect(NULL, skb, &flow_keys_bonding, +- fk, data, l2_proto, nhoff, hlen, 0); ++ return __skb_flow_dissect(dev_net(bond->dev), skb, ++ &flow_keys_bonding, fk, data, ++ l2_proto, nhoff, hlen, 0); + default: + break; + } +-- +2.51.0 + diff --git a/queue-6.6/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch b/queue-6.6/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch new file mode 100644 index 0000000000..389b2533b2 --- /dev/null +++ b/queue-6.6/drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch @@ -0,0 +1,58 @@ +From da377e83c1321cf1429e6283b6a227b52109004c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:23 +0100 +Subject: drm/amd/pm: Don't clear SI SMC table when setting power limit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit d5077426e1a76d269e518e048bde2e9fc49b32ad ] + +There is no reason to clear the SMC table. +We also don't need to recalculate the power limit then. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit e214d626253f5b180db10dedab161b7caa41f5e9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index e5f68b2b8def3..e8ca74fc089b7 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2257,8 +2257,6 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (scaling_factor == 0) + return -EINVAL; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- + ret = si_calculate_adjusted_tdp_limits(adev, + false, /* ??? */ + adev->pm.dpm.tdp_adjustment, +@@ -2312,16 +2310,8 @@ static int si_populate_smc_tdp_limits_2(struct amdgpu_device *adev, + + if (ni_pi->enable_power_containment) { + SISLANDS_SMC_STATETABLE *smc_table = &si_pi->smc_statetable; +- u32 scaling_factor = si_get_smc_power_scaling_factor(adev); + int ret; + +- memset(smc_table, 0, sizeof(SISLANDS_SMC_STATETABLE)); +- +- smc_table->dpm2Params.NearTDPLimit = +- cpu_to_be32(si_scale_power_for_smc(adev->pm.dpm.near_tdp_limit_adjusted, scaling_factor) * 1000); +- smc_table->dpm2Params.SafePowerLimit = +- cpu_to_be32(si_scale_power_for_smc((adev->pm.dpm.near_tdp_limit_adjusted * SISLANDS_DPM2_TDP_SAFE_LIMIT_PERCENT) / 100, scaling_factor) * 1000); +- + ret = amdgpu_si_copy_bytes_to_smc(adev, + (si_pi->state_table_start + + offsetof(SISLANDS_SMC_STATETABLE, dpm2Params) + +-- +2.51.0 + diff --git a/queue-6.6/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch b/queue-6.6/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch new file mode 100644 index 0000000000..8833dc70f3 --- /dev/null +++ b/queue-6.6/drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch @@ -0,0 +1,83 @@ +From 9ea88d4e5cace37a8c5ba32a1ad08e4056cf0e37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:36:24 +0100 +Subject: drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Timur Kristóf + +[ Upstream commit 764a90eb02268a23b1bb98be5f4a13671346804a ] + +Radeon 430 and 520 are OEM GPUs from 2016~2017 +They have the same device id: 0x6611 and revision: 0x87 + +On the Radeon 430, powertune is buggy and throttles the GPU, +never allowing it to reach its maximum SCLK. Work around this +bug by raising the TDP limits we program to the SMC from +24W (specified by the VBIOS on Radeon 430) to 32W. + +Disabling powertune entirely is not a viable workaround, +because it causes the Radeon 520 to heat up above 100 C, +which I prefer to avoid. + +Additionally, revise the maximum SCLK limit. Considering the +above issue, these GPUs never reached a high SCLK on Linux, +and the workarounds were added before the GPUs were released, +so the workaround likely didn't target these specifically. +Use 780 MHz (the maximum SCLK according to the VBIOS on the +Radeon 430). Note that the Radeon 520 VBIOS has a higher +maximum SCLK: 905 MHz, but in practice it doesn't seem to +perform better with the higher clock, only heats up more. + +v2: +Move the workaround to si_populate_smc_tdp_limits. + +Fixes: 841686df9f7d ("drm/amdgpu: add SI DPM support (v4)") +Reviewed-by: Alex Deucher +Signed-off-by: Timur Kristóf +Signed-off-by: Alex Deucher +(cherry picked from commit 966d70f1e160bdfdecaf7ff2b3f22ad088516e9f) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +index e8ca74fc089b7..caf590caaf2c7 100644 +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -2265,6 +2265,12 @@ static int si_populate_smc_tdp_limits(struct amdgpu_device *adev, + if (ret) + return ret; + ++ if (adev->pdev->device == 0x6611 && adev->pdev->revision == 0x87) { ++ /* Workaround buggy powertune on Radeon 430 and 520. */ ++ tdp_limit = 32; ++ near_tdp_limit = 28; ++ } ++ + smc_table->dpm2Params.TDPLimit = + cpu_to_be32(si_scale_power_for_smc(tdp_limit, scaling_factor) * 1000); + smc_table->dpm2Params.NearTDPLimit = +@@ -3448,10 +3454,15 @@ static void si_apply_state_adjust_rules(struct amdgpu_device *adev, + (adev->pdev->revision == 0x80) || + (adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0x83) || +- (adev->pdev->revision == 0x87) || ++ (adev->pdev->revision == 0x87 && ++ adev->pdev->device != 0x6611) || + (adev->pdev->device == 0x6604) || + (adev->pdev->device == 0x6605)) { + max_sclk = 75000; ++ } else if (adev->pdev->revision == 0x87 && ++ adev->pdev->device == 0x6611) { ++ /* Radeon 430 and 520 */ ++ max_sclk = 78000; + } + } + +-- +2.51.0 + diff --git a/queue-6.6/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch b/queue-6.6/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch new file mode 100644 index 0000000000..3ced83320a --- /dev/null +++ b/queue-6.6/iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch @@ -0,0 +1,45 @@ +From 4e5ac69f150f8ea240d16c6e1ae4da8dcc562358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Nov 2025 18:13:01 +0300 +Subject: iio: adc: ad7280a: handle spi_setup() errors in probe() + +From: Pavel Zhigulin + +[ Upstream commit 6b39824ac4c15783787e6434449772bfb2e31214 ] + +The probe() function ignored the return value of spi_setup(), leaving SPI +configuration failures undetected. If spi_setup() fails, the driver should +stop initialization and propagate the error to the caller. + +Add proper error handling: check the return value of spi_setup() and return +it on failure. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 2051f25d2a26 ("iio: adc: New driver for AD7280A Lithium Ion Battery Monitoring System") +Signed-off-by: Pavel Zhigulin +Reviewed-by: Marcelo Schmitt +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7280a.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7280a.c b/drivers/iio/adc/ad7280a.c +index 9080c795dcb7e..10cc623bf62a3 100644 +--- a/drivers/iio/adc/ad7280a.c ++++ b/drivers/iio/adc/ad7280a.c +@@ -1028,7 +1028,9 @@ static int ad7280_probe(struct spi_device *spi) + + st->spi->max_speed_hz = AD7280A_MAX_SPI_CLK_HZ; + st->spi->mode = SPI_MODE_1; +- spi_setup(st->spi); ++ ret = spi_setup(st->spi); ++ if (ret < 0) ++ return ret; + + st->ctrl_lb = FIELD_PREP(AD7280A_CTRL_LB_ACQ_TIME_MSK, st->acquisition_time) | + FIELD_PREP(AD7280A_CTRL_LB_THERMISTOR_MSK, st->thermistor_term_en); +-- +2.51.0 + diff --git a/queue-6.6/interconnect-debugfs-initialize-src_node-and-dst_nod.patch b/queue-6.6/interconnect-debugfs-initialize-src_node-and-dst_nod.patch new file mode 100644 index 0000000000..52ec9265fb --- /dev/null +++ b/queue-6.6/interconnect-debugfs-initialize-src_node-and-dst_nod.patch @@ -0,0 +1,47 @@ +From 038bcb5d377c5b8bbb381c6506696054412a5215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 14:25:23 +0200 +Subject: interconnect: debugfs: initialize src_node and dst_node to empty + strings + +From: Georgi Djakov + +[ Upstream commit 8cc27f5c6dd17dd090f3a696683f04336c162ff5 ] + +The debugfs_create_str() API assumes that the string pointer is either NULL +or points to valid kmalloc() memory. Leaving the pointer uninitialized can +cause problems. + +Initialize src_node and dst_node to empty strings before creating the +debugfs entries to guarantee that reads and writes are safe. + +Fixes: 770c69f037c1 ("interconnect: Add debugfs test client") +Signed-off-by: Georgi Djakov +Reviewed-by: Kuan-Wei Chiu +Tested-by: Kuan-Wei Chiu +Link: https://lore.kernel.org/r/20260109122523.125843-1-djakov@kernel.org +Signed-off-by: Georgi Djakov +Signed-off-by: Sasha Levin +--- + drivers/interconnect/debugfs-client.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/interconnect/debugfs-client.c b/drivers/interconnect/debugfs-client.c +index 778deeb4a7e8a..24d7b5a577945 100644 +--- a/drivers/interconnect/debugfs-client.c ++++ b/drivers/interconnect/debugfs-client.c +@@ -150,6 +150,11 @@ int icc_debugfs_client_init(struct dentry *icc_dir) + return ret; + } + ++ src_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ dst_node = devm_kstrdup(&pdev->dev, "", GFP_KERNEL); ++ if (!src_node || !dst_node) ++ return -ENOMEM; ++ + client_dir = debugfs_create_dir("test_client", icc_dir); + + debugfs_create_str("src_node", 0600, client_dir, &src_node); +-- +2.51.0 + diff --git a/queue-6.6/ipv6-annotate-data-race-in-ndisc_router_discovery.patch b/queue-6.6/ipv6-annotate-data-race-in-ndisc_router_discovery.patch new file mode 100644 index 0000000000..4e063c56a9 --- /dev/null +++ b/queue-6.6/ipv6-annotate-data-race-in-ndisc_router_discovery.patch @@ -0,0 +1,79 @@ +From 55a56a7071094eec8cce1a1ffa13a401cfbb8fbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 15:29:41 +0000 +Subject: ipv6: annotate data-race in ndisc_router_discovery() + +From: Eric Dumazet + +[ Upstream commit 9a063f96d87efc3a6cc667f8de096a3d38d74bb5 ] + +syzbot found that ndisc_router_discovery() could read and write +in6_dev->ra_mtu without holding a lock [1] + +This looks fine, IFLA_INET6_RA_MTU is best effort. + +Add READ_ONCE()/WRITE_ONCE() to document the race. + +Note that we might also reject illegal MTU values +(mtu < IPV6_MIN_MTU || mtu > skb->dev->mtu) in a future patch. + +[1] +BUG: KCSAN: data-race in ndisc_router_discovery / ndisc_router_discovery + +read to 0xffff888119809c20 of 4 bytes by task 25817 on cpu 1: + ndisc_router_discovery+0x151d/0x1c90 net/ipv6/ndisc.c:1558 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +write to 0xffff888119809c20 of 4 bytes by task 25816 on cpu 0: + ndisc_router_discovery+0x155a/0x1c90 net/ipv6/ndisc.c:1559 + ndisc_rcv+0x2ad/0x3d0 net/ipv6/ndisc.c:1841 + icmpv6_rcv+0xe5a/0x12f0 net/ipv6/icmp.c:989 + ip6_protocol_deliver_rcu+0xb2a/0x10d0 net/ipv6/ip6_input.c:438 + ip6_input_finish+0xf0/0x1d0 net/ipv6/ip6_input.c:489 + NF_HOOK include/linux/netfilter.h:318 [inline] + ip6_input+0x5e/0x140 net/ipv6/ip6_input.c:500 + ip6_mc_input+0x27c/0x470 net/ipv6/ip6_input.c:590 + dst_input include/net/dst.h:474 [inline] + ip6_rcv_finish+0x336/0x340 net/ipv6/ip6_input.c:79 +... + +value changed: 0x00000000 -> 0xe5400659 + +Fixes: 49b99da2c9ce ("ipv6: add IFLA_INET6_RA_MTU to expose mtu value") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Rocco Yue +Link: https://patch.msgid.link/20260118152941.2563857-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ndisc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index d8e5e2833eded..80ceb401ecf2d 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1574,8 +1574,8 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb) + memcpy(&n, ((u8 *)(ndopts.nd_opts_mtu+1))+2, sizeof(mtu)); + mtu = ntohl(n); + +- if (in6_dev->ra_mtu != mtu) { +- in6_dev->ra_mtu = mtu; ++ if (READ_ONCE(in6_dev->ra_mtu) != mtu) { ++ WRITE_ONCE(in6_dev->ra_mtu, mtu); + send_ifinfo_notify = true; + } + +-- +2.51.0 + diff --git a/queue-6.6/kconfig-fix-static-linking-of-nconf.patch b/queue-6.6/kconfig-fix-static-linking-of-nconf.patch new file mode 100644 index 0000000000..537655c874 --- /dev/null +++ b/queue-6.6/kconfig-fix-static-linking-of-nconf.patch @@ -0,0 +1,70 @@ +From d960bd25d4f9548b756b8c288c0cf9404f404f27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jan 2026 12:48:08 +0100 +Subject: kconfig: fix static linking of nconf + +From: Arkadiusz Kozdra + +[ Upstream commit baaecfcac559bcac73206df447eb5c385fa22f2a ] + +When running make nconfig with a static linking host toolchain, +the libraries are linked in an incorrect order, +resulting in errors similar to the following: + +$ MAKEFLAGS='HOSTCC=cc\ -static' make nconfig +/usr/bin/ld: /usr/lib64/gcc/x86_64-unknown-linux-gnu/14.2.1/../../../../lib64/libpanel.a(p_new.o): in function `new_panel': +(.text+0x13): undefined reference to `_nc_panelhook_sp' +/usr/bin/ld: (.text+0x6c): undefined reference to `_nc_panelhook_sp' + +Fixes: 1c5af5cf9308 ("kconfig: refactor ncurses package checks for building mconf and nconf") +Signed-off-by: Arusekk +Link: https://patch.msgid.link/20260110114808.22595-1-floss@arusekk.pl +[nsc: Added comment about library order] +Signed-off-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf-cfg.sh | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/scripts/kconfig/nconf-cfg.sh b/scripts/kconfig/nconf-cfg.sh +index f871a2160e363..59814eb3616c6 100755 +--- a/scripts/kconfig/nconf-cfg.sh ++++ b/scripts/kconfig/nconf-cfg.sh +@@ -4,8 +4,9 @@ + cflags=$1 + libs=$2 + +-PKG="ncursesw menuw panelw" +-PKG2="ncurses menu panel" ++# Keep library order for static linking (HOSTCC='cc -static') ++PKG="menuw panelw ncursesw" ++PKG2="menu panel ncurses" + + if [ -n "$(command -v ${HOSTPKG_CONFIG})" ]; then + if ${HOSTPKG_CONFIG} --exists $PKG; then +@@ -26,19 +27,19 @@ fi + # find ncurses by pkg-config.) + if [ -f /usr/include/ncursesw/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncursesw > ${cflags} +- echo -lncursesw -lmenuw -lpanelw > ${libs} ++ echo -lmenuw -lpanelw -lncursesw > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses/ncurses.h ]; then + echo -D_GNU_SOURCE -I/usr/include/ncurses > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + + if [ -f /usr/include/ncurses.h ]; then + echo -D_GNU_SOURCE > ${cflags} +- echo -lncurses -lmenu -lpanel > ${libs} ++ echo -lmenu -lpanel -lncurses > ${libs} + exit 0 + fi + +-- +2.51.0 + diff --git a/queue-6.6/misdn-annotate-data-race-around-dev-work.patch b/queue-6.6/misdn-annotate-data-race-around-dev-work.patch new file mode 100644 index 0000000000..78d7d533fa --- /dev/null +++ b/queue-6.6/misdn-annotate-data-race-around-dev-work.patch @@ -0,0 +1,103 @@ +From 4c3baae9ae00416afad8cd6579a19c1ccb73dfba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Jan 2026 13:25:28 +0000 +Subject: mISDN: annotate data-race around dev->work + +From: Eric Dumazet + +[ Upstream commit 8175dbf174d487afab81e936a862a8d9b8a1ccb6 ] + +dev->work can re read locklessly in mISDN_read() +and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations. + +BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read + +write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1: + misdn_add_timer drivers/isdn/mISDN/timerdev.c:175 [inline] + mISDN_ioctl+0x2fb/0x550 drivers/isdn/mISDN/timerdev.c:233 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl+0xce/0x140 fs/ioctl.c:583 + __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583 + x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +read to 0xffff88812d848280 of 4 bytes by task 10857 on cpu 0: + mISDN_read+0x1f2/0x470 drivers/isdn/mISDN/timerdev.c:112 + do_loop_readv_writev fs/read_write.c:847 [inline] + vfs_readv+0x3fb/0x690 fs/read_write.c:1020 + do_readv+0xe7/0x210 fs/read_write.c:1080 + __do_sys_readv fs/read_write.c:1165 [inline] + __se_sys_readv fs/read_write.c:1162 [inline] + __x64_sys_readv+0x45/0x50 fs/read_write.c:1162 + x64_sys_call+0x2831/0x3000 arch/x86/include/generated/asm/syscalls_64.h:20 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd8/0x2c0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +value changed: 0x00000000 -> 0x00000001 + +Fixes: 1b2b03f8e514 ("Add mISDN core files") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260118132528.2349573-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/timerdev.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c +index 83d6b484d3c6c..2ea1887ca2fa0 100644 +--- a/drivers/isdn/mISDN/timerdev.c ++++ b/drivers/isdn/mISDN/timerdev.c +@@ -109,14 +109,14 @@ mISDN_read(struct file *filep, char __user *buf, size_t count, loff_t *off) + spin_unlock_irq(&dev->lock); + if (filep->f_flags & O_NONBLOCK) + return -EAGAIN; +- wait_event_interruptible(dev->wait, (dev->work || ++ wait_event_interruptible(dev->wait, (READ_ONCE(dev->work) || + !list_empty(list))); + if (signal_pending(current)) + return -ERESTARTSYS; + spin_lock_irq(&dev->lock); + } + if (dev->work) +- dev->work = 0; ++ WRITE_ONCE(dev->work, 0); + if (!list_empty(list)) { + timer = list_first_entry(list, struct mISDNtimer, list); + list_del(&timer->list); +@@ -141,13 +141,16 @@ mISDN_poll(struct file *filep, poll_table *wait) + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s(%p, %p)\n", __func__, filep, wait); + if (dev) { ++ u32 work; ++ + poll_wait(filep, &dev->wait, wait); + mask = 0; +- if (dev->work || !list_empty(&dev->expired)) ++ work = READ_ONCE(dev->work); ++ if (work || !list_empty(&dev->expired)) + mask |= (EPOLLIN | EPOLLRDNORM); + if (*debug & DEBUG_TIMER) + printk(KERN_DEBUG "%s work(%d) empty(%d)\n", __func__, +- dev->work, list_empty(&dev->expired)); ++ work, list_empty(&dev->expired)); + } + return mask; + } +@@ -172,7 +175,7 @@ misdn_add_timer(struct mISDNtimerdev *dev, int timeout) + struct mISDNtimer *timer; + + if (!timeout) { +- dev->work = 1; ++ WRITE_ONCE(dev->work, 1); + wake_up_interruptible(&dev->wait); + id = 0; + } else { +-- +2.51.0 + diff --git a/queue-6.6/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch b/queue-6.6/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch new file mode 100644 index 0000000000..2fdeb47864 --- /dev/null +++ b/queue-6.6/net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch @@ -0,0 +1,52 @@ +From a9766f3f5e056b1d7d53da1bec60cca897d9428b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 23:10:39 +0200 +Subject: net: dsa: fix off-by-one in maximum bridge ID determination + +From: Vladimir Oltean + +[ Upstream commit dfca045cd4d0ea07ff4198ba392be3e718acaddc ] + +Prior to the blamed commit, the bridge_num range was from +0 to ds->max_num_bridges - 1. After the commit, it is from +1 to ds->max_num_bridges. + +So this check: + if (bridge_num >= max) + return 0; +must be updated to: + if (bridge_num > max) + return 0; + +in order to allow the last bridge_num value (==max) to be used. + +This is easiest visible when a driver sets ds->max_num_bridges=1. +The observed behaviour is that even the first created bridge triggers +the netlink extack "Range of offloadable bridges exceeded" warning, and +is handled in software rather than being offloaded. + +Fixes: 3f9bb0301d50 ("net: dsa: make dp->bridge_num one-based") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20260120211039.3228999-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/dsa/dsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c +index c9bf1a9a6c99b..ea30827409367 100644 +--- a/net/dsa/dsa.c ++++ b/net/dsa/dsa.c +@@ -158,7 +158,7 @@ unsigned int dsa_bridge_num_get(const struct net_device *bridge_dev, int max) + bridge_num = find_next_zero_bit(&dsa_fwd_offloading_bridges, + DSA_MAX_NUM_OFFLOADING_BRIDGES, + 1); +- if (bridge_num >= max) ++ if (bridge_num > max) + return 0; + + set_bit(bridge_num, &dsa_fwd_offloading_bridges); +-- +2.51.0 + diff --git a/queue-6.6/net-hns3-fix-data-race-in-hns3_fetch_stats.patch b/queue-6.6/net-hns3-fix-data-race-in-hns3_fetch_stats.patch new file mode 100644 index 0000000000..701ed215cf --- /dev/null +++ b/queue-6.6/net-hns3-fix-data-race-in-hns3_fetch_stats.patch @@ -0,0 +1,112 @@ +From 476c85b11fc053a6397be60236aff806f31ab29c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 00:07:37 +0800 +Subject: net: hns3: fix data race in hns3_fetch_stats + +From: David Yang + +[ Upstream commit 748a81c8ceda1fdbdcd0af595947422e810442aa ] + +In hns3_fetch_stats(), ring statistics, protected by u64_stats_sync, are +read and accumulated in ignorance of possible u64_stats_fetch_retry() +events. These statistics are already accumulated by +hns3_ring_stats_update(). Fix this by reading them into a temporary +buffer first. + +Fixes: b20d7fe51e0d ("net: hns3: add some statitics info to tx process") +Signed-off-by: David Yang +Link: https://patch.msgid.link/20260119160759.1455950-1-mmyangfl@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++++++++++--------- + 1 file changed, 36 insertions(+), 33 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index dbf44a17987eb..34627de2e311e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -2505,44 +2505,47 @@ static netdev_features_t hns3_features_check(struct sk_buff *skb, + static void hns3_fetch_stats(struct rtnl_link_stats64 *stats, + struct hns3_enet_ring *ring, bool is_tx) + { ++ struct ring_stats ring_stats; + unsigned int start; + + do { + start = u64_stats_fetch_begin(&ring->syncp); +- if (is_tx) { +- stats->tx_bytes += ring->stats.tx_bytes; +- stats->tx_packets += ring->stats.tx_pkts; +- stats->tx_dropped += ring->stats.sw_err_cnt; +- stats->tx_dropped += ring->stats.tx_vlan_err; +- stats->tx_dropped += ring->stats.tx_l4_proto_err; +- stats->tx_dropped += ring->stats.tx_l2l3l4_err; +- stats->tx_dropped += ring->stats.tx_tso_err; +- stats->tx_dropped += ring->stats.over_max_recursion; +- stats->tx_dropped += ring->stats.hw_limitation; +- stats->tx_dropped += ring->stats.copy_bits_err; +- stats->tx_dropped += ring->stats.skb2sgl_err; +- stats->tx_dropped += ring->stats.map_sg_err; +- stats->tx_errors += ring->stats.sw_err_cnt; +- stats->tx_errors += ring->stats.tx_vlan_err; +- stats->tx_errors += ring->stats.tx_l4_proto_err; +- stats->tx_errors += ring->stats.tx_l2l3l4_err; +- stats->tx_errors += ring->stats.tx_tso_err; +- stats->tx_errors += ring->stats.over_max_recursion; +- stats->tx_errors += ring->stats.hw_limitation; +- stats->tx_errors += ring->stats.copy_bits_err; +- stats->tx_errors += ring->stats.skb2sgl_err; +- stats->tx_errors += ring->stats.map_sg_err; +- } else { +- stats->rx_bytes += ring->stats.rx_bytes; +- stats->rx_packets += ring->stats.rx_pkts; +- stats->rx_dropped += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l2_err; +- stats->rx_errors += ring->stats.l3l4_csum_err; +- stats->rx_crc_errors += ring->stats.l2_err; +- stats->multicast += ring->stats.rx_multicast; +- stats->rx_length_errors += ring->stats.err_pkt_len; +- } ++ ring_stats = ring->stats; + } while (u64_stats_fetch_retry(&ring->syncp, start)); ++ ++ if (is_tx) { ++ stats->tx_bytes += ring_stats.tx_bytes; ++ stats->tx_packets += ring_stats.tx_pkts; ++ stats->tx_dropped += ring_stats.sw_err_cnt; ++ stats->tx_dropped += ring_stats.tx_vlan_err; ++ stats->tx_dropped += ring_stats.tx_l4_proto_err; ++ stats->tx_dropped += ring_stats.tx_l2l3l4_err; ++ stats->tx_dropped += ring_stats.tx_tso_err; ++ stats->tx_dropped += ring_stats.over_max_recursion; ++ stats->tx_dropped += ring_stats.hw_limitation; ++ stats->tx_dropped += ring_stats.copy_bits_err; ++ stats->tx_dropped += ring_stats.skb2sgl_err; ++ stats->tx_dropped += ring_stats.map_sg_err; ++ stats->tx_errors += ring_stats.sw_err_cnt; ++ stats->tx_errors += ring_stats.tx_vlan_err; ++ stats->tx_errors += ring_stats.tx_l4_proto_err; ++ stats->tx_errors += ring_stats.tx_l2l3l4_err; ++ stats->tx_errors += ring_stats.tx_tso_err; ++ stats->tx_errors += ring_stats.over_max_recursion; ++ stats->tx_errors += ring_stats.hw_limitation; ++ stats->tx_errors += ring_stats.copy_bits_err; ++ stats->tx_errors += ring_stats.skb2sgl_err; ++ stats->tx_errors += ring_stats.map_sg_err; ++ } else { ++ stats->rx_bytes += ring_stats.rx_bytes; ++ stats->rx_packets += ring_stats.rx_pkts; ++ stats->rx_dropped += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l2_err; ++ stats->rx_errors += ring_stats.l3l4_csum_err; ++ stats->rx_crc_errors += ring_stats.l2_err; ++ stats->multicast += ring_stats.rx_multicast; ++ stats->rx_length_errors += ring_stats.err_pkt_len; ++ } + } + + static void hns3_nic_get_stats64(struct net_device *netdev, +-- +2.51.0 + diff --git a/queue-6.6/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch b/queue-6.6/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch new file mode 100644 index 0000000000..e6403674f0 --- /dev/null +++ b/queue-6.6/net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch @@ -0,0 +1,36 @@ +From 5939774edb0b2632bf1d5d550051f430a885944f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:40 +0800 +Subject: net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue + +From: Jijie Shao + +[ Upstream commit f87e034d16e43af984380a95c32c25201b7759a7 ] + +Use next_input_key instead of counter_id to set HCLGE_FD_AD_NXT_KEY. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-3-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 2df0c6305b908..72a5df4e3a329 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -5617,7 +5617,7 @@ static int hclge_fd_ad_config(struct hclge_dev *hdev, u8 stage, int loc, + HCLGE_FD_AD_COUNTER_NUM_S, action->counter_id); + hnae3_set_bit(ad_data, HCLGE_FD_AD_NXT_STEP_B, action->use_next_stage); + hnae3_set_field(ad_data, HCLGE_FD_AD_NXT_KEY_M, HCLGE_FD_AD_NXT_KEY_S, +- action->counter_id); ++ action->next_input_key); + + req->ad_data = cpu_to_le64(ad_data); + ret = hclge_cmd_send(&hdev->hw, &desc, 1); +-- +2.51.0 + diff --git a/queue-6.6/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch b/queue-6.6/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch new file mode 100644 index 0000000000..17a6bfdeaf --- /dev/null +++ b/queue-6.6/net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch @@ -0,0 +1,40 @@ +From 564207ba8c3de6e359b3936505b2c11a9c53c2f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 21:28:39 +0800 +Subject: net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M + +From: Jijie Shao + +[ Upstream commit d57c67c956a1bad15115eba6e59d77a6dfeba01d ] + +HCLGE_FD_AD_COUNTER_NUM_M should be at GENMASK(19, 13), +rather than at GENMASK(20, 13), because bit 20 is +HCLGE_FD_AD_NXT_STEP_B. + +This patch corrects the wrong definition. + +Fixes: 117328680288 ("net: hns3: Add input key and action config support for flow director") +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20260119132840.410513-2-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +index 4d15eb73b9728..659d6351f26c8 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_cmd.h +@@ -731,7 +731,7 @@ struct hclge_fd_tcam_config_3_cmd { + #define HCLGE_FD_AD_QID_M GENMASK(11, 2) + #define HCLGE_FD_AD_USE_COUNTER_B 12 + #define HCLGE_FD_AD_COUNTER_NUM_S 13 +-#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(20, 13) ++#define HCLGE_FD_AD_COUNTER_NUM_M GENMASK(19, 13) + #define HCLGE_FD_AD_NXT_STEP_B 20 + #define HCLGE_FD_AD_NXT_KEY_S 21 + #define HCLGE_FD_AD_NXT_KEY_M GENMASK(25, 21) +-- +2.51.0 + diff --git a/queue-6.6/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch b/queue-6.6/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch new file mode 100644 index 0000000000..319e900c34 --- /dev/null +++ b/queue-6.6/net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch @@ -0,0 +1,63 @@ +From 61a05a854ec52e21c33f8da27e93df90747b2b9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 15:29:26 +0800 +Subject: net: openvswitch: fix data race in ovs_vport_get_upcall_stats + +From: David Yang + +[ Upstream commit cc4816bdb08639e5cd9acb295a02d6f0f09736b4 ] + +In ovs_vport_get_upcall_stats(), some statistics protected by +u64_stats_sync, are read and accumulated in ignorance of possible +u64_stats_fetch_retry() events. These statistics are already accumulated +by u64_stats_inc(). Fix this by reading them into temporary variables +first. + +Fixes: 1933ea365aa7 ("net: openvswitch: Add support to count upcall packets") +Signed-off-by: David Yang +Acked-by: Ilya Maximets +Reviewed-by: Eric Dumazet +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/20260121072932.2360971-1-mmyangfl@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/vport.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c +index 972ae01a70f76..0faa6e097829c 100644 +--- a/net/openvswitch/vport.c ++++ b/net/openvswitch/vport.c +@@ -310,22 +310,23 @@ void ovs_vport_get_stats(struct vport *vport, struct ovs_vport_stats *stats) + */ + int ovs_vport_get_upcall_stats(struct vport *vport, struct sk_buff *skb) + { ++ u64 tx_success = 0, tx_fail = 0; + struct nlattr *nla; + int i; + +- __u64 tx_success = 0; +- __u64 tx_fail = 0; +- + for_each_possible_cpu(i) { + const struct vport_upcall_stats_percpu *stats; ++ u64 n_success, n_fail; + unsigned int start; + + stats = per_cpu_ptr(vport->upcall_stats, i); + do { + start = u64_stats_fetch_begin(&stats->syncp); +- tx_success += u64_stats_read(&stats->n_success); +- tx_fail += u64_stats_read(&stats->n_fail); ++ n_success = u64_stats_read(&stats->n_success); ++ n_fail = u64_stats_read(&stats->n_fail); + } while (u64_stats_fetch_retry(&stats->syncp, start)); ++ tx_success += n_success; ++ tx_fail += n_fail; + } + + nla = nla_nest_start_noflag(skb, OVS_VPORT_ATTR_UPCALL_STATS); +-- +2.51.0 + diff --git a/queue-6.6/net-sched-act_ife-avoid-possible-null-deref.patch b/queue-6.6/net-sched-act_ife-avoid-possible-null-deref.patch new file mode 100644 index 0000000000..aa7664bbbf --- /dev/null +++ b/queue-6.6/net-sched-act_ife-avoid-possible-null-deref.patch @@ -0,0 +1,82 @@ +From 32ca38d3de7f932925398a3e023944302304ad33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 13:37:24 +0000 +Subject: net/sched: act_ife: avoid possible NULL deref + +From: Eric Dumazet + +[ Upstream commit 27880b0b0d35ad1c98863d09788254e36f874968 ] + +tcf_ife_encode() must make sure ife_encode() does not return NULL. + +syzbot reported: + +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 +CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) +Call Trace: + + ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 + tcf_ife_encode net/sched/act_ife.c:841 [inline] + tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 + tc_act include/net/tc_wrapper.h:130 [inline] + tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 + tcf_exts_exec include/net/pkt_cls.h:349 [inline] + mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 + tc_classify include/net/tc_wrapper.h:197 [inline] + __tcf_classify net/sched/cls_api.c:1764 [inline] + tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 + multiq_classify net/sched/sch_multiq.c:39 [inline] + multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 + dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 + __dev_xmit_skb net/core/dev.c:4262 [inline] + __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 + +Fixes: 295a6e06d21e ("net/sched: act_ife: Change to use ife module") +Reported-by: syzbot+5cf914f193dffde3bd3c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/6970d61d.050a0220.706b.0010.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Cc: Yotam Gigi +Reviewed-by: Jamal Hadi Salim +Link: https://patch.msgid.link/20260121133724.3400020-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/act_ife.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c +index 431921204f660..567a58d30df8d 100644 +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -821,6 +821,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + /* could be stupid policy setup or mtu config + * so lets be conservative.. */ + if ((action == TC_ACT_SHOT) || exceed_mtu) { ++drop: + qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); + return TC_ACT_SHOT; + } +@@ -829,6 +830,8 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + skb_push(skb, skb->dev->hard_header_len); + + ife_meta = ife_encode(skb, metalen); ++ if (!ife_meta) ++ goto drop; + + spin_lock(&ife->tcf_lock); + +@@ -844,8 +847,7 @@ static int tcf_ife_encode(struct sk_buff *skb, const struct tc_action *a, + if (err < 0) { + /* too corrupt to keep around if overwritten */ + spin_unlock(&ife->tcf_lock); +- qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats)); +- return TC_ACT_SHOT; ++ goto drop; + } + skboff += err; + } +-- +2.51.0 + diff --git a/queue-6.6/netdevsim-fix-a-race-issue-related-to-the-operation-.patch b/queue-6.6/netdevsim-fix-a-race-issue-related-to-the-operation-.patch new file mode 100644 index 0000000000..0c8bfc3af7 --- /dev/null +++ b/queue-6.6/netdevsim-fix-a-race-issue-related-to-the-operation-.patch @@ -0,0 +1,131 @@ +From e360443091ba26109792a27b6ba14ac7e943ee1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Jan 2026 17:53:08 +0800 +Subject: netdevsim: fix a race issue related to the operation on + bpf_bound_progs list + +From: Yun Lu + +[ Upstream commit b97d5eedf4976cc94321243be83b39efe81a0e15 ] + +The netdevsim driver lacks a protection mechanism for operations on the +bpf_bound_progs list. When the nsim_bpf_create_prog() performs +list_add_tail, it is possible that nsim_bpf_destroy_prog() is +simultaneously performs list_del. Concurrent operations on the list may +lead to list corruption and trigger a kernel crash as follows: + +[ 417.290971] kernel BUG at lib/list_debug.c:62! +[ 417.290983] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +[ 417.290992] CPU: 10 PID: 168 Comm: kworker/10:1 Kdump: loaded Not tainted 6.19.0-rc5 #1 +[ 417.291003] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 417.291007] Workqueue: events bpf_prog_free_deferred +[ 417.291021] RIP: 0010:__list_del_entry_valid_or_report+0xa7/0xc0 +[ 417.291034] Code: a8 ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 48 a1 eb ae e8 ed fb a8 ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 80 a1 eb ae e8 d9 fb a8 ff <0f> 0b 48 89 d1 48 c7 c7 d0 a1 eb ae 48 89 f2 48 89 c6 e8 c2 fb a8 +[ 417.291040] RSP: 0018:ffffb16a40807df8 EFLAGS: 00010246 +[ 417.291046] RAX: 000000000000006d RBX: ffff8e589866f500 RCX: 0000000000000000 +[ 417.291051] RDX: 0000000000000000 RSI: ffff8e59f7b23180 RDI: ffff8e59f7b23180 +[ 417.291055] RBP: ffffb16a412c9000 R08: 0000000000000000 R09: 0000000000000003 +[ 417.291059] R10: ffffb16a40807c80 R11: ffffffffaf9edce8 R12: ffff8e594427ac20 +[ 417.291063] R13: ffff8e59f7b44780 R14: ffff8e58800b7a05 R15: 0000000000000000 +[ 417.291074] FS: 0000000000000000(0000) GS:ffff8e59f7b00000(0000) knlGS:0000000000000000 +[ 417.291079] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 417.291083] CR2: 00007fc4083efe08 CR3: 00000001c3626006 CR4: 0000000000770ee0 +[ 417.291088] PKRU: 55555554 +[ 417.291091] Call Trace: +[ 417.291096] +[ 417.291103] nsim_bpf_destroy_prog+0x31/0x80 [netdevsim] +[ 417.291154] __bpf_prog_offload_destroy+0x2a/0x80 +[ 417.291163] bpf_prog_dev_bound_destroy+0x6f/0xb0 +[ 417.291171] bpf_prog_free_deferred+0x18e/0x1a0 +[ 417.291178] process_one_work+0x18a/0x3a0 +[ 417.291188] worker_thread+0x27b/0x3a0 +[ 417.291197] ? __pfx_worker_thread+0x10/0x10 +[ 417.291207] kthread+0xe5/0x120 +[ 417.291214] ? __pfx_kthread+0x10/0x10 +[ 417.291221] ret_from_fork+0x31/0x50 +[ 417.291230] ? __pfx_kthread+0x10/0x10 +[ 417.291236] ret_from_fork_asm+0x1a/0x30 +[ 417.291246] + +Add a mutex lock, to prevent simultaneous addition and deletion operations +on the list. + +Fixes: 31d3ad832948 ("netdevsim: add bpf offload support") +Reported-by: Yinhao Hu +Reported-by: Kaiyan Mei +Signed-off-by: Yun Lu +Link: https://patch.msgid.link/20260116095308.11441-1-luyun_611@163.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/bpf.c | 6 ++++++ + drivers/net/netdevsim/dev.c | 2 ++ + drivers/net/netdevsim/netdevsim.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c +index 608953d4f98da..ca64136372fca 100644 +--- a/drivers/net/netdevsim/bpf.c ++++ b/drivers/net/netdevsim/bpf.c +@@ -244,7 +244,9 @@ static int nsim_bpf_create_prog(struct nsim_dev *nsim_dev, + &state->state, &nsim_bpf_string_fops); + debugfs_create_bool("loaded", 0400, state->ddir, &state->is_loaded); + ++ mutex_lock(&nsim_dev->progs_list_lock); + list_add_tail(&state->l, &nsim_dev->bpf_bound_progs); ++ mutex_unlock(&nsim_dev->progs_list_lock); + + prog->aux->offload->dev_priv = state; + +@@ -273,12 +275,16 @@ static int nsim_bpf_translate(struct bpf_prog *prog) + static void nsim_bpf_destroy_prog(struct bpf_prog *prog) + { + struct nsim_bpf_bound_prog *state; ++ struct nsim_dev *nsim_dev; + + state = prog->aux->offload->dev_priv; ++ nsim_dev = state->nsim_dev; + WARN(state->is_loaded, + "offload state destroyed while program still bound"); + debugfs_remove_recursive(state->ddir); ++ mutex_lock(&nsim_dev->progs_list_lock); + list_del(&state->l); ++ mutex_unlock(&nsim_dev->progs_list_lock); + kfree(state); + } + +diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c +index 3e0b61202f0c9..2614d6509954c 100644 +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -1545,6 +1545,7 @@ int nsim_drv_probe(struct nsim_bus_dev *nsim_bus_dev) + nsim_dev->max_macs = NSIM_DEV_MAX_MACS_DEFAULT; + nsim_dev->test1 = NSIM_DEV_TEST1_DEFAULT; + spin_lock_init(&nsim_dev->fa_cookie_lock); ++ mutex_init(&nsim_dev->progs_list_lock); + + dev_set_drvdata(&nsim_bus_dev->dev, nsim_dev); + +@@ -1683,6 +1684,7 @@ void nsim_drv_remove(struct nsim_bus_dev *nsim_bus_dev) + devl_unregister(devlink); + kfree(nsim_dev->vfconfigs); + kfree(nsim_dev->fa_cookie); ++ mutex_destroy(&nsim_dev->progs_list_lock); + devl_unlock(devlink); + devlink_free(devlink); + dev_set_drvdata(&nsim_bus_dev->dev, NULL); +diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h +index dfc6e00b718e3..f2a31acc5e2e4 100644 +--- a/drivers/net/netdevsim/netdevsim.h ++++ b/drivers/net/netdevsim/netdevsim.h +@@ -295,6 +295,7 @@ struct nsim_dev { + u32 prog_id_gen; + struct list_head bpf_bound_progs; + struct list_head bpf_bound_maps; ++ struct mutex progs_list_lock; + struct netdev_phys_item_id switch_id; + struct list_head port_list; + bool fw_update_status; +-- +2.51.0 + diff --git a/queue-6.6/octeontx2-af-fix-error-handling.patch b/queue-6.6/octeontx2-af-fix-error-handling.patch new file mode 100644 index 0000000000..77fd3574ba --- /dev/null +++ b/queue-6.6/octeontx2-af-fix-error-handling.patch @@ -0,0 +1,188 @@ +From ca5dc12f7c517d190b0b453e278bbbfdeeee8422 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 09:09:34 +0530 +Subject: octeontx2-af: Fix error handling + +From: Ratheesh Kannoth + +[ Upstream commit 19e4175e997a5b85eab97d522f00cc99abd1873c ] + +This commit adds error handling and rollback logic to +rvu_mbox_handler_attach_resources() to properly clean up partially +attached resources when rvu_attach_block() fails. + +Fixes: 746ea74241fa0 ("octeontx2-af: Add RVU block LF provisioning support") +Signed-off-by: Ratheesh Kannoth +Link: https://patch.msgid.link/20260121033934.1900761-1-rkannoth@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++++++++++++----- + 1 file changed, 64 insertions(+), 22 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 67e6d755b30ec..846049b6c4d60 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1541,8 +1541,8 @@ static int rvu_get_attach_blkaddr(struct rvu *rvu, int blktype, + return -ENODEV; + } + +-static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, +- int num_lfs, struct rsrc_attach *attach) ++static int rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, ++ int num_lfs, struct rsrc_attach *attach) + { + struct rvu_pfvf *pfvf = rvu_get_pfvf(rvu, pcifunc); + struct rvu_hwinfo *hw = rvu->hw; +@@ -1552,21 +1552,21 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + u64 cfg; + + if (!num_lfs) +- return; ++ return -EINVAL; + + blkaddr = rvu_get_attach_blkaddr(rvu, blktype, pcifunc, attach); + if (blkaddr < 0) +- return; ++ return -EFAULT; + + block = &hw->block[blkaddr]; + if (!block->lf.bmap) +- return; ++ return -ESRCH; + + for (slot = 0; slot < num_lfs; slot++) { + /* Allocate the resource */ + lf = rvu_alloc_rsrc(&block->lf); + if (lf < 0) +- return; ++ return -EFAULT; + + cfg = (1ULL << 63) | (pcifunc << 8) | slot; + rvu_write64(rvu, blkaddr, block->lfcfg_reg | +@@ -1577,6 +1577,8 @@ static void rvu_attach_block(struct rvu *rvu, int pcifunc, int blktype, + /* Set start MSIX vector for this LF within this PF/VF */ + rvu_set_msix_offset(rvu, pfvf, block, lf); + } ++ ++ return 0; + } + + static int rvu_check_rsrc_availability(struct rvu *rvu, +@@ -1714,22 +1716,31 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + int err; + + /* If first request, detach all existing attached resources */ +- if (!attach->modify) +- rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (!attach->modify) { ++ err = rvu_detach_rsrcs(rvu, NULL, pcifunc); ++ if (err) ++ return err; ++ } + + mutex_lock(&rvu->rsrc_lock); + + /* Check if the request can be accommodated */ + err = rvu_check_rsrc_availability(rvu, attach, pcifunc); + if (err) +- goto exit; ++ goto fail1; + + /* Now attach the requested resources */ +- if (attach->npalf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (attach->npalf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NPA, 1, attach); ++ if (err) ++ goto fail1; ++ } + +- if (attach->nixlf) +- rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (attach->nixlf) { ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_NIX, 1, attach); ++ if (err) ++ goto fail2; ++ } + + if (attach->sso) { + /* RVU func doesn't know which exact LF or slot is attached +@@ -1739,33 +1750,64 @@ int rvu_mbox_handler_attach_resources(struct rvu *rvu, + */ + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, +- attach->sso, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSO, ++ attach->sso, attach); ++ if (err) ++ goto fail3; + } + + if (attach->ssow) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, +- attach->ssow, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_SSOW, ++ attach->ssow, attach); ++ if (err) ++ goto fail4; + } + + if (attach->timlfs) { + if (attach->modify) + rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, +- attach->timlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_TIM, ++ attach->timlfs, attach); ++ if (err) ++ goto fail5; + } + + if (attach->cptlfs) { + if (attach->modify && + rvu_attach_from_same_block(rvu, BLKTYPE_CPT, attach)) + rvu_detach_block(rvu, pcifunc, BLKTYPE_CPT); +- rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, +- attach->cptlfs, attach); ++ err = rvu_attach_block(rvu, pcifunc, BLKTYPE_CPT, ++ attach->cptlfs, attach); ++ if (err) ++ goto fail6; + } + +-exit: ++ mutex_unlock(&rvu->rsrc_lock); ++ return 0; ++ ++fail6: ++ if (attach->timlfs) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_TIM); ++ ++fail5: ++ if (attach->ssow) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSOW); ++ ++fail4: ++ if (attach->sso) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_SSO); ++ ++fail3: ++ if (attach->nixlf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NIX); ++ ++fail2: ++ if (attach->npalf) ++ rvu_detach_block(rvu, pcifunc, BLKTYPE_NPA); ++ ++fail1: + mutex_unlock(&rvu->rsrc_lock); + return err; + } +-- +2.51.0 + diff --git a/queue-6.6/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch b/queue-6.6/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch new file mode 100644 index 0000000000..d6c6bc3a03 --- /dev/null +++ b/queue-6.6/regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch @@ -0,0 +1,49 @@ +From 29072883321c0aad738891f9e921108c7158f860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 11:26:33 +0800 +Subject: regmap: Fix race condition in hwspinlock irqsave routine + +From: Cheng-Yu Lee + +[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ] + +Previously, the address of the shared member '&map->spinlock_flags' was +passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race +condition where multiple contexts contending for the lock could overwrite +the shared flags variable, potentially corrupting the state for the +current lock owner. + +Fix this by using a local stack variable 'flags' to store the IRQ state +temporarily. + +Fixes: 8698b9364710 ("regmap: Add hardware spinlock support") +Signed-off-by: Cheng-Yu Lee +Co-developed-by: Yu-Chun Lin +Signed-off-by: Yu-Chun Lin +Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 9603c28a3ed82..48860beff95c9 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map) + static void regmap_lock_hwlock_irqsave(void *__map) + { + struct regmap *map = __map; ++ unsigned long flags = 0; + + hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX, +- &map->spinlock_flags); ++ &flags); ++ map->spinlock_flags = flags; + } + + static void regmap_unlock_hwlock(void *__map) +-- +2.51.0 + diff --git a/queue-6.6/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch b/queue-6.6/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch new file mode 100644 index 0000000000..cfff0a13d7 --- /dev/null +++ b/queue-6.6/riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch @@ -0,0 +1,57 @@ +From 33511f9eb268bf6efdca6f4e63cec69108fb3b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jan 2026 22:59:36 +0900 +Subject: riscv: clocksource: Fix stimecmp update hazard on RV32 + +From: Naohiko Shimizu + +[ Upstream commit eaa9bb1d39d59e7c17b06cec12622b7c586ab629 ] + +On RV32, updating the 64-bit stimecmp (or vstimecmp) CSR requires two +separate 32-bit writes. A race condition exists if the timer triggers +during these two writes. + +The RISC-V Privileged Specification (e.g., Section 3.2.1 for mtimecmp) +recommends a specific 3-step sequence to avoid spurious interrupts +when updating 64-bit comparison registers on 32-bit systems: + +1. Set the low-order bits (stimecmp) to all ones (ULONG_MAX). +2. Set the high-order bits (stimecmph) to the desired value. +3. Set the low-order bits (stimecmp) to the desired value. + +Current implementation writes the LSB first without ensuring a future +value, which may lead to a transient state where the 64-bit comparison +is incorrectly evaluated as "expired" by the hardware. This results in +spurious timer interrupts. + +This patch adopts the spec-recommended 3-step sequence to ensure the +intermediate 64-bit state is never smaller than the current time. + +Fixes: 9f7a8ff6391f ("RISC-V: Prefer sstc extension if available") +Signed-off-by: Naohiko Shimizu +Reviewed-by: Anup Patel +Link: https://patch.msgid.link/20260104135938.524-2-naohiko.shimizu@gmail.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-riscv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-riscv.c b/drivers/clocksource/timer-riscv.c +index da3071b387eb5..3d542d0f76034 100644 +--- a/drivers/clocksource/timer-riscv.c ++++ b/drivers/clocksource/timer-riscv.c +@@ -39,8 +39,9 @@ static int riscv_clock_next_event(unsigned long delta, + csr_set(CSR_IE, IE_TIE); + if (static_branch_likely(&riscv_sstc_available)) { + #if defined(CONFIG_32BIT) +- csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); ++ csr_write(CSR_STIMECMP, ULONG_MAX); + csr_write(CSR_STIMECMPH, next_tval >> 32); ++ csr_write(CSR_STIMECMP, next_tval & 0xFFFFFFFF); + #else + csr_write(CSR_STIMECMP, next_tval); + #endif +-- +2.51.0 + diff --git a/queue-6.6/scsi-core-wake-up-the-error-handler-when-final-compl.patch b/queue-6.6/scsi-core-wake-up-the-error-handler-when-final-compl.patch new file mode 100644 index 0000000000..d056f857d6 --- /dev/null +++ b/queue-6.6/scsi-core-wake-up-the-error-handler-when-final-compl.patch @@ -0,0 +1,96 @@ +From 5f33fc6f1ed548c2084510bfcc8ebbddc993e7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Jan 2026 11:08:13 -0500 +Subject: scsi: core: Wake up the error handler when final completions race + against each other + +From: David Jeffery + +[ Upstream commit fe2f8ad6f0999db3b318359a01ee0108c703a8c3 ] + +The fragile ordering between marking commands completed or failed so +that the error handler only wakes when the last running command +completes or times out has race conditions. These race conditions can +cause the SCSI layer to fail to wake the error handler, leaving I/O +through the SCSI host stuck as the error state cannot advance. + +First, there is an memory ordering issue within scsi_dec_host_busy(). +The write which clears SCMD_STATE_INFLIGHT may be reordered with reads +counting in scsi_host_busy(). While the local CPU will see its own +write, reordering can allow other CPUs in scsi_dec_host_busy() or +scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to +see a host busy equal to the host_failed count. + +This race condition can be prevented with a memory barrier on the error +path to force the write to be visible before counting host busy +commands. + +Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By +counting busy commands before incrementing host_failed, it can race with a +final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does +not see host_failed incremented but scsi_eh_inc_host_failed() counts busy +commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), +resulting in neither waking the error handler task. + +This needs the call to scsi_host_busy() to be moved after host_failed is +incremented to close the race condition. + +Fixes: 6eb045e092ef ("scsi: core: avoid host-wide host_busy counter for scsi_mq") +Signed-off-by: David Jeffery +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260113161036.6730-1-djeffery@redhat.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_error.c | 11 ++++++++++- + drivers/scsi/scsi_lib.c | 8 ++++++++ + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c +index 5882b5f80c049..c4c05cf38aa55 100644 +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -282,11 +282,20 @@ static void scsi_eh_inc_host_failed(struct rcu_head *head) + { + struct scsi_cmnd *scmd = container_of(head, typeof(*scmd), rcu); + struct Scsi_Host *shost = scmd->device->host; +- unsigned int busy = scsi_host_busy(shost); ++ unsigned int busy; + unsigned long flags; + + spin_lock_irqsave(shost->host_lock, flags); + shost->host_failed++; ++ spin_unlock_irqrestore(shost->host_lock, flags); ++ /* ++ * The counting of busy requests needs to occur after adding to ++ * host_failed or after the lock acquire for adding to host_failed ++ * to prevent a race with host unbusy and missing an eh wakeup. ++ */ ++ busy = scsi_host_busy(shost); ++ ++ spin_lock_irqsave(shost->host_lock, flags); + scsi_eh_wakeup(shost, busy); + spin_unlock_irqrestore(shost->host_lock, flags); + } +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index bd75e3ebc14da..efd1f1d6e4e9b 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -278,6 +278,14 @@ static void scsi_dec_host_busy(struct Scsi_Host *shost, struct scsi_cmnd *cmd) + rcu_read_lock(); + __clear_bit(SCMD_STATE_INFLIGHT, &cmd->state); + if (unlikely(scsi_host_in_recovery(shost))) { ++ /* ++ * Ensure the clear of SCMD_STATE_INFLIGHT is visible to ++ * other CPUs before counting busy requests. Otherwise, ++ * reordering can cause CPUs to race and miss an eh wakeup ++ * when no CPU sees all busy requests as done or timed out. ++ */ ++ smp_mb(); ++ + unsigned int busy = scsi_host_busy(shost); + + spin_lock_irqsave(shost->host_lock, flags); +-- +2.51.0 + diff --git a/queue-6.6/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch b/queue-6.6/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch new file mode 100644 index 0000000000..cf0b87d778 --- /dev/null +++ b/queue-6.6/scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch @@ -0,0 +1,61 @@ +From 55b227edadc3cfbaac945fab649a4ec89515af17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jan 2026 20:53:44 +0000 +Subject: scsi: qla2xxx: Sanitize payload size to prevent member overflow + +From: Jiasheng Jiang + +[ Upstream commit 19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 ] + +In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size +reported by firmware is used to calculate the copy length into +item->iocb. However, the iocb member is defined as a fixed-size 64-byte +array within struct purex_item. + +If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will +overflow the iocb member boundary. While extra memory might be allocated, +this cross-member write is unsafe and triggers warnings under +CONFIG_FORTIFY_SOURCE. + +Fix this by capping total_bytes to the size of the iocb member (64 bytes) +before allocation and copying. This ensures all copies remain within the +bounds of the destination structure member. + +Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Himanshu Madhani +Link: https://patch.msgid.link/20260106205344.18031-1-jiashengjiangcool@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_isr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index a85d3a40ee490..ae2bea27a18a6 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, void **pkt, + payload_size = sizeof(purex->els_frame_payload); + } + ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + no_bytes = (pending_bytes > payload_size) ? payload_size : + pending_bytes; +@@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, void **pkt, + + total_bytes = (le16_to_cpu(purex->frame_size) & 0x0FFF) + - PURX_ELS_HEADER_SIZE; ++ ++ if (total_bytes > sizeof(item->iocb.iocb)) ++ total_bytes = sizeof(item->iocb.iocb); ++ + pending_bytes = total_bytes; + entry_count = entry_count_remaining = purex->entry_count; + no_bytes = (pending_bytes > sizeof(purex->els_frame_payload)) ? +-- +2.51.0 + diff --git a/queue-6.6/selftests-net-amt-wait-longer-for-connection-before-.patch b/queue-6.6/selftests-net-amt-wait-longer-for-connection-before-.patch new file mode 100644 index 0000000000..9c34722c9b --- /dev/null +++ b/queue-6.6/selftests-net-amt-wait-longer-for-connection-before-.patch @@ -0,0 +1,63 @@ +From de341962813af592717e56fb60027294dba6fc2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jan 2026 13:39:30 +0000 +Subject: selftests: net: amt: wait longer for connection before sending + packets + +From: Taehee Yoo + +[ Upstream commit 04708606fd7bdc34b69089a4ff848ff36d7088f9 ] + +Both send_mcast4() and send_mcast6() use sleep 2 to wait for the tunnel +connection between the gateway and the relay, and for the listener +socket to be created in the LISTENER namespace. + +However, tests sometimes fail because packets are sent before the +connection is fully established. + +Increase the waiting time to make the tests more reliable, and use +wait_local_port_listen() to explicitly wait for the listener socket. + +Fixes: c08e8baea78e ("selftests: add amt interface selftest script") +Signed-off-by: Taehee Yoo +Link: https://patch.msgid.link/20260120133930.863845-1-ap420073@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/amt.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/amt.sh b/tools/testing/selftests/net/amt.sh +index 7e7ed6c558da9..ea40b469a8c11 100755 +--- a/tools/testing/selftests/net/amt.sh ++++ b/tools/testing/selftests/net/amt.sh +@@ -73,6 +73,8 @@ + # +------------------------+ + #============================================================================== + ++source lib.sh ++ + readonly LISTENER=$(mktemp -u listener-XXXXXXXX) + readonly GATEWAY=$(mktemp -u gateway-XXXXXXXX) + readonly RELAY=$(mktemp -u relay-XXXXXXXX) +@@ -240,14 +242,15 @@ test_ipv6_forward() + + send_mcast4() + { +- sleep 2 ++ sleep 5 ++ wait_local_port_listen ${LISTENER} 4000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 172.17.0.2 | nc -w 1 -u 239.0.0.1 4000' & + } + + send_mcast6() + { +- sleep 2 ++ wait_local_port_listen ${LISTENER} 6000 udp + ip netns exec "${SOURCE}" bash -c \ + 'printf "%s %128s" 2001:db8:3::2 | nc -w 1 -u ff0e::5:6 6000' & + } +-- +2.51.0 + diff --git a/queue-6.6/series b/queue-6.6/series index b604a37473..6d9f12fc04 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -149,3 +149,35 @@ platform-x86-hp-bioscfg-fix-kobject-warnings-for-empty-attribute-names.patch platform-x86-hp-bioscfg-fix-kernel-panic-in-get_instance_id-macro.patch io_uring-io-wq-check-io_wq_bit_exit-inside-work-run-loop.patch iio-imu-st_lsm6dsx-fix-iio_chan_spec-for-sensors-without-event-detection.patch +iio-adc-ad7280a-handle-spi_setup-errors-in-probe.patch +interconnect-debugfs-initialize-src_node-and-dst_nod.patch +spi-sprd-adi-use-devm_register_restart_handler.patch +spi-sprd-adi-switch-to-use-spi_alloc_host.patch +spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch +regmap-fix-race-condition-in-hwspinlock-irqsave-rout.patch +kconfig-fix-static-linking-of-nconf.patch +riscv-clocksource-fix-stimecmp-update-hazard-on-rv32.patch +scsi-core-wake-up-the-error-handler-when-final-compl.patch +scsi-qla2xxx-sanitize-payload-size-to-prevent-member.patch +alsa-usb-increase-volume-range-that-triggers-a-warni.patch +netdevsim-fix-a-race-issue-related-to-the-operation-.patch +net-hns3-fix-data-race-in-hns3_fetch_stats.patch +be2net-fix-data-race-in-be_get_new_eqd.patch +net-hns3-fix-wrong-genmask-for-hclge_fd_ad_counter_n.patch +net-hns3-fix-the-hclge_fd_ad_nxt_key-error-setting-i.patch +misdn-annotate-data-race-around-dev-work.patch +ipv6-annotate-data-race-in-ndisc_router_discovery.patch +usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch +drm-amd-pm-don-t-clear-si-smc-table-when-setting-pow.patch +drm-amd-pm-workaround-si-powertune-issue-on-radeon-4.patch +be2net-fix-null-pointer-dereference-in-be_cmd_get_ma.patch +selftests-net-amt-wait-longer-for-connection-before-.patch +bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch +net-dsa-fix-off-by-one-in-maximum-bridge-id-determin.patch +octeontx2-af-fix-error-handling.patch +net-openvswitch-fix-data-race-in-ovs_vport_get_upcal.patch +vsock-virtio-fix-potential-underflow-in-virtio_trans.patch +vsock-test-fix-seqpacket-message-bounds-test.patch +vsock-virtio-cap-tx-credit-to-local-buffer-size.patch +net-sched-act_ife-avoid-possible-null-deref.patch +x86-make-page-fault-handling-disable-interrupts-prop.patch diff --git a/queue-6.6/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch b/queue-6.6/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch new file mode 100644 index 0000000000..ceafd7e4a5 --- /dev/null +++ b/queue-6.6/spi-spi-sprd-adi-fix-double-free-in-probe-error-path.patch @@ -0,0 +1,113 @@ +From 98a7b8ebe0a3064d1b7536aeeceec6ce35bb1d93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jan 2026 20:49:53 +0800 +Subject: spi: spi-sprd-adi: Fix double free in probe error path + +From: Felix Gu + +[ Upstream commit 383d4f5cffcc8df930d95b06518a9d25a6d74aac ] + +The driver currently uses spi_alloc_host() to allocate the controller +but registers it using devm_spi_register_controller(). + +If devm_register_restart_handler() fails, the code jumps to the +put_ctlr label and calls spi_controller_put(). However, since the +controller was registered via a devm function, the device core will +automatically call spi_controller_put() again when the probe fails. +This results in a double-free of the spi_controller structure. + +Fix this by switching to devm_spi_alloc_host() and removing the +manual spi_controller_put() call. + +Fixes: ac17750 ("spi: sprd: Add the support of restarting the system") +Signed-off-by: Felix Gu +Reviewed-by: Baolin Wang +Link: https://patch.msgid.link/tencent_AC7D389CE7E24318445E226F7CDCCC2F0D07@qq.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 262c11d977ea3..f25b34a91756f 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -528,7 +528,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = devm_spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +@@ -536,10 +536,8 @@ static int sprd_adi_probe(struct platform_device *pdev) + sadi = spi_controller_get_devdata(ctlr); + + sadi->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res); +- if (IS_ERR(sadi->base)) { +- ret = PTR_ERR(sadi->base); +- goto put_ctlr; +- } ++ if (IS_ERR(sadi->base)) ++ return PTR_ERR(sadi->base); + + sadi->slave_vbase = (unsigned long)sadi->base + + data->slave_offset; +@@ -551,18 +549,15 @@ static int sprd_adi_probe(struct platform_device *pdev) + if (ret > 0 || (IS_ENABLED(CONFIG_HWSPINLOCK) && ret == 0)) { + sadi->hwlock = + devm_hwspin_lock_request_specific(&pdev->dev, ret); +- if (!sadi->hwlock) { +- ret = -ENXIO; +- goto put_ctlr; +- } ++ if (!sadi->hwlock) ++ return -ENXIO; + } else { + switch (ret) { + case -ENOENT: + dev_info(&pdev->dev, "no hardware spinlock supplied\n"); + break; + default: +- dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); +- goto put_ctlr; ++ return dev_err_probe(&pdev->dev, ret, "failed to find hwlock id\n"); + } + } + +@@ -579,26 +574,18 @@ static int sprd_adi_probe(struct platform_device *pdev) + ctlr->transfer_one = sprd_adi_transfer_one; + + ret = devm_spi_register_controller(&pdev->dev, ctlr); +- if (ret) { +- dev_err(&pdev->dev, "failed to register SPI controller\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to register SPI controller\n"); + + if (sadi->data->restart) { + ret = devm_register_restart_handler(&pdev->dev, + sadi->data->restart, + sadi); +- if (ret) { +- dev_err(&pdev->dev, "can not register restart handler\n"); +- goto put_ctlr; +- } ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "can not register restart handler\n"); + } + + return 0; +- +-put_ctlr: +- spi_controller_put(ctlr); +- return ret; + } + + static struct sprd_adi_data sc9860_data = { +-- +2.51.0 + diff --git a/queue-6.6/spi-sprd-adi-switch-to-use-spi_alloc_host.patch b/queue-6.6/spi-sprd-adi-switch-to-use-spi_alloc_host.patch new file mode 100644 index 0000000000..1ae7db9083 --- /dev/null +++ b/queue-6.6/spi-sprd-adi-switch-to-use-spi_alloc_host.patch @@ -0,0 +1,38 @@ +From 6665931441de23e9a2de3ddf7865c063efd6c65b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Nov 2023 17:30:06 +0800 +Subject: spi: sprd-adi: switch to use spi_alloc_host() + +From: Yang Yingliang + +[ Upstream commit 0a3d087d09a8f52c02d0014bad63be99c53c4812 ] + +Switch to use modern name function spi_alloc_host(). + +No functional changed. + +Signed-off-by: Yang Yingliang +Link: https://msgid.link/r/20231128093031.3707034-2-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index 58c3badd9c79a..262c11d977ea3 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -528,7 +528,7 @@ static int sprd_adi_probe(struct platform_device *pdev) + pdev->id = of_alias_get_id(np, "spi"); + num_chipselect = of_get_child_count(np); + +- ctlr = spi_alloc_master(&pdev->dev, sizeof(struct sprd_adi)); ++ ctlr = spi_alloc_host(&pdev->dev, sizeof(struct sprd_adi)); + if (!ctlr) + return -ENOMEM; + +-- +2.51.0 + diff --git a/queue-6.6/spi-sprd-adi-use-devm_register_restart_handler.patch b/queue-6.6/spi-sprd-adi-use-devm_register_restart_handler.patch new file mode 100644 index 0000000000..0af8a7c01b --- /dev/null +++ b/queue-6.6/spi-sprd-adi-use-devm_register_restart_handler.patch @@ -0,0 +1,115 @@ +From f81f6dd8a1bd17100452ebd6b20047c1863a2998 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Nov 2023 10:10:05 -0600 +Subject: spi: sprd: adi: Use devm_register_restart_handler() + +From: Andrew Davis + +[ Upstream commit 8e6a43961f24cf841d3c0d199521d0b284d948b9 ] + +Use device life-cycle managed register function to simplify probe error +path and eliminate need for explicit remove function. + +Signed-off-by: Andrew Davis +Link: https://lore.kernel.org/r/20231117161006.87734-5-afd@ti.com +Signed-off-by: Mark Brown +Stable-dep-of: 383d4f5cffcc ("spi: spi-sprd-adi: Fix double free in probe error path") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sprd-adi.c | 30 ++++++++---------------------- + 1 file changed, 8 insertions(+), 22 deletions(-) + +diff --git a/drivers/spi/spi-sprd-adi.c b/drivers/spi/spi-sprd-adi.c +index bf01feedbf93f..58c3badd9c79a 100644 +--- a/drivers/spi/spi-sprd-adi.c ++++ b/drivers/spi/spi-sprd-adi.c +@@ -138,8 +138,7 @@ struct sprd_adi_data { + u32 slave_offset; + u32 slave_addr_size; + int (*read_check)(u32 val, u32 reg); +- int (*restart)(struct notifier_block *this, +- unsigned long mode, void *cmd); ++ int (*restart)(struct sys_off_data *data); + void (*wdg_rst)(void *p); + }; + +@@ -150,7 +149,6 @@ struct sprd_adi { + struct hwspinlock *hwlock; + unsigned long slave_vbase; + unsigned long slave_pbase; +- struct notifier_block restart_handler; + const struct sprd_adi_data *data; + }; + +@@ -370,11 +368,9 @@ static void sprd_adi_set_wdt_rst_mode(void *p) + #endif + } + +-static int sprd_adi_restart(struct notifier_block *this, unsigned long mode, +- void *cmd, struct sprd_adi_wdg *wdg) ++static int sprd_adi_restart(struct sprd_adi *sadi, unsigned long mode, ++ const char *cmd, struct sprd_adi_wdg *wdg) + { +- struct sprd_adi *sadi = container_of(this, struct sprd_adi, +- restart_handler); + u32 val, reboot_mode = 0; + + if (!cmd) +@@ -448,8 +444,7 @@ static int sprd_adi_restart(struct notifier_block *this, unsigned long mode, + return NOTIFY_DONE; + } + +-static int sprd_adi_restart_sc9860(struct notifier_block *this, +- unsigned long mode, void *cmd) ++static int sprd_adi_restart_sc9860(struct sys_off_data *data) + { + struct sprd_adi_wdg wdg = { + .base = PMIC_WDG_BASE, +@@ -458,7 +453,7 @@ static int sprd_adi_restart_sc9860(struct notifier_block *this, + .wdg_clk = PMIC_CLK_EN, + }; + +- return sprd_adi_restart(this, mode, cmd, &wdg); ++ return sprd_adi_restart(data->cb_data, data->mode, data->cmd, &wdg); + } + + static void sprd_adi_hw_init(struct sprd_adi *sadi) +@@ -590,9 +585,9 @@ static int sprd_adi_probe(struct platform_device *pdev) + } + + if (sadi->data->restart) { +- sadi->restart_handler.notifier_call = sadi->data->restart; +- sadi->restart_handler.priority = 128; +- ret = register_restart_handler(&sadi->restart_handler); ++ ret = devm_register_restart_handler(&pdev->dev, ++ sadi->data->restart, ++ sadi); + if (ret) { + dev_err(&pdev->dev, "can not register restart handler\n"); + goto put_ctlr; +@@ -606,14 +601,6 @@ static int sprd_adi_probe(struct platform_device *pdev) + return ret; + } + +-static void sprd_adi_remove(struct platform_device *pdev) +-{ +- struct spi_controller *ctlr = dev_get_drvdata(&pdev->dev); +- struct sprd_adi *sadi = spi_controller_get_devdata(ctlr); +- +- unregister_restart_handler(&sadi->restart_handler); +-} +- + static struct sprd_adi_data sc9860_data = { + .slave_offset = ADI_10BIT_SLAVE_OFFSET, + .slave_addr_size = ADI_10BIT_SLAVE_ADDR_SIZE, +@@ -657,7 +644,6 @@ static struct platform_driver sprd_adi_driver = { + .of_match_table = sprd_adi_of_match, + }, + .probe = sprd_adi_probe, +- .remove_new = sprd_adi_remove, + }; + module_platform_driver(sprd_adi_driver); + +-- +2.51.0 + diff --git a/queue-6.6/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch b/queue-6.6/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch new file mode 100644 index 0000000000..ea0f3d3a84 --- /dev/null +++ b/queue-6.6/usbnet-limit-max_mtu-based-on-device-s-hard_mtu.patch @@ -0,0 +1,59 @@ +From 684e495f96c74d377cbfcc06c83c96c2e4d0fda6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Jan 2026 08:55:18 +0100 +Subject: usbnet: limit max_mtu based on device's hard_mtu + +From: Laurent Vivier + +[ Upstream commit c7159e960f1472a5493ac99aff0086ab1d683594 ] + +The usbnet driver initializes net->max_mtu to ETH_MAX_MTU before calling +the device's bind() callback. When the bind() callback sets +dev->hard_mtu based the device's actual capability (from CDC Ethernet's +wMaxSegmentSize descriptor), max_mtu is never updated to reflect this +hardware limitation). + +This allows userspace (DHCP or IPv6 RA) to configure MTU larger than the +device can handle, leading to silent packet drops when the backend sends +packet exceeding the device's buffer size. + +Fix this by limiting net->max_mtu to the device's hard_mtu after the +bind callback returns. + +See https://gitlab.com/qemu-project/qemu/-/issues/3268 and + https://bugs.passt.top/attachment.cgi?bugid=189 + +Fixes: f77f0aee4da4 ("net: use core MTU range checking in USB NIC drivers") +Signed-off-by: Laurent Vivier +Link: https://bugs.passt.top/show_bug.cgi?id=189 +Reviewed-by: Stefano Brivio +Link: https://patch.msgid.link/20260119075518.2774373-1-lvivier@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/usbnet.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index e6a1864f03f94..e41649365efff 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1799,9 +1799,12 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod) + if ((dev->driver_info->flags & FLAG_NOARP) != 0) + net->flags |= IFF_NOARP; + +- /* maybe the remote can't receive an Ethernet MTU */ +- if (net->mtu > (dev->hard_mtu - net->hard_header_len)) +- net->mtu = dev->hard_mtu - net->hard_header_len; ++ if (net->max_mtu > (dev->hard_mtu - net->hard_header_len)) ++ net->max_mtu = dev->hard_mtu - net->hard_header_len; ++ ++ if (net->mtu > net->max_mtu) ++ net->mtu = net->max_mtu; ++ + } else if (!info->in || !info->out) + status = usbnet_get_endpoints (dev, udev); + else { +-- +2.51.0 + diff --git a/queue-6.6/vsock-test-fix-seqpacket-message-bounds-test.patch b/queue-6.6/vsock-test-fix-seqpacket-message-bounds-test.patch new file mode 100644 index 0000000000..ad765b8b4a --- /dev/null +++ b/queue-6.6/vsock-test-fix-seqpacket-message-bounds-test.patch @@ -0,0 +1,61 @@ +From 810b48345743865ee59acf47dce304850cfd46ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:26 +0100 +Subject: vsock/test: fix seqpacket message bounds test + +From: Stefano Garzarella + +[ Upstream commit 0a98de80136968bab7db37b16282b37f044694d3 ] + +The test requires the sender (client) to send all messages before waking +up the receiver (server). +Since virtio-vsock had a bug and did not respect the size of the TX +buffer, this test worked, but now that we are going to fix the bug, the +test hangs because the sender would fill the TX buffer before waking up +the receiver. + +Set the buffer size in the sender (client) as well, as we already do for +the receiver (server). + +Fixes: 5c338112e48a ("test/vsock: rework message bounds test") +Signed-off-by: Stefano Garzarella +Link: https://patch.msgid.link/20260121093628.9941-3-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/vsock/vsock_test.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c +index 5dc7767039f6f..793d688cd4da6 100644 +--- a/tools/testing/vsock/vsock_test.c ++++ b/tools/testing/vsock/vsock_test.c +@@ -396,6 +396,7 @@ static void test_stream_msg_peek_server(const struct test_opts *opts) + + static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + { ++ unsigned long long sock_buf_size; + unsigned long curr_hash; + size_t max_msg_size; + int page_size; +@@ -408,6 +409,16 @@ static void test_seqpacket_msg_bounds_client(const struct test_opts *opts) + exit(EXIT_FAILURE); + } + ++ sock_buf_size = SOCK_BUF_SIZE; ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_MAX_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_MAX_SIZE)"); ++ ++ setsockopt_ull_check(fd, AF_VSOCK, SO_VM_SOCKETS_BUFFER_SIZE, ++ sock_buf_size, ++ "setsockopt(SO_VM_SOCKETS_BUFFER_SIZE)"); ++ + /* Wait, until receiver sets buffer size. */ + control_expectln("SRVREADY"); + +-- +2.51.0 + diff --git a/queue-6.6/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch b/queue-6.6/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch new file mode 100644 index 0000000000..621010fec6 --- /dev/null +++ b/queue-6.6/vsock-virtio-cap-tx-credit-to-local-buffer-size.patch @@ -0,0 +1,128 @@ +From 2a1de902e7632a38dc60e848c347f3f87c153380 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:27 +0100 +Subject: vsock/virtio: cap TX credit to local buffer size + +From: Melbin K Mathew + +[ Upstream commit 8ee784fdf006cbe8739cfa093f54d326cbf54037 ] + +The virtio transports derives its TX credit directly from peer_buf_alloc, +which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. + +On the host side this means that the amount of data we are willing to +queue for a connection is scaled by a guest-chosen buffer size, rather +than the host's own vsock configuration. A malicious guest can advertise +a large buffer and read slowly, causing the host to allocate a +correspondingly large amount of sk_buff memory. +The same thing would happen in the guest with a malicious host, since +virtio transports share the same code base. + +Introduce a small helper, virtio_transport_tx_buf_size(), that +returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume +peer_buf_alloc. + +This ensures the effective TX window is bounded by both the peer's +advertised buffer and our own buf_alloc (already clamped to +buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer +cannot force the other to queue more data than allowed by its own +vsock settings. + +On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with +32 guest vsock connections advertising 2 GiB each and reading slowly +drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only +recovered after killing the QEMU process. That said, if QEMU memory is +limited with cgroups, the maximum memory used will be limited. + +With this patch applied: + + Before: + MemFree: ~61.6 GiB + Slab: ~142 MiB + SUnreclaim: ~117 MiB + + After 32 high-credit connections: + MemFree: ~61.5 GiB + Slab: ~178 MiB + SUnreclaim: ~152 MiB + +Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest +remains responsive. + +Compatibility with non-virtio transports: + + - VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per + socket based on the local vsk->buffer_* values; the remote side + cannot enlarge those queues beyond what the local endpoint + configured. + + - Hyper-V's vsock transport uses fixed-size VMBus ring buffers and + an MTU bound; there is no peer-controlled credit field comparable + to peer_buf_alloc, and the remote endpoint cannot drive in-flight + kernel memory above those ring sizes. + + - The loopback path reuses virtio_transport_common.c, so it + naturally follows the same semantics as the virtio transport. + +This change is limited to virtio_transport_common.c and thus affects +virtio-vsock, vhost-vsock, and loopback, bringing them in line with the +"remote window intersected with local policy" behaviour that VMCI and +Hyper-V already effectively have. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: small adjustments after changing the previous patch] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-4-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index 1401177e26222..4c374c36c29d1 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -628,6 +628,15 @@ virtio_transport_seqpacket_dequeue(struct vsock_sock *vsk, + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_dequeue); + ++static u32 virtio_transport_tx_buf_size(struct virtio_vsock_sock *vvs) ++{ ++ /* The peer advertises its receive buffer via peer_buf_alloc, but we ++ * cap it to our local buf_alloc so a remote peer cannot force us to ++ * queue more data than our own buffer configuration allows. ++ */ ++ return min(vvs->peer_buf_alloc, vvs->buf_alloc); ++} ++ + int + virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + struct msghdr *msg, +@@ -637,7 +646,7 @@ virtio_transport_seqpacket_enqueue(struct vsock_sock *vsk, + + spin_lock_bh(&vvs->tx_lock); + +- if (len > vvs->peer_buf_alloc) { ++ if (len > virtio_transport_tx_buf_size(vvs)) { + spin_unlock_bh(&vvs->tx_lock); + return -EMSGSIZE; + } +@@ -691,7 +700,8 @@ static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction + * does not underflow. + */ +- bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); ++ bytes = (s64)virtio_transport_tx_buf_size(vvs) - ++ (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; + +-- +2.51.0 + diff --git a/queue-6.6/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch b/queue-6.6/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch new file mode 100644 index 0000000000..2934247cb2 --- /dev/null +++ b/queue-6.6/vsock-virtio-fix-potential-underflow-in-virtio_trans.patch @@ -0,0 +1,99 @@ +From e57bcfdfdac1f3228a839309dbc5b64422e73baf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jan 2026 10:36:25 +0100 +Subject: vsock/virtio: fix potential underflow in + virtio_transport_get_credit() + +From: Melbin K Mathew + +[ Upstream commit 3ef3d52a1a9860d094395c7a3e593f3aa26ff012 ] + +The credit calculation in virtio_transport_get_credit() uses unsigned +arithmetic: + + ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + +If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes +are in flight, the subtraction can underflow and produce a large +positive value, potentially allowing more data to be queued than the +peer can handle. + +Reuse virtio_transport_has_space() which already handles this case and +add a comment to make it clear why we are doing that. + +Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko") +Suggested-by: Stefano Garzarella +Signed-off-by: Melbin K Mathew +[Stefano: use virtio_transport_has_space() instead of duplicating the code] +[Stefano: tweak the commit message] +Signed-off-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20260121093628.9941-2-sgarzare@redhat.com +Acked-by: Michael S. Tsirkin +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/virtio_transport_common.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index c57fe7ddcf73b..1401177e26222 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -28,6 +28,7 @@ + + static void virtio_transport_cancel_close_work(struct vsock_sock *vsk, + bool cancel_timeout); ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs); + + static const struct virtio_transport * + virtio_transport_get_ops(struct vsock_sock *vsk) +@@ -316,9 +317,7 @@ u32 virtio_transport_get_credit(struct virtio_vsock_sock *vvs, u32 credit) + return 0; + + spin_lock_bh(&vvs->tx_lock); +- ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); +- if (ret > credit) +- ret = credit; ++ ret = min_t(u32, credit, virtio_transport_has_space(vvs)); + vvs->tx_cnt += ret; + spin_unlock_bh(&vvs->tx_lock); + +@@ -684,11 +683,14 @@ u32 virtio_transport_seqpacket_has_data(struct vsock_sock *vsk) + } + EXPORT_SYMBOL_GPL(virtio_transport_seqpacket_has_data); + +-static s64 virtio_transport_has_space(struct vsock_sock *vsk) ++static s64 virtio_transport_has_space(struct virtio_vsock_sock *vvs) + { +- struct virtio_vsock_sock *vvs = vsk->trans; + s64 bytes; + ++ /* Use s64 arithmetic so if the peer shrinks peer_buf_alloc while ++ * we have bytes in flight (tx_cnt - peer_fwd_cnt), the subtraction ++ * does not underflow. ++ */ + bytes = (s64)vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt); + if (bytes < 0) + bytes = 0; +@@ -702,7 +704,7 @@ s64 virtio_transport_stream_has_space(struct vsock_sock *vsk) + s64 bytes; + + spin_lock_bh(&vvs->tx_lock); +- bytes = virtio_transport_has_space(vsk); ++ bytes = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + + return bytes; +@@ -1301,7 +1303,7 @@ static bool virtio_transport_space_update(struct sock *sk, + spin_lock_bh(&vvs->tx_lock); + vvs->peer_buf_alloc = le32_to_cpu(hdr->buf_alloc); + vvs->peer_fwd_cnt = le32_to_cpu(hdr->fwd_cnt); +- space_available = virtio_transport_has_space(vsk); ++ space_available = virtio_transport_has_space(vvs); + spin_unlock_bh(&vvs->tx_lock); + return space_available; + } +-- +2.51.0 + diff --git a/queue-6.6/x86-make-page-fault-handling-disable-interrupts-prop.patch b/queue-6.6/x86-make-page-fault-handling-disable-interrupts-prop.patch new file mode 100644 index 0000000000..7da4149a03 --- /dev/null +++ b/queue-6.6/x86-make-page-fault-handling-disable-interrupts-prop.patch @@ -0,0 +1,96 @@ +From e21c8bd8dbf1d37865ac01bc730eb6f5715de759 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Jan 2026 18:39:15 -0600 +Subject: x86: make page fault handling disable interrupts properly + +From: Cedric Xing + +[ Upstream commit 614da1d3d4cdbd6e41aea06bc97ec15aacff6daf ] + +There's a big comment in the x86 do_page_fault() about our interrupt +disabling code: + + * User address page fault handling might have reenabled + * interrupts. Fixing up all potential exit points of + * do_user_addr_fault() and its leaf functions is just not + * doable w/o creating an unholy mess or turning the code + * upside down. + +but it turns out that comment is subtly wrong, and the code as a result +is also wrong. + +Because it's certainly true that we may have re-enabled interrupts when +handling user page faults. And it's most certainly true that we don't +want to bother fixing up all the cases. + +But what isn't true is that it's limited to user address page faults. + +The confusion stems from the fact that we have logic here that depends +on the address range of the access, but other code then depends on the +_context_ the access was done in. The two are not related, even though +both of them are about user-vs-kernel. + +In other words, both user and kernel addresses can cause interrupts to +have been enabled (eg when __bad_area_nosemaphore() gets called for user +accesses to kernel addresses). As a result we should make sure to +disable interrupts again regardless of the address range before +returning to the low-level fault handling code. + +The __bad_area_nosemaphore() code actually did disable interrupts again +after enabling them, just not consistently. Ironically, as noted in the +original comment, fixing up all the cases is just not worth it, when the +simple solution is to just do it unconditionally in one single place. + +So remove the incomplete case that unsuccessfully tried to do what the +comment said was "not doable" in commit ca4c6a9858c2 ("x86/traps: Make +interrupt enable/disable symmetric in C code"), and just make it do the +simple and straightforward thing. + +Signed-off-by: Cedric Xing +Reviewed-by: Dave Hansen +Fixes: ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code") +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/mm/fault.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 6529b3e2cff3c..4890cafea7b66 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -815,8 +815,6 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code, + force_sig_pkuerr((void __user *)address, pkey); + else + force_sig_fault(SIGSEGV, si_code, (void __user *)address); +- +- local_irq_disable(); + } + + static noinline void +@@ -1463,15 +1461,12 @@ handle_page_fault(struct pt_regs *regs, unsigned long error_code, + do_kern_addr_fault(regs, error_code, address); + } else { + do_user_addr_fault(regs, error_code, address); +- /* +- * User address page fault handling might have reenabled +- * interrupts. Fixing up all potential exit points of +- * do_user_addr_fault() and its leaf functions is just not +- * doable w/o creating an unholy mess or turning the code +- * upside down. +- */ +- local_irq_disable(); + } ++ /* ++ * page fault handling might have reenabled interrupts, ++ * make sure to disable them again. ++ */ ++ local_irq_disable(); + } + + DEFINE_IDTENTRY_RAW_ERRORCODE(exc_page_fault) +-- +2.51.0 +